Understanding Third-Party App Security in the Atlassian Ecosystem

Dimitris Sylligardakis
Rising Star
May 28, 2024

Hello Trust and Security Community,

Following my previous post (Security Best Practices for Jira: Permissions, Workflows, and Third-Party Apps), the fourth instalment in the Infosec and Compliance themed series will focus on understanding third-party app security in the Atlassian ecosystem. So, buckle up and get ready for the ride!

What risks do third-party apps in the Atlassian ecosystem pose?

Third-party apps in the Atlassian ecosystem can significantly boost the functionality and productivity of everyday work platforms like Jira and Confluence, but they also extend your trust boundary: an installed app typically gets its own API access to your data, and with it comes a set of potential security risks.

Some of these risks include:

Data breaches: Unauthorised access to sensitive data can occur if an app has vulnerabilities or if the app developer doesn’t follow stringent security practices.

Malware: Malicious software can be introduced into your system through poorly vetted apps, leading to data loss or system damage.

Compliance violations: Using apps that don’t comply with industry regulations can result in legal and financial repercussions, especially in industries like finance, healthcare, or government.

Data privacy: Apps may collect and misuse personal data, leading to privacy violations.

Dependency risks: Relying on third-party apps can create dependencies that might become problematic if the app is discontinued or no longer supported.

How can I vet third-party apps for security before integrating them into my Atlassian environment?

Vetting third-party apps is crucial to maintaining the security of your main work platforms such as Jira. Here are some of the key steps to take before installing an app: 

Check Atlassian Marketplace listings: Start by reviewing the app on the Atlassian Marketplace. Look for:

  • Vendor information: Ensure the vendor is reputable and has a history of providing reliable apps.
  • User reviews and ratings: Read through user reviews and ratings to gauge the app's reliability and security.
  • Security badges: Look for security badges such as the Atlassian Cloud Fortified badge, which indicates that the app has met specific security standards.

Review documentation and privacy policies: Read through the app’s documentation and privacy policy to understand how your data will be used, stored, and protected. If in doubt, reach out to the developer for clarity.

Assess app permissions and access: Dig into the permissions the app requests. For cloud apps these are declared up front (the scopes in a Connect app descriptor, or the permissions in a Forge app manifest), so you can check them before installing. Ensure each one is necessary for the app's functionality; scopes that grant admin-level access, let the app act on behalf of users, or expose user email addresses deserve an explicit justification from the vendor, as does any external host the app sends your data to.
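As an added example that is not part of the original post, the following Python script shows what such a permission review looks like in practice for an Atlassian Connect app. It parses a constructed atlassian-connect.json descriptor for a hypothetical app (the app key, host name and webhook list are made up for illustration) and reports the scope tier, any sensitive scopes, an insecure baseUrl, unauthenticated inbound requests, and which webhook events push data to the vendor's host. The scope names and their meaning follow the Connect scope documentation; Forge apps declare the equivalent information under permissions.scopes and permissions.external in manifest.yml and are not covered here.

```python
import json
from urllib.parse import urlparse

# Constructed descriptor for a hypothetical app; not a real Marketplace listing.
SAMPLE_DESCRIPTOR = """
{
  "key": "com.example.timesheet-sync",
  "name": "Example Timesheet Sync",
  "baseUrl": "http://timesheets.example.com",
  "authentication": { "type": "jwt" },
  "scopes": ["READ", "WRITE", "ACT_AS_USER", "ACCESS_EMAIL_ADDRESSES"],
  "lifecycle": { "installed": "/installed" },
  "modules": {
    "webhooks": [
      { "event": "jira:issue_created", "url": "/hooks/issue" },
      { "event": "jira:issue_updated", "url": "/hooks/issue" }
    ]
  }
}
"""

# A second constructed descriptor with the minimum a read-only app needs.
MINIMAL_DESCRIPTOR = """
{
  "key": "com.example.issue-viewer",
  "name": "Example Issue Viewer",
  "baseUrl": "https://viewer.example.com",
  "authentication": { "type": "jwt" },
  "scopes": ["READ"],
  "modules": {}
}
"""

# Connect scopes ordered from narrowest to broadest access.
SCOPE_RANK = {"READ": 1, "WRITE": 2, "DELETE": 3,
              "PROJECT_ADMIN": 4, "SPACE_ADMIN": 4, "ADMIN": 5}

# Scopes that should not be granted without a documented reason.
SENSITIVE_SCOPES = {
    "ACT_AS_USER": "app can call the REST API as any user who has authorised it",
    "ACCESS_EMAIL_ADDRESSES": "app can read user email addresses",
    "ADMIN": "app can change product-wide configuration",
}


def review_descriptor(descriptor_json: str) -> dict:
    """Summarise what a Connect app can reach and flag points that need vendor justification."""
    d = json.loads(descriptor_json)
    scopes = set(d.get("scopes", []))
    findings = []

    # Broadest scope requested, as a quick triage number.
    max_rank = max((SCOPE_RANK.get(s, 0) for s in scopes), default=0)

    for s in sorted(scopes & SENSITIVE_SCOPES.keys()):
        findings.append(f"sensitive scope {s}: {SENSITIVE_SCOPES[s]}")

    # Every request Jira makes to the app goes to baseUrl; JWT signs those
    # requests but does not encrypt them, so plain http leaks issue data in transit.
    base = urlparse(d.get("baseUrl", ""))
    if base.scheme != "https":
        findings.append(f"baseUrl is not https ({d.get('baseUrl')})")

    # authentication.type "none" means the app cannot verify that inbound
    # lifecycle and webhook calls really come from your site.
    if d.get("authentication", {}).get("type", "none") == "none":
        findings.append("authentication.type is none: inbound requests are unauthenticated")

    # Webhooks push issue payloads to the vendor's host as events happen.
    hooks = d.get("modules", {}).get("webhooks", [])
    events = sorted({h.get("event", "?") for h in hooks})
    if events:
        findings.append(f"{len(events)} webhook event(s) send data to {base.netloc}: "
                        + ", ".join(events))

    return {
        "key": d.get("key"),
        "host": base.netloc,
        "max_scope_rank": max_rank,
        "scopes": sorted(scopes),
        "findings": findings,
    }


if __name__ == "__main__":
    for name, desc in (("sample", SAMPLE_DESCRIPTOR), ("minimal", MINIMAL_DESCRIPTOR)):
        report = review_descriptor(desc)
        print(f"{name}: {report['key']} -> {report['host']} scopes={report['scopes']}")
        for f in report["findings"]:
            print("  -", f)
```

Run it against the descriptor of the app you are evaluating (the vendor publishes it at the URL shown on the Marketplace listing); an empty findings list is the starting point for approval, not the end of the review, since the script cannot tell you what the vendor does with the data once it arrives at their host.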

Vendor security practices: Investigate the vendor’s security practices:

  • Compliance certifications: Check whether the vendor holds certifications or attestations such as ISO 27001 or SOC 2, and how it meets its GDPR obligations (for example, whether it offers a data processing agreement and states where your data is stored).
  • Security audits: Determine if the vendor undergoes regular security audits and penetration testing, and how it receives and handles vulnerability reports.

Test in a sandbox environment: Before deploying an app into your production Jira or Confluence instance, test it in a sandbox environment to confirm it works as intended and to observe what data it actually reads, writes, and sends out.

Monitor and review: Continuously monitor the app's performance and security, and review any change to the app's permissions, security policies, or vendor ownership when it is updated, since an update can expand what the app is allowed to access.

What should I do if I discover a security issue with a third-party app?

If you discover a security issue with a third-party app, take the following steps:

  • Report the issue: Immediately report the issue to the app vendor through their support or security contact. Provide detailed information (steps to reproduce, affected versions, observed impact) to help them understand and address the problem. Reputable app vendors will work with you to resolve the issue with as little impact as possible.
  • Disable the app: Temporarily disable the app to prevent further risk while the issue is being investigated and resolved.
  • Notify Atlassian: Inform Atlassian about the security concern through their support or security channels. This helps maintain overall ecosystem security.
  • Conduct an internal review: Assess the impact of the security issue on your system and data. Take necessary steps to mitigate any damage.
  • Stay informed: Look out for updates from the vendor regarding the resolution of the issue and apply any patches or updates promptly.

Are there any tools or services available to help with app security in the Atlassian ecosystem?

Yes! There are a multitude of tools and services that can help enhance app security in the Atlassian ecosystem:

  • Security apps: Consider using security-focused apps available on the Atlassian Marketplace that provide additional layers of protection to your Confluence or Jira instance, such as data encryption, access controls, and activity monitoring.
  • Atlassian Access: Leverage Atlassian Access for centralised security management, including SSO, user provisioning, and enhanced authentication.
  • Third-party security services: Consider engaging third-party security services for regular security assessments, vulnerability scanning, and penetration testing of your Atlassian environment.
  • Community and support: Participate in the Atlassian Community forums and support channels to stay updated on best practices, security advisories, and peer recommendations.

If you follow these guidelines, you’re one step closer to effectively managing the security risks associated with third-party apps in the Atlassian ecosystem, ensuring a safe and productive environment for your organisation.

Have any tips on ensuring the third-party apps you use won’t put your organisation at risk? Let me know in the comments!

3 comments

Morgan Watts
Contributor
May 30, 2024

Thanks for the post :D I've been enjoying these.
Johnathon Sloss
I'm New Here
July 16, 2024

Taking notes and leaving comments on security information I'm interested in coming back to. Interested and still learning, thank you for useful information, tools, and tips.

ksm July 23, 2024

Thanks @Dimitris Sylligardakis for this useful post. It seems the consumers must prove the apps individually 🤔. Actually, I was looking for information regarding the process that Atlassian uses to access/evaluate third-party apps before registering them on their Marketplace. Is there any?
