Last updated Jun 5, 2020

Security guidelines for Marketplace Partners

When installing Marketplace apps, many companies are concerned about the risk of using a new app or partner. These guidelines prepare you for some of the more stringent security and risk checks that customers complete as a part of their procurement process. These guidelines address your security practices and aren’t intended to cover the security of your app.

Security checklist

This checklist contains the recommended steps for companies who want to maintain a strong security profile. This is not a comprehensive list, but rather a set of practices we believe are important. You should evaluate these recommendations in the context of your organization and its resources.

We also recommend that you visit the Atlassian Trust site, where we describe Atlassian's core pillars of security, reliability, privacy, and compliance. We aim to be as transparent as possible by publishing details of our security practices, such as information about our bug bounty program, how we deal with security incidents, and the like.

Workstation and account security

Consider workstation and account security before you start building apps. Compromise of workstations and accounts is one of the bigger security threats, because a malicious actor could use them to get access to your code repositories, your infrastructure, or other workstations directly. From a compromised workstation or account, bad actors could access your customers' data, modify your codebase, or gain access to your other services. To address these issues:

Infrastructure security

Most partners creating Marketplace apps for our cloud products use platforms such as AWS, Azure, or Google Cloud Platform. These services should be protected in the same way as workstations, but some extra steps are required because these servers are internet-facing and running your app. If a malicious actor were to gain access to the cloud account or the infrastructure, it could give them access to the customer data you store or to your app itself. To address these issues:

  • During the setup of an account, follow your cloud provider’s recommended security steps.
  • Enforce multi-factor authentication for all accounts.
  • Disable unnecessary services on servers, in order to reduce the attack opportunities.
  • Implement a patch management system to keep operating systems and software up to date.
  • Encrypt data at rest; AES-256 or an equivalent cipher is recommended.
  • When backing up data, apply the same security controls to protect backups as you do for your databases.
  • Log information that could make you aware of security breaches. Examples of the information to log include:
    • Pull requests merged without approval.
    • 2FA devices added or removed from your account.
    • Administrative actions such as creating or modifying users.
    • Instances being created.
    • The user agent strings and source IP addresses (and therefore the countries) of user logins, especially for admin users.
  • Do not log sensitive data. Make sure you don't log API tokens, passwords, or unnecessary personal information.
  • Review logs regularly. If possible automate this process and trigger alerts when certain conditions are found.
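The two logging recommendations above, logging security-relevant events and redacting secrets before they reach the log, are easiest to see in code. The following script is an added example and is not part of the Atlassian guidelines; the JSON audit-log format, the field names, the list of expected admin-login countries, and the sample events are all constructed for this illustration. It flags a 2FA device removal, an administrative user creation, and an admin login from an unexpected country, and it strips bearer tokens and passwords from anything it writes.

```python
"""Added example (not from the Atlassian guidelines page): review a
constructed JSON audit log for the conditions the checklist recommends
alerting on, and redact secrets before they are logged.

Assumptions: one JSON object per line with the fields used below; the
set of countries from which admin logins are expected is invented.
"""
import json
import re

# Constructed sample audit events (not real data).
SAMPLE_LOG = """\
{"ts": "2020-06-01T08:02:11Z", "event": "login", "user": "alice", "role": "admin", "ip": "203.0.113.7", "country": "AU", "user_agent": "Mozilla/5.0"}
{"ts": "2020-06-01T08:05:42Z", "event": "user.create", "user": "alice", "role": "admin", "target": "svc-deploy"}
{"ts": "2020-06-01T09:15:00Z", "event": "mfa.device.remove", "user": "bob", "role": "developer"}
{"ts": "2020-06-01T11:20:03Z", "event": "login", "user": "alice", "role": "admin", "ip": "198.51.100.23", "country": "RU", "user_agent": "curl/7.68.0"}
{"ts": "2020-06-01T11:21:10Z", "event": "api.call", "user": "alice", "role": "admin", "detail": "Authorization: Bearer tok_0123456789abcdef password=hunter2"}
"""

# Countries from which admin logins are expected (assumption for the example).
KNOWN_ADMIN_COUNTRIES = {"AU", "US"}

# Secret-bearing patterns that must never reach a log line; the label is
# kept (group 1) and only the value is replaced.
SECRET_PATTERNS = [
    re.compile(r"(Bearer\s+)[A-Za-z0-9._\-]+"),
    re.compile(r"(password=)[^\s&]+", re.IGNORECASE),
]


def redact(text: str) -> str:
    """Replace API token and password values with a placeholder."""
    for pattern in SECRET_PATTERNS:
        text = pattern.sub(r"\1[REDACTED]", text)
    return text


def review(log_text: str, known_countries=KNOWN_ADMIN_COUNTRIES) -> list:
    """Return (severity, message) alerts for the checklist's conditions.

    Every message passes through redact() so that a secret which leaked
    into an audit event is not copied into the alert log as well.
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        event = ev.get("event")
        if event == "mfa.device.remove":
            msg = f"2FA device removed for {ev['user']} at {ev['ts']}"
            alerts.append(("high", redact(msg)))
        elif event == "user.create":
            msg = f"{ev['user']} created user {ev['target']} at {ev['ts']}"
            alerts.append(("medium", redact(msg)))
        elif (event == "login" and ev.get("role") == "admin"
              and ev.get("country") not in known_countries):
            msg = (f"admin {ev['user']} logged in from {ev['country']} "
                   f"({ev['ip']}, {ev['user_agent']}) at {ev['ts']}")
            alerts.append(("high", redact(msg)))
    return alerts


if __name__ == "__main__":
    for severity, message in review(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

In a real deployment the alerts would be fed to a paging or ticketing system rather than printed, and the country check would be replaced with whatever baseline you keep for your admin users; the point is that each condition in the checklist maps to a concrete, testable rule, and that redaction runs before any write.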

Development

One of the more difficult activities on this list is developing secure code. New vulnerabilities are found every day, making staying on top of app security a continuous endeavor. Thankfully there are tools and techniques to help you keep up with these changes, and the core principles of remediating these issues do not change often. To address this issue:

Policy, processes, and documentation

Provide policy documents so your customers know what you do and how you do it. We recommend that you have a privacy policy and a security policy. Without these you will probably struggle to secure larger, more risk-averse customers as their procurement teams look for these documents as they evaluate new tools and partners. These are the policies, processes, and documentation that you should consider implementing:

Must have:

  • Privacy policy
  • Security policy
  • End user license agreement (EULA)

Recommended:

Bug bounty

At Atlassian we use Bugcrowd to manage our bug bounty program. This security testing program enables third-party security researchers to report vulnerabilities in our tools and earn money doing so. Read more about Atlassian's approach to external security testing and the benefits we believe it brings to our organization.

As of July 2019, we extended the Bug Bounty Program to Marketplace Partners. As part of this initiative, you get your own program instance on the Bugcrowd platform, at no cost, and are only responsible for bounty payouts for vulnerabilities reported to you. You can scale or pause the program at any time depending on your resources.

Certifications

When you have implemented best-practice security controls and documentation, consider a security audit. Audits are conducted by a third-party. The audit report will tell you where you're doing well, and more importantly, identify areas that need improvement. Consider sharing this report with prospective customers, during their procurement process, to help them evaluate your security controls. There are also certifications available, including some that are country-specific. We recommend that you investigate the two globally recognized certifications:

  • SOC 2, an audit attestation (a Type I or Type II report rather than a certificate) that most cloud-based companies complete first.
  • ISO 27001, a great certification to aim for, but companies usually start with SOC 2 because of the scope and complexity of ISO 27001.
