General

When building an app with Atlassian Forge, developers have to comply with various guidelines and meet specific responsibilities that emerge from the https://developer.atlassian.com/platform/forge/shared-responsibility-model. The shared responsibility model for Atlassian Forge extends the more general https://developer.atlassian.com/developer-guide/cloud-shared-responsibility-model/.

On this page we will provide some extended information on how we comply with those responsibilities regarding Agile Hive for Jira Cloud.

Forge Shared Responsibility Model

As of 26 Sep 2023, the Shared Responsibility Model for Forge apps (available at https://developer.atlassian.com/platform/forge/shared-responsibility-model) includes the categories and responsibilities listed below.

Responsibility	Custom UI	UI kit	Web triggers
App elements
Authentication of requests to the app	Atlassian	Atlassian	You
Authorization of requests to the app	Atlassian & You	Atlassian & You	You
Input validation and output encoding	You	Atlassian & You	You
Application logic	You	You	You
Application framework	Atlassian & You	Atlassian	Atlassian
Data storage	Atlassian & You	Atlassian & You	Atlassian & You
Software development lifecycle (SDLC) activities	Atlassian & You	Atlassian & You	Atlassian & You
Tenant safety	Atlassian	Atlassian	Atlassian
Operational elements
Logging	Atlassian & You	Atlassian & You	Atlassian & You
Monitoring and alerting	Atlassian	Atlassian	Atlassian
Network security	Atlassian	Atlassian	Atlassian
Runtime/Server security	Atlassian	Atlassian	Atlassian
Vulnerability management and disclosure	Atlassian & You	Atlassian & You	Atlassian & You
Bug bounty	Atlassian & You	Atlassian & You	Atlassian & You
Security incident response	Atlassian & You	Atlassian & You	Atlassian & You
Disaster recovery	Atlassian & You	Atlassian & You	Atlassian & You
Security features
User identity and access management	Atlassian	Atlassian	Atlassian
DoS protection	Atlassian	Atlassian	Atlassian
Abuse prevention	Atlassian & You	Atlassian & You	Atlassian & You

Addressing responsibilities in Agile Hive development

In the sections below we provide additional details on specific responsibilities from the Forge Shared Responsibility Model as of 26 Sep 2023.

Authorization of requests to the app

Atlassian documentation

Ensure that every request made to the application is sufficiently authorized.

Your responsibilities

You must use asUser() whenever you are performing an operation on behalf of a user. This ensures your app has at most the permissions of the calling user.
Before making calls asApp(), you must verify expected permissions (for example, from product context) with the permissions REST APIs before making the request.

Atlassian's responsibilities

Obtain user consent for asUser() calls before invoking your Forge application.
Ensure that only users with access to the site can interact with apps.

How we address those responsibilities

The asUser option is used as the standard method to make requests. This ensures that we minimise risks regarding violations to permissions set in Jira. The asApp option is only used where absolutely necessary (some Jira API endpoints are only functional via asApp requests) and requires additional security review.

Data storage

Atlassian documentation

Ensure that data is appropriately stored and read by your app.

Your responsibilities

Ensure that sensitive security data, such as pre-shared keys, API keys, or encryption keys are not hardcoded in the source code. Secure storage, such as encrypted environment variables, should be used to supply keys at runtime.
Ensure that keys are rotated on a regular basis. You should rotate sensitive API keys at least every 90 days.
Ensure that authorisation controls exist to segregate data access between different user roles within the same tenant.

Atlassian's responsibilities

Encrypt data at rest for data stored within Forge app storage.
Segregate data storage to prevent cross-tenant access. This includes Forge app storage.

How we address those responsibilities

We currently do not store keys or secrets of any kind and do not store any data on external systems. Additionally, an automated scanner checks the code base for any potential keys or secrets.

Software development lifecycle (SDLC) activities

Atlassian documentation

Apply secure software development practices when building and maintaining your app.

Your responsibilities

Periodically scan for vulnerabilities in third-party dependencies using tools, such as OWASP Dependency-Check or other similar tools.
Perform regular threat modeling to identify and prioritize threats that may impact the security of your app.
Perform static analysis of your app to identify patterns of insecure code.

How we address those responsibilities

We use Dependency-Track and better-npm-audit to continually check our app for vulnerable components.

Threat modeling is part of the annual security analysis carried out by the designated security champions of our company.

During development, sonarlint is used for static code security analysis.

Logging

Atlassian documentation

Your responsibilities

Ensure your application does not log personally identifiable information (PII), authentication tokens, and user-generated content (UGC), or confidential data.

Atlassian's responsibilities

Maintain robust logging that includes an audit trail of actions performed by an app.
Restrict access to logs based on organization permissions.

How we address those responsibilities

Logging is strictly limited to non-sensitive data and ensured by review.

Vulnerability management and disclosure

Atlassian documentation

Your responsibilities

Mitigate application security vulnerabilities within the set timelines.
Promptly notify Atlassian of security vulnerabilities discovered in your app in accordance with the Marketplace partner agreement.

Atlassian's responsibilities

Disable applications that haven't mitigated vulnerabilities within the set timelines.
Mitigate security vulnerabilities in the platform within the Security bug fix policy.
Communicate with Marketplace partners about vulnerabilities in the platform or applications that may affect their apps.

How we address those responsibilities

Security vulnerabilities are treated as highest priority tickets and released on fix. Notifications to Atlassian are part of the security incident response plan.

Security incident response

Atlassian documentation

Your responsibilities

Establish a security incident response plan , so you are better prepared to respond to security breaches and incidents.
Promptly notify Atlassian upon discovery of any security incident in accordance with the Atlassian developer terms.
Keep developer account contact information up to date for security incidents.

Atlassian's responsibilities

Maintain a security incident response plan that includes the ability to detect and respond to apps.
Identify, detect, and respond to security incidents.

How we address those responsibilities

We have a security incidence response plan that matches the requirements outlined by Atlassian and is designed to be compliant with the ISO 27001 standard.

Link to this page: https://seibert.biz/ahc-forge-shared-responsibility-model