Overview
You can integrate apps and services with Druva to extend the platform's capabilities and automate workflows. To support these integrations securely, this article outlines a structured app submission workflow and the Druva Marketplace Security Framework, which ensures that all applications follow modern security standards.
App Submission Workflow
The following workflow outlines the steps required for successful submission and approval of integrations to the Marketplace:
Environment Setup: Create your Sandbox and generate API Credentials (Client ID/Secret).
Security Review: Align your App with the Druva Security Framework.
Development: Configure your environment, and build your integration.
Documentation: Prepare architecture diagrams and security docs as per the security requirements checklist.
Validation: Perform functional testing in the Sandbox and conduct secure code scans (SAST/SCA).
Submission: Submit for final Privacy, Legal, and Technical review to integrations-team@druva.com.
App Submission requirements and checklist
The Druva Marketplace Security Framework establishes comprehensive security standards for partner or customer integrations with the Druva platform. This framework ensures that all marketplace applications maintain the highest levels of security, privacy, and compliance while delivering value to Druva customers. The Druva Marketplace Security Framework is structured across four core components:
App Onboarding & Governance
This component ensures that each developer, partner, customer or team clearly defines its scope, baseline security requirements, ownership and responsibilities. All required documentation and initial governance must be completed before building integrations.
Secure Software Development Lifecycle (SSDLC)
The app/integration must follow secure design and coding standards, testing procedures, and deployment pipelines aligned with OWASP (Open Web Application Security Project) standards and modern development, security and operations (DevSecOps) practices.
Privacy, Authorization & Data Protection
Integrations must securely handle and protect sensitive data, use strong authentication mechanisms, and comply with relevant data protection regulations.
Network & Communication Security
The framework requires safeguards for all network-facing components, APIs, and inter-service communication to prevent unauthorized access or data exfiltration.
Based on the above components, the developer is expected to provide evidence for the requirements below when submitting the app. The requirements are classified into two categories:
1. MANDATORY
Requirements that must be met for marketplace approval. Failure to comply may result in rejection of the integration.
2. RECOMMENDED
Strongly encouraged best practices that enhance security posture. While not strictly required for initial approval, these may become mandatory in future framework updates or for specific integration types.
1. Onboarding & Governance
Requirements | Category |
The app/integration must have designated key technical and security contacts, with their details documented. | MANDATORY |
Provide architecture diagram including auth flows, APIs, data paths/flows, integration points, and security controls | MANDATORY |
Declare used services (Druva APIs, SDKs, storage endpoints, etc.) | MANDATORY |
List third-party libraries, software dependencies, and licenses | MANDATORY |
2. Secure Code, SSDLC & API Security
Requirements | Category |
Adhere to secure coding practices: OWASP Top 10, SANS CWE, NIST SSDF, etc. | RECOMMENDED |
Code reviews and static code analysis (SAST) review conducted | MANDATORY |
Software Composition Analysis (SCA) performed to identify vulnerable dependencies | MANDATORY |
Implement error-handling that fails securely (no sensitive information in error messages) | MANDATORY |
Implement positive security models (allowlisting known-safe input); permit only API calls or parameters that are documented, expected, and validated | MANDATORY |
Avoid insecure cryptography and open redirects | MANDATORY |
Implement CSRF protections for state-changing actions | MANDATORY |
Host all client-side code statically or, when loading it from CDNs, apply Subresource Integrity (SRI) checks. | RECOMMENDED |
Store API secrets in secure vaults or environment variables (never in code or logs); rotate API credentials periodically (every 90–180 days) | MANDATORY |
Implement client-side input validation AND API-side server validation (never rely on client-side only) | MANDATORY |
Apply output encoding to prevent client-side and server-side attacks in rendered API data | MANDATORY |
Respect rate limits and retry headers defined by Druva APIs; implement throttling and retry logic to avoid abuse/misuse | RECOMMENDED |
Implement comprehensive logging: log critical actions (timestamped and tamper-resistant) and integration telemetry | MANDATORY |
Implement automated security testing in CI/CD pipeline (SAST, DAST, dependency scanning) | RECOMMENDED |
Prevent Server-Side Request Forgery (SSRF) by validating and restricting outbound connections | MANDATORY |
Implement proper session management with secure timeouts and logout mechanisms | MANDATORY |
Use parameterized queries or prepared statements to prevent SQL/NoSQL injection | MANDATORY |
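As an added example (not Druva's code), the following Python helper applies three rows of the table above to outbound HTTP calls: the positive security model (allowlisted hosts only), SSRF prevention (no literal loopback, private or link-local addresses, no embedded credentials, https only) and error handling that fails securely with a generic message. The allowlisted hostname is a constructed placeholder.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed placeholder: use the API hostnames documented for your Druva
# sandbox or tenant. An allowlist is the positive security model required.
ALLOWED_HOSTS = {"apis.example-druva.test"}


class OutboundRequestError(Exception):
    """Generic failure: the message never echoes the URL or the reason."""


def _is_internal_address(host: str) -> bool:
    """True if host is a literal IP in a loopback, private, link-local,
    reserved, multicast or unspecified range (typical SSRF destinations)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not a literal address
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_outbound_url(url: str) -> str:
    """Return url unchanged if it may be called; otherwise fail securely
    with a generic error (details may be logged internally, never returned)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    try:
        port = parts.port  # ValueError for a non-numeric port
    except ValueError:
        raise OutboundRequestError("outbound request rejected") from None
    allowed = (
        parts.scheme == "https"                        # TLS only
        and not parts.username and not parts.password  # no user:pw@host tricks
        and not _is_internal_address(host)             # e.g. 127.0.0.1, ::1
        and host in ALLOWED_HOSTS                       # allowlisted host only
        and port in (None, 443)                        # default https port only
    )
    if not allowed:
        raise OutboundRequestError("outbound request rejected")
    return url


def is_allowed_outbound_url(url: str) -> bool:
    """Boolean form of the same check for callers that prefer no exception."""
    try:
        validate_outbound_url(url)
        return True
    except OutboundRequestError:
        return False
```

Disable automatic redirect following in the HTTP client (or re-validate every redirect target) so that an allowlisted host cannot bounce the request to a destination this check would have rejected.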
3. Authentication, Authorization & Data Privacy
Requirements | Category |
Use industry-standard protocols for secure delegated access (OAuth 2.0 / OpenID Connect / API tokens) | MANDATORY |
Encrypt data in transit using TLS 1.2 or higher (TLS 1.3 recommended) | MANDATORY |
Encrypt data at rest using AES-256 or equivalent industry-standard encryption | MANDATORY |
Never store or log secrets, access tokens, passwords, or PII in plaintext | MANDATORY |
Implement secure key management with proper key rotation, access controls, and HSM usage where applicable | RECOMMENDED |
Document all sensitive data collected, processed, and stored (PII, tokens, keys, regulated data) with data classification | MANDATORY |
Disclose data storage locations, jurisdictions, and cloud provider details (e.g., AWS, GCP, Azure) | RECOMMENDED |
List all third-party services or sub-processors that receive, process, or store user data | RECOMMENDED |
Mask or tokenize sensitive user data where feasible (e.g., credit cards, SSN) | RECOMMENDED |
Define and document data retention policies and secure deletion procedures | MANDATORY |
Comply with applicable privacy regulations (GDPR, CCPA, HIPAA, etc.) based on user locations and data types | RECOMMENDED |
Implement user consent mechanisms for data collection and processing with granular controls | MANDATORY |
Provide mechanisms for data subject rights (access, rectification, deletion, portability) | RECOMMENDED |
Use cryptographically secure password hashing (bcrypt, Argon2, PBKDF2) with appropriate work factors | MANDATORY |
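As an added example (not Druva's code) of the "never log secrets, access tokens, passwords or PII in plaintext" row above, this Python logging filter redacts bearer tokens, secret-like key/value pairs and e-mail addresses before a record is emitted, so an integration can keep the detailed logging the checklist asks for without writing credentials into it. The key names it matches are assumptions; extend them with your app's own fields.

```python
import logging
import re

# Assumed key names: extend with the fields your own integration uses.
SECRET_KEYS = ("client_secret", "access_token", "refresh_token",
               "password", "api_key", "secret")
_KEY_VALUE = re.compile(
    r"(?i)\b(" + "|".join(SECRET_KEYS) + r")(\"?\s*[:=]\s*\"?)([^\s\"'&,;]+)")
_BEARER = re.compile(r"(?i)\b(bearer\s+)[A-Za-z0-9._~+/=-]+")
_EMAIL = re.compile(r"\b[\w.+-]+@(?:[\w-]+\.)+[\w-]+\b")  # e-mail is PII
MASK = "[REDACTED]"


def redact(text: str) -> str:
    """Mask bearer tokens, secret-like key/value pairs and e-mail addresses."""
    text = _BEARER.sub(lambda m: m.group(1) + MASK, text)
    text = _KEY_VALUE.sub(lambda m: m.group(1) + m.group(2) + MASK, text)
    return _EMAIL.sub("[EMAIL]", text)


class SecretRedactingFilter(logging.Filter):
    """Attach to a handler or logger; sanitises each record in place."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: redact(v) if isinstance(v, str) else v
                           for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(redact(a) if isinstance(a, str) else a
                                for a in record.args)
        return True  # never drop the record, only sanitise it


def sanitised_message(msg: str, *args) -> str:
    """Show the filter end to end: returns what a handler would format."""
    record = logging.makeLogRecord({"msg": msg, "args": args})
    SecretRedactingFilter().filter(record)
    return record.getMessage()
```

Install it with handler.addFilter(SecretRedactingFilter()) on every handler and keep %(asctime)s in the Formatter so records stay timestamped. Pattern-based redaction is a backstop, not a substitute for never passing credentials to the logger in the first place.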
4. Network & Communication Security
Requirements | Category |
Define and implement Content Security Policy (CSP) where JavaScript is embedded | MANDATORY |
Implement secure HTTP headers (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy) | MANDATORY |
Secure update mechanism with code signing (if applicable) | RECOMMENDED |
Post-Approval Requirements & Developer Responsibilities
Once the app is approved on the basis of the security requirements above, you must maintain ongoing compliance with the following requirements:
Guideline | Details |
Marketplace apps must not impact Druva's production environment | No attack paths, data leakage, or privilege escalation allowed |
Sensitive or privileged apps must undergo full security audit | Especially if PII or customer data is processed |
App teams must maintain an escalation and contact process | Shared with Druva Security for rapid incident response |
Patch and vulnerability management must follow SLA | Security flaws must be addressed per predefined timelines |
