Last updated Nov 4, 2019

Security guidelines for Marketplace apps

At Atlassian, our goal is to create a high level of trust and security in the Marketplace among our users. Therefore, to improve the security of your Marketplace apps, we have created these recommended guidelines and best practices.

Authentication and authorization

  • Authenticate all requests. For Connect apps, use JWT-based authentication.
  • Follow the principle of least privilege when requesting scopes for your app: ask only for the scopes it actually needs.
  • Verify authorization on every request. For Connect apps, decode and verify the JWT on every incoming request from Atlassian products: check the signature against the shared secret of the installation named by the iss claim, the expiry, and the query string hash (qsh), which binds the token to one specific request. See Understanding JWT for Connect apps for more details.

Input validation and output encoding

  • Treat all user input as unsafe and untrusted. Validate and sanitize all input.
  • Encode all output for the context it is written into (HTML body, attribute value, inline JavaScript, URL), so that data is treated as data and not as code. Each browser context has its own encoding; an HTML-encoded value is still dangerous inside a script block.
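Context-specific encoding and allowlist validation side by side, as an added example that is not part of the original page. The issue-key pattern is an assumed Jira-style shape used only for illustration, and the rendered fragment is constructed for the example.

```javascript
// Added example (not from the original page): encode untrusted data for the context it lands in.
// One encoder per context; the wrong encoder for a context is as bad as none.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// HTML body text and double-quoted attribute values.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Data embedded in an inline <script>: JSON, with the characters that could close the script
// element or act as JS line terminators replaced by JSON escape sequences (still valid JSON).
function encodeForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// A single path segment or query value in a URL.
const encodeForUrl = (value) => encodeURIComponent(String(value));

// Validation is the other half: data with a known shape is checked against an allowlist
// before use. Assumed Jira-style key shape, for illustration only.
const ISSUE_KEY = /^[A-Z][A-Z0-9_]{1,9}-\d{1,9}$/;
function validateIssueKey(value) {
  if (typeof value !== 'string' || !ISSUE_KEY.test(value)) throw new Error('invalid issue key');
  return value;
}

// Renders a fragment in which the same untrusted summary appears in three different contexts.
function renderIssueCard(issueKey, summary) {
  const key = validateIssueKey(issueKey);
  return [
    `<div class="card" data-key="${encodeForHtml(key)}" title="${encodeForHtml(summary)}">`,
    `  <a href="/browse/${encodeForUrl(key)}">${encodeForHtml(summary)}</a>`,
    `  <script>showCard(${encodeForScript({ key, summary })});</script>`,
    '</div>',
  ].join('\n');
}
```

Note that the script context does not use the HTML encoder: `&lt;` inside a script block is just text to the JavaScript parser, while a literal `</script>` inside a JSON string would end the element. Escaping `<` as `\u003c` keeps the payload parseable by JSON.parse and harmless to the HTML parser.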

Session cookies

  • Ensure that all session cookies have the HttpOnly and Secure flags set. Set a SameSite attribute as well; note that a Connect app renders inside an iframe on the Atlassian product's origin, so its cookies need SameSite=None (which in turn requires Secure) or browsers will not send them.
  • Ensure that session cookies have high entropy (for example 128 bits or more from a cryptographically secure random number generator) so that they cannot be guessed or brute-forced.
  • Ensure that session cookies are invalidated server-side on logout, not merely cleared in the browser.

Data storage

  • Encrypt data at rest, whether it is stored in an object store, such as S3, or a database.
  • Ensure that sensitive data, such as API keys, is not hardcoded in the source code. Supply keys at runtime through environment variables or a secrets manager.
  • Rotate keys on a regular basis. Long-lived static keys should be avoided, so design storage so that a new key can be introduced and an old one retired without re-deploying the app.

Egress traffic

  • Ensure that all egress traffic from your app is properly filtered and that access to internal resources (private networks, cloud metadata endpoints, localhost) is restricted, so that a URL taken from user input cannot be used to reach them.
  • Allowlist domains for egress traffic, if possible.

Information leakage

  • Do not expose OAuth tokens. OAuth client secrets should be treated carefully: they should not be distributed in emails, client-side JavaScript, or error messages, and should not be stored in public code repositories.
  • Ensure that secrets are not leaked to third parties through the Referer header. An endpoint that receives a token in its URL should consume it server-side and respond with a 302 Found redirect to a URL without the token, so that the token never becomes the referrer of a later request; set a Referrer-Policy on app pages as well. This is particularly important for app endpoints that handle authentication tokens.
  • For Connect apps, ensure that the shared secret is stored securely and is never sent to the client side or included in server-side error messages.

Cryptography

  • Use recommended algorithms, such as AES-256 in GCM mode, and never reuse a nonce with the same key. Do not create your own cryptographic algorithms.
  • Generate cryptographic keys and nonces with a cryptographically secure random number generator.

App server configuration

  • Ensure that HTTP methods, such as TRACE, are disabled, if not being used.
  • Ensure that Cache-Control headers are properly set, to avoid caching of sensitive pages (for example Cache-Control: no-store on pages that carry user data).
  • HTTPS should be enforced on all app pages.
  • TLS must be configured to accept only TLS 1.2 or higher, with TLS 1.0 and 1.1 disabled. Cipher suites using AES-256 with SHA-256 or stronger (such as the AES-256-GCM suites) are recommended.
  • HSTS must be enabled with a max-age of at least one year (31536000 seconds).
  • Ensure that any domains or subdomains belonging to the app are owned by you and are not left dangling (for example, a CNAME still pointing at a decommissioned host that an attacker could claim).
  • For Connect apps, ensure that the baseUrl configured in the app’s descriptor file is valid and owned by the app.
  • Ensure that any S3 buckets containing Atlassian data are properly locked down by restricting access to only the authorized users and apps.
  • Ensure your app server is up-to-date with the latest patches.
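The HTTP-level items in this list expressed as one response policy, as an added example that is not the page's own code. It is written as a plain function over a request description so it can be tested without a server; the TLS settings are shown as the options a Node tls/https server accepts. The host name and paths are constructed.

```javascript
// Added example (not the page's code): HTTP method filtering, HTTPS enforcement, HSTS and
// cache control as one policy function, plus the TLS options for a Node https server.
const ONE_YEAR = 31536000;
const ALLOWED_METHODS = new Set(['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'OPTIONS']); // TRACE is not in the set

// TLS 1.2+ only, AEAD suites with SHA-256 or stronger, preferring AES-256 (OpenSSL names).
const TLS_OPTIONS = {
  minVersion: 'TLSv1.2',
  ciphers: [
    'TLS_AES_256_GCM_SHA384',
    'ECDHE-ECDSA-AES256-GCM-SHA384',
    'ECDHE-RSA-AES256-GCM-SHA384',
    'ECDHE-ECDSA-AES128-GCM-SHA256',
    'ECDHE-RSA-AES128-GCM-SHA256',
  ].join(':'),
  honorCipherOrder: true,
};

// req: { method, secure, host, path, sensitive }. `secure` is whether the request arrived over TLS
// (behind a load balancer, derive it from the trusted proxy's header, not from the client).
// `sensitive` marks pages that carry user data and must not be cached anywhere.
function policy(req) {
  const method = req.method.toUpperCase();
  if (!ALLOWED_METHODS.has(method)) {
    return { status: 405, headers: { Allow: [...ALLOWED_METHODS].join(', ') }, proceed: false };
  }
  if (!req.secure) {
    return { status: 301, headers: { Location: `https://${req.host}${req.path}` }, proceed: false };
  }
  const headers = {
    // Only meaningful over HTTPS, which is why it is set on this branch only.
    'Strict-Transport-Security': `max-age=${ONE_YEAR}; includeSubDomains`,
  };
  if (req.sensitive) {
    headers['Cache-Control'] = 'no-store'; // never written to disk or shared caches
    headers['Pragma'] = 'no-cache';        // for HTTP/1.0 caches
  } else {
    headers['Cache-Control'] = 'private, max-age=0, must-revalidate';
  }
  return { status: 200, headers, proceed: true };
}
```

Used with `https.createServer({ ...TLS_OPTIONS, key, cert }, handler)`, the handler would call `policy()` first, write the returned headers, and only continue to the real route when `proceed` is true.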

Logging

  • Ensure that secrets and tokens are not logged.
  • Log security-relevant events and activities, such as pull requests being merged without approval, admin actions such as creating or modifying users, new instances being created, admin logins, and the like.

Monitoring and alerting

  • Monitor and alert on misconfigurations in the cloud infrastructure. Examples include open S3 buckets, lax security groups, dangling domains, and MFA being disabled.
  • Monitor and alert on anomalies in logs. Examples include a low-privileged user performing a high-privileged action, and traffic from a known-malicious IP address.
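The logging bullets (no secrets in logs, audit events recorded) and the log-anomaly bullet above, as one added example that is not part of the original page: an audit logger that redacts secrets before writing a JSON line, and a detector run over the resulting lines. The role model, required roles, bad-IP list and the four sample events are all constructed for the example.

```javascript
// Added example (not from the page): structured audit logging with redaction, and a detector for
// the anomalies named above, run over the lines the logger produces.
const SECRET_KEY = /(secret|token|password|passwd|authorization|cookie|api[_-]?key)/i;
const JWT_LIKE = /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/g; // base64url JSON header

// Deep-copies an event, masking values stored under secret-looking keys and JWT-shaped strings
// wherever they appear, so a token pasted into a free-text field is caught too.
function redact(value, key = '') {
  if (Array.isArray(value)) return value.map((v) => redact(v));
  if (value && typeof value === 'object') {
    return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, redact(v, k)]));
  }
  if (SECRET_KEY.test(key)) return '[REDACTED]';
  if (typeof value === 'string') return value.replace(JWT_LIKE, '[REDACTED-JWT]');
  return value;
}

const auditLine = (event) => JSON.stringify(redact(event)); // one JSON object per line

// Constructed policy: the minimum role required for each audited action.
const ROLE_RANK = { viewer: 0, developer: 1, admin: 2 };
const rank = (role) => (role in ROLE_RANK ? ROLE_RANK[role] : -1);
const REQUIRED_ROLE = { 'user.create': 'admin', 'user.modify': 'admin', 'instance.create': 'admin', 'pr.merge': 'developer' };
const BAD_IPS = new Set(['203.0.113.66']); // TEST-NET address standing in for a threat-intel feed

function detectAnomalies(lines) {
  const findings = [];
  for (const line of lines) {
    let e;
    try { e = JSON.parse(line); } catch (err) { findings.push({ rule: 'unparseable-log', line }); continue; }
    const need = REQUIRED_ROLE[e.action];
    if (need && rank(e.actorRole) < ROLE_RANK[need]) {
      findings.push({ rule: 'privilege-anomaly', actor: e.actor, action: e.action, role: e.actorRole });
    }
    if (BAD_IPS.has(e.ip)) findings.push({ rule: 'bad-ip', actor: e.actor, ip: e.ip });
    if (e.action === 'pr.merge' && e.approvals === 0) {
      findings.push({ rule: 'merge-without-approval', actor: e.actor, pr: e.pr });
    }
  }
  return findings;
}

// Constructed sample events (TEST-NET addresses; the JWT-like strings are not real tokens).
const SAMPLE_EVENTS = [
  { ts: '2019-11-04T10:00:00Z', actor: 'alice', actorRole: 'admin', action: 'user.create', target: 'bob', ip: '198.51.100.7' },
  { ts: '2019-11-04T10:05:00Z', actor: 'bob', actorRole: 'developer', action: 'user.modify', target: 'alice', ip: '198.51.100.8',
    authorization: 'Bearer eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJ4In0.c2lnbmF0dXJl' },
  { ts: '2019-11-04T10:07:00Z', actor: 'carol', actorRole: 'developer', action: 'pr.merge', pr: 42, approvals: 0, ip: '203.0.113.66' },
  { ts: '2019-11-04T10:09:00Z', actor: 'alice', actorRole: 'admin', action: 'admin.login', ip: '198.51.100.7',
    note: 'session eyJ0eXAi.eyJpc3Mi.c2ln resumed' },
];

function demo() {
  const lines = SAMPLE_EVENTS.map(auditLine);
  return { lines, findings: detectAnomalies(lines) };
}
```

The privilege rule compares the actor's role at the time of the event with the role the action requires; it is the log that records both, which is why the logging and monitoring bullets belong together.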

Software Development Lifecycle (SDLC) activities

  • Periodically scan for vulnerabilities in third-party dependencies using tools such as OWASP Dependency-Check, SourceClear, or Snyk.
  • Perform regular threat modeling of your apps to identify the attack vectors that would have the highest impact.
  • Perform static analysis of your app to identify patterns of insecure code.
  • Perform dynamic analysis using tools such as Burp Suite or OWASP Zed Attack Proxy (ZAP) to identify OWASP Top 10 vulnerabilities.
  • Establish a vulnerability management program and adhere to strict SLAs for fixing critical vulnerabilities.
  • Establish a security champions program with your security organization to evangelize security best practices.
  • Use Secure by Default frameworks to prevent common classes of vulnerability. Note that, in some cases, default options are insecure. For example, the XML parsers in Java ship with insecure defaults. Configure these to secure options.
  • Establish a bug bounty program with a focused scope.

Operational activities

  • Establish an incident response plan, so you are better prepared to respond to security breaches and incidents.
  • Establish a disaster recovery and business continuity plan to minimize or eliminate interruptions to the functioning of your apps during an incident.