New Marketplace Security Requirements Are Now in Effect


Several months ago, we announced new security requirements for cloud apps, which take effect today (October 31). As of today, all Marketplace apps and Trello Apps (Power-Ups) are expected to meet the new requirements.

Maintaining a secure Marketplace is a collective effort, shared by Atlassian and partners. The new requirements reflect the most current best practices for building secure apps and provide platform-specific guidance. They set Atlassian's baseline standard for cloud app security, and will be updated annually to ensure alignment with industry standards.

The new requirements apply across five categories: Authentication & Authorization, Data Protection, Application Security, Privacy, and Vulnerability Management. They benefit both developers and customers by providing guidelines for building secure apps and elevating the trust posture of our cloud ecosystem.

Read on to find out more about the changes that take effect today, and how we will validate that apps are following security requirements moving forward.

Recap of what changed last quarter

As a reminder, the following section recaps what changed with the most recent update to the security requirements.

  1. We’ve added several new security requirements to make best practices standard for all cloud Marketplace apps. These include, but are not limited to, exercising the principle of least privilege by not requesting more data access or permissions than your app needs, and validating all untrusted data. Check this page to see all new additions.
  2. We’ve updated all requirements. We’ve refreshed all requirements to bring them in line with the latest industry recommendations. The updates are extensive, so we recommend reading over the docs carefully.
  3. We’ve organized requirements into 5 categories, to reflect the important areas developers should be thinking about: Authentication and Authorization, Data Protection, Application Security, Privacy, and Vulnerability Management.
  4. We’ve added sections for different development platforms to show how implementation details differ depending on your use case.
  5. We've added platform-specific requirements to make it easy for developers to understand which security requirements may be partially or fully met by the platform they build with, as well as any additional steps that may be needed to meet a given requirement. We've also included Trello apps (Power-Ups) in the cloud app security requirements for the first time, rather than covering them under a separate policy.

Validating security requirements

In order to validate that apps are meeting security requirements, we are launching new security scanners and performing new security tests. These validation activities uplevel trust in the Marketplace, protect customers, and help partners focus on security activities deemed important by Atlassian.

Scanning

Today, the Ecoscanner platform performs security checks across all Connect cloud apps on a daily basis to help determine if these apps are meeting our requirements.

In the next few weeks, we will be expanding this platform to perform security checks across all Forge apps, as well. These scanners will test for a subset of our requirements. Additionally, these scanners will automatically scan the latest version of each Forge app.

With this announcement, Atlassian is launching and open sourcing a new tool called the Forge Security Requirement Tester (FSRT). We decided to open source our scanners to let partners know how they work and what we’re checking for, and to make sure we’re setting clear and actionable expectations.

This tool will scan Forge apps for missing security requirements similar to the way the Connect Security Requirement Tester (CSRT) scans Connect apps for missing security requirements. The Ecosystem Security team will continue to maintain, grow, and open source new functionality for both CSRT and FSRT with the goal of validating each security requirement for every app. It is important to note that we cannot open source each scanner that we use for Marketplace apps since we license some scanners ourselves; but we will open source everything that we can.

The following tables outline which requirements CSRT covers today, and which requirements FSRT will cover when it launches in the next few weeks.

Connect Security Requirement Tester (CSRT)

| Requirement Number | Description | Severity |
|---|---|---|
| 3 | The application must use TLS to encrypt all of its traffic, and TLS version 1.2 (or higher) is required. | High |
| 3 | HSTS must be enabled with a minimum age of at least one year. | Medium |
| 6.1 | An application must maintain control of each domain. | Critical |
| 6.2 | An application owner must maintain valid TLS certificates of the domains where an application is hosted, and the domain must be signed by a trusted Certificate Authority. | High |
| 6.3 | An application's DNS configuration for subdomains must reference services that are in use. | Critical |
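
A self-check for the two requirement 3 rows above, as an added example (it is not CSRT's code and does not come from Atlassian). It follows the HSTS header grammar in RFC 6797; the function names and the `probe` helper are assumptions made for this illustration.

```python
import http.client
import re

ONE_YEAR = 31_536_000                  # 365 days in seconds (the table's minimum age)
ACCEPTED_TLS = {"TLSv1.2", "TLSv1.3"}  # names as returned by SSLSocket.version()

def parse_hsts(value):
    """Parse one Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns {directive: value-or-None}, or None if a directive is repeated."""
    directives = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        name, val = name.strip().lower(), val.strip()
        if not name:
            continue                   # empty directives are permitted
        if name in directives:
            return None                # a repeated directive invalidates the header
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]            # values may be quoted-strings
        directives[name] = val if sep else None
    return directives

def check_hsts(header_values):
    """header_values: every Strict-Transport-Security value in one response."""
    if not header_values:
        return (False, "header missing")
    parsed = parse_hsts(header_values[0])  # browsers honour only the first field
    if parsed is None:
        return (False, "repeated directive")
    max_age = parsed.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return (False, "max-age missing or malformed")
    if int(max_age) < ONE_YEAR:
        return (False, f"max-age {max_age} is under one year")
    return (True, "ok")

def check_tls(version):
    return version in ACCEPTED_TLS

def probe(host, port=443, timeout=10):
    """Live check (needs network). Certificate validation is on by default, so an
    expired or untrusted certificate raises ssl.SSLCertVerificationError."""
    conn = http.client.HTTPSConnection(host, port, timeout=timeout)
    try:
        conn.connect()
        version = conn.sock.version()  # negotiated protocol, e.g. "TLSv1.3"
        conn.request("HEAD", "/")
        found = conn.getresponse().headers.get_all("Strict-Transport-Security")
    finally:
        conn.close()
    return check_tls(version), check_hsts(found or [])
```

`probe` reports only the protocol version negotiated with this client; confirming that a server refuses TLS 1.0 and 1.1 needs a separate handshake capped at those versions.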

Forge Security Requirement Tester (FSRT)

| Requirement Number | Description | Severity |
|---|---|---|
| 1 | An application must authenticate and authorize every request on all endpoints exposed. | High |
| 5 | An application must securely store and manage secrets, which include OAuth tokens, Trello tokens, sharedSecret, API keys, and encryption keys. They cannot be stored in places that are easily accessible. | High |
| 9 | An application must not use versions of third-party libraries and dependencies with known critical or high vulnerabilities. When vulnerabilities in these libraries and dependencies are discovered, an application owner must remediate them as quickly as possible. | High/Critical* |

*This depends on the specific vulnerability

REQUIREMENT NUMBER: These numbers correspond to the numbers outlined in the security requirement for cloud apps documentation.

SEVERITY: Atlassian scores vulnerabilities associated with each security requirement. The severity indicates the timeframe for resolution associated with each vulnerability, which you can learn more about by reading our Security Bug Fix Policy for Marketplace Apps documentation.

Testing

In addition to new scanners, we'll also be introducing security tests performed by Atlassian on both Connect and Forge apps to ensure that apps are maintaining strong security practices. We are performing security tests to expand our coverage and validation of the security requirements by testing for requirements and common vulnerabilities that we currently do not scan for.

During these tests, we will evaluate whether apps are meeting our security requirements, maintaining healthy and active bug bounty programs, and eliminating common vulnerabilities. Apps will be selected at random for security tests. As a reminder, apps are encouraged, but not required, to have a Marketplace Security Bug Bounty Program.

As always, vulnerabilities discovered through scanning and testing will be reported in Atlassian's Marketplace Security (AMS) Jira Project. Partners are required to address all vulnerabilities and will be expected to meet the Security Bug Fix Policy For Marketplace Apps. If Atlassian determines that a partner's bug bounty program(s) is not meeting expectations or effectively promoting researcher activity, we will reach out to that partner directly.

Prioritizing customer trust

There are multiple practices and programs that go into building trustworthy apps, and meeting security requirements for cloud applications is an important first step. We know that as a partner you have your hands full with running a business and supporting customers amongst many other responsibilities, but we are here to help support your efforts to keep apps and customer data secure. If you ever have questions about vulnerabilities, comment on your AMS ticket and one of our Security Engineers will provide support.

Timing and next steps

The security tests outlined above will begin immediately. In addition, we are planning to launch FSRT in the next few weeks so that you can run scans yourself before we start ticketing in Atlassian Marketplace Security (AMS).

Make sure you're meeting our security requirements for cloud applications, and be ready to respond to new tickets in AMS.

We’ve compiled a list of common questions on the FAQs page. If you have additional questions about how the security requirements apply to specific scenarios, or you would like to request an exception due to extenuating circumstances, please file an ECOHELP ticket.

Thank you to all of our partners who provided feedback on our new security requirements and are helping to contribute to a Marketplace that upholds app security and customer trust through our shared responsibility model. We're happy to listen to any feedback and answer your questions in the developer community.