Hello Atlassian Community! I am Srivathsav from the Atlassian Marketplace Security team. I would like to make an announcement about Ecoscanner's new capabilities.
As a part of our ongoing commitment to build trust with customers, Atlassian has launched new capabilities for Ecoscanner, which include the ability to scan Data Center apps on the Marketplace for hardcoded secrets and potential malware.
These previously announced features are intended to protect customer data while securing apps and the Atlassian ecosystem. This is a significant improvement to prior iterations of Ecoscanner, which were limited to cloud apps and software composition analysis (or SCA) of open-source code for Data Center apps.
Sensitive information – such as API keys, JWTs, OAuth tokens, and credentials – must be stored and retrieved securely. Hardcoding secrets in an app can cause them to be leaked and can lead to malicious activity, including compromised accounts and user impersonation attacks.
Therefore, Ecoscanner leverages secret scanning technology based on proprietary software and open-source code to detect secrets, such as API keys, and validate them to avoid false positives. If a secret is discovered, a security vulnerability ticket is created and assigned to the app developers. They must then rotate the access keys, release a patch before the resolution date, and notify the customer as necessary. This helps protect partners and customers from the risk of unauthorized access.
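As an added example (not Ecoscanner's own code), the following Python script shows the two-stage approach the paragraph describes at a small scale: regex patterns flag candidate secrets in source lines, and a local Shannon-entropy filter discards low-entropy placeholders so that they do not become false positives. The sample source lines, the generic assignment pattern, and the entropy threshold are constructed for illustration; the only public formats used are the AWS access-key-id prefix and the JWT header prefix. Ecoscanner's actual validation step checks whether a detected key is live with its issuer, which is not reproduced here.

```python
"""Minimal hardcoded-secret detector: regex candidates plus an entropy filter.

Added example, not Atlassian's Ecoscanner code. The patterns (other than the
AWS key-id and JWT prefixes) and the sample source are constructed; the
"validation" stage here is a local entropy heuristic, not a live check.
"""
import math
import re

# Candidate patterns. The generic assignment pattern is a constructed heuristic
# that looks for a secret-like variable name assigned a quoted literal.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "jwt": re.compile(
        r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"
    ),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[=:]\s*['\"]([^'\"]{16,})['\"]"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score high, placeholders low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line: str, min_entropy: float = 3.5):
    """Return (kind, value) findings for one source line.

    Structured formats (AWS key id, JWT) are reported as-is. Generic quoted
    literals are kept only if their entropy suggests a real secret rather than
    a placeholder such as CHANGE_ME_CHANGE_ME_NOW.
    """
    findings = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(line):
            value = m.group(2) if kind == "generic_assignment" else m.group(0)
            if kind == "generic_assignment" and shannon_entropy(value) < min_entropy:
                continue  # low-entropy literal: treat as a placeholder, not a leak
            findings.append((kind, value))
    return findings


def scan_source(text: str):
    """Scan a whole source file; return (line_number, kind, value) tuples."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, value in scan_line(line):
            results.append((lineno, kind, value))
    return results


# Constructed sample of a Java-style Data Center app source: a correct env
# lookup, a low-entropy placeholder, a high-entropy literal, the public AWS
# documentation example key id, and a JWT-shaped token with a made-up signature.
SAMPLE_SOURCE = """\
String apiKey = System.getenv("SERVICE_API_KEY"); // fine: read from env
String password = "CHANGE_ME_CHANGE_ME_NOW";        // placeholder, low entropy
String token = "q8Zt3vPm1LkXy7Rw2NbJ9cHd";           // high entropy literal
String awsId = "AKIAIOSFODNN7EXAMPLE";              // AWS sample key id
String jwt = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.constructed_signature_0123456789abcdef";
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {value}")
```

Running the script reports the high-entropy literal on line 3, the AWS key id on line 4, and the JWT on line 5, while the environment lookup and the placeholder produce nothing. A real pipeline would follow detection with the issuer-side validation the announcement describes before opening a ticket, since entropy alone cannot tell a revoked key from a live one.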
Malware, such as trojans or ransomware, is software that can cause damage or exfiltrate information from infrastructure and persistent stores once introduced.
As a result, Ecoscanner has also implemented the capability to identify malware on all Data Center apps in the Marketplace. Once detected, app developers must investigate malware threats and mitigate these risks to enhance the integrity of the apps, securing Atlassian’s Marketplace and our users' environments.
Ecoscanner will scan Data Center apps on the Marketplace when new versions are released. Atlassian will then alert app developers once risks are identified, prompting them to investigate incidents. If the risk is considered critical, Marketplace Partners will notify affected customers.
App developers will receive AMS tickets for Data Center apps when secrets and malware are detected, which are subject to timeframes for resolution outlined in our Security Bug Fix Policy.
Srivathsav Gandrathi