Compliance with data privacy regulations and security standards is among the top priorities for modern businesses. While large enterprise-level products like Jira Software are usually quite adept at meeting the ever-rising demands, the third-party apps available on the Atlassian Marketplace can introduce risks and vulnerabilities of their own.
In this article, we will talk about a proven method for screening third-party apps.
The first screening
Think of the first screening as a general introduction to the vendor: the initial step in your security research, comparable to the background check most businesses run before their first interaction with a potential vendor.
What is the Marketplace Security tab?

The Security tab is a relatively new addition to Atlassian Marketplace app listings. It is designed to help Atlassian customers choose a reliable vendor.
In essence, the tab is a simpler way of checking such things as:
- What data is stored and processed by the vendor
- Which Data Residency options are available
- The permissions (scopes) the app requires to function
- Any compliance certifications
- The Privacy Policy and the Data Processing Agreement (DPA)
- Whether the vendor participates in Atlassian's Bug Bounty program
- Etc.
Browsing through the Security tab is a good first step toward ensuring the vendor meets your expectations and security requirements.
Pro tip: Keep an eye on when the information in the Security tab was last updated. The content is provided by the vendor, so a stale entry may no longer describe the current version of the app.
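The permissions listed on the Security tab come from the app's own descriptor. For an Atlassian Connect app that is the `scopes` array in atlassian-connect.json, and the `baseUrl` and `webhooks` entries show where the data goes and which events are shipped there. The script below is an added example (not code from the original article or from Atlassian) that reviews such a descriptor offline; the descriptor it parses is a constructed sample for a hypothetical app, and the "accept READ and WRITE without a justification" threshold is an assumption you should set to your own policy.

```python
import json

# Atlassian Connect scopes, lowest to highest privilege (Atlassian's documented
# set). ACT_AS_USER is not on this ladder: it lets the app call the REST API as
# the user who triggered the action, so it is flagged on its own.
SCOPE_RANK = {
    "READ": 1,
    "WRITE": 2,
    "DELETE": 3,
    "PROJECT_ADMIN": 4,
    "SPACE_ADMIN": 4,   # Confluence counterpart of PROJECT_ADMIN
    "ADMIN": 5,
}

# Constructed sample descriptor for a hypothetical app (not a real listing).
SAMPLE_DESCRIPTOR = json.dumps({
    "key": "com.example.hypothetical-reporter",
    "name": "Hypothetical Reporter",
    "baseUrl": "https://reporter.example.com",
    "scopes": ["read", "write", "admin", "act_as_user"],
    "modules": {
        "webhooks": [
            {"event": "jira:issue_created", "url": "/hooks/issue"},
            {"event": "jira:issue_updated", "url": "/hooks/issue"},
        ]
    },
})


def review_descriptor(descriptor_json: str, max_rank: int = 2) -> dict:
    """Summarise what a Connect descriptor asks for and flag anything above max_rank.

    max_rank=2 (an assumed policy) accepts READ and WRITE without a
    justification; DELETE and above, ACT_AS_USER, and unknown scopes become
    findings to raise with the vendor.
    """
    d = json.loads(descriptor_json)
    scopes = [s.upper() for s in d.get("scopes", [])]
    findings = []
    for scope in scopes:
        rank = SCOPE_RANK.get(scope)
        if scope == "ACT_AS_USER":
            findings.append("ACT_AS_USER: app can call the API as the acting user")
        elif rank is None:
            findings.append(f"{scope}: not a known Connect scope, ask the vendor")
        elif rank > max_rank:
            findings.append(f"{scope}: exceeds accepted privilege level, ask for justification")
    # Webhook subscriptions show which events (and therefore which issue data)
    # are sent to the vendor's baseUrl as soon as the app is installed.
    events = [w.get("event") for w in d.get("modules", {}).get("webhooks", [])]
    return {
        "key": d.get("key"),
        "data_destination": d.get("baseUrl"),
        "scopes": scopes,
        "webhook_events": events,
        "findings": findings,
        "needs_vendor_follow_up": bool(findings),
    }


if __name__ == "__main__":
    print(json.dumps(review_descriptor(SAMPLE_DESCRIPTOR), indent=2))
```

Run it against the descriptor of the app you are evaluating (the `atlassian-connect.json` the vendor serves from its baseUrl) and carry the findings into the "Can you explain why you need the access you asked for?" question of the questionnaire below. Forge apps declare their scopes in a manifest rather than a Connect descriptor, so this particular parser does not apply to them.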
Atlassian Security Programs

Atlassian runs dedicated security programs for Marketplace vendors. These programs are designed to verify whether vendors can offer reliable, scalable, and secure solutions to their customers.
- Cloud Fortified: A Cloud Fortified badge indicates that an app participates in all six of Atlassian’s cloud app security programs and undergoes additional checks for service reliability and performance.
- Bug Bounty: The Marketplace Bug Bounty Program is hosted on Bugcrowd, a SaaS platform built to crowdsource vulnerability discovery from a global pool of talented security researchers.
Legal documentation
In our experience, many clients ask vendors about information that is already covered in the vendor's legal documents. While this is a common practice (and it definitely has its benefits), I'd still suggest reading the vendor's legal documentation thoroughly first.
Why? First, you will be much more closely familiar with their offering, so you can ask better and more precise questions when you contact the vendor through email or their vendor portal. Secondly, you will be relying on documents the vendor is bound by rather than taking the vendor's word for it.
These documents can be found either on the app's listing page on the Marketplace, under the Privacy and Security section, or on the vendor's own site. You can also request them directly from the vendor's support team.
- Privacy policy
- Data Processing Agreement
- Data Breach Policy
- Security Policy
- Service Agreement
The second screening
In most cases, the first screening should be enough to give an adequate idea regarding the vendor’s compliance with your security requirements. That being said, some businesses will require additional screening.
The second screening involves a much more thorough review of the legal documentation and closer interaction with the vendor.
Requesting information about the vendor's certifications is probably the next logical step.
I’d suggest paying the most attention to the following two certifications:
- SOC 2: SOC 2 is an attestation framework, part of the System and Organization Controls (SOC) suite developed by the American Institute of Certified Public Accountants (AICPA), under which an independent auditor reports on a service organization's controls against the Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy). Customers and business partners of outsourced solution providers often request a SOC 2 report for assurance that adequate systems and controls are in place to protect critical business information. Ask for the report itself rather than a badge, and note whether it is Type I (controls described at a point in time) or Type II (controls tested over a period, typically 6 to 12 months); Type II is the stronger evidence.
- ISO 27001: Conformity with ISO/IEC 27001 means that the organization has put in place an information security management system (ISMS) to manage risks to the data it owns or handles, and that this system follows the practices, principles, and controls set out in the standard. Ask for the certificate and check its scope, validity dates, and the certification body, since a certificate may cover only part of the vendor's operations.

Ask whether the vendor has had independent security testing (such as a penetration test) over the past year. If so, request the report or a summary letter and check the following:
- Whether the vulnerabilities found have been fixed,
- If not, what their severity is and when remediation is planned
A Security Questionnaire template
Below are two security questionnaires you can copy to streamline your screening process with Atlassian Marketplace vendors.
Information on data transmission and data storage:
- Where are the cloud service servers located, and who operates them?
- Do you take backups?
- And if yes, where are the cloud computing provider’s backup servers located, and who operates them?
- How is the data stored? Is it encrypted at rest, and how are the keys managed?
- How does data transmission take place? Is it encrypted in transit (e.g. TLS)?
- How long do you retain the data (main data and the backup) after the app is removed from Jira Cloud?
- Are there any security measures in place that ensure the stored data is not accessible to other customers?
- Who can access the data (customer, employee, authorities, administrator, etc.)?
- Are data accesses/changes logged?
- Do you keep audit logs for 1 year? (e.g. Who did what, who has access to what)
- What measures are taken to prevent data loss?
- Do you have a stated need for all permissions requested?
- Can you explain why you need the access you asked for?
Information on security mechanisms:
- Do you have a Security team?
- If so, could we please have the security team’s contact information?
- Is there an IT security concept? How often is this updated?
- What security measures are in place (malware scanning, firewalls, protection against DDoS, etc.)?
- Is there an emergency concept in case of data loss, server failure, or data theft?
- Have you had a security breach in the last 3 years?
- If yes, could you share details and/or a report of that with us?
- Is multi-factor authentication (MFA) required for employees/contractors to log on to production systems via the internal network and remote access?
- How do your staff access your services? Is authentication required for everyone?
- Have you conducted any external pen tests?
- If yes, which Pen test provider did you use?
- If yes, how many vulnerabilities were found in your last report, and how long did it take to fix them?
- Do you have any certifications? (e.g. ISO 27001, PCI DSS, a SOC 2 report, etc.)
- Do you have a security awareness program in place? (Phishing, training in security awareness for your employees)
Managing security in Jira with a checklist
If you are already managing your security processes in Jira, an app like Smart Checklist can be a valuable asset.
- You can ensure that not a single step of the security screening process is skipped by listing the steps in your Jira issues.
- You can configure and reuse your checklists as templates. This works with Automation for Jira as well.
- You can make your own checklist templates immutable, ensuring that your team will have an easier time going through a security or compliance audit.
You can turn the following checklist into a template with Smart Checklist for Jira. You can simply copy-paste this checklist after installing the app:
## Vendor security compliance checklist
– Check the Security Tab
– Identify Data Residency
– Check the time of the last update
– Review legal documentation
> * Privacy Policy
> * Security Policy
> * Service agreement
– Is the app Cloud Fortified?
– Is the app a member of the Bug Bounty program?
– Reach out to the vendor
> * Request information on data transmission and data storage [questionnaire]
> * Request information on security mechanisms [questionnaire]
