You don't need to look far to find examples of tech companies getting their hands slapped for mishandling user data. Oftentimes the company itself has done nothing nefarious with the data, but through an act of negligence, a third party is able to get access to it and misuse it. In today's world, data is gold, and where there is gold, there are thieves.
Atlassian takes the responsibility of safeguarding user data very seriously. We have a number of compliance certifications in place today, and we continue to make concerted investments in this area. The high standards we have for our products extend to our ecosystem; we expect the third-party developers who create apps for customers to install in their Atlassian products to take this responsibility seriously as well.
Given our large customer base and the built-in infrastructure of the Atlassian Marketplace, there are tremendous opportunities for budding entrepreneurs to build businesses on top of Atlassian. But when you're starting a new venture with limited resources, how can you possibly be expected to build your product AND keep up with all the new security threats that are discovered every day? Atlassian has an Ecosystem Security (EcoSec) team for just this purpose.
The EcoSec team is building programs to make it easy for our Marketplace partners listing commercial apps to build them securely from the start and also set them up for future success. This is a win-win for developers because it offloads some of the legwork required to stay on top of security best practices, and in doing so it unlocks potential customers who won't consider purchasing software that hasn't been run through some sort of risk and compliance gauntlet.
In this blog, we'll take a look at a few of the things the EcoSec team is doing to turn our approach to security into formal programs.
Minimum requirements and certifications
When it comes to software that runs outside of the user's four walls, security becomes exponentially more important because of the inherent risk associated with sending information over the internet. That's why the EcoSec team created a minimum set of security requirements that all cloud apps must adhere to while being listed on the Atlassian Marketplace. These requirements address common root causes of security breaches and take the guesswork out of how to be reasonably sure that your app is secure while you are building it. Additionally, Atlassian has set SLAs for security issues to be fixed, which vary depending on the severity of the issue. This allows Marketplace partners to easily prioritize which issues should be fixed first after they have been identified.
A step beyond these minimum requirements is our cloud security self-assessment program. The program includes completing the "lite" version of an industry standard self-assessment questionnaire called CAIQ. (CAIQ Lite is 73 questions long, whereas CAIQ is 300+.) These questions are intended to identify areas for improvement with regard to data security best practices. For example, do you have a disaster recovery plan in case the servers where you host the data are destroyed? How long will it take to recover the data? The program also includes access to a platform called Whistic, which provides an easy way to interact with the questionnaires, along with additional support in interpreting what the questions mean to prospective customers. It can also be used as a way to communicate your compliance certifications to your current and prospective customers. As a bonus, Atlassian pays for Whistic on behalf of all Marketplace partners in the program.
As we mentioned before, certain prospective buyers will require any software they purchase to go way beyond the basics in terms of security. This is where pass/fail certifications come in, such as SOC2 Type 2 and ISO 27001, which are industry standard for SaaS companies. These types of certifications are granted by independent agencies and ensure that the company is held to the highest standards with respect to privacy, security, confidentiality, processing integrity, and availability. It should be noted that these certifications are not easy to get; if they weren't, the certification wouldn't be worth much. But they are essential to landing those enterprise customers we talked about earlier. Also, if you're vying for a government contract, be prepared to go through separate and additional hurdles specific to the regional authority, such as FedRAMP in the United States.
Bug bounty program
Even if you do all the right things from a security perspective while planning and building your app, no software is 100% bulletproof once it's in production. The reality is that incidents can and often do happen.
One of the most effective ways to increase the security of your app is to participate in a bug bounty program. Bug bounties offer cash incentives to security researchers who find and report vulnerabilities to the participating software company. The greater the potential risk of the vulnerability reported, the greater the payout. This model of outsourcing is particularly cost-effective because instead of paying full-time engineers to find these bugs, you as a company only pay when an exploitable vulnerability has been discovered. The beauty of Atlassian Marketplace's bug bounty program is that, as with Whistic, Atlassian pays the platform fees to Bugcrowd for all participating ecosystem developers, saving even more $$$.
The EcoSec team started the Marketplace bug bounty program as a trial in July 2019 with four Marketplace partners participating. Tempo, who has been in our ecosystem for many years, was one of the pilot participants in the program. They have a complex architecture which supports not only Atlassian Marketplace apps, but mobile apps, a Chrome extension, and integrations with other services like Google Calendar and Office 365 Calendar. They said of the program, “This has been a great opportunity to work with Atlassian to improve cloud security as it reveals wrong configurations, misalignment between systems, and bugs. It’s made our products better and safer.”
In just six months, the bug bounty program identified 277 vulnerabilities across 32 Marketplace apps with an average reward of $480.82 per vulnerability reported. That's 277 issues identified before customers were impacted! On the heels of this overwhelming success, the EcoSec team has opened up the program to all Marketplace partners and is rolling it into the requirements for being a Silver, Gold, and Platinum Marketplace Partner, along with the above-mentioned self-assessment program. All apps, whether for cloud, server, or Data Center, can be listed in the bug bounty. Adaptavist, another participant in the pilot program, has a bit of advice for those looking to join the program: "Make sure you spend enough time on your scope to determine what is in and out of scope. Spending that effort will guide the security researchers and Bugcrowd engineers so they don't need to rely as much on your engineers."
If you want even more detail about the thinking that went into these programs, check out this talk at AppSec California by Hari and Jana from the EcoSec team.
Whether you’re building your first app or looking for ways to increase adoption of your existing app on Atlassian Marketplace, investing in its security can have a big payout in the end. Our Ecosystem Security team is continuing to evolve our programs to ensure that the work you do in this arena is reflected in your Marketplace listings, helping you stand out in the crowd of other apps. Let us guide you!