
Understanding marketplace app security in the cloud

Security assessment

As your organization moves from Atlassian Server to Atlassian Cloud, there are different considerations to make around Marketplace apps. Traditionally, organizations have not needed to worry about app security, because apps are hosted in the same environment as the Atlassian products and inherit their security measures in a contained environment. With Cloud products, apps can be hosted either by the vendor or by Atlassian. This means customers may have to review the security posture of each app individually.
When reviewing Atlassian Marketplace apps, your organization's security posture will guide which apps are allowed in Cloud. Topics to understand include:
  • App framework (Connect, Forge, 3LO)
  • Data residency
  • What data is stored in the app
  • What the security posture of the vendor is
  • What information the app has access to on your site
The aim of this document is to help you understand each of the above points so that you can make an informed decision on the security considerations for the apps you choose to deploy on your Cloud sites.

App framework

There are three main ways to develop cloud apps and integrations with Atlassian. Each framework has specific considerations you should evaluate, outlined below.

Framework: Connect (most commonly used framework)
Considerations:
  • Available through the Atlassian Marketplace
  • May offer data residency with vendor support
  • Requires an admin to install
  • Vendor owns the hosted location
  • Vendor owns security
  • Vendor owns performance

Framework: Forge
Considerations:
  • Available through the Atlassian Marketplace
  • Follows the data residency of the Atlassian site it is hosted on
  • Requires an admin to install
  • Atlassian owns security
  • Atlassian owns storage
  • Atlassian owns compute

Framework: OAuth 2.0 (3LO)
Considerations:
  • Apps are not listed in the Atlassian Marketplace
  • Hosted by the vendor; may offer data residency
  • Central admin console to view installed apps
  • Allows external apps and services to access Atlassian product APIs on a user's behalf
  • A separate admin page highlights "connected apps", where admins can allow/block 3LO apps and revoke user access
  • Requires developers to register an account, meaning Atlassian knows who creates the apps
  • Apps declare the API scopes they use and receive user consent for them
  • See the final section for more information on 3LO apps

You can identify which framework an app uses by reaching out to the individual app vendors. In the future, this information will be displayed on the Marketplace vendor's listing.

Data stored in the app

Understanding the type of data stored by an app will help determine its risk profile. Apps can store a range of data (no data, metadata, personally identifiable information, user-generated data), and they can store it either within the app or on the Jira/Confluence site itself.

Contact the Marketplace vendors to gain a clearer understanding of the types of data the app will store.

What information the app has access to

When you install an app, you're prompted to approve and accept the app's scopes. Because apps are remote services that access your Atlassian products, these services are granted specific privileges on your site.
Scopes are essentially app privileges: the things an app can do to interact with your product instance. An app might need permission to read, write, or delete data in order to integrate with your product instance.
A full list of scopes can be viewed on the Atlassian Connect app scopes page.
App scope/integration information is generated from the manifest file that the app vendor provides. See Permissions for details.

Current state

Currently, app permissions on Atlassian product data are granted with a simple yes or no. Data access cannot be defined more granularly. See below for an example.
Figure: Integration details of Zephyr Scale
The scope of an app is visible on the Marketplace listing.
Granular scopes v1 will allow developers to define at the entity level what access to data an app needs when it is installed. It will no longer be all or nothing. For more information, see Action required: Update scopes for Forge and OAuth 2.0 (3LO) apps.
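The scope review described above (coarse Connect scopes today, granular scopes for Forge and 3LO apps) is something an admin can script rather than eyeball on each listing. The following is an added example, not Atlassian code or any vendor's app: it reads the scopes an app declares (the "scopes" array of a Connect descriptor, or "permissions.scopes" of a Forge manifest) and grades them against an organization's own approval policy. The descriptor, the manifest and the policy tiers are constructed for illustration; the tier assigned to each scope is an assumed house rule, not an Atlassian recommendation.

```python
"""Scope review helper for Atlassian Marketplace apps (added example).

Reads the scopes an app declares and grades them against an assumed
organisational approval policy. Everything below is constructed sample data.
"""
import json

# Constructed Connect descriptor (atlassian-connect.json) for a hypothetical app.
CONNECT_DESCRIPTOR = json.loads("""
{
  "key": "example-connect-app",
  "name": "Example Connect App",
  "baseUrl": "https://app.example-vendor.invalid",
  "authentication": {"type": "jwt"},
  "scopes": ["READ", "WRITE", "ACT_AS_USER"]
}
""")

# Constructed Forge manifest (only the permissions block matters here), already
# parsed into a dict so the example has no YAML dependency.
FORGE_MANIFEST = {
    "permissions": {
        "scopes": ["read:jira-work", "write:jira-work", "manage:jira-configuration"]
    }
}

# Assumed organisational policy: each scope maps to an approval tier.
#   standard - a site admin may approve
#   elevated - needs security review (deletion, admin rights, impersonation)
#   blocked  - never approved for this organisation
# Scopes missing from the table are reported as unknown and sent to review.
POLICY = {
    # Connect (coarse, all-or-nothing) scopes
    "READ": "standard",
    "WRITE": "standard",
    "DELETE": "elevated",
    "PROJECT_ADMIN": "elevated",
    "SPACE_ADMIN": "elevated",
    "ACT_AS_USER": "elevated",
    "ADMIN": "blocked",
    # Forge / 3LO granular scopes (illustrative selection)
    "read:jira-work": "standard",
    "write:jira-work": "standard",
    "read:jira-user": "standard",
    "manage:jira-project": "elevated",
    "manage:jira-configuration": "blocked",
}


def extract_scopes(app_definition):
    """Return the declared scopes from a Connect descriptor or a Forge manifest."""
    if "scopes" in app_definition:                        # Connect descriptor
        return list(app_definition["scopes"])
    permissions = app_definition.get("permissions", {})   # Forge manifest
    return list(permissions.get("scopes", []))


def review_scopes(scopes, policy=POLICY):
    """Bucket each scope by policy tier and decide approve / review / blocked."""
    findings = {"standard": [], "elevated": [], "blocked": [], "unknown": []}
    for scope in scopes:
        findings[policy.get(scope, "unknown")].append(scope)
    if findings["blocked"]:
        decision = "blocked"
    elif findings["elevated"] or findings["unknown"]:
        decision = "review"
    else:
        decision = "approve"
    findings["decision"] = decision
    return findings


def review_app(app_definition, policy=POLICY):
    """Extract the declared scopes and review them in one step."""
    return review_scopes(extract_scopes(app_definition), policy)


if __name__ == "__main__":
    for name, definition in (("connect", CONNECT_DESCRIPTOR), ("forge", FORGE_MANIFEST)):
        result = review_app(definition)
        print(f"{name}: {result['decision']} (elevated={result['elevated']}, "
              f"blocked={result['blocked']}, unknown={result['unknown']})")
```

Unknown scopes deliberately fall into review rather than approval: when a vendor ships a new granular scope your policy table has not seen, the safe default is for a person to look at it. Swap the constructed descriptor for the real one a vendor supplies, and the policy table for your organization's own tiers.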

Future state

Atlassian is working on a new feature to help admins define and restrict access to data, along with improvements to the granular scopes feature.
• Access narrowing will give administrators/users a way to reduce an app's access to data in specific projects or spaces via data classification policies
• Granular scopes v2 will provide improvements to the implementation based on feedback

Security posture

Because Marketplace vendors interact with your site, they will have access to your data in the cloud. Your organization needs to be sure that the vendor has the correct measures in place to protect itself from malicious actors.
Vendors may be able to provide confirmation that they have completed certain security programs:
Where to find this information:
An additional deep dive may be required to understand how vendors keep your data secure and what measures they take. Questions could include:
• How they protect their customer data (encryption in transit/at rest, key management)
• How they protect against service disruption and ensure continuity
• How they onboard and vet new employees, and how employees are off-boarded
Ultimately, your organization is responsible for ensuring that it has the correct processes in place to evaluate the security posture of each app/vendor.

OAuth 2.0 (3LO) apps

What are 3LO apps?

3LO apps are different from the managed apps an admin would install from the Marketplace. Although both are related to add-ons, OAuth 2.0 (3LO) apps (connected apps) require further authorization to connect to your Cloud site.
For example, Jira Cloud for Spreadsheets is an add-on that needs to perform actions on behalf of the user, so it will appear in the connected apps section of your site.

As a cloud administrator, you can use the connected apps screen to manage apps to which a user has granted access to content on the site using three-legged OAuth (3LO). Learn more on Manage your users' third-party apps.

Blocking 3LO app installations

This is the admin page you will use to manage this new feature for your site.
1. Click through to your organization or site
2. Select Products from the top menu
3. Select your site from the left-hand menu
4. Select Connected apps from the left-hand menu. It's useful to save this URL or keep it open, as you will be coming back here.
5. The new User installed apps control feature will be visible at the bottom of the screen

Installing a 3LO app

3LO apps are installed by clicking a "distribution link", which takes you to a consent screen to approve the installation of the app with the requested permissions/API scopes. Once you approve the app on the consent screen, it is granted a user-specific token which it can use to call product REST APIs on the site in which it was installed.

Understanding what apps are installed

Site admins can see the apps that have been connected to their site. These apps are visible under Products → Site → Connected apps.

Revoking app access

Aside from managing single users, cloud administrators can uninstall apps from an Atlassian site. This process removes all user access to the app. Uninstalling or revoking access to the app affects users immediately, so you should warn your users that they will lose access before performing this action.
Selecting Uninstall for an app removes all users' access and then uninstalls the app. Users are removed in batches, and it takes time to remove a large number of users. You can monitor the progress from the connected apps screen. Once all users are removed, the app is uninstalled.
Figure: Uninstall or revoke access to 3LO apps
