In 2020, Atlassian is in the process of revamping its Cloud Security Program. Throughout this fiscal year, Atlassian has communicated its cloud-first vision and strategy.
To establish a baseline of trust in the Marketplace across partners and apps, Atlassian is launching a series of security programs. As customer requirements change, Atlassian will evolve these programs by modifying the requirements and benefits to ensure Marketplace partners and apps meet and exceed customer security expectations and are aligned with Atlassian’s company objectives.
We have collected in a timeline what you need to do, when, and where, in order to meet all these new requirements.
The Cloud Security requirements are going live gradually. First, you have to meet these 15 criteria. They are a combination of security best practices and application security defenses that prevent security vulnerabilities from being introduced into applications.
When an application does not fulfill one of these requirements, Atlassian treats it as a security vulnerability. Please refer to the enforcement procedure on how Atlassian plans to enforce these requirements.
Start of the planning process for automated scanning to identify apps that don’t meet the cloud app security requirements (subject to change).
By this date, you had to finish the 5 steps of your Marketplace Partner Security Self-Assessment program.
Update: Atlassian reopened it on 5th of May.
These steps are:
Open a ticket to tell Atlassian that you want to join the program.
Check the CAIQ Lite Questionnaire filling guide.
Read the filling guide made by Atlassian.
Fill in the CAIQ Lite online using Whistic. Atlassian has partnered with Whistic to provide you with a tool to seamlessly fill out and maintain a database of standard security questionnaires that can be shared with your customers, one of which is CAIQ Lite.
After these steps, Atlassian will evaluate your submission and provide a result with improvement suggestions (if needed). They aim to complete this before March 31, 2020 (for pilot participants). You will receive a color rating according to your result, along with a list of what your document was missing:
Green for a ‘Well Developed’ approach to cyber security with no critical control gaps;
Orange for a ‘Somewhat Developed’ security posture; and
Red for vendors assessed as ‘Starting Out’ on their security journey.
Start of the Atlassian Bug Bounty program. A bug bounty program is one of the most powerful post-production tools you can implement to help detect vulnerabilities in your applications and services. Crowdsourcing vulnerability discovery augments the skills of your team by providing access to a skilled pool of security researchers.
In June 2019, Atlassian and four partners in the Top Vendor Program (Adaptavist, ALM Works, K15t, and Tempo) engaged in a trial bug bounty program. This trial was such an overwhelming success that Atlassian is expanding the program to all Atlassian Marketplace vendor partners.
Atlassian is going to conduct a short-term Bug Bounty Blitz on Bugcrowd (initially running for 6 weeks, but with the potential to run longer if sustained success is seen) for all interested Marketplace partners (every partner is eligible to participate), wherein Atlassian will not only cover the platform costs, but also cover the rewards for any valid and accepted security vulnerability submitted for the apps listed in scope of this event. On top of these rewards, Atlassian will also give out bonuses to further incentivize security researchers to find more impactful vulnerabilities in Marketplace apps.
You can find everything that you need to know about it here.
Start of the new Marketplace Program. The badging will be completely revamped on the Atlassian Marketplace. This means Atlassian will remove the Top Vendor badge from app tiles and app listings by the end of 2020. The Top Vendor badge is replaced with program tier badging in the Marketplace partner profile. Even to acquire the Silver badge, participating in the Cloud Security program is required.
Adding new trust signals for the apps on the Marketplace:
App-level: This app is participating in the paid Bug Bounty Program
App-level: This app has passed the CAIQ Lite test
App-level: This app has passed the vulnerability test
Partner-level: The Marketplace Partner has complied with the SOC 2 requirements
Partner-level: The Marketplace Partner has complied with the ISO 27001 requirements
According to all the available information, it seems that at some point in the future Atlassian will make the Cloud Security Program mandatory.
Reduces the security risk of your app
Additional badges and markers on the Marketplace which can increase sales/revenue
Several companies already have policies under which they cannot purchase a cloud application without a proven security background.
The new Top Vendor Program’s levels also require you to participate in the Cloud Security Program
Copyright © 2019 Everit Kft. – All rights reserved.