[Timetracker]
In a previous blog article, published about a year ago, we started to give you a complete overview of the security protocols Atlassian uses for it’s Cloud service and the guidelines for vendors who develop app for the Atlassian Marketplace. EverIT is one of these vendors (in fact, we achieved the Silver Marketplace Partner status in February 2022). As our Timetracker Cloud application reached another important Atlassian security milestone by getting the Cloud Fortified badge recently, we thought it’s time to update you in the new Security programs we didn’t cover in our previous article.
The Cloud Fortified program was announced in July 2021 and is primarily aimed for premium and enterprise customers who have hundreds or even thousands of users, although small teams enjoy the security benefits of the program as well. (Sidenote, in case you haven’t heard of it: Teams of less than 10 people can also use some apps now free with the “Cloud apps free up to 10 users” program, which our Timetracker is also a part of, as visible on the Marketplace.)
In short, having the Cloud Fortified badge (see above) for an App shows that the App is just as, or is even more secure as the Atlassian product they compliment, meaning they meet the security criteria of large corporations as well. To join the program, vendors like us has to show to Atlassian through 4 new initiatives that our App adopts their security baseline, and provide further proofs that our App is reliable at scale and we are able to provide quick support for our users on business days. Participation in previous Atlassian security programs like the Marketplace Bug Bounty Program and Marketplace Security Self Assessment Program is also a must. We covered these two programs in the first part of this security blog post. [link]
Let’s break down the new initiatives in more detail.
This is how Atlassian defined them when they introduced the Cloud Fortified Program:
Ecoscanner: Atlassian’s Ecoscanner platform performs daily scans for all cloud apps available on the Marketplace, looking for missing security requirements, signs of expired domains and subdomain takeovers.
Vulnerability Disclosure Program: This program, running for all Cloud (and Data Center) apps by Atlassian, is hosted on Bugcrowd and provides a secure channel where external researchers can report vulnerabilities they find. Atlassian then reviews them, and if neccessary, contacts the vendors who can fix these issues.
Cloud App Security Requirements: Atlassian’ requirements for Marketplace Cloud apps is a list of 15 items, to ensure security best practices. Items from the list include a must for all authentication and authorization requests, or that an application doesn’t collect Atlassian user credentials.
Security Bug Fix Policy: This Policy outlines Atlassian’s expectation from vendors on how they handle security vulnerabilities from triaging to an expected timeline of resolution, based on the severity of the issue.
(This policy also applies for Server and Data Center apps, with different timeframes.)
Reliability at scale: To join the Cloud Fortified program, Everit had to fill out a questionnare where we showed Atlassian how we comply with all their requirements. This questionnaire was especially interested in details on how we tested our Timetracker app with thousands of users working simultaneously in mind, how we monitor the App’s performance and how we can handle scaling up real time.
Responsive support: During the application, we had to show Atlassian our incident management process and provide contacts in our company who make sure that we are providing within 24 hours support for our app on all business days of the week.
Looking Ahead
Just as we closed the first article with a promise to follow Atlassian’ journey towards achieving the best available security, so can we only double down on that pledge to always make sure our apps are safe to use for every organization.
Disclaimer:
This blog post originally appeared on EverIT's blog on 2022.02.23. EverIT has joined catworkx (part of TIMETOACT GROUP) on 2025.01.01.