[Timetracker], [Security]

In 2020, Atlassian is in the process of revamping its Cloud Security Program. Throughout this fiscal year, Atlassian has communicated its cloud-first vision and strategy.

To establish a baseline of trust in the Marketplace across partners and apps, Atlassian is launching a series of security programs. As customer requirements change, Atlassian will evolve these programs by modifying their requirements and benefits, so that Marketplace partners and apps meet and exceed customer security expectations and stay aligned with Atlassian’s company objectives.

We have collected in a timeline what you should do, when, and where, in order to meet all these new requirements.

January 2020 

The Cloud Security requirements are going live gradually. First, you have to meet these 15 criteria: a combination of security best practices and application security defenses that prevent security vulnerabilities from being introduced into applications.

When an application does not fulfill one of these requirements, Atlassian treats it as a security vulnerability. Please refer to the enforcement procedure for how Atlassian plans to enforce these requirements.

February 2020 

Start of the planning process for automated scanning to identify apps that don’t meet the cloud app security requirements (subject to change).

28th of February 2020 

By this date, you had to finish the 5 steps of your Marketplace Partner Security Self-Assessment program.

Update: Atlassian reopened it on the 5th of May.

These steps are:

  1. Open a ticket to tell Atlassian that you want to take part in the program.

  2. Check the CAIQ Lite Questionnaire filling guide.

  3. Read the filling guide written by Atlassian.

  4. Fill out the CAIQ Lite online using Whistic. Atlassian partnered with Whistic to provide you with a tool for filling out and maintaining a database of standard security questionnaires that can be shared with your customers, one of which is CAIQ Lite.

After these steps, Atlassian will evaluate your submission and provide a result with improvement suggestions (if needed). They aim to complete this before March 31, 2020 (for pilot participants). You will receive a colour rating according to your result, together with a list of what your submission was missing:

  • Green for a ‘Well Developed’ approach to cyber security with no critical control gaps;

  • Orange for a ‘Somewhat Developed’ security posture; and

  • Red for vendors assessed as ‘Starting Out’ on their security journey.

16th of March 2020 

Start of the Atlassian Bug Bounty program. A bug bounty program is one of the most powerful post-production tools you can use to help detect vulnerabilities in your applications and services. Crowdsourcing vulnerability discovery augments the skills of your team by providing access to a skilled pool of security researchers.

In June 2019, Atlassian and four partners in the Top Vendor Program (Adaptavist, ALM Works, K15t, and Tempo) engaged in a trial bug bounty program. This trial was such an overwhelming success that Atlassian is expanding the program to all Atlassian Marketplace vendor partners.

Atlassian is going to conduct a short-term Bug Bounty Blitz on Bugcrowd (initially running for 6 weeks, with the potential to run longer if sustained success is seen) for all interested Marketplace partners (every partner is eligible to participate), in which Atlassian will not only cover the platform costs, but also cover the rewards for any valid and accepted security vulnerability submitted for the apps listed in scope of this event. On top of these rewards, Atlassian will also give out bonuses to further incentivize security researchers to find more impactful vulnerabilities in Marketplace apps.

You can find everything that you need to know about it here.

July 2020 

Start of the new Marketplace Program. The badging will be completely revamped on the Atlassian Marketplace. This means Atlassian will remove the Top Vendor badge from app tiles and app listings by the end of 2020. The Top Vendor badge is replaced with program tier badging in the Marketplace partner profile. Participating in the Cloud Security Program is required even for acquiring the Silver badge.

New Atlassian Partner Program requirement sheet

2021 Q1 (Plans) 

Adding new trust signals for the apps on the Marketplace:

  • App-level: This app is participating in the paid Bug Bounty Program

  • App-level: This app has passed the CAIQ Lite test

  • App-level: This app has passed the vulnerability test

  • Partner-level: The Marketplace Partner has complied with the SOC2 requirements

  • Partner-level: The Marketplace Partner has complied with the ISO27001 requirements

Benefits of participating in Cloud Security Program 

  • According to all the available information, it seems that at some point in the future Atlassian will make the Cloud Security Program mandatory.

  • Reduces the security risk of your app

  • Additional badges and markers on the Marketplace, which can increase sales and revenue

  • Several companies already have policies that they cannot purchase a cloud application without a proven security background.

  • The new Top Vendor Program’s levels also require you to participate in the Cloud Security Program


Disclaimer:
This blog post originally appeared on EverIT's blog on 2020.05.07. EverIT has joined catworkx (part of TIMETOACT GROUP) on 2025.01.01.