This document outlines the security requirements and expectations for all third-party applications which are to be listed on the Sage Marketplace.
Your overall approach to information security and responsibilities
Organizations today are facing increasing pressure to secure and protect employee data to ever higher standards. There is widespread concern regarding individual consumer and employee data privacy and security, resulting in new legislation, such as the EU’s General Data Protection Regulation (GDPR). Regulations such as the GDPR are requiring organizations to ensure they are taking data security seriously. The potential penalties for data breaches are very significant, not to mention the damage to trust and brand reputation.
Sage expects its partners to organise their information security programs using a management framework, and to ensure they appropriately define and allocate information security responsibilities. Listed below are some of the requirements that Sage expects its partners to adhere to.
Verify that your application meets the following requirements regarding how it handles and stores cookies.
All app session cookies have the following attributes set:
See OWASP for more details.
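The page does not list the attributes themselves, so the following added example (not Sage's code or part of the original text) assumes the ones OWASP's Session Management Cheat Sheet recommends for session cookies: Secure, HttpOnly, and SameSite set to Strict or Lax. It parses Set-Cookie header values as a server would emit them and reports which of those attributes a session cookie is missing, which is the kind of check a CI test or pre-release review can run against an application's responses. The header values below are constructed samples.

```python
"""Check Set-Cookie headers for session-cookie attributes.

Added example, not Sage's code. The required attributes (Secure, HttpOnly,
SameSite=Strict|Lax) are assumed from OWASP guidance; sample headers are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# SameSite values that keep a session cookie off cross-site requests (assumption).
ACCEPTED_SAMESITE = {"strict", "lax"}


@dataclass
class CookieReport:
    name: str
    missing: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.missing


def parse_set_cookie(header: str) -> tuple[str, dict[str, str | None]]:
    """Split a Set-Cookie header value into the cookie name and its attributes.

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif part:
            attrs[part.lower()] = None
    return name, attrs


def check_session_cookie(header: str) -> CookieReport:
    """Report which of the required attributes a single Set-Cookie header lacks."""
    name, attrs = parse_set_cookie(header)
    report = CookieReport(name)
    if "secure" not in attrs:
        report.missing.append("Secure")
    if "httponly" not in attrs:
        report.missing.append("HttpOnly")
    samesite = attrs.get("samesite")
    if samesite is None or samesite.lower() not in ACCEPTED_SAMESITE:
        report.missing.append("SameSite=Strict|Lax")
    return report


def check_response_cookies(set_cookie_headers, session_cookie_names) -> list[CookieReport]:
    """Check only the headers that set a known session cookie; return the failing reports."""
    failures = []
    for header in set_cookie_headers:
        report = check_session_cookie(header)
        if report.name in session_cookie_names and not report.ok:
            failures.append(report)
    return failures


# Constructed sample headers, as a server might emit them.
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",  # acceptable
    "sid=def456; Path=/",                                  # weak: nothing set
    "theme=dark; Path=/; SameSite=None",                   # not a session cookie
]

if __name__ == "__main__":
    for r in check_response_cookies(SAMPLE_HEADERS, {"sid"}):
        print(f"{r.name}: missing {', '.join(r.missing)}")
```

Only cookies named in `session_cookie_names` are judged, because preference cookies such as `theme` legitimately carry different attributes; run the check against every response that sets the session cookie (login, session rotation, logout).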
Finding and fixing security problems
Sage expects its partners to have a program in place for regularly scanning computer hardware and software for weaknesses that could lead to security problems. Any weaknesses found should be fixed on a priority basis.
Good coding practices
Sage encourages its partners to follow the security best practices for their programming language and platform, to have sufficient testing in place to discover security weaknesses, and to become familiar with defending against and fixing the web security weaknesses they may encounter (e.g. the OWASP Top 10).
Sage expects that Partners will ensure that their hosted or cloud services follow good operational practices, which should include:
- Firewall technologies to automatically block cyber-attacks.
- Scanning for weaknesses and managing vulnerabilities via patching.
- Sensible procedures for approving and applying changes.
- Understanding how to detect, manage, and report security issues.
- Understanding how to recognise and handle security incidents.
- Regular independent testing of your security, such as penetration testing.
- Never copying real data into test systems.
Responsible approach to handling data & secrets
Partners must ensure that the protections used are proportionate to the sensitivity of the data, and more sensitive data may need extra security controls.
Partners should have clear policies in place for correct handling of data. Ideally production data should not be copied, or ever be stored outside of a secure production environment. Partners should train their employees to make sure that they do not misuse systems in ways that could reduce the security of the data they handle.
Highly sensitive secrets such as signing certificates used to sign requests should be stored in a secure manner where access is strictly controlled. Where possible these secrets should not be stored in source code.
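Two practical checks follow from this paragraph: catching secrets before they reach source control, and reading them at runtime from somewhere other than the code. The added example below (not Sage's code) does both with the standard library only. The detection patterns are a deliberately minimal heuristic, an assumption rather than a complete secret scanner, and the source file it scans is a constructed sample.

```python
"""Flag secrets embedded in source, and load secrets from the environment instead.

Added example, not Sage's code. PATTERNS is a minimal heuristic (assumption);
SAMPLE_SOURCE is a constructed file with placeholder values.
"""
from __future__ import annotations

import os
import re

PATTERNS = {
    # Any PEM private key block: RSA, EC, OPENSSH, or PKCS#8 ("BEGIN PRIVATE KEY").
    "pem_private_key": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    # A name containing key/secret/password/token assigned a quoted literal of 8+ chars.
    "credential_literal": re.compile(
        r"""(?i)\w*(?:api[_-]?key|secret|password|passwd|token)\w*\s*[:=]\s*["'][^"']{8,}["']"""
    ),
}


def find_embedded_secrets(source: str, path: str = "<input>") -> list[tuple[str, int, str]]:
    """Return (path, line number, pattern name) for each line that looks like a secret."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, kind))
                break  # one finding per line is enough to block the commit
    return findings


def load_secret(name: str, environ=os.environ) -> str:
    """Read a secret injected at deploy time (an environment variable populated
    from a secrets manager or vault) and fail closed if it is absent or empty."""
    value = environ.get(name)
    if not value:
        raise RuntimeError(f"secret {name!r} is not configured")
    return value


# Constructed sample source file: two findings (lines 2 and 5), one safe pattern (line 7).
SAMPLE_SOURCE = '''\
import os
SIGNING_KEY = """-----BEGIN RSA PRIVATE KEY-----
MIIEow...constructed-placeholder...
-----END RSA PRIVATE KEY-----"""
api_key = "sk_live_0123456789abcdef"
timeout = 30
db_password = os.environ["DB_PASSWORD"]
'''

if __name__ == "__main__":
    for path, lineno, kind in find_embedded_secrets(SAMPLE_SOURCE, "app/config.py"):
        print(f"{path}:{lineno}: {kind}")
```

`find_embedded_secrets` fits naturally in a pre-commit hook or CI step; `load_secret` shows the replacement pattern, where the signing key or API credential is mounted by the platform and the application refuses to start without it rather than falling back to a default baked into the code.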
We expect Partners to have rules in place to control which employees can access sensitive data, and to only allow employees to access sensitive data if it is needed for them to do their job, for example, to provide technical support. Ideally Partners should be able to track and log all employees that have access to data.
Partners must use good encryption to protect customer data, for example where it is being sent over the internet. Partners should use multiple layers of security, including leading encryption technology such as HTTPS and Transport Layer Security (TLS).
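What "use TLS" means in a client's code is mostly three settings: verify the server certificate against a trusted CA store, check the hostname, and refuse old protocol versions. The added example below (not Sage's code) builds such a context with Python's standard `ssl` module, shows the weak configuration a reviewer should look for beside it, and audits either one. The policy it enforces (TLS 1.2 or newer, verification and hostname check on) is an assumption about what the paragraph's "leading encryption technology" means in practice.

```python
"""Build and audit a client-side TLS configuration.

Added example, not Sage's code. The enforced policy (TLS >= 1.2, CA verification,
hostname check) is an assumption; only the standard library is used.
"""
from __future__ import annotations

import socket
import ssl


def build_tls_context() -> ssl.SSLContext:
    """Client context that verifies the server certificate against the system CA
    store, checks the hostname, and refuses anything older than TLS 1.2."""
    ctx = ssl.create_default_context()  # system CAs, CERT_REQUIRED, check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_tls_context() -> ssl.SSLContext:
    """The setting to watch for in code review: verification switched off, so any
    certificate, including one presented by a man-in-the-middle, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the policy violations found in a context (empty when acceptable)."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate not verified")
    if not ctx.check_hostname:
        problems.append("hostname check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("TLS versions older than 1.2 allowed")
    return problems


def negotiated_tls_version(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect with the hardened context and report the negotiated protocol version."""
    ctx = build_tls_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version() or "unknown"


if __name__ == "__main__":
    for label, ctx in (("hardened", build_tls_context()), ("weak", weak_tls_context())):
        print(label, audit_tls_context(ctx) or ["ok"])
    # Requires network access: print(negotiated_tls_version("example.com"))
```

`audit_tls_context` is the part worth keeping in a test suite: run it over every `SSLContext` the application constructs so that a `verify_mode = CERT_NONE` added to get past a staging certificate problem cannot reach production unnoticed.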
Wherever data is stored, disk encryption should be applied.
Where available ISV Partners should use appropriate SDK/APIs to control access to data and should follow relevant advice on using the SDK/API securely.
Handling of Security Incidents
Following discovery or notice of any Security Incident, Partner shall (where necessary):
- notify Sage of a Security Incident without undue delay after Partner becomes aware of it;
- promptly take corrective action to mitigate any risks or damages involved with such Security Incident and to protect the Service and its Data from any further compromise;
- take steps to mitigate any such defect or vulnerability as quickly as reasonably possible, according to the level of risk arising from the defect or vulnerability; and
- take any other actions that may be required by applicable laws, regulations, and standards.