We’re raising our platform’s global security standards

Kaye Harding
Xero Developer
Dec 10, 2019

At Xero, we have a duty of care to protect the data and privacy of our partners and customers. We don’t take this responsibility lightly and we’re constantly looking for ways to improve security across our platform. That’s why we’re rolling out new global security standards for Xero app partners.

To meet the new standard, every existing app partner with more than 1000 connections to the Xero API or WorkflowMax API, or any connection to Xero Practice Manager, Xero Tax or Xero HQ (practice apps), will need to successfully complete a security self-assessment by 30 June 2020. Any app certified from 1 January 2020 will need to successfully complete the assessment before it can reach 1000 connections, as will any app wishing to be certified as a practice app.

Over the past year or so, we’ve been working closely with the Australian Tax Office (ATO) and other industry players around raising security best practice. Through the Australian Business Software Industry Association, the ATO has recently released a set of standards for digital services providers with add-on marketplaces, which led us to review and update our own security standards.

In early 2020, we’ll begin rolling out the security self-assessment to all of our global app partners with over 1000 connections to the Xero API and WorkflowMax API, and those nearing this threshold, via email, as well as any practice app (those connecting to Xero Practice Manager, Xero Tax or Xero HQ). We’ll also send out a number of reminders and keep you posted as we lead up to the 30 June 2020 deadline.

For app partners connecting to Xero Practice Manager, WorkflowMax and Xero Tax, we’ll be communicating additional changes to authentication late Jan 2020.

App partners will need to complete and pass the assessment by 30 June 2020. API access may be restricted if the self-assessment isn’t successfully completed and remediated within an agreed timeframe.

The security self-assessment will need to be completed on an annual basis.

Below is a summary of the sections covered within the security self-assessment. You can also read more about the Security Standard for Add-on Marketplaces here. Rest assured we’ll be communicating directly with our app partners in the coming months, but we wanted to give a heads up of what’s coming so you can start to think and plan any likely work.

Encryption key management

App partners must have key management in place to protect client data and verify their app meets requirements for OAuth token management.

Encryption in transit

Sensitive client data must be protected during the transport process.

Indirect access to data

Unauthorised third-parties must not be able to access customer data without a justifiable business need clearly stated within application policies and/or terms and conditions.

App server configuration

App servers need to be secure, and their configuration must follow an industry-accepted hardening practice.

Vulnerability management

Apps must be secure against common vulnerabilities and follow an industry-accepted standard for secure code development, such as the OWASP Top 10, to protect against them.

Encryption at rest

Sensitive client data must be protected while at rest. NIST Cryptographic Mechanisms are mandatory for data repositories holding or managing sensitive commercial or personal information.

Audit logging

Appropriate audit logging functionality must be implemented and maintained. It should include both application level and event-based actions.

Data hosting

Client data must not be hosted in high risk areas. Consideration needs to be given to country, legal, contractual, access, sovereignty and counter-party risks.

Security monitoring practices and breach reporting

Security monitoring practices need to be in place to detect and manage threats. App partners must be able to show they scan for threats, take appropriate action where anomalies are detected and report these to Xero.

Post updated 18th March 2020 to reflect changes to the WorkflowMax API approach.
