G Suite Marketplace Security Assessment Program

The G Suite Marketplace Security Assessment Program provides optional reviews that are performed by third-party security firms. These reviews cover penetration testing, deployment review, and a policy and procedure review. Apps that have completed this assessment are highlighted with a badge on their G Suite Marketplace listing:

[Image: Security assessment badge]

Developers can submit any new or existing app to the security assessment program.

Why should I submit my project for review?

Apps that have passed this assessment earn a badge on their G Suite Marketplace listing. This badge is discoverable by Marketplace users.

What does the security assessment include?

The process tests for vulnerabilities in your application across four key areas:

  • External Network Penetration Testing identifies potential vulnerabilities in external, internet-facing infrastructure systems.
  • Application Penetration Testing identifies potential vulnerabilities in applications that access user data.
  • Deployment Review identifies exploits and vulnerabilities in developer infrastructure.
  • Policy and Procedure Review examines the efficacy of information security policies and procedures.

For more precise details about the assessment, please see the Security Assessment Help Center article.

Badges are granted once an app successfully completes the assessment. To keep the badge, an app must be reassessed every 12 months. The security assessment badge is not a guarantee against every possible threat or harm; it indicates only that the app has successfully completed a security review based on the criteria above.

How much does it cost?

Costs for the security assessment generally range between $15,000 and $75,000, and vary depending on the complexity of the application. All fees associated with the assessment are determined by and paid to the designated third-party security firm. Developers are responsible for all fees associated with the assessment.

The fees may be required whether or not your app passes the assessment. Fees include one remediation assessment if needed. If your app has previously completed a security assessment as determined by a Google-designated security firm, you can provide a letter of assessment that may reduce the scope of the review.

Applications that previously passed the Gmail API Security Assessment as part of the OAuth restricted scope app verification receive a badge as well.

How do I get started with the security review process?

Contact one of the security firms below. You must provide a link to your app's listing in the G Suite Marketplace.

Security assessors

  • NCC: to contact NCC, please reach out to NCC Google Management.
  • Bishop Fox: to contact Bishop Fox, please reach out to Bishop Fox.
  • Leviathan Security: to contact Leviathan Security, please reach out to GCP at Leviathan Security.

Should domain private apps undergo this security assessment?

While any app can choose to undergo a security assessment and go through this review process, it is most useful for publicly listed apps that target an external (outside the domain) audience.