App Security Charter

Why an App Security Charter?

We think it is important that an App is designed in such a way that it can guarantee a certain level of security.

That's why Akeneo asks each partner wishing to certify their App to sign our App Security Charter.

Content of the App Security Charter

By signing this charter, the App partner commits that they have understood and applied the recommendations given under each of the following security criteria:

1- PIM access scope

Context:

As described in the Akeneo App documentation on "Authorization and authentication scopes", an App proposes to the PIM user the permissions it needs to work properly.

Commitment:

The App owner commits to offering the PIM user only the PIM permissions the App needs to work properly (no unused access granted).

2- OAuth 2 security

Context:

As explained in the Akeneo App documentation on the OAuth 2.0 protocol, the protocol requires careful management of the security information issued by the App Store.

Commitment:

The App owner commits to storing the “OAuth 2.0 client credentials” delivered by the App Store (client_secret) and the “access token” securely, and to making every effort to ensure that no third party can retrieve this information.

3- Hosting

Context:

The App owner is responsible for the App hosting.

Commitment:

The App owner commits to checking that the App hosting service prevents any unwanted access to the App.

4- Code

Context:

The App owner is responsible for the App code and for its code dependencies and external libraries.

Commitments:

  • The App owner commits to making every effort to ensure that the App's code does not contain any security vulnerabilities.
  • The App owner commits to keeping the external libraries used by the App (not owned by the App owner) updated to the latest maintained version.
  • The App owner commits to fixing, in the shortest possible time, any security vulnerability reported to them.

5- PIM data fair usage

Context:

An App with access to PIM data through the API can make unwanted modifications to that data.

Commitment:

The App owner commits to performing sufficient testing to avoid unwanted changes to PIM data that could result in product data corruption.

6- API fair usage

Context:

An App with access to PIM data through the API can place unwanted load on the PIM.

Commitment: