Google OAuth Security Review

Google OAuth Reverification

Updated September 15, 2020

NOTE: If you are a Nylas customer, you can use our Express Security Review to complete the Google security review quickly and at the lowest possible cost.

Last year, Google announced that OAuth API verification would be required for applications that use its APIs to access user data classified as “sensitive” or “restricted”, i.e. calendar data, Drive data, and email data. Having gone through the verification process ourselves at Nylas, we know how confusing it can be, and we shared a post detailing the costs and timeline of the process. As the annual assessment of your application comes up for renewal, we want to answer a few questions you may have about what this year's assessment might look like.

Costs of the Annual Assessment May Decrease for Renewal

When information about the Google security assessment was first released, the cost of the security review was officially stated to be between $15,000 and $75,000, depending on the complexity of the application. Since then, we have learned that if you have recently had a penetration test carried out (for example, as part of a SOC 2 Type II audit) you may be able to reduce both the cost and the burden of the assessment. In addition, if your application was assessed last year and has stayed largely the same since then, your cost is likely to be much lower than for the initial assessment.

Security Assessors Increase Velocity of App Review

Last year, Google's security assessments were conducted by Bishop Fox, Leviathan Security Group, and NCC Group. These three firms continue to be the Google-approved assessors going into the new year of the assessment program. Because 2019 was the program's first year, the assessors could not predict how much capacity they would need to meet demand; as a result, customers experienced delays in processing, and some assessors simply turned applicants away. All three firms assure us that capacity is no longer an issue, especially as the annual reassessment is considered lower risk than the initial assessment.

After more than a year of working with Google on this program, the security firms also report that returning customers will likely be given some leeway on timelines by Google. That said, we still strongly advise you to engage your security firm as early as possible.

To that end, it helps to have a clear picture of your deadlines and of the outstanding items you need to complete to obtain your assessment on time. Once you have made contact with a security assessor, each firm has a questionnaire that will help you work out what needs to be done and by when.

“Medium”-Level Security Findings

When your application was assessed, some findings may have been rated “medium” severity. It has since been confirmed that 73% of “medium”-severity findings were cloud-configuration issues requiring remediation. Google will soon release guidance on whether developers must fix “medium”-severity findings before approval letters can be issued.

Safeguarding Your Privacy and Security

To protect your security and privacy, communication about your Google security assessment must remain between you and the security assessors. Nylas is still here to help, however. We are in direct contact with all three firms, as well as with the Google Trust & Safety team that oversees the assessment program. As you proceed, if there is any information we can provide or any inquiry we can make on your behalf, we are happy to do so. Simply reach out to Nylas Support at [email protected].
