The aim of these security requirements is to set a consistent standard for consumers of Xero’s APIs and increase the protection of client data. This standard is based on the DSPANZ Security Standard for Add-on Marketplaces.
Implementation considerations
Timeline - When do these requirements apply?
These requirements apply from:
1 July 2020 for those connections in place as at 31 December 2019.
1 January 2020 for all other connections.
Responsibility - Which party needs to undertake a given action and when?
Consumers of the Xero Accounting API, Payroll APIs, Fixed Assets API, Projects API, Files API, Bank feeds API or WorkflowMax API with more than 1,000 connections to small businesses and all consumers of the Xero Practice Manager, Xero HQ, and Xero Tax APIs must provide a completed self-assessment on an annual basis to Xero.
Xero will, as part of their annual certification with government agencies, provide:
a list of the applicable API consumers with more than 1000 small business connections or at least one connection to the Xero Practice Manager, Xero HQ, and Xero Tax APIs
the date the self-assessment has been completed;
confirmation that the self-assessment has been approved by Xero; and
details of any outstanding matters
Non-compliance - What happens if I don’t comply and what opportunities do I have to remediate?
Where a consumer of Xero’s APIs does not adequately comply with these specifications, Xero will issue them written notice giving them 30 days to advise the treatment plan and up to a further 60 days to complete the required work.
1. Encryption Key Management
Ensure effective key management is implemented to protect client data.
Verify that your app meets these requirements for OAuth token management.
OAuth 2.0 must be used. OAuth 1.0a is not compliant with this standard.
OAuth tokens or customer-identifying information must not be exposed within your app (for example in logs, error pages or client-side code) or shared with other parties.
Token management once a user completes the OAuth authorization workflow:
Encrypt the refresh token and store only the ciphertext in persistent storage (for example a database or file); never store it in plaintext.
Encrypt the refresh token with a symmetric algorithm (3DES or AES); AES-128 or greater is preferred. Note that NIST has deprecated 3DES, so new implementations should use AES.
Store your AES key in your app in a separate configuration file, apart from the store that holds the encrypted tokens, readable only by the application’s service account and excluded from source control.
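As an added illustration (not code from Xero or from this standard), the following Go program shows one way to meet the three token-handling points above: the AES-256 key is read from a separate configuration file, the refresh token is encrypted with AES-GCM before it is written to persistent storage, and the tenant identifier is bound to the ciphertext so a stored value cannot be reused for another tenant. The key file path, the function names and the sample tenant and token values are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
	"strings"
)

const keySize = 32 // AES-256

// LoadKey reads a base64-encoded AES-256 key from a configuration file kept
// outside the token store (for example a mounted secret readable only by the
// service account). The path is the caller's choice; nothing here is Xero-specific.
func LoadKey(path string) ([]byte, error) {
	raw, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	key, err := base64.StdEncoding.DecodeString(strings.TrimSpace(string(raw)))
	if err != nil {
		return nil, fmt.Errorf("key file is not valid base64: %w", err)
	}
	if len(key) != keySize {
		return nil, errors.New("key must decode to exactly 32 bytes")
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealToken encrypts a refresh token with AES-256-GCM. The tenant ID is bound
// as associated data, so a ciphertext copied from one tenant's row cannot be
// opened under another tenant's ID. Output is base64(nonce || ciphertext+tag).
func SealToken(key []byte, tenantID, refreshToken string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(refreshToken), []byte(tenantID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// OpenToken reverses SealToken. Any change to the stored value, or a mismatched
// tenant ID, fails authentication and returns an error instead of garbage.
func OpenToken(key []byte, tenantID, stored string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	sealed, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return "", errors.New("stored value too short")
	}
	plain, err := aead.Open(nil, sealed[:ns], sealed[ns:], []byte(tenantID))
	if err != nil {
		return "", errors.New("token decryption failed (tampered or wrong tenant)")
	}
	return string(plain), nil
}

func main() {
	// Stand-alone demo: generate a key in-process instead of reading the config file.
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample values, not a real tenant or token.
	stored, err := SealToken(key, "tenant-123", "example-refresh-token")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", stored)
	tok, err := OpenToken(key, "tenant-123", stored)
	fmt.Println("recovered:", tok, "err:", err)
	_, err = OpenToken(key, "tenant-999", stored)
	fmt.Println("wrong tenant err:", err)
}
```

AES-GCM is an authenticated mode, so a tampered or mismatched value is rejected outright rather than decrypting to garbage. The key file should sit outside the web root and the database, with permissions limited to the service account; rotating the key means re-encrypting the stored tokens under the new one.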
2. Encryption in Transit
Ensure that sensitive client data in your app is protected during the transport process.
TLS version 1.2 or later, using AES-256 or stronger with SHA-256, is mandatory; SSL and TLS 1.0/1.1 must be disabled.
Web application endpoints that receive sensitive customer information and/or authentication tokens in URL parameters must not return HTML content in the HTTP response body. This prevents sensitive customer information from being accidentally leaked to third parties in the HTTP Referer request headers of subsequent requests (any resource or link on such a page would be fetched with the full URL, including its parameters, as the referrer). Instead, the endpoint should respond with a 302 Found redirect to a URL that no longer carries the sensitive parameters. This is particularly important when application endpoints are handling authentication tokens.
3. Authentication
Ensure that users who access your app are authenticated.
Ensure that strong customer authentication is enabled (at minimum two-step authentication or single sign-on). Use of Sign in with Xero is strongly recommended.
4. Indirect access to data
Ensure that unauthorised third-parties are unable to access customer data.
Third-party access to customer data must be clearly stated within applicable policies and/or terms and conditions, and must have a justifiable business need. Note:
Third-party access may include access via an external API, or access to data at rest.
Justifiable business needs may include (but are not limited to) the use of third-party services that are functionally required, for example a third-party biometric service.
5. App server configuration
Ensure that your app server is secure.
Ensure your server’s configuration follows industry-accepted hardening practice, for example:
National Institute of Standards and Technology – Guide to General Server Security
Relevant vendor recommendations
6. Vulnerability management
Ensure that your app is secure against common vulnerabilities.
Follow an industry-accepted standard for secure code development, such as the OWASP Top 10, to protect against vulnerabilities such as:
Cross-Site Request Forgery
Cross-Site Scripting (including reflected and stored cross-site scripting)
SQL Injection
XML Injection
Broken authentication, session management and function-level access control (where your app implements these)
Unvalidated forwards or redirects (any forwards or redirects in use must validate their target)
All app session cookies have the Secure and HttpOnly attributes set.
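The following Go handler is an added example (not from Xero or from this standard) that brings together the section 2 requirement for endpoints receiving codes or tokens in URL parameters, the Cross-Site Request Forgery item above, and the session cookie rule: the OAuth callback checks the state parameter against a value issued at login, sets the session cookie with Secure and HttpOnly, and replies with a 302 that carries no HTML body. The token-exchange function, the cookie names and the redirect paths are assumptions made for the example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// redirectNoBody answers with a 302 whose only payload is the Location header.
// Go's http.Redirect would otherwise write a small HTML body on GET requests,
// which is exactly what the requirement rules out on endpoints that see codes
// or tokens in the URL.
func redirectNoBody(w http.ResponseWriter, target string) {
	w.Header().Set("Location", target)
	w.Header().Set("Referrer-Policy", "no-referrer") // harmless extra hardening
	w.WriteHeader(http.StatusFound)
}

// CallbackHandler serves the OAuth 2.0 redirect URI. The authorization code and
// state arrive as query parameters, so every response is a bodiless 302 to a
// clean URL. exchange stands in for the real token-exchange call to the
// provider's token endpoint (hypothetical, injected so this runs offline); it
// returns the app's own session ID once the tokens have been stored.
func CallbackHandler(exchange func(code string) (sessionID string, err error)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		code, state := q.Get("code"), q.Get("state")

		// CSRF defence for the login flow: state must equal the value issued when
		// the flow started, kept here in a short-lived "oauth_state" cookie.
		stateCookie, err := r.Cookie("oauth_state")
		if err != nil || code == "" || state == "" ||
			subtle.ConstantTimeCompare([]byte(stateCookie.Value), []byte(state)) != 1 {
			redirectNoBody(w, "/login?error=invalid_state") // failures redirect too
			return
		}
		sessionID, err := exchange(code)
		if err != nil {
			redirectNoBody(w, "/login?error=exchange_failed")
			return
		}

		// Session cookie with Secure and HttpOnly; SameSite=Lax is added as
		// further CSRF hardening.
		http.SetCookie(w, &http.Cookie{
			Name: "session", Value: sessionID, Path: "/", MaxAge: 3600,
			Secure: true, HttpOnly: true, SameSite: http.SameSiteLaxMode,
		})
		// The one-shot state cookie has done its job.
		http.SetCookie(w, &http.Cookie{
			Name: "oauth_state", Value: "", Path: "/", MaxAge: -1, Secure: true, HttpOnly: true,
		})
		// The target URL carries neither the code nor any token.
		redirectNoBody(w, "/dashboard")
	})
}

// Simulate runs one request through the handler and returns the recorded
// response, so the behaviour can be checked without a listening socket.
func Simulate(h http.Handler, rawURL, stateCookie string) *httptest.ResponseRecorder {
	req := httptest.NewRequest(http.MethodGet, rawURL, nil)
	if stateCookie != "" {
		req.AddCookie(&http.Cookie{Name: "oauth_state", Value: stateCookie})
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec
}

func main() {
	// Constructed values; "abc123" is not a real authorization code.
	h := CallbackHandler(func(code string) (string, error) { return "sess-" + code, nil })
	rec := Simulate(h, "/callback?code=abc123&state=xyz", "xyz")
	fmt.Println(rec.Code, rec.Header().Get("Location"), "body bytes:", rec.Body.Len())
	for _, c := range rec.Header().Values("Set-Cookie") {
		fmt.Println("Set-Cookie:", c)
	}
	rec = Simulate(h, "/callback?code=abc123&state=forged", "xyz")
	fmt.Println(rec.Code, rec.Header().Get("Location"))
}
```

The point worth checking in any framework is the one the simulated requests exercise: the success and failure paths both answer with an empty-bodied 302 whose Location omits the code, state and any token, and the session cookie is only ever issued with Secure and HttpOnly set.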
7. Encryption at rest
Ensure that sensitive client data in your app is protected while at rest.
Encryption at rest using NIST Cryptographic Mechanisms is mandatory for data repositories that hold or manage sensitive commercial or personal information. Examples include full-disk, container, application-level or database-level encryption.
We define sensitive commercial or personal information as information which if disclosed could cause harm to the individual or organisation.
Examples include:
Personal - date of birth, tax file number, address, income, biometric, credit history etc.
Commercial - financial, transactions, accounts, trade secrets etc.
8. Audit logging
Ensure appropriate audit logging functionality is implemented and maintained.
Audit logging should include both application-level access logs and event-based actions. You should consider your environment and what logging should be implemented, and ensure that the logging records include the following where applicable:
Date and time of the event
Relevant user or process
Event description
Success or failure of the event
Event source e.g. application name
ICT equipment location and identification
Audit logs must be retained for as long as appropriate to enable future investigation; in most cases logs should be kept for a minimum of one year. Logs must be immutable and secure: they must be protected from modification or deletion by the application and by its operators, so that an attacker who compromises the app cannot erase the record of what they did.
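As an added example (not from Xero or from this standard), the Go code below records the fields listed above as JSON and chains each record to the previous one with SHA-256, so any edit, reorder or deletion of a stored record is detectable. The field names, the sample events and the host names are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// AuditEvent carries the fields the requirement lists. Host stands in for
// "ICT equipment location and identification".
type AuditEvent struct {
	Time     string `json:"time"`      // date and time, RFC 3339 in UTC
	Actor    string `json:"actor"`     // relevant user or process
	Action   string `json:"action"`    // event description
	Outcome  string `json:"outcome"`   // "success" or "failure"
	Source   string `json:"source"`    // event source, e.g. application name
	Host     string `json:"host"`      // equipment location and identification
	PrevHash string `json:"prev_hash"` // hash of the preceding record, "" for the first
	Hash     string `json:"hash"`      // SHA-256 of this record with Hash left empty
}

// AuditLog is an append-only, hash-chained list of events. Each record commits
// to its predecessor, so editing, reordering or deleting an entry breaks every
// later link and is caught by Verify.
type AuditLog struct {
	Records []AuditEvent
}

// hashRecord returns the hex SHA-256 of the record's JSON encoding with the
// Hash field blanked. Struct field order fixes the encoding, so equal records
// hash equally.
func hashRecord(e AuditEvent) string {
	e.Hash = ""
	b, err := json.Marshal(e)
	if err != nil {
		panic(err) // cannot happen for a struct of strings
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append links the event to the current tail, seals it and stores it.
func (l *AuditLog) Append(e AuditEvent) AuditEvent {
	e.PrevHash = ""
	if n := len(l.Records); n > 0 {
		e.PrevHash = l.Records[n-1].Hash
	}
	e.Hash = hashRecord(e)
	l.Records = append(l.Records, e)
	return e
}

// Verify re-walks the chain and returns the index of the first record that
// fails (bad hash or broken link), or -1 if the log is intact.
func (l *AuditLog) Verify() int {
	prev := ""
	for i, e := range l.Records {
		if e.PrevHash != prev || hashRecord(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// Lines renders the log as JSON Lines, the form in which it would be shipped
// to write-once storage.
func (l *AuditLog) Lines() []string {
	out := make([]string, 0, len(l.Records))
	for _, e := range l.Records {
		b, _ := json.Marshal(e)
		out = append(out, string(b))
	}
	return out
}

func main() {
	var audit AuditLog
	now := time.Now().UTC().Format(time.RFC3339)
	// Constructed sample events, not from any real system.
	audit.Append(AuditEvent{Time: now, Actor: "alice@example.com", Action: "login", Outcome: "success", Source: "ledger-sync", Host: "web-01.syd"})
	audit.Append(AuditEvent{Time: now, Actor: "alice@example.com", Action: "export invoices tenant-123", Outcome: "success", Source: "ledger-sync", Host: "web-01.syd"})
	audit.Append(AuditEvent{Time: now, Actor: "worker", Action: "refresh token tenant-123", Outcome: "failure", Source: "ledger-sync", Host: "worker-02.syd"})
	for _, line := range audit.Lines() {
		fmt.Println(line)
	}
	fmt.Println("intact:", audit.Verify() == -1)
	audit.Records[1].Action = "export invoices tenant-999" // tamper with a stored record
	fmt.Println("first bad record:", audit.Verify())
}
```

Hash chaining gives tamper evidence, not immutability on its own: the exported lines still need to land in storage the application cannot rewrite (a write-once bucket or a separate log service reached with append-only credentials), and the verifier should run against a copy of the log held outside the application's reach.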
9. Data hosting
Ensure client data is not hosted in high risk areas.
Consideration needs to be given to country, legal, contractual, access, sovereignty and counter-party risks.
10. Security monitoring practices and breach reporting
Ensure you have security monitoring practices in place to detect and manage threats.
You need to be able to demonstrate that you scan your environment for threats and that you take appropriate action where you detect anomalies. Monitoring can be at the network/infrastructure layer, the application layer or the transaction (data) layer.
Where anomalies are detected you must report these to Xero, providing enough information to enable further monitoring and/or preventative action.