An App Directory is a listing of applications (internal or third-party) integrated with an organization’s ecosystem — not all applications listed are directly hosted or managed by the platform owner. Our app directory penetration testing service helps ensure that listed applications meet baseline security criteria, are securely integrated and do not pose any risk to the organization’s ecosystem — without requiring source code access.

The first step in reviewing an app directory application is to validate the application's integration and features, so that the security review can be scoped correctly.

Prerequisites

  • Application Installation/Integration on Platform (with required licenses)
  • User Access

The application is then validated for its core features and functionality and for the data shared between the application and the platform. If external applications are integrated with bidirectional data exchange, the external application or API is also considered in scope for the review. An App Directory Security Review focuses mainly on integration safety: how APIs and SSO (single sign-on) are configured, what permissions the application requests, whether the listed URLs and redirects are safe, and whether the application exposes sensitive data or creates risks for users or the platform.
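As an added illustration of the "listed URLs and redirects" check, the following Python audit is example code written for this page, not a tool from the service described. It takes a constructed set of redirect URIs (all hostnames are hypothetical) that a listed app might register for its OAuth integration, flags registrations a reviewer would reject (plaintext scheme, wildcard hosts, fragment components), and contrasts an exact-match redirect policy with the weaker prefix-match policy that many integrations still use.

```python
from urllib.parse import urlparse

# Constructed sample: redirect URIs a listed app might register for its OAuth
# integration. Hostnames are hypothetical and chosen to exercise each check.
REGISTERED_REDIRECTS = [
    "https://app.example-vendor.com/oauth/callback",   # acceptable
    "http://app.example-vendor.com/oauth/callback",    # plaintext scheme
    "https://*.example-vendor.com/callback",           # wildcard host
    "https://app.example-vendor.com/callback#token",   # fragment not allowed (RFC 6749 3.1.2)
    "http://127.0.0.1:8080/callback",                  # loopback, allowed for native apps (RFC 8252)
]

# Loopback hosts where a plaintext http redirect is tolerated for native apps.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def audit_redirect_uri(uri):
    """Return a list of findings for one registered redirect URI (empty = acceptable)."""
    findings = []
    parts = urlparse(uri)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" and not (parts.scheme == "http" and host in LOOPBACK_HOSTS):
        findings.append("non-https scheme")
    if "*" in parts.netloc or "*" in parts.path:
        findings.append("wildcard in host or path")
    if parts.fragment:
        findings.append("fragment component present")
    if not host:
        findings.append("missing host")
    return findings


def audit_listing(uris):
    """Audit every registered redirect URI; returns {uri: [findings]}."""
    return {uri: audit_redirect_uri(uri) for uri in uris}


def _match_key(uri):
    # Components compared under the exact-match policy. Scheme and host are
    # case-insensitive; path and query must match byte-for-byte.
    p = urlparse(uri)
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port, p.path, p.query)


def redirect_allowed(registered, requested):
    """Exact-match policy: the requested URI must equal a clean registration.
    Registrations that fail the audit are ignored, so a weak entry cannot be used."""
    req = urlparse(requested)
    if req.fragment:
        return False
    req_key = _match_key(requested)
    return any(not audit_redirect_uri(r) and _match_key(r) == req_key for r in registered)


def redirect_allowed_prefix(registered, requested):
    """Weak policy shown for contrast: accepts any URI that merely starts with a
    registered string, so extra path segments or query strings slip through."""
    return any(requested.startswith(r) for r in registered)


if __name__ == "__main__":
    for uri, findings in audit_listing(REGISTERED_REDIRECTS).items():
        print(f"{uri}: {'OK' if not findings else ', '.join(findings)}")
    probe = "https://app.example-vendor.com/oauth/callback/extra"
    print("exact-match allows extra path segment:", redirect_allowed(REGISTERED_REDIRECTS, probe))
    print("prefix-match allows extra path segment:", redirect_allowed_prefix(REGISTERED_REDIRECTS, probe))
```

In a review, the findings from `audit_listing` go straight into the report, and the exact-versus-prefix comparison is what the reviewer verifies against the platform's actual authorization server behaviour: a platform that accepts the `/extra` variant is doing prefix matching and should be reported as such.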

[Diagram: a SaaS company platform (ACME platform with users, finance, messages and sales data) integrated with a third-party application platform through an OAuth integration; app users' data flows between the two via API calls.]

Once the data flows are identified and scoped correctly, the detailed security review is performed following our web application penetration testing methodology.