Since Atlassian started their cloud hosting services the security is always their top priority. They’re transparent with their security program and you can feel informed and safe using their products and services. Atlassian doesn't look at security as a destination to reach — it's an ongoing journey. They continually strive to improve their software development and internal operational processes with the aim of increasing the security of their software and services.
The Atlassian Cloud security architecture is designed with consideration of a broad range of industry standards and frameworks and in tandem with Atlassian’s internal threat modeling process. It's designed to balance the need for flexibility with the need for effective controls to ensure confidentiality, integrity, and availability of our customers' data.
To establish a baseline of trust in the Marketplace across partners and apps, Atlassian is launching a series of security programs. As customer requirements change, they will evolve these programs by modifying the requirements and benefits to ensure Marketplace partners and apps meet and exceed customer security expectations and are aligned with Atlassian’s company objectives.
We, EverIT, have always been keen to build apps that meet these security requirements and we always make sure that our apps can be used safely in every team of every size and industry. That’s why besides our internal security processes we take part in every security program that Atlassian announces.
The security self-assessment program is a collaboration between Atlassian and Marketplace Partners to increase security awareness and improve security practices. The goal is to increase customer confidence in apps and provide them with the necessary information to perform security evaluations. The program involves an annual security self-assessment that Atlassian reviews and approves. During the review process, Atlassian works with the partner to pinpoint vulnerabilities and identify improvements.
The program aims to encourage security mindfulness in three main areas:
Sensitive data handling
Backup and disaster recovery.
The self-assessment consist of 13 questions. You can find our detailed answers here. Timetracker has been approved by Atlassian in 2020. January.
To increase security across the Marketplace, Atlassian has made 15 security requirements that are mandatory for all Marketplace cloud applications. We are responsible to review and update our apps to make sure that they are compliant.
Since the beginning of the development of the Timetracker Cloud version, we have been following these requirements and we regularly check if there are any new criteria that we have to meet.
There are some additional security guidelines and best practices suggested by Atlassian that are not mandatory but we still following them.
In short, the Marketplace Partner Security Self-Assessment program involves the following:
A vendor self-assessment of your cloud applications in the marketplace and your organization’s overall approach to security against the CAIQ Lite, an industry-recognized cloud security benchmark. As a Marketplace vendor, you have to complete this process using the Whistic platform.
A review by Atlassian of vendor responses to identify gaps in the vendor's security posture
Communication between Atlassian and the vendor regarding your security posture, and identifying critical control gaps and other areas for remediation.
The questionnaire consists of 73 questions that you will be required to respond to, giving Atlassian an understanding as to whether various security controls are in place. You will be required to indicate whether controls are in place, with Yes, No or N/A, and a brief explanation.
The Consensus Assessments Initiative Questionnaire (CAIQ) Lite is a streamlined, industry-recognized assessment questionnaire designed to assist organizations assess the security posture of their cloud vendors. CAIQ Lite is a shortened version of CAIQ that contains more than 300 questions.
We not only took part in the CAIQ Lite but we also filled the full CAIQ earning the CSA STAR Level 1 certification. Our assessment got approved in 2020. April. Our filled CAIQ can be found here.
A bug bounty program is one of the most powerful post-production tools to help detect vulnerabilities in applications and services. The Marketplace Security Bug Bounty program is a collaboration between Atlassian and Marketplace Partners aiming to continuously improve the security posture Atlassian Marketplace apps by leveraging crowdsourced vulnerability discovery methods available through bug bounty.
The Marketplace Bug Bounty Program is hosted on Bugcrowd, a SaaS platform built to crowdsource vulnerability discovery from a global pool of talented security researchers.
When you join the Marketplace Bug Bounty Program, your program starts as a private program, and Bugrowd invites researchers to participate.
EverIT has applied for participation in 2020. April with Timetracker. After the application, we had to create our own Blitz Program.
Since the beginning of the program, here are the results:
25 incident overall
9 was “Not applicable” as they weren’t reported for Timetracker Cloud
1 was “Not reproducible” as Bugcrowd wasn’t able to reproduce it
7 was duplication
8 was reported correctly and 7 of them are already fixed.
For Participating in the Bug Bounty and other Security Programs, we received a security badge on the Atlassian Marketplace.
The retrospective on the Marketplace Bug Bounty Blitz for all the Vendors can be found here.
As security is a top priority for Atlassian, we are sure that there will be even more requirements and programs next to the existing ones. Needless to say, we will take part in all of them and keep up the enthusiastic work to provide secure applications that can be used by every organization!
Tibor Tasi _Everit_Marketplace Partner
Calling all collaborators and Confluence users! Our Appy Hours event on September 29th features 4 presenters demoing functionality to superpower Confluence. Don't miss learning about these apps i...