Ask HN: Has Google made you pay $15,000 to $75,000 for a security review?
Has anyone gone through Google's OAuth verification process for restricted scopes recently? They give you a choice of just two very expensive companies for security reviews. We are in the process of going through this but have not yet received the confirmation that our scope is approved. This process was a huge surprise for us. We are a bootstrapped startup that spent a significant amount of time building the Gmail integration last year before this was announced. We are launching shortly and have had to remove the entire integration. We have no idea how much it is going to cost or if we will be approved. We are launching a product in a mature market with lots of competitors (hence the long initial development time), one of those being Google. According to Wikipedia, Gmail has 1.4 billion customers. I don't understand how this got past their lawyers - 1) monopoly in the e-mail space, 2) create other products tightly integrated, 3) charge a $15k - $75k fee to any new competitors in your space.

Google isn't charging you anything in this instance; they're requiring you to get an assessment from a third party, and while $75k is way out of line for a straightforward assessment of a simple CRUD-type app, $15k is actually on the low end for that kind of work.

Understood, however from our cash flow perspective, Google is "charging" us this amount in order to play. We have no alternatives, we cannot find another vendor, and at the end of the day have to pay a minimum of $15k to compete with them. It makes no difference who gets the money; obviously that amount of money means nothing to Google.

> and at the end of the day have to pay a minimum of $15k to compete with them.

From your previous statement, it seems your product is tightly integrated with Gmail. That suggests you're actually relying on Google to be your infrastructure provider. If that's the case then claiming the fee is "to compete with them" is not the most accurate or honest description.
They're paying a lot more than $15k on security. Your money isn't going to them; it's going to a reputable assessment firm. I don't see the unfairness. You're neither competing with them nor are they charging you money.
They're wanting an assessment from a trusted company, to ensure that you don't mess around on their service.
Yes, it costs money, but from their standpoint it's simply insurance against exploitation on their service/platform.

When we asked to use another security company for the assessment Google responded: "We understand your concern but you will have to request a security assessment from one of the following independent third-party assessors: Leviathan Security, Bishop Fox". Here is the problem explained: https://www.theregister.co.uk/2019/02/11/google_gmail_develo...

Interesting! I have some ideas for options here if you'd like to chat offline to see if I can help you; hit us up. https://includesecurity.com/#contact Context: I work in this space and actively work on programs such as these.

The problem is that Google wants to see reviews from one of those companies. We're communicating with them regarding this more ... because this is just a major shakedown which will put small dev. shops out of business.

Yes, I understand the problem; we've seen it before. I still have ideas that could help you if you'd like to communicate off HN. I'm happy to share.

Google completely ignores our complaints about forcing app developers to use just those two firms, so any dev. shop using the Gmail API (or IMAP over OAuth2) should be prepared to pay >$15k! That is going to drive many small businesses out of business.

Got it. Let me see what Google responds to our last inquiry, then I'll contact you.

For what it's worth, Leviathan and Bishop Fox are both strong firms.

Agree 100% tptacek. Though I would suggest that opening up vetting to add new firms and the resulting competition would only improve the situation for partners in terms of pricing, scheduling, process, etc. Obviously we're a competing firm to those, so bias warning :), but I think it's a sound principle that would help the market.

Related: I am going through Google's OAuth verification for a simple "sign up with Google" function plus non-restricted scope access. They say that the application is approved, the console has a green check mark and says "published", and I got an email saying that the application has been approved. However, whenever a user actually tries to sign up, it says that the app is not verified. So I can't submit anything for review, because everything has been reviewed and approved, but it still doesn't work.

I'm going off very little info here, but this is almost always not Google's fault. Double-check everything and try a prebuilt application that's known to work with those scopes.

The practice is pretty common when dealing with a large enterprise. Pen tests vary wildly, in quality and scope. Typically, you require 3rd party pen tests; a little more common is to review the report and methodology. However, it's not uncommon to specify that it has to be a Big4-type firm or from an approved vendor list. It's pricey, especially for small firms. However, most companies don't know what their security posture is; this is all part of managing risk.

Yes, and it's about time. The reality is that email is a huge attack vector for corporations and it's not practical for Google to bear the burden of review as part of their ecosystem. It was tested and failed. They've only approved two vendors, blargh. More will come in time. Be patient, or raise money.

It's very common for developers to mess up authentication. It requires a fundamental understanding of protocols. What makes it worse is that an incorrectly implemented protocol doesn't break the integration, it just breaks the security benefits. A pen test mitigates that risk.

This seems to be new as of January 15, 2019. https://developers.google.com/terms/api-services-user-data-p... https://cloud.google.com/blog/products/g-suite/elevating-use...

It's an optional step[1] if you list your app as a G Suite Marketplace app with domain-only install. Of course, it makes sense if your app targets only G Suite customers and not general Gmail customers. It also limits the market reach. [1] https://developers.google.com/gsuite/marketplace/security-as...

It appears to be a CYA move by Google. A penetration test, clear detailed information about usage of user data, and it is done by separate contractors. I would hope they allow more contractors in the future.

Yep, this is a common move a lot of companies are doing for their biz partners, and customers are requiring these sorts of tests be done before getting final procurement sign-off. It's all just another moat around those sweet sweet enterprise $$.
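The remark in the thread that an incorrectly implemented protocol "doesn't break the integration, it just breaks the security benefits" can be made concrete with an OAuth 2.0 authorization-code callback. The following is an added example, not code from the thread, from Google or from any of the firms named: a toy callback handler with and without `state` binding, run against a constructed in-memory stand-in for the provider. No real endpoints are contacted, and every name, URL and account here is made up for illustration. Both handlers complete a legitimate login; only the naive one also lets an attacker log the victim's browser into the attacker's account (login CSRF).

```python
"""
Toy OAuth 2.0 authorization-code callback, naive vs. state-bound.
Everything is constructed for illustration: the "provider" is a dict,
not Google, and the e-mail addresses and URL are hypothetical.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed stand-in for the provider's token endpoint: maps a one-time
# authorization code to the account it was issued for.
ISSUED_CODES: Dict[str, str] = {}


def provider_issue_code(subject: str) -> str:
    """Simulate the provider handing out an authorization code for `subject`."""
    code = secrets.token_urlsafe(16)
    ISSUED_CODES[code] = subject
    return code


def provider_redeem_code(code: str) -> Optional[str]:
    """Simulate the token endpoint; codes are single-use, unknown codes fail."""
    return ISSUED_CODES.pop(code, None)


@dataclass
class Session:
    """What the relying party's session cookie would point at."""
    oauth_state: Optional[str] = None
    user: Optional[str] = None


def start_login(session: Session) -> str:
    """Build the authorization request and bind a fresh state to this session."""
    session.oauth_state = secrets.token_urlsafe(32)
    return ("https://provider.example/authorize?response_type=code"
            f"&state={session.oauth_state}")


def callback_naive(session: Session, params: dict) -> bool:
    """Completes a real login fine, but never looks at `state`: any valid
    code, including one the attacker obtained for their own account, is
    accepted and bound to whatever browser session arrives with it."""
    subject = provider_redeem_code(params.get("code", ""))
    if subject is None:
        return False
    session.user = subject
    return True


def callback_hardened(session: Session, params: dict) -> bool:
    """Same flow, but the code is only redeemed if `state` matches the value
    this session generated; the stored state is consumed on first use."""
    expected = session.oauth_state
    session.oauth_state = None
    received = params.get("state", "")
    if expected is None or not hmac.compare_digest(expected, received):
        return False
    subject = provider_redeem_code(params.get("code", ""))
    if subject is None:
        return False
    session.user = subject
    return True


Handler = Callable[[Session, dict], bool]


def legitimate_flow(handler: Handler) -> Optional[str]:
    """User starts login, provider issues a code, browser returns code+state."""
    session = Session()
    start_login(session)
    code = provider_issue_code("victim@example.com")
    handler(session, {"code": code, "state": session.oauth_state})
    return session.user


def login_csrf(handler: Handler) -> Optional[str]:
    """Attacker gets a code for *their* account and tricks the victim's
    browser into hitting the callback with it (state is missing or forged)."""
    victim = Session()
    start_login(victim)
    attacker_code = provider_issue_code("attacker@example.com")
    handler(victim, {"code": attacker_code, "state": "forged-or-missing"})
    return victim.user


if __name__ == "__main__":
    for name, h in (("naive", callback_naive), ("hardened", callback_hardened)):
        print(f"{name:9} legitimate -> {legitimate_flow(h)}")
        print(f"{name:9} login CSRF -> {login_csrf(h)}")
```

The point of the pairing is that nothing in a functional test distinguishes the two handlers: the happy path returns the same logged-in user either way, which is exactly why this class of bug survives until someone probes the callback with a mismatched or absent `state`. The same shape applies to other silent omissions in these flows, such as skipping `aud`/`iss` checks on an ID token.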