Last updated Jul 20, 2022


FAQ: Security requirements for cloud applications

What are the security requirements for cloud apps?

The security requirements for cloud apps are a combination of security best practices and application security defenses that prevent security vulnerabilities from being introduced in applications.

What is the purpose of the security requirements?

Our goal is to create a high level of trust and security in the Marketplace for our users. We use the requirements as the first step to improve security in Marketplace apps. It isn't our intention to place onerous security burdens on Marketplace Partners or create any surprises. Instead, we want to work with Marketplace Partners and provide the resources necessary to achieve these mutually beneficial security goals.

How were these security requirements chosen?

The list of requirements reflects common security issues affecting Marketplace cloud apps. These are verifiable defenses, which we can validate manually or automatically.

How often does Atlassian update security requirements for cloud applications?

We intend to update security requirements annually in April to make sure our policies reflect the latest vulnerabilities, technology changes, and customer needs. The updated requirements will be effective by the end of October in order to give partners and developers enough time to make changes.

What happens if I do not meet a security requirement?

When Atlassian detects that an application is not meeting a security requirement, we will create a vulnerability ticket in our vulnerability management system, Atlassian Marketplace Security (AMS). From there, we will track your progress in addressing the vulnerability, and provide support, when needed.

What is the current scope of these requirements?

The current scope of these requirements is Connect apps, Forge apps, Forge apps that egress data, and Trello apps (Power-Ups).

How do I encrypt data at rest?

You are responsible for ensuring that any data not stored in the Atlassian infrastructure is encrypted at rest. This includes Forge apps that egress data to external data stores. See the data storage section of Forge's shared responsibility model for more detail. At a minimum, we require you to enable Full Disk Encryption (disk level) on your server, so that End User Data stored outside of the Atlassian product or the user's browser is encrypted at rest and has some level of protection. If the data is stored in a managed service such as S3, this requirement asks you to enable at least the default encryption offered by that managed service. The encryption requirement is met for any data stored inside the Atlassian product (e.g. entity/content properties).
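As an added example, not from the Atlassian page, the following Python check applies the managed-service part of this requirement to S3 bucket encryption configurations. The bucket names, key ARN and configurations are constructed samples; a live check would feed it the output of the S3 GetBucketEncryption API for each bucket instead.

```python
"""Evaluate S3 default-encryption settings against the at-rest requirement.

Assumptions (not from the FAQ): the bucket configurations below are
constructed samples in the shape returned by the S3 GetBucketEncryption
API; a missing configuration is modelled as None, which is what a caller
would map the API's "not found" error to.
"""
from typing import Optional

# Constructed sample: three buckets an app might use for End User Data.
SAMPLE_BUCKETS = {
    "app-attachments": {  # SSE-KMS with a customer managed key
        "ServerSideEncryptionConfiguration": {
            "Rules": [{
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
                },
                "BucketKeyEnabled": True,
            }]
        }
    },
    "app-exports": {  # SSE-S3, the service's default offering
        "ServerSideEncryptionConfiguration": {
            "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
        }
    },
    "app-cache": None,  # no default encryption configured at all
}

def default_encryption(config: Optional[dict]) -> Optional[str]:
    """Return the default SSE algorithm configured for a bucket, or None."""
    if not config:
        return None
    for rule in config.get("ServerSideEncryptionConfiguration", {}).get("Rules", []):
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo:
            return algo
    return None

def meets_at_rest_requirement(config: Optional[dict]) -> bool:
    """True if the bucket applies at least the service's default encryption."""
    return default_encryption(config) in ("AES256", "aws:kms", "aws:kms:dsse")

def non_compliant_buckets(buckets: dict) -> list:
    """Names of buckets to remediate before they hold End User Data."""
    return sorted(n for n, c in buckets.items() if not meets_at_rest_requirement(c))
```

Running `non_compliant_buckets(SAMPLE_BUCKETS)` on the constructed data flags only `app-cache`, the bucket with no default encryption rule.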

Does the authentication requirement disallow the usage of anonymous access in Connect apps?

No. If an app’s authentication type is set to none in the app descriptor, and if all endpoints serve only static content, then this requirement does not apply.

Yes. Apps cannot collect or store credentials belonging to Atlassian user accounts, such as user passwords or user API tokens. When apps utilize Atlassian API tokens, it undermines several of the trust and security controls that Atlassian has in place to protect customers and partners. For example, in case of an account compromise, it is extremely difficult for Atlassian to identify that the REST API activity is originating from a specific app instead of from a specific customer.

In instances where a product REST API does not support JWT authentication, you may contact us. We will work internally to add JWT authentication. We will not create a vulnerability ticket in these instances.

What is the difference between requirements and guidelines?

Security requirements are mandatory defenses that apps must implement. The Security Guidelines are recommendations to improve the security of your app: they are not mandatory.

Are the requirements mandatory for all apps?

Yes. All cloud apps must meet the security requirements. This includes free apps.

Are apps permanently delisted for not meeting the security requirements?

No. Once the security requirements are met, the app can be relisted on the Marketplace.

How do I make sure my app meets the requirements?

You can use open-source tools to check if your app meets the requirements. Please refer to Additional Information: Security requirements for advice on how to check whether your app is compliant.

My app does not meet a requirement, but I have a workaround. Will I be penalized?

If the workaround mitigates the security vulnerability, then you will not be penalized. The Atlassian security team will evaluate this on a case-by-case basis. Refer to the security bug fix policy to learn more about the process.

Does Atlassian have role-based access controls of least privilege?

Forge has role-based access controls as seen in our Security Practices trust centre. However, Atlassian does not provide or enforce role-based access controls for partners building Forge apps.

If I store data about a data subject, can you process/access requests from them?

You will have access to UGC/Personally Identifiable Information (PII), which is controlled and declared through scopes and permissions in the Forge manifest/Connect descriptor. However, you are still responsible for cleaning up anything that is stored outside of the Atlassian systems from these responses.

If I store data about a data subject, can you process erasure requests from data subjects?

If you poll us at least every 7 days, you should be able to process deleted accounts within the timeframes required by GDPR (2-4 weeks). View User privacy guide for more information.

How does this impact the listing process?

The requirements do not impact the listing process. Apps will not be tested prior to listing but are subject to continuous review by the Atlassian security team. Any security gaps identified will be addressed by following the security bug fix policy.

How can I provide feedback about the requirements?

If you have any questions or feedback about the security requirements, please use the "Give docs feedback" link provided above.
