Security Initiatives for Data Center Apps

Automated security scanners are a key part of any application security program. They can help us identify common security gaps before an app hits production, thereby improving the overall security posture of an app, in accordance with Shift-left Security principles.

Towards this goal, Atlassian performs different types of security scans on the Data Center marketplace apps:

• Static Application Security Testing (SAST) Scanner: SAST is essential for identifying security vulnerabilities in the source code during the development phase
• Software composition analysis (SCA) Scanner: SCA identifies all the open source dependencies in a codebase, and maps that inventory to a list of currently known vulnerabilities
• Malware Scanner: Malware scanner scans apps to ensure that their codebase does not include any malware or malicious aspects
• Secret Scanner: Secret scanner detects hard-coded secrets such as API keys, credentials, and tokens within app binaries (JAR files)

Atlassian’s implementation of the above scanners currently uses opensource tools. Atlassian may change or add implementations based on features or future needs. More information can be found in the pages linked above.

You can view all critical or high-severity vulnerabilities tracked in the Atlassian Marketplace Security (AMS) Jira project. The AMS Jira project is our go-to place for:

• Vulnerability management
• Details on:
  • Vulnerabilities
  • Statuses
  • Due dates
  • Sources
  • Severities
• Asking or addressing questions in the issue's comments

Learn more about:

• Marketplace vulnerability management
• Our Security Bug Fix Policy