Scanning Marketplace Data Center Apps for Secrets and Malware

Hello Atlassian Community! I am Srivathsav from the Atlassian Marketplace Security team. I would like to make an announcement about Ecoscanner's new capabilities.

Vulnerability scanning

As a part of our ongoing commitment to build trust with customers, Atlassian has launched new capabilities for Ecoscanner, which include the ability to scan Data Center apps on the Marketplace for hardcoded secrets and potential malware.

These previously announced features are intended to protect customer data while securing apps and the Atlassian ecosystem. This is a significant improvement to prior iterations of Ecoscanner, which were limited to cloud apps and software composition analysis (or SCA) of open-source code for Data Center apps.

Scanning for hardcoded secrets

Sensitive information – such as API keys, JWTs, OAuth tokens, and credentials – must be stored and retrieved securely. Hardcoding secrets in an app can lead to those secrets being leaked, which in turn enables malicious activity, including compromised accounts and user impersonation attacks.

Therefore, Ecoscanner leverages secret scanning technology based on proprietary software and open-source code to detect secrets, such as API keys, and validate them to avoid false positives. If a secret is discovered, a security vulnerability ticket is created and assigned to the app developers. They must then rotate the access keys, release a patch before the resolution date, and notify the customer as necessary. This helps protect partners and customers from the risk of unauthorized access.
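The detect-then-validate approach described above, shown as an added Python example that a Data Center app developer could run over their own plugin jar before release. This is not Ecoscanner's code or rule set: the detection patterns, the placeholder word list, the entropy threshold and the sample jar contents are all assumptions constructed for this illustration, and the validation step is offline (structural checks and a placeholder filter) rather than the live provider check a production scanner would add.

```python
import base64
import binascii
import collections
import hashlib
import hmac
import io
import json
import math
import re
import zipfile

# Detection rules (assumed for this example, based on publicly documented
# key shapes; not Ecoscanner's rules). Specific rules come first so a
# generic "token=<jwt>" hit can be folded into the JWT finding.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")),
    ("credential_assignment",
     re.compile(r"(?i)\b(?:api[._-]?key|client[._-]?secret|secret|token|password)\b"
                r"\s*[=:]\s*['\"]?([A-Za-z0-9_\-/+]{8,})")),
]
# Words that mark a value as a template, not a real secret (assumed list).
PLACEHOLDER_WORDS = ("changeme", "placeholder", "example", "xxxx", "your_")


def shannon_entropy(s):
    """Bits per character; random-looking secrets score high, words score low."""
    counts = collections.Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_jwt(value):
    """A JWT must carry a base64url JSON header with an "alg" field."""
    head = value.split(".")[0]
    try:
        header = json.loads(base64.urlsafe_b64decode(head + "=" * (-len(head) % 4)))
    except (ValueError, binascii.Error):
        return False
    return isinstance(header, dict) and "alg" in header


def validate(kind, value):
    """Offline plausibility checks that drop obvious false positives.
    A production pipeline would add a live check per provider (assumption)."""
    if kind == "aws_access_key_id":
        return len(value) == 20
    if kind == "jwt":
        return looks_like_jwt(value)
    lowered = value.lower()
    if any(word in lowered for word in PLACEHOLDER_WORDS):
        return False
    return shannon_entropy(value) >= 3.5  # assumed threshold


def scan_text(entry_name, text):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line_hits = []
        for kind, rx in RULES:
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                # A generic hit nested in a specific one is the same secret.
                if any(value in found for _, found in line_hits):
                    continue
                if validate(kind, value):
                    line_hits.append((kind, value))
        for kind, value in line_hits:
            # Never write the full secret into the report; keep a short preview.
            findings.append({"entry": entry_name, "line": lineno, "kind": kind,
                             "preview": value[:4] + "..."})
    return findings


def scan_jar(jar_bytes):
    """Scan every file in a jar; latin-1 maps each byte to one character, so
    strings inside .class files and other binaries are matched too."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                findings.extend(scan_text(info.filename, zf.read(info.filename).decode("latin-1")))
    return findings


def make_signed_jwt(secret, payload):
    """Builds a real HS256 JWT so the sample has a structurally valid token."""
    def b64(b):
        return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64(json.dumps(payload).encode())
    sig = b64(hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest())
    return f"{header}.{body}.{sig}"


def build_sample_jar():
    """Constructed plugin jar with planted values; not a real Marketplace app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("atlassian-plugin.xml", '<atlassian-plugin key="com.example.demo"/>\n')
        zf.writestr("config.properties",
                    "api.key=CHANGEME_PLACEHOLDER_VALUE\n"   # template value: dropped
                    "aws.access.key=AKIAIOSFODNN7EXAMPLE\n"  # AWS docs sample key shape: flagged
                    'password = "changeme"\n')                # template value: dropped
        zf.writestr("com/example/Settings.txt",
                    "token=" + make_signed_jwt(b"demo-signing-key", {"sub": "svc-account"}) + "\n"
                    'client_secret: "f3Kd9sLq2Pz7Wm4Xb1Nv8Rt6Yh0Jc5Ag"\n')  # high entropy: flagged
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_jar(build_sample_jar()):
        print(f"{f['entry']}:{f['line']} {f['kind']} {f['preview']}")
```

Running the block reports three findings (the AWS-shaped key, the JWT and the high-entropy client secret) and silently drops the two template values, which is the false-positive reduction the announcement attributes to the validation step. Whatever a scan finds is the signal to rotate the key first and then ship the patch, since removing a string from the next release does nothing for copies already in distributed jars.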

Scanning for potential malware

Malware, such as trojans or ransomware, is software that can cause damage to, or extract information from, infrastructure and persistent stores once it is introduced.

As a result, Ecoscanner has also implemented the capability to identify malware on all Data Center apps in the Marketplace. Once detected, app developers must investigate malware threats and mitigate these risks to enhance the integrity of the apps, securing Atlassian’s Marketplace and our users' environments.

Raising risk awareness through notifications

Ecoscanner will scan Data Center apps on the Marketplace when new versions are released. Atlassian will then alert app developers once risks are identified, prompting them to investigate incidents. If the risk is considered critical, Marketplace Partners will notify affected customers.

App developers will receive AMS tickets for Data Center apps when secrets and malware are detected, which are subject to timeframes for resolution outlined in our Security Bug Fix Policy.

5 comments

Peter Van de Voorde
Community Leader
September 6, 2024

Hi @Srivathsav Gandrathi ,

Thanks for sharing this information, could you please share it in the Atlassian Developer Community too as there are many developers who might not be following along the full Atlassian Community but do watch the Developer community.

You can find it here: https://community.developer.atlassian.com/

Cheers,
Peter

kc September 8, 2024

Thanks for sharing, Srivathsav.

Are the above capabilities already available in the Atlassian Cloud version? For example, for Connect apps from the Atlassian Marketplace?

Srivathsav Gandrathi
Atlassian Team
September 10, 2024

@Peter Van de Voorde Done, posted on CDAC with references to the actual announcements, https://community.developer.atlassian.com/t/scanning-marketplace-data-center-apps-for-secrets-and-malware/83376
@Kelvin CHUA Such capabilities on the Marketplace cloud apps are published here: https://developer.atlassian.com/platform/marketplace/ecoscanner/ . We can't perform malware scans on Connect apps as they are hosted outside of Atlassian.

M Amine
Community Leader
September 19, 2024

Thank you for providing this information.

kc September 25, 2024

@Srivathsav Gandrathi Thanks, and noted on the constraint of Connect apps. Are there any plans to stop supporting or allowing Connect apps and encourage the developers to all migrate to Forge?
