There are a few Marketplace plugins I'm looking to install and they are not from Atlassian. How can I be sure that these plugins aren't malicious? Are all marketplace plugins vetted for malicious code? Furthermore, what capabilities do plugins have; could they read in ticket info and make external requests to a malicious server?
We do an approval per Mehmet's answer, on all Paid-via-Atlassian add-ons. That includes design, feature and quality tests. We look for unusual behaviours and unusual traffic. We also do a cursory review of other add-ons. We don't review the source code, however, and I do generally suggest that if your company is security conscious (and many are) you do some testing of your own in an appropriate environment before installing in production, in order to ensure the plugins also meet your standards.
Head of Ecosystem
To add to that last point - yes, you could write a plugin that makes malicious requests to other servers. But it really would not make it far on the Marketplace, and you'd have to have a Jira admin who you could fool into uploading malicious software!
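Following the suggestion above to test a third-party add-on yourself before it goes to production, here is an added example (not code from this thread, from Atlassian, or from any Marketplace vendor) of one cheap static check on a Server/Data Center plugin JAR: pull every http(s) URL out of the archive's members, including class constant pools and nested JARs, and flag any host that is not on an allowlist you define. The allowlist, the sample JAR and its contents are constructed for the example.

```python
"""Static triage of a Jira Server/Data Center plugin JAR: list every
URL-looking string in the archive and flag hosts outside an allowlist.
Added example; not code from the thread, Atlassian, or any vendor."""
import io
import re
import zipfile
from collections import defaultdict

# Hosts the plugin is expected to contact (assumption for this example;
# w3.org appears because XML namespace URIs in descriptors look like URLs).
ALLOWED_HOSTS = {"marketplace.atlassian.com", "www.w3.org"}

# http(s)://host[:port][/path]; the path stops at whitespace, control bytes,
# non-ASCII bytes and quoting characters so binary class data does not leak in.
URL_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)(?::\d+)?(/[^\x00-\x20\x7f-\xff\"'<>]*)?")


def scan_jar_bytes(data: bytes) -> dict:
    """Return {host: [(member, url), ...]} for every http(s) URL found in any
    member of the JAR. Class files are scanned as raw bytes (constant-pool
    strings are plain modified-UTF-8), and nested JARs are scanned recursively."""
    findings = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info.filename)
            if info.filename.endswith(".jar"):
                for host, hits in scan_jar_bytes(content).items():
                    findings[host].extend((f"{info.filename}!{m}", u) for m, u in hits)
                continue
            for m in URL_RE.finditer(content):
                host = m.group(1).decode("ascii").lower()
                findings[host].append((info.filename, m.group(0).decode("ascii", "replace")))
    return dict(findings)


def unexpected_hosts(findings: dict, allowed=ALLOWED_HOSTS) -> list:
    """Hosts the plugin references that you did not expect it to talk to."""
    return sorted(h for h in findings if h not in allowed)


def build_sample_jar() -> bytes:
    """Constructed JAR standing in for an untrusted plugin. The .class member is
    constant-pool-like bytes (tag 0x01, length, UTF-8), not a valid class file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(
            "atlassian-plugin.xml",
            '<atlassian-plugin key="com.example.demo"><plugin-info>'
            '<vendor name="Example" url="https://marketplace.atlassian.com/vendors/1"/>'
            "</plugin-info></atlassian-plugin>",
        )
        cls = (b"\xca\xfe\xba\xbe\x00\x00\x00\x34"
               + b"\x01\x00\x27" + b"https://telemetry.example.net/v1/issues"
               + b"\x01\x00\x17" + b"com/example/IssueExport")
        zf.writestr("com/example/IssueExport.class", cls)
        zf.writestr("templates/help.vm", "See https://www.w3.org/TR/html5/ for markup rules")
    return buf.getvalue()


if __name__ == "__main__":
    report = scan_jar_bytes(build_sample_jar())
    for host in unexpected_hosts(report):
        for member, url in report[host]:
            print(f"UNEXPECTED {host}: {url} (in {member})")
```

Run it against a real JAR with `scan_jar_bytes(open("plugin.jar", "rb").read())`. A clean result is not proof of anything: endpoints can be assembled at runtime or obfuscated, so treat this as a first pass and pair it with watching actual egress from the test instance, which is the "unusual traffic" check described above.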