Security audit by Watchcom

    SuperOffice’s security policy requires its partners to pass a security evaluation before being accepted into the software sphere of SuperOffice. 

    This security evaluation is performed by Watchcom Security Group, a specialist in internet security.

    Watchcom Security Group is working for SuperOffice AS to evaluate the security of your company as a prerequisite to getting your partner application / integration accepted.

    The security evaluation is designed to make sure that you as a partner have given thought to the cyber security of your company and the information security of your application / integration.

    We are aware that some partners may already have had a security audit done by another vendor. However, for our App Store, we require that your app goes through our particular audit since Watchcom Security Group knows SuperOffice and our environment.

    Execution

    The security evaluation consists of the following activities:

    1. Port scanning exposed infrastructure: Depending on the Internet presence of your company, we will scan the whole of your external infrastructure to make sure that computers in the network don’t expose services that can be easily exploited. The focus will be on computers hosting the partner application / integration.
    2. Vulnerability scanning of exposed infrastructure: Exposed services found in the previous phase will be scanned for known vulnerabilities. Watchcom Security Group employs a range of vulnerability scanners to keep up with industry standards.
    3. Web vulnerability scanning: Any web applications or web APIs that are to communicate with SuperOffice’s servers will be scanned for web vulnerabilities.
    4. Manual audit: Watchcom’s expert penetration testers will make a limited manual audit of the application / integration.
    5. Design, architecture, infrastructure and data storage will be audited with regard to information security by Watchcom Security Group AS. This is to make sure that customer data and data belonging to SuperOffice are properly protected.

    Security audit packages: small, medium and large

    Security audits come in three packages: small, medium and large.

    Activities included in all audits are:

    1. Self-assessment review
    2. Testing
    3. Audit report

    Small
    The partner app has little interaction against a customer database. Typically a "read only" app.
    Time: 7 work hours (test and prepare report)
    Price: 10.000 NOK + VAT (approx Euro 995)

    Medium
    The partner app has both read and write access to a customer database.
    Time: 11 work hours (test and prepare report)
    Price: 15.000 NOK + VAT (approx Euro 1490)

    Large
    The partner app has both read and write access to a customer database, has its own login screen and not just SuperOffice federated authentication, or the service Database Mirroring is in use by the app.
    Time: 18 work hours (test and prepare report)
    Price: 25.000 NOK + VAT (approx Euro 2480)

    Additional auditing requirements

    The self-assessment and the audit report are confidential between the Partner and Watchcom AS. SuperOffice is only informed whether or not there are red flags that need to be fixed.

    In the event the audit uncovers extensive issues that need to be fixed, it may lead to re-testing and additional auditing services, which may incur additional fees. You will be notified if and when this occurs. You are not obliged to complete and pay for an additional audit; however, failing to do so will lead to your app not being certified and therefore not listed in the SuperOffice App Store.

    Fee payment

    You will be invoiced by and pay Watchcom AS directly for the services delivered in connection with the security audit.

    “Security was not high on our agenda before we were introduced to Watchcom. We thought we did okay, but the advice and thinking we got from Watchcom has been invaluable for us.”
    Søren Hartig, Development Manager CRM, Adwiza

    “We were informed in a timely manner during Expander World 2015 on how Watchcom was going to perform the security check. In preparation for developing our apps, we took this into account. So this information has previously contributed to the fact that our products easily passed the security check. During the certification process, we have received several tips from Watchcom that have ensured that our products for the online and on-premises environment are safer.”
    Bert Klomphaar, Directeur, All-CRM

    “Invaluable feedback! We learned things we’ll use in all future projects. The feedback from Watchcom has made all our projects more secure.”
    Frode Lillerud, Senior Developer / SuperOffice MVP, Ganske Enkelt AS

    “With the feedback from Watchcom we fine-tuned our internal Q&A procedure before releasing new products. After some very simple changes we managed to make our current and future product even more secure.”
    Matthijs Wagemakers, In charge of the development control panel, Infobridge Software B.V.

    “Working with Watchcom and SuperOffice in order to certify Visma.net Sync for SuperOffice gave an interesting perspective on security, and some valuable lessons on how to tighten the security of your web application.”
    Ole Melhus, ON IT AS

    “Providing apps working with your customer’s data in the cloud is quite another security story than providing integrations living inside the customer’s own network. Watchcom is looking at your app with the eyes of a critical customer (and SuperOffice) and helps you keep security as top priority for delivering a trustworthy app. Watchcom guides you so that your app keeps the security standard of a SuperOffice App. This way Watchcom can save you valuable time doing it right first time and bring your app to the SO App store market faster.”
    Lars Dyre Jespersen, CEO, Siteshop ApS

    “After the audit we received a detailed security evaluation from Watchcom. The document contained a description concerning a “security misconfiguration” which was discovered during the audit. As far as I see, all the information we received from Watchcom and the whole process was very professional. Especially that they showed us how someone could exploit the “security misconfiguration”. Thank you for this information! This changed our point of view, we will keep an eye on those things from now on. All over, we have learned a lot and now it is much easier getting the next app up to the store ;-)”
    Uwe Nouvertné, Geschäftsführer / Managing director, SP softwarepartner GmbH