Today, we’ve published new security requirements for cloud apps, which will take effect on October 31, 2022. All Marketplace apps and Trello apps will be expected to meet the new requirements by this date.
These security requirements set the standard for all cloud apps in the Atlassian Marketplace. For developers, these docs lay out how to build a secure Atlassian app. For customers, these requirements provide assurance that all Atlassian Marketplace apps are following security practices necessary to keep their data and business safe.
We periodically review and update our security requirements to make sure our policies reflect the latest vulnerabilities, technology changes, and customer needs. But we also see this as an opportunity to make our security documentation a better resource for developers who build on our platform.
The new requirements set the bar for security at a level that better meets the needs of our mutual customers. Additionally, we’ve added implementation details for different development scenarios to help developers determine how the new requirements apply to their apps. The security requirements now include sections for different development platforms and frameworks, which include specific guidelines for meeting each requirement. Whether you’re building with Forge, Connect, or Trello, we want to help developers clearly understand how the requirements apply.
What’s changed?
- We’ve added several new security requirements to make best practices standard for all cloud Marketplace apps. These include but are not limited to: exercising the principle of least privilege by not requesting more data access or permissions than your app needs and validating all untrusted data. Check the docs to see all new additions.
- We’ve updated all requirements. We’ve refreshed all requirements to bring them inline with the latest industry recommendations. There are too many updates to list here, so we recommend reading over the docs carefully.
- We’ve organized requirements into 5 categories, to reflect the important areas developers should be thinking about: Authentication and Authorization, Data Protection, Application Security, Privacy, and Vulnerability Management.
- We’ve added sections for different development platforms to show how implementation details differ depending on your use case.
Platform-specific requirements
While it’s possible to build a secure app on any of the Atlassian developer platforms that are available, the implementation details do vary. We wanted to make it easier for developers to understand which security requirements may be partially or fully met by the platform they build with, as well as any additional steps that may be needed to meet a given requirement.
For example, the Data Protection requirement below is labeled platform provided
for apps built on Forge, because Forge apps allow app data to be hosted in the Atlassian platform. If data does not leave the Atlassian product, no further action is needed.
Any Atlassian End User Data stored by an application outside of the Atlassian product or users' browser must ensure full disk encryption at-rest.
If a developer is building a Forge app or a Connect app that does egress data and store it externally, it is the developer’s responsibility to encrypt End User Data stored outside of the Atlassian product or user’s browser.
The framework supported
label indicates requirements that can be met using the provided functionality of the ACE or ACSB frameworks, for example, validating JWTs server-side for every authenticated request.
Trello
We’ve also included Trello Apps (Power-Ups) in the cloud app security requirements for the first time. Previously, Trello apps were covered under a separate policy. By creating one standardized set of requirements, we hope to make it easier for developers building for multiple cloud products to understand the best way to build secure apps.
Our approach to app security
Today we’re publishing updates to our security requirements, but this work is not an isolated initiative. It’s important to look at the big picture and how these updates fit into our broader approach to Marketplace trust.
We know app security is a top priority for customers, particularly as they move to Cloud. Customers store important data in their Atlassian products, and they rely on Marketplace apps to protect that data. Our cloud security requirements set the baseline for all Marketplace apps.
But app trust is more than just following the requirements – it’s a combination of security practices, operational practices, data protection and privacy, and in some cases, compliance certifications. It’s important for customers to be able to understand how apps are interacting with their data and which additional safeguards partners put in place to provide a high level of trust.
In the future, we plan to increase transparency to customers about how apps operate, and we’re also working on ways for partners to communicate their trust postures to customers. Over time, we will provide more capabilities through the platform and more enablement through the program to help partners provide an even higher level of security. We believe this is good for customers – and it’s good for partners too.
Next steps
App publishers will have until October 31, 2022 to bring Marketplace apps and Trello Apps into compliance with the new security requirements.
We’ve compiled a list of common questions on the FAQs page. If you have additional questions about how the security requirements apply to specific scenarios, or you would like to request an exception due to extenuating circumstances, please file a DEVHELP ticket.
Marketplace security is an important goal that we all contribute to – partners and Atlassian – through a shared responsibility model. It is also a long-term effort. As we continue to advance our policies and practices around Marketplace security, we’re working to support partners every step of the way.
Let’s keep the conversation going. Share your feedback and your questions in the developer community.