
Ask HN: Has Google made you pay $15,000 to $75,000 for a security review? - aspantel
Has anyone gone through Google's OAuth verification process for restricted scopes recently? They give you a choice of just two very expensive companies for security reviews.
======
lowkj
We are in the process of going through this but have not yet received the
confirmation that our scope is approved.

This process was a huge surprise for us. We are a bootstrapped startup that
spent a significant amount of time building the Gmail integration last year
before this was announced. We are launching shortly and have had to remove the
entire integration. We have no idea how much it is going to cost or if we will
be approved.

We are launching a product in a mature market with lots of competitors (hence
the long initial development time), one of those being Google. According to
Wikipedia, Gmail has 1.4 billion customers. I don't understand how this got
past their lawyers - 1) monopoly in e-mail space, 2) create other products
tightly integrated, 3) charge a $15k - $75k fee to any new competitors in your
space.

~~~
tptacek
Google isn't charging you anything in this instance; they're requiring you to
get an assessment from a third party, and while $75k is way out of line for a
straightforward assessment of a simple CRUD-type app, $15k is actually on the
low end for that kind of work.

~~~
lowkj
Understood, however from our cash flow perspective, Google is “charging” us
this amount in order to play. We have no alternatives, we cannot find another
vendor, and at the end of the day have to pay a minimum of $15k to compete
with them. It makes no difference who gets the money, obviously that amount of
money means nothing to Google.

~~~
geezerjay
> and at the end of the day have to pay a minimum of $15k to compete with
> them.

From your previous statement, it seems your product is tightly integrated with
Gmail. That suggests you're actually relying on Google to be your
infrastructure provider. If that's the case then claiming the fee is "to
compete with them" is not the most accurate or honest description.

------
aspantel
When we asked to use another security company for the assessment Google
responded: "We understand your concern but you will have to request a security
assessment from one of the following independent third-party assessors:
Leviathan Security, Bishop Fox".

~~~
IncludeSecurity
Interesting! I have some ideas for options here. If you'd like to chat offline
to see if I can help you, hit us up here:
[https://includesecurity.com/#contact](https://includesecurity.com/#contact)

Context: I work in this space and actively work on programs such as these.

~~~
aspantel
The problem is that Google wants to see reviews from one of those companies.
We're communicating with them regarding this more ... Because this is just a
major shake down which will put small dev. shops out of business.

~~~
IncludeSecurity
Yes I understand the problem, we've seen it before. I still have ideas that
could help you if you'd like to communicate off HN, I'm happy to share.

~~~
aspantel
Google completely ignores our complaints about forcing app developers to use
just those two firms so any dev. shop using Gmail API (or IMAP over OAuth2)
should be prepared to pay >$15k! That is going to drive many small businesses
out of business.

------
tptacek
For what it's worth, Leviathan and Bishop Fox are both strong firms.

~~~
IncludeSecurity
Agree 100% tptacek. Though I would suggest that opening up vetting to add new
firms and the resulting competition would only improve the situation for
partners in terms of pricing, scheduling, process, etc.

Obviously we're a competing firm to those, so bias warning :), but I think
it's a sound principle that would help the market.

------
philipkiely
Related: I am going through Google's OAuth verification for a simple "sign up
with google" function plus a non-restricted scope access. They say that the
application is approved, the console has a green check mark and says
"published" and I got an email saying that the application has been approved.

However, whenever a user actually tries to sign up, it says that the app is
not verified. So I can't submit anything for review, because everything has
been reviewed and approved, but it still doesn't work.

~~~
zenexer
I’m going off very little info here, but this is almost always not Google’s
fault. Double-check everything and try a prebuilt application that’s known to
work with those scopes.

------
relaunched
The practice is pretty common when dealing with a large enterprise. Pen tests
vary wildly in quality and scope. Typically, you require 3rd-party pen tests;
a little more common is to review the report and methodology. However, it's
not uncommon to specify that it has to be a Big4-type firm or from an approved
vendor list.

It's pricey, especially for small firms. However, most companies don't know
what their security posture is - this is all part of managing risk.

------
xfitm3
Yes, and it's about time. The reality is that email is a huge attack vector
for corporations and it's not practical for Google to bear the burden of
review as part of their ecosystem. It was tested and failed.

They've only approved two vendors, blargh. More will come in time. Be patient,
or raise money.

------
relaunched
It's very common for developers to mess up authentication. It requires a
fundamental understanding of protocols. What makes it worse is that an
incorrectly implemented protocol doesn't break the integration, it just breaks
the security benefits.

A pen test mitigates that risk.

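The point made just above, that a mis-implemented OAuth flow still "works" and only silently loses its security properties, is easy to see in code. The following is an added illustration written for this thread, not code from any poster or from Google: a minimal authorization-code redirect handler in an insecure form (no `state` check) beside a hardened form (single-use `state` plus PKCE). The client ID, redirect URI and session dict are placeholders; the Google authorization endpoint is quoted only to make the URL realistic and nothing is sent over the network. A legitimate login completes with both handlers, which is exactly why the defect goes unnoticed without a review.

```python
"""
OAuth 2.0 authorization-code flow, redirect-handling side only.
Constructed example: no network calls are made; a plain dict stands in for
the server-side session store. CLIENT_ID and REDIRECT_URI are placeholders.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
CLIENT_ID = "example-client-id.apps.googleusercontent.com"  # placeholder
REDIRECT_URI = "https://app.example.com/oauth/callback"     # placeholder
SCOPE = "openid email https://www.googleapis.com/auth/gmail.readonly"


def _params(url: str) -> dict:
    """Single-valued query parameters of a URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def _s256(verifier: str) -> str:
    """PKCE S256 code_challenge: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# --- insecure: the callback trusts whatever arrives -------------------------

def start_login_insecure(session: dict) -> str:
    query = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
             "response_type": "code", "scope": SCOPE}
    return f"{AUTH_ENDPOINT}?{urlencode(query)}"


def handle_callback_insecure(session: dict, callback_url: str) -> str:
    # No state check: any URL carrying a `code` is accepted. An attacker can
    # drive the victim's browser here with the attacker's own code and bind
    # the attacker's Google account to the victim's session (login CSRF).
    return _params(callback_url)["code"]


# --- hardened: single-use state (CSRF) plus PKCE (code interception) --------

def start_login(session: dict) -> str:
    session["oauth_state"] = secrets.token_urlsafe(32)
    session["oauth_verifier"] = secrets.token_urlsafe(64)
    query = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
             "response_type": "code", "scope": SCOPE,
             "state": session["oauth_state"],
             "code_challenge": _s256(session["oauth_verifier"]),
             "code_challenge_method": "S256"}
    return f"{AUTH_ENDPOINT}?{urlencode(query)}"


def handle_callback(session: dict, callback_url: str) -> tuple:
    """Return (code, code_verifier) for the token request, or raise ValueError."""
    p = _params(callback_url)
    expected = session.pop("oauth_state", None)      # pop, never get: single use
    verifier = session.pop("oauth_verifier", None)
    if "error" in p:
        raise ValueError(f"authorization server returned error: {p['error']}")
    got = p.get("state", "").encode("utf-8")
    if not expected or not hmac.compare_digest(expected.encode("ascii"), got):
        raise ValueError("state mismatch: callback is not bound to this session")
    if "code" not in p or verifier is None:
        raise ValueError("callback carries no authorization code")
    return p["code"], verifier


# --- scenarios a reviewer would exercise ------------------------------------

def legit_callback(auth_url: str, code: str = "legit-code") -> str:
    """Build the callback URL the browser hits after genuine user consent."""
    q = {"code": code}
    state = _params(auth_url).get("state")
    if state:
        q["state"] = state
    return f"{REDIRECT_URI}?{urlencode(q)}"


def forged_callback_accepted(start, handle) -> bool:
    """True if a callback with attacker-chosen code and state is accepted."""
    session = {}
    start(session)
    forged = {"code": "attacker-code", "state": secrets.token_urlsafe(32)}
    try:
        handle(session, f"{REDIRECT_URI}?{urlencode(forged)}")
        return True
    except ValueError:
        return False


def replay_accepted() -> bool:
    """True if the hardened handler accepts the same callback twice."""
    session = {}
    cb = legit_callback(start_login(session))
    handle_callback(session, cb)
    try:
        handle_callback(session, cb)
        return True
    except ValueError:
        return False


def pkce_binding_holds() -> bool:
    """The verifier handed to the token request matches the challenge sent."""
    session = {}
    auth_url = start_login(session)
    _, verifier = handle_callback(session, legit_callback(auth_url))
    return _s256(verifier) == _params(auth_url)["code_challenge"]
```

Both handlers return the same `code` for a genuine login; only `forged_callback_accepted` separates them, and only the hardened handler rejects a replayed callback. The token exchange itself (posting `code` and `code_verifier` to the token endpoint) is left out, as is redirect-URI allow-listing on the server side, which a reviewer would also check.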
------
spiznnx
This seems to be new as of January 15, 2019.

[https://developers.google.com/terms/api-services-user-data-policy#additional-requirements-for-specific-api-scopes](https://developers.google.com/terms/api-services-user-data-policy#additional-requirements-for-specific-api-scopes)

[https://cloud.google.com/blog/products/g-suite/elevating-user-trust-in-our-api-ecosystems](https://cloud.google.com/blog/products/g-suite/elevating-user-trust-in-our-api-ecosystems)

------
prkvs
It's an optional step[1] if you list your app as a G Suite marketplace app
with domain-only install. Of course, it makes sense if your app targets only G
Suite customers and not general Gmail customers. It also limits the market
reach.

[1] [https://developers.google.com/gsuite/marketplace/security-assessment](https://developers.google.com/gsuite/marketplace/security-assessment)

------
aSockPuppeteer
It appears to be a CYA move by google. A penetration test, clear detailed
information about usage of user data, and it is done by separate contractors.
I would hope they allow more contractors in the future.

~~~
IncludeSecurity
Yep, this is a common move a lot of companies are doing for their biz partners,
and customers are requiring these sorts of tests be done before getting final
procurement sign-off.

------
Jedi72
It's all just another moat around those sweet sweet enterprise $$

