The Nylas Express Security Review


In 2020, we announced the Express Security Review, the only program of its kind that simplifies the Google OAuth verification and security assessment process. Through partnerships with Google certified, third-party security firms, we set out to make this complex verification process as simple as possible. Today, we are excited to announce that we have made this workflow even easier by automating the Express Security Review process through the Nylas dashboard.

Starting the Nylas Express Security Review

Going forward, most of the assessment steps are handled through the Nylas dashboard and with direct communication with the Nylas Customer Success team. There are three main stages in the Nylas Express Security Review process: the Qualifier and Purchase Assessment, Google Verification Wizard, and the Security Assessment. To begin the security review process, there are a couple of prerequisites:

  1. In your Nylas Dashboard, add the Google Project ID that needs verification. 
  2. Ensure your Google application’s OAuth Client ID and Client Secret are added to your Nylas Dashboard under “App Settings” in the “Google OAuth” tab.
  3. You are ready to begin the assessment. Click on “Express Security Review” to start the assessment.

Qualifier and Purchase Assessment

The first portion consists of two steps and should be completed by someone on your team who understands how your platform uses the Nylas APIs and knows your billing and payment information.

The Qualifier section determines the kind of Google OAuth verification/assessment your platform needs. In this step, select your Google Project number as well as the Nylas APIs you use (email, calendar, or contacts), and indicate how you use the selected APIs. Depending on your answer, you are redirected to one of two different paths:

  1. Purchase Assessment – You proceed to this step if your application requires a third-party security assessment.
  2. Google Verification Wizard – You proceed to this step if your application does not require a third-party security assessment and only requires Google Verification.

The Purchase Assessment step uses your answers to estimate the final security assessment costs. As stated above, there are two outcomes within this step.

  • Your application is eligible for the standard Security Assessment cost.
  • Your application needs a custom quote from a third-party security assessor.
    • Based on the dashboard questionnaire responses, a Nylas representative will reach out within five business days to coordinate between you and the third-party security firm to produce the exact quote.

Google Verification Wizard

In this stage, the Nylas team reviews your application to ensure the details submitted to Google are sufficient for approval. We work with members of your team who can answer product and technical questions and navigate legal language. This portion of the process includes questions about application functionality and requires a video recording demonstrating that functionality; we also work with your team to update your Privacy Policy to include Google-approved language. After you submit the responses, a Nylas Customer Success manager will reach out in two business days if there are any additional questions. Our team has helped app developers through hundreds of verifications, and we offer the best practices we’ve learned and guidance at no additional charge to our customers.

Security Assessment

Once the verification process has been completed, the Nylas team then sets up a streamlined assessment with one of Google’s approved security firms. At this stage, you’ll need someone from your team who can answer product questions and technical questions while remediating any found security issues/concerns. After you submit the responses, a Nylas Customer Success manager will reach out in two business days if there are any additional questions. This step also streamlines the sharing of general information with the third-party security firm, including: company name, project points of contact information, preferred communication methods, previous security test reports, and incidents so that testing can get underway quickly.

Here’s a visual overview of the process from start to finish:

[Figure: Express Security Review (ESR) flowchart]

Speak to a platform specialist now to learn more about the Nylas Express Security Review.
