Last updatedNov 4, 2019

Security considerations for cloud apps

Connect framework for cloud-based apps

Apps built for our cloud products use the Connect framework. Connect apps (cloud) are very different from P2 apps (server). Your Connect app interacts with the Atlassian cloud instance using only API requests and webhooks (event-based APIs).

Connect security pros

  • Use scopes to limit the access your app has to the customer instance. For example, access to the administrative API is provided by a scope. If your app doesn’t need administrative API features, don’t request the administrative API scope. This will flag that your app has lower access requirements.
  • When you find a vulnerability in your Connect app, correct it and push an automatic update to all customers.

Connect security cons

  • Your cloud-based app introduces infrastructure to worry about, with additional attack vectors.
  • Areas of concern include:
    • dealing with cloud infrastructure such as AWS, Azure, or Google Cloud Platform.
    • hardening servers which run your app.
    • using technologies such as Docker or Kubernetes.
    • logging information and alerting on logs.