Last updated May 20, 2025

Static Application Security Testing for Data Center apps

As published in the changelog, SAST scanners will be enabled starting 2nd June 2025.

Following our recent publication of the Security Requirements for Data Center apps, which require developers to perform SAST scans, and as part of our ongoing commitment to building trust with customers, Atlassian is introducing a new Static Application Security Testing (SAST) scanning capability for Data Center apps. This initiative is part of our continuing effort to ensure the safety and integrity of Marketplace apps.

What is SAST scanning for Data Center apps?

Static Application Security Testing (SAST) is a method of analyzing an application's source code to identify vulnerabilities, thereby reducing the risk of exploitation in deployed applications. By integrating SAST with our Ecoscanner platform, we can now decompile Data Center apps and analyze the recovered source code for vulnerabilities such as Remote Code Execution (RCE), file inclusion, SQL injection, and Cross-site scripting (XSS), among others.

FAQ

1. Do scanners scan all versions of a Data Center app? What will be the cadence of the scanning?

All newly uploaded apps (apps uploaded to the Marketplace for the first time), and incremental versions of apps that support the latest, previous, and current LTS (Long-Term Support) releases of a Data Center product, will be scanned within 24 hours of release. This ensures that any vulnerabilities in new apps or updated versions are promptly detected.

2. How will we get notified about the scan results?

When the SAST Scanner detects vulnerabilities within the code base of an app, app developers will be notified through AMS tickets. These tickets will be subject to resolution timeframes as outlined in our Security Bug Fix Policy, ensuring vulnerabilities are addressed promptly.

3. What tools are being used by Atlassian for performing SAST scans?

Atlassian uses the Semgrep Community Edition to perform SAST (Static Application Security Testing) scans on Marketplace Data Center apps.
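To show what such a scan checks for in practice, here is an added example of a Semgrep Community Edition taint rule for one of the vulnerability classes named above (SQL injection in a servlet-based Java app). It is illustrative only, not one of Atlassian's scanner rules; the rule id, message, and the HttpServletRequest/JDBC API calls it keys on are this example's own choices.

```yaml
# Added example rule (not Atlassian's). Run against an app's sources with:
#   semgrep --config dc-app-sqli.yaml path/to/sources
# It matches on API calls rather than identifier names, so it also works on
# decompiled output where local variable names have been lost.
rules:
  - id: dc-app-servlet-param-to-jdbc   # hypothetical rule id
    mode: taint
    languages: [java]
    severity: ERROR
    message: >-
      A request parameter reaches a JDBC Statement without parameter binding.
      Build the query with a PreparedStatement and bind the value instead.
    metadata:
      cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command"
    # Source: any value read from the HTTP request (typed metavariable so the
    # rule only fires for servlet requests, not unrelated getParameter methods).
    pattern-sources:
      - pattern: (HttpServletRequest $REQ).getParameter(...)
      - pattern: (javax.servlet.http.HttpServletRequest $REQ).getParameter(...)
    # Sink: the SQL string handed to a plain Statement. focus-metavariable
    # reports the tainted argument, not the whole call.
    pattern-sinks:
      - patterns:
          - pattern-either:
              - pattern: $STMT.executeQuery($SQL)
              - pattern: $STMT.executeUpdate($SQL)
              - pattern: $STMT.execute($SQL)
          - focus-metavariable: $SQL
    # Sanitizer: a value forced to an integer can no longer carry SQL syntax.
    # A PreparedStatement with setString/setInt never matches the sink above,
    # so the hardened form produces no finding.
    pattern-sanitizers:
      - pattern: Integer.parseInt(...)
```

With this rule, `stmt.executeQuery("SELECT * FROM t WHERE id = '" + request.getParameter("id") + "'")` is reported, while `conn.prepareStatement("SELECT * FROM t WHERE id = ?")` followed by `ps.setString(1, request.getParameter("id"))` is not.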

4. What is the difference between SAST and SCA scanners?

SAST (Static Application Security Testing) and SCA (Software Composition Analysis) are both important for ensuring application security, but they focus on different aspects. SAST scans your custom codebase to identify vulnerabilities, such as insecure coding patterns, logic flaws, or potential exploits at the source code level. It analyzes the proprietary code written by developers. On the other hand, SCA focuses on third-party dependencies, libraries, and open-source components used in the application. It identifies known vulnerabilities in these components by mapping them against public vulnerability databases (e.g., CVE).

5. Can apps opt out of the scanning process?

Apps cannot opt out of scanning at this time.

6. How do we get in touch or contact Atlassian to get support with the scanning?

Partners can contact Atlassian by submitting their request through our service desk.
