The following Self-Assessment Questionnaire (SAQ) is meant to prepare you for the Google Partner Program security assessment. The Google Partner Security Program is a collaborative effort to protect partner, customer, and Google data by increasing the security of Google partners’ applications and networks that integrate with the Google ecosystems. Google has engaged Bishop Fox to conduct appropriate security testing with the goal of validating the security of Google partners’ applications and ensuring Google user data is being handled securely.
This self-assessment addresses common threats, based on industry trend reports, CIS CSC Top 20, and our experience both as testers and as the firm who partnered with Google to create the testing methodology. Responses are reviewed as “met”, “partially met”, or “not met” based on standardized evaluation criteria. Our goal is to help you prepare for the security assessment and help you successfully complete and meet Google’s requirements so that you can continue to offer your application within the Google ecosystem. This guide will provide an overview of the topics covered on the Self-Assessment Questionnaire (SAQ) and highlight the most common security findings produced by the assessments. By sharing these findings, we hope to help you focus on areas where you’re most likely to run into issues so that you can quickly complete your assessment, while still ensuring privacy and security for users.
This list represents the most common findings identified across last year’s SAQ security assessments. These findings helped us create our SAQ and provided areas of improvement where our clients should focus their efforts. The five most common findings:
Missing Vulnerability Disclosure Program (see Vulnerability Disclosure Program)
Improper Incident Response Plan (see Incident Response Plan)
Missing Account Threat Detection Mechanism (see Logging Practice)
Insecure Token Storage (See Google API Access Token Storage)
Lack of Encryption at Rest for User Data Storage Volumes (See User Account and Personal Data Deletion)
Now, we’ll jump into the SAQ to help you and your team prepare:
Incident Response Plan
Vulnerability Disclosure Program
User Account and Personal Data Deletion
IT and Workstation Security
Secure Software Development Lifecycle
Google API Access Token Storage
Data Classification Policy
Incident response plans require participation and contribution from different departments and team members. Ensure that your incident response plan provides clear guidance and responsibilities for each party participating in the process.
Do you have documentation describing your incident response plan?
Does your incident response plan include descriptions of how incidents are identified, how to triage an incident, and who is responsible?
Following an incident, do you share a post-mortem or any lessons learned with your employees?
Do you have defined protocols and procedures for reporting incidents to the appropriate regulatory bodies or law enforcement?
Logging and monitoring are critical for alerts, rapid response, and investigations. Consider the existing automation currently in place in regard to your infrastructure, and identify ways in which additional monitoring might be introduced to enhance their security posture. For example, AWS users might add a CloudTrail rule which alerts when users have administrative privileges added to their accounts.
Monitoring and alerting are not just for system administrators. Users can benefit from information such as unsuccessful login attempts, access from an unrecognized IP address, or pertinent information on recent account activity.
Are alerts generated when changes are made to users with administrative privileges over your cloud or on-premise infrastructure?
Do you log unsuccessful attempts to access administrative or deactivated accounts?
What steps do you take to prevent the exfiltration of data on your corporate network? What processes and tools are used?
Do you notify users of unsuccessful login attempts to their account?
A vulnerability disclosure program allows your organization to provide clear instructions to securely transmit vulnerabilities identified by customers or security researchers.
Awarding bounties or using a triage service like HackerOne, Intigriti, or BugCrowd is optional, and may be a good fit for your organization. Some organizations have found success crowdsourcing their vulnerability identification through these programs as it provides security researchers with additional incentive to identify and disclose vulnerabilities that might be exploited by malicious users. However, simply providing a webpage with clear directions on reporting vulnerabilities, creating a firstname.lastname@example.org email list, and triaging and remediating findings in the industry standard 90-day window is also sufficient.
Do you have a vulnerability disclosure program?
Is there a publicly available web page describing how to report vulnerabilities?
Do you implement security.txt and/or have a email@example.com email alias?
Do you have established internal SLAs or deadlines for triaging reported or identified vulnerabilities?
Focus on basic user data privileges such as access, modification, and deletion. Users should be able to control and remove their data from the application. Additionally, all storage volumes containing user data should be encrypted at rest.
Can a user delete their account, or request that their account be deleted?
Are users able to delete their data?
Are storage volumes containing user data encrypted at rest?
(Optional) Can users access/download their data?
To ensure the integrity of the application, it’s important to consider the security policies of the organization as a whole, as a breach in one area can easily impact the security of the rest of the environment.
What does the average employee workstation look like?
Do all users have administrative privileges on their workstations, or is it limited to certain users and departments?
What steps do you take to reduce the usage of default passwords on your infrastructure? What about default accounts?
How are patches deployed to servers? Is the process automated or manual?
What steps do you take to secure employee email clients?
Do you conduct security awareness training? What is the frequency? How do you verify successful completion?
If security incidents are caused by employee error, do the lessons learned get incorporated into the security awareness program?
How is wireless access encrypted and what is the authentication mechanism?
How do you detect rogue access points?
Do you perform DNS filtering of known malicious domains?
Are workstations configured to prevent the use of removeable media? What about auto-running programs on removable media? If you don’t have mechanisms in place to automatically prevent the use of removable media, do you have a policy that forbids their usage?
How is system configuration enforced for your infrastructure?
What endpoint protection mechanisms are in place on employee workstations? What percentage of workstations have an anti-malware solution deployed? How often are signatures updated?
Are software and hardware purchases required to be performed by a specific person or department? What person or department approves these? What tooling is used to track software and hardware inventory?
Secure development operations, designs, and deployments make up the backbone of application security. Consider the questions below to determine the maturity of your application.
How do you harden your server and/or container images?
Is there a clear, understood definition of what constitutes a secret and where it is and is not supposed to be stored? What steps do you take to ensure that is the case?
Are secrets encrypted at rest?
How are patches deployed to applications, frameworks, and systems? How are you alerted to new vulnerabilities in key third-party products?
Are development and test teams trained on the OWASP Top 10 and other secure coding guidelines?
Does the development team follow a defined security quality assurance test process?
Is there an approval process for code contributions to the production codebase? What about infrastructure or configuration modifications?
Is sensitive information physically and logically separated from the rest of the network?
How often are port scans performed?
With the upward trend in credential stuffing attacks, the need for defense-in-depth strategies, such as deploying MFA across internal and external services is a must for both an organization and for customers. Consider your organization’s usage of MFA for general employees, developers, monitoring tools, and services.
Does your organization use multi-factor authentication (MFA) for internal employee or developer access to critical infrastructure, such as your cloud environment?
Since Google API tokens provide access to the end-user’s Google account, it is important that the associated tokens be protected with strong encryption to prevent unauthorized access to the user’s data. API access tokens should be encrypted via a service such as AWS KMS, Azure Key Vault, GCP Cloud KMS, Heroku ICE, or an equivalent solution. Encrypted records can then be safely stored in a database. Encryption at rest is not a substitute, but a separate security mechanism. For more information on secure storage of user tokens, please see: https://developers.google.com/identity/protocols/oauth2/policies#secure-credentials
Data classification policies ensure that sensitive data is properly secured and segmented from public data. Having clear definitions of classification and handling allow the organization to define when a violation or leak of sensitive data has occurred.
Do you have a documented data classification and handling policy?
Do you include authentication credentials and session tokens as sensitive data?
For additional resources on designing data classification and handling policies, please see:
Secure data backup processes are a crucial part of a secure application deployment. It is important to have tested processes in place for disaster recovery.
How often do you perform user data backups, where are they stored, and for how long? What about application data (e.g., source code, configuration, etc.)?
Are backup volumes encrypted at rest?
Are backups stored in a cloud account separate from the account hosting application? What steps do you take to protect backups in the event of cloud account compromise?
We hope that this SAQ not only helps prepare you to pass the Google security assessment, but also helps you make measurable improvements in your application’s security posture. You may also find our article, Google Partner Program Top 10 useful. Inspired by the OWASP Top 10, we’ve created a prioritized list of the top 10 most common and high-risk bugs that we find on these assessments.
As a Google-approved testing firm, we’re happy to help you prepare for and complete the Google Partner Program assessment. Get more information and talk to our testing experts.