The Guardian SecureApp™ Scheme applies to digital products and services that are primarily software-based and exposed through web, SaaS or API interfaces. The Scheme is structured into three modules, which can be applied individually or in combination, and certification is granted at one of three assurance levels based on the risk profile of the product.
Products and services eligible for certification fall into one or more of the following categories:
Module A – Web Application Security
Browser-based or web-fronted applications accessed by end-users, administrators, partners or other stakeholders over HTTP/HTTPS or equivalent protocols.
Typical security controls emphasised: input validation, authentication and session management, access control, secure communication, output encoding, protection against common web attacks (e.g. injection, XSS), secure configuration, error handling and logging.
Examples include:
Module B – SaaS / Multi-Tenant Platform Security
Hosted, subscription-based services delivered over the internet, typically operating on a multi-tenant or logically partitioned architecture.
Typical security controls emphasised: tenant isolation and segregation, access provisioning and identity management, data-at-rest and in-transit protection, change and release management, backup and recovery, monitoring and incident handling.
Examples include:
Module C – API / Microservices Security
Programmatic interfaces and microservices exposed for internal or external consumption, including REST, GraphQL, gRPC or similar API styles, service meshes and internal service-to-service communications.
Typical security controls emphasised: authentication and authorisation for APIs, input/output validation, rate limiting and abuse prevention, secure API gateways, protection against OWASP API Security Top 10 issues, secure inter-service communication, logging and traceability at service level.
Examples include:
Hybrid or integrated solutions that include elements of more than one module (e.g. a SaaS platform with exposed APIs and a web admin console) may be certified under multiple modules. The Scheme permits:
- A single module at a defined assurance level (e.g. Module A – Level 1);
- Multiple modules at the same assurance level (e.g. Modules A+B – Level 2);
- Multiple modules at different assurance levels where justified by the risk profile (e.g. Module A – Level 2, Module C – Level 3).
For multi-module certifications, the certificate and public directory entry clearly indicate all modules and assurance levels granted.
Certification under each module is granted at one of three assurance levels, which define the minimum depth of evaluation and strength of evidence required:
| Assurance Level | Intended Use Cases | Evaluation Emphasis |
|---|---|---|
| Level 1 – Basic Assurance | Lower-risk applications: informational sites, internal tools, non-sensitive data, limited public exposure | Verification of baseline security controls; high-level vulnerability assessment and configuration review; limited sampling and testing depth |
| Level 2 – Enhanced Assurance | Medium-risk applications: business-critical applications, authenticated user access, moderate sensitivity of data and transactions | Structured testing against OWASP ASVS and/or OWASP API controls; review of secure development lifecycle (SDL/SDLC) practices; verification of vulnerability management, patching and logging |
| Level 3 – High Assurance | High-risk applications: high-value or regulated transactions, highly sensitive or safety-critical information, significant business or societal impact | In-depth technical testing including targeted penetration testing; detailed review of threat modelling; extensive sampling; strong evidence of mature SDL/SDLC and formal vulnerability management |
Each certificate issued under the Scheme includes a clear and unambiguous scope statement specifying, at a minimum:
- Product or service name, version / release family, or other unique identifier;
- The applicable module(s) (Module A, B and/or C);
- The assurance level granted (Level 1, 2 or 3);
- The main security-relevant functionalities and components included in the evaluation;
- The intended deployment model and exposure (e.g. internet-facing, intranet-only, partner network);
- Any significant exclusions, assumptions or limitations.
The Scheme does not by itself provide certification of:
- Underlying cloud or data-centre infrastructure as a whole (e.g. IaaS providers), except where explicitly included in the scope;
- General organisational management systems (e.g. ISO/IEC 27001, ISO 9001), unless explicitly incorporated into the product scope;
- Purely physical products without a security-relevant digital component;
- Services where the applicant has no effective control over the design, configuration or operation of the security-relevant components.
The technical security requirements against which products are evaluated are derived from the following publicly available, non-proprietary standards:
Standards and Frameworks Applied within the Scheme
| Standard / Framework | Application within the Scheme |
|---|---|
| OWASP ASVS (Application Security Verification Standard) | Primary criteria for web applications and SaaS front-ends (Modules A and B) |
| OWASP API Security Top 10 | Primary criteria for APIs and microservices (Module C) |
| OWASP Top 10 | Minimum baseline for all internet-exposed components across all modules |
| NIST Cybersecurity Framework | Secure development, vulnerability management, logging, monitoring and incident handling |