At Atlassian, one of our goals is to make sure customers can trust our software to be safe and secure. That is why every Data Center and server product at Atlassian is subject to a third party dependencies security scan for known vulnerabilities. This way we are able to detect potential issues early enough to reduce any risks for our customers.
Over the course of years we’ve seen the evolution of mechanisms used in Atlassian Data Center Engineering to discover security vulnerabilities. There are security scanners, Bug Bounty Program, and more. Customers rely on Atlassian software and trust us with their data every day.
Atlassian Data Center products are part of a thriving Ecosystem and the vast majority of deployments host multiple Data Center apps. The security of such a complex setup depends on the security of each of its components.
We want to share our experience in this area and help partners align with Atlassian Security Standards.
We are extending the Data Center App Approval process and introducing a third party security scanner for all Data Center apps.
Starting from February 2022, we’ll require all apps submitted for Data Center App Approval to be free from critical- and high-severity security vulnerabilities in third party dependencies (Bamboo DC Apps Program will follow these requirements once it’s launched). Learn more about the technical aspects of the security scan process and find out how to run it in your development environment.
Starting from April 2022, we’ll track vulnerabilities in the Atlassian Marketplace Security Jira project. Atlassian Marketplace Security is our one-stop-shop for vulnerability management, where partners can go to review all their vulnerabilities, statuses, due dates, sources, and severities. All issues in AMS describe the vulnerability in detail, and all questions about an issue can be addressed in the comments of the issue. Learn more about AMS, and review our Security Bug Fix Policy for Marketplace Apps.
It is critical to address vulnerabilities as soon as possible to ensure our customers can continuously trust the Atlassian Ecosystem.
If the annual review cycle of your app is scheduled for February or March 2022, the Data Center apps review team will contact you through a DCHELP ticket in the upcoming weeks and provide a list of vulnerabilities the scanner has detected. We will also reach out to partners who own apps with the highest number of detected vulnerabilities.
We want to ensure that we create enough room for you to discuss and act on the security scanner results.
Last but not least, please ensure that the security contact in your partner profile are up to date and that you follow Vulnerability review practices for Atlassian marketplace partners. It is important to complete those steps before the rollout of the security scanner integration with the Atlassian Marketplace Security Jira project.
Thank you for taking this seriously. Please review the technical aspect of dependency scanning and consider including it into the CI/CD pipeline of your Data Center app.
Thank you very much for all the feedback on this post. The sheer size of it indicates how important this process is for you. We’ve identified two major concerns in this feedback:
- The tooling that Atlassian suggested is insufficient as it provides different scan results than tooling which Atlassian uses internally to validate apps.
- Approval Process requirements after Feb 2022 need to be rephrased to clarify the expectations and address non-obvious scenarios.
We are working to address those points, and we will provide an update by December 17th. Please stay tuned!
For the last week, we have been testing alternative scanner solutions and discussing legal aspects of those approaches. We are not yet satisfied with the outcomes thus we will continue the investigation in the tooling area.
At the same time, we are drafting updates to the Approval Process documentation published on developers.atlassian.com.
Given the upcoming holiday period, we will provide another update by January 14th.
Thank you very much for your patience. For the last few weeks, we were validating available scanner solutions and came up with updates to the Approval Process documentation.
We clarified that during the Approval Process, you need to provide a scan report free of critical- and high-severity vulnerabilities in the libraries bundled with your app. You can also choose a Software Composition Analysis tool of your choice to create this report.
For more details please see Security Scanner for DC Apps documentation.
We’ll be monitoring this post to answer your questions.