Following the recent review of the Operational Security Framework (OSF), DSPANZ, together with the ATO, will begin the first review of the Security Standard for Add-on Marketplaces (SSAM).
The review will consist of a minimum of three ninety-minute workshops across August and September. Following the review, we will aim to host an industry playback session in mid-October. Catch up on the SSAM webinar held at Webinar Week here.
Summaries from each of the workshops can be found below.
Purpose of the Review
Since the SSAM was first published in 2019, we have seen an increase in digital activity and therefore a changed threat environment. There have also been changes to the OSF and other industry standards that should be reflected in the SSAM.
Other sectors are also looking at the SSAM's applicability for their own ecosystems. The review will look to assess the gaps between the SSAM and existing standards in other sectors.
Scope of the Review
The review will cover the following areas:
- Review existing SSAM requirements against new industry practices and/or government market processes
- Align the SSAM with the updated DSP OSF requirements
- Assess and review the gap between the SSAM and CDR security requirements
- Assess and review the gap between the SSAM and e-Invoicing security processes
Working Group Members
Chair - Simon Foster (DSPANZ)
Meeting Host - Matthew Prouse (DSPANZ)
Technical Advisor - Diana Porter (Australian Taxation Office)
Secretary - Maggie Leese (DSPANZ)
| DSPs | Government & Observers |
|---|---|
| Bogdana Ilieva (MYOB), David Field (OZEDI), David Martin (Intuit), Erika Villanueva (AssuranceLab), Estevan Chaves (Sage), Ian Gibson (DSPANZ), Mark Anderson (Microsoft), Michael Wright (Sage), Paul Murray (AccountKit), Paul Salcombe (Business Automation Works), Paul Wenham (AssuranceLab), Philip Boadi (Class), Regan Ashworth (Xero), Rob Cameron (FYI Docs), Simeon Duncan (Intuit) | Cristina Blumberg (Treasury), Karen Spicer (ATO), Kylie Johnston (ATO), Maddison Gilmore (ATO), Maria Gal (ATO), Michelle Bower (GNGB), Natalie Plumridge (ACCC) |
Working Group Outcomes
- Review Session 1 Summary & Outcomes
- Review Session 2 Summary & Outcomes
- Review Session 3 Summary & Outcomes
Review Report
Following the conclusion of the workshops, we worked to put together a report covering the history of the SSAM, the insights from the surveys and the results from the 2021 review.
You can read the full report here.
Review Survey
During the review, DSPANZ ran two surveys and conducted interviews with developers to better understand the experiences of both DSPs and add-ons when implementing and complying with the API security standards included in the SSAM.
Below is a quick summary of the survey outcomes and you can read more about the survey results here.
Digital Service Provider (DSP)
- Only 30% had dedicated staff for this work
- Majority of DSPs process self-assessments manually
- Spending between $100,000 and $1 million annually on compliance efforts
- Processing up to 500 security assessments each year
- Introducing mandatory two-factor authentication (2SA) was challenging
DSPs considered the introduction of consistent ecosystem security requirements to be a positive development that has helped to secure the broader API community. Survey responses focused on communicating security requirements to third-party developers, reviewing security questionnaires, and change management processes with API consumers and end customers. The results showed that the annual review and certification process is very manual for most DSPs.
Add-on
- 50% of add-ons integrated with four or more different DSPs
- Completing an average of five security assessments each year
- 30% had independent ISO 27001 or SOC2 certifications
- Less than one third used single sign-on provided by a DSP
- More than 70% built their own 2SA solution
- Surveys took hours to days to complete
- 46% took between 3 and 6 months to implement the security requirements
API consumers and add-on developers found the introduction of consistent ecosystem security requirements a positive, more so than their DSP counterparts. Responses focused on the technical security requirements, the overlap with existing security certifications, providing the required documentation, and change management with customers.