Following the recent review of the Operational Security Framework (OSF), DSPANZ, together with the ATO, will begin the first review of the Security Standard for Add-on Marketplaces (SSAM).

The review will consist of a minimum of three ninety-minute workshops across August and September. Following the review, we will aim to host an industry playback session in mid-October. Catch up on the SSAM webinar held at Webinar Week here. Summaries from each of the workshops can be found below.

Purpose of the Review

Since the SSAM was first published in 2019, we have seen an increase in digital activity and therefore a changed threat environment. There have also been changes to the OSF and other industry standards that should be reflected in the SSAM.

Other sectors are also looking at the SSAM's applicability for their own ecosystems. The review will look to assess the gaps between the SSAM and existing standards in other sectors.

Scope of the Review

The review will cover the following areas:

  • Review existing SSAM requirements against new industry practices and/or government market processes
  • Align the SSAM with the updated DSP OSF requirements
  • Assess and review the gap between the SSAM and CDR security requirements
  • Assess and review the gap between the SSAM and e-Invoicing security processes

Working Group Members

Chair - Simon Foster (DSPANZ)
Meeting Host - Matthew Prouse (DSPANZ)
Technical Advisor - Diana Porter (Australian Taxation Office)
Secretary - Maggie Leese (DSPANZ)

DSPs
Bogdana Ilieva (MYOB)
David Field (OZEDI)
David Martin (Intuit)
Erika Villanueva (AssuranceLab)
Estevan Chaves (Sage)
Ian Gibson (DSPANZ)
Mark Anderson (Microsoft)
Michael Wright (Sage)
Paul Murray (AccountKit)
Paul Salcombe (Business Automation Works)
Paul Wenham (AssuranceLab)
Philip Boadi (Class)
Regan Ashworth (Xero)
Rob Cameron (FYI Docs)
Simeon Duncan (Intuit)

Government & Observers
Cristina Blumberg (Treasury)
Karen Spicer (ATO)
Kylie Johnston (ATO)
Maddison Gilmore (ATO)
Maria Gal (ATO)
Michelle Bower (GNGB)
Natalie Plumridge (ACCC)


Working Group Outcomes

Review Report

Following the conclusion of the workshops, we worked to put together a report covering the history of the SSAM, the insights from the surveys and the results from the 2021 review.

You can read the full report here.

Review Survey

During the review, DSPANZ ran two surveys and conducted interviews with developers to better understand the experiences of both DSPs and add-ons when implementing and complying with the API security standards included in the SSAM.

Below is a quick summary of the survey outcomes; you can read more about the survey results here.

Digital Service Provider (DSP)

  • Only 30% had dedicated staff for this work
  • Majority of DSPs process self-assessments manually
  • Spending between $100,000 and $1 million annually on compliance efforts
  • Processing up to 500 security assessments each year
  • Introducing mandatory two-factor authentication (2SA) was challenging

DSPs considered the introduction of consistent ecosystem security requirements to be a positive development that has helped to secure the broader API community. Survey responses focused on communicating security requirements to third-party developers, reviewing security questionnaires, and change management processes with API consumers and end customers. The results showed that the annual review and certification process is very manual for most DSPs.

Add-on

  • 50% of add-ons integrated with four or more different DSPs
  • Completing an average of five security assessments each year
  • 30% had independent ISO 27001 or SOC2 certifications
  • Less than one third used single sign-on provided by a DSP
  • More than 70% built their own 2SA solution
  • Surveys took hours to days to complete
  • 46% took between three and six months to implement the security requirements

API consumers and add-on developers found the introduction of consistent ecosystem security requirements a positive, more so than their DSP counterparts. Responses focused on the technical security requirements, the overlap with existing security certifications, providing the required documentation and change management with customers.
