When installing Marketplace apps, many companies are concerned about the risk of using a new app or vendor. These guidelines prepare you for some of the more stringent security and risk checks that customers complete as a part of their procurement process. These guidelines address your security practices and aren’t intended to cover the security of your app.
This checklist contains the recommended steps for companies who want to maintain a strong security profile. This is not a comprehensive list, but rather a set of practices we believe are important. You should evaluate these recommendations in the context of your organization and its resources.
We also recommend that you visit the Atlassian Trust site, where we describe Atlassian's core pillars of security, reliability, privacy, and compliance. We aim to be as transparent as possible by publishing details of our security practices, such as information about our bug bounty program, how we deal with security incidents, and the like.
Consider workstation and account security before you start building apps. Compromise of workstations and accounts is one of the bigger security threats, as a malicious actor could use them to gain access to your code repositories, your infrastructure, or your workstations directly. From a compromised workstation or account, bad actors could access your customers' data, modify your codebase, or gain access to your other services. To address these issues:
Most vendors creating Marketplace apps for our cloud products use platforms such as AWS, Azure, or Google Cloud Platform. These services should be protected in the same way as workstations, but some extra steps are required because these servers are internet-facing and running your app. If a malicious actor were to gain access to the cloud account or the infrastructure, this could give them access to the customer data you store or to your app. To address these issues:
One of the more difficult activities on this list is developing secure code. New vulnerabilities are found every day, so staying on top of app security is a continuous endeavor. Thankfully, there are tools and techniques to help you keep up with these changes, and the core principles for remediating these issues do not change often. To address this issue:
At Atlassian we use BugCrowd for managing our bug bounty program. This security testing program enables third-party security researchers to report vulnerabilities in our tools and earn money doing so. Read more about Atlassian's approach to external security testing and the benefits we believe it brings to our organization.
As of July 2019, we extended the bug bounty program to Marketplace vendors. As part of this initiative, you get your own program instance on the BugCrowd platform, at no cost, and are only responsible for bounty payouts for vulnerabilities reported to you. You can scale or pause the program at any time depending on your resources.
When you have implemented best-practice security controls and documentation, consider a security audit. Audits are conducted by a third party. The audit report will tell you where you're doing well and, more importantly, identify areas that need improvement. Consider sharing this report with prospective customers during their procurement process to help them evaluate your security controls. There are also certifications available, including some that are country-specific. We recommend that you investigate the two globally recognized certifications: