Security and trust have become increasingly important requirements for our customers in Cloud. We’re working to make it easier for you to build and maintain secure apps for Atlassian products. In this session, Engineering Team Lead Dugald Morrow and Principal Product Manager Joël Kalmanowicz will explain how security and trust have been baked into the Forge framework and the benefits the platform can offer you and your users. Learn how much less work it can be to build trusted apps customers will love on Forge by going deep on the safeguards we’re putting in place. Developers or attendees with some software security experience will get the most out of this session.

1. Trusted by Default
The Forge Security & Privacy Model
JOËL KALMANOWICZ | PRINCIPAL PRODUCT MANAGER
DUGALD MORROW | SENIOR ENGINEERING TEAM LEAD

3. Agenda
Why Trust Matters
Development Challenges
Security Model
Architecture
User Interface
Permits
Forge and Connect

4. Agenda
Why Trust Matters
Development Challenges
Security Model
Architecture
User Interface
Permits
Forge and Connect

5.
Matters
Trust

6. It would be amazing if Atlassian provided a
platform for deploying your apps, so that us
developers could worry less about security and
customers could have more trust in apps’
performance, security, and handling their data.
VITALII ZURIAN | CO-FOUNDER | LIZARD BRAIN

7. Certifications PlatformDevelopers
Sources of Trust

8. Certifications PlatformDevelopers
The people writing
code, hosting, and
running it
Sources of Trust

9. Certifications PlatformDevelopers
Third-party review:
SOC2, ISO, etc.
People writing code,
hosting, and running it
Sources of Trust

10.
hosting, and running it
People writing code,
Certifications PlatformDevelopers
Third-party review:
SOC2, ISO, etc.
Distributing code,
Sources of Trust

11.
hosting, and running it
Certifications PlatformDevelopers
Third-party review:
SOC2, ISO, etc.
People writing code, Distributing code,
Sources of Trust

12. Agenda
Why Trust Matters
Development Challenges
Security Model
Architecture
User Interface
Permits
Forge and Connect

13. Challenges in Building Trust
Simple,
secure auth
Performance &
reliability
Control &
transparency
Data
management

14. Challenges in Building Trust
Simple,
secure auth

15. Challenges in Building Trust
Secure storage
Simple,
secure auth

16. Challenges in Building Trust
Secure storage
JWT
Simple,
secure auth

17. Challenges in Building Trust
Secure storage
JWT
Token exchanges
Simple,
secure auth

18. Challenges in Building Trust
Performance &
reliability
Secure storage
JWT
Token exchanges
Simple,
secure auth

19. Challenges in Building Trust
Performance &
reliability
Varies
Simple,
secure auth

20. Challenges in Building Trust
Simple,
secure auth
Performance &
reliability
Varies
Customer trust

21. Challenges in Building Trust
Simple,
secure auth
Performance &
reliability
Data
management
Varies
Customer trust

22. Challenges in Building Trust
Simple,
secure auth
Performance &
reliability
Data isolation
Data
management

23. Challenges in Building Trust
Simple,
secure auth
Performance &
reliability
Data storage
Data isolation
Data
management

24. Challenges in Building Trust
Simple,
secure auth
Performance &
reliability
Data storage
Data isolation
Data egress
Data
management

25. Challenges in Building Trust
Simple,
secure auth
Performance &
reliability
Control &
transparency
Data
management
Data storage
Data isolation
Data egress

26. Challenges in Building Trust
Simple,
secure auth
Performance &
reliability
Control &
transparency
API restrictions
Data
management

27. Challenges in Building Trust
Simple,
secure auth
Performance &
reliability
Control &
transparency
API restrictions
User consent
Data
management

28. Agenda
Why Trust Matters
Development Challenges
Security Model
Architecture
User Interface
Permits
Forge and Connect

29. Forge Security Model

30. Forge Security Model
Hosted Apps

31. Forge Security Model
PermissionsHosted Apps

32. Forge Security Model
Managed auth
PermissionsHosted Apps

33. Forge Security Model
EnvironmentsManaged auth
PermissionsHosted Apps

34. Forge Security Model
Permits
EnvironmentsManaged auth
PermissionsHosted Apps

35. Hosted Apps
Forge Security Model
Secure &
trusted
Environments
Permissions
Managed auth
Permits

36. Agenda
Why Trust Matters
Development Challenges
Security Model
Architecture
User Interface
Permits
Forge and Connect

37. Node Runtime
App IsolateLifecycle Service
Invocation ServiceTrigger Service
Permissions
GraphQL Gateway
API Gateway
App Bundle
Product Server
(e.g. Jira)
Product Session
(Browser)
Micros AWS Account Forge AWS Account n
VPC
CLI
(developer’s machine)
Forge Architecture

38. Forge Architecture
Runtime
<<Node>>
Forge Services
Atlassian Products
and Services
App Developer
CLI
Events
Invocations
API Calls
API Calls
Events
(via Forge Services)
UI responses
Node Runtime
App IsolateLifecycle Service
Invocation ServiceTrigger Service
Permissions
GraphQL Gateway
API Gateway
App Bundle
Product Server
(e.g. Jira)
Product Session
(Browser)
Micros AWS Account Forge AWS Account n
VPC
CLI
(developer’s machine)

39. Forge Architecture
Forge Services
Atlassian Products
and Services

40. Forge Architecture
Forge Services
Atlassian Products
and Services
App Developer
CLI

41. Runtime
<<Node>>
Forge Architecture
Forge Services
Atlassian Products
and Services
App Developer
CLI
Events
Invocations

42. Runtime
<<Node>>
Forge Architecture
Forge Services
Atlassian Products
and Services
App Developer
CLI
Events
Invocations
Hosted

43. Runtime
<<Node>>
Forge Architecture
Forge Services
Atlassian Products
and Services
App Developer
CLI
Events
Invocations
Hosted
Reliable

44. Runtime
<<Node>>
Forge Architecture
Forge Services
Atlassian Products
and Services
App Developer
CLI
Events
Invocations
Hosted
Managed APIs
Reliable

45. Runtime
<<Node>>
Forge Architecture
Forge Services
Atlassian Products
and Services
App Developer
CLI
Events
Invocations
UI responses

46. Runtime
<<Node>>
Forge Architecture
Forge Services
Atlassian Products
and Services
App Developer
CLI
Events
Invocations
API Calls
UI responses

47. Runtime
<<Node>>
Forge Architecture
Forge Services
Atlassian Products
and Services
App Developer
CLI
Events
Invocations
API Calls
API Calls
UI responses

48. Runtime
<<Node>>
Forge Architecture
Forge Services
Atlassian Products
and Services
App Developer
CLI
Events
Invocations
API Calls
API Calls
Events
(via Forge Services)
UI responses

49. Runtime
<<Node>>
Forge Architecture
Forge Services
Atlassian Products
and Services
App Developer
CLI
Events
Invocations
API Calls
API Calls
Webhooks
(via Forge Services)
UI responses

50. Runtime
<<Node>>
Forge Architecture
Forge Services
Atlassian Products
and Services
App Developer
CLI
Events
Invocations
API Calls
API Calls
Webhooks
(via Forge Services)
UI responses

51. Runtime
<<Node>>
Forge Architecture
Forge Services
Atlassian Products
and Services
App Developer
CLI
Events
Invocations
API Calls
API Calls
Webhooks
(via Forge Services)
UI responses

52. Runtime
<<Node>>
Forge Architecture
Forge Services
Atlassian Products
and Services
App Developer
CLI
Events
Invocations
API Calls
API Calls
Webhooks
(via Forge Services)
UI responses

53. Runtime
<<Node>>
Forge Architecture
Forge Services
Atlassian Products
and Services
App Developer
CLI
Events
Invocations
API Calls
API Calls
Webhooks
(via Forge Services)
UI responses

54. Forge AWS Account
App Sandbox
Node Runtime
App Isolate
App Bundle
Runtime
<<Node>>

55. Node Runtime
App Isolate
App Bundle
App Sandbox
Forge AWS Account

56. Node Runtime
App Isolate
App Bundle
App Sandbox
Forge AWS Account

57. Node Runtime
App Isolate
App Bundle
App Sandbox
Forge AWS Account

58. Node Runtime
App Isolate
App Bundle
App Sandbox
Forge AWS Account

59. Node Runtime
App Isolate
App Bundle
Snapshot
App Sandbox
Forge AWS Account

60. Snapshot Creation
Polyfills
Webpack
App code + Forge API +
Snapshot

61. Snapshot Creation
Polyfills
Webpack
Snapshot
App code + Forge API +

62. Snapshot Creation
Polyfills
Webpack
Snapshot
App code + Forge API +
.asRequestUser()

63. Snapshot Creation
Polyfills
Webpack
Snapshot
App code + Forge API +
console.log()

64. Isolate
Polyfills
App code Polyfill API

65. Isolate
Runtime
Polyfills
App code Polyfill API
Implementation

66. Isolate
Runtime
Polyfills
App code
Atlassian Logging
Service
console.log
Polyfill API
Implementation

67. Isolate
Runtime
Polyfills
App code
hasDataEgressPermit(url)
fetch(url)
Polyfill API
Implementation

68. Data Isolation

69. Data Isolation
Customer A Customer B
App

70. Data Isolation
Customer A Customer B
App
data = global.cache[issueKey];
data.status = foo;
data = global.cache[issueKey];
data.status = bar;

71. Invocation Service
Node Runtime
App Bundle
App Isolate
CALL WITH CONTEXT1
CREATE FROM SNAPSHOT2
INVOKE FUNCTION3
Data Isolation

72. Invocation Service
Node Runtime
App Bundle
App Isolate
CALL WITH CONTEXT1
CREATE FROM SNAPSHOT2
INVOKE FUNCTION3
Data Isolation
1
2
3

73. Data Isolation
Invocation Service
Node Runtime
App Bundle
App Isolate
CALL WITH CONTEXT
INVOKE FUNCTION
1
3
CREATE FROM SNAPSHOT2 CREATE FROM SNAPSHOT2
1
2
3

74. Data Isolation
Customer A Customer B
App
Snapshot
App

75. Data Isolation
Customer A Customer B
App
Snapshot
App
data = global.cache[issueKey];
data.status = foo;
data = global.cache[issueKey];
data.status = bar;

76. Managed Requests
Isolate
Runtime
App code Forge API

77. Managed Requests
Isolate
Runtime
App code Forge API
Implementation

78. Managed Requests

79. Managed Requests
Secure Simple

80. Managed Requests
Secure SimpleTrust

81. api
.asRequestUser()
.withJiraPermit()
.request(‘/rest/api/3/issue/FOO-123');
Managed Requests

82. api
.asRequestUser()
.withJiraPermit()
.request(‘/rest/api/3/issue/FOO-123');
Managed Requests

83. api
.asRequestUser()
.withJiraPermit()
.request(‘/rest/api/3/issue/FOO-123');
Managed Requests

84. api
.asRequestUser()
.withJiraPermit()
.request(‘/rest/api/3/issue/FOO-123');
Managed Requests

85. api
.asRequestUser()
.withJiraPermit()
.request(‘/rest/api/3/issue/FOO-123');
Managed Requests
.withJiraPermit()

86. api
.asRequestUser()
.withJiraPermit()
.request(‘/rest/api/3/issue/FOO-123');
Managed Requests

87. api
.asRequestUser()
.withJiraPermit()
.request(‘/rest/api/3/issue/FOO-123');
Managed Requests

88. api
.asRequestUser()
.withJiraPermit()
.request(‘/rest/api/3/issue/FOO-123');
Managed Requests
.request(‘/rest/api/3/issue/FOO-123');
.withJiraPermit()

89. api
.asRequestUser()
.withJiraPermit()
.request(‘/rest/api/3/issue/FOO-123');
Managed Requests
.request(‘/rest/api/3/issue/FOO-123');

90. Agenda
Why Trust Matters
Development Challenges
Security Model
Architecture
User Interface
Permits
Forge and Connect

91. Runtime
<<Node>>
Trusted User Interface
Forge Services
Atlassian Products
and Services
App Developer
CLI
Events
Invocations
API Calls
API Calls
Events
(via Forge Services)
UI responses

92. Forge Services
Atlassian Products
and Services
Events
Invocations
UI responses
<json>
<user>
Trusted User Interface
Runtime
<<Node>>

93. App
<in runtime>
User eventsUI responses
<json>
Trusted User Interface
App UI
<Forge UI>

94. App
<in runtime>
Sandboxed
Trusted User Interface
App UI
<Forge UI>
User eventsUI responses
<json>

95. Declarative UI
Sandboxed
Trusted User Interface
App
<in runtime>
App UI
<Forge UI>
User eventsUI responses
<json>

96. No iframes
Declarative UI
Sandboxed
Trusted User Interface
App
<in runtime>
App UI
<Forge UI>
User eventsUI responses
<json>

97. No iframes
Trusted
Declarative UI
Sandboxed
Trusted User Interface
App
<in runtime>
App UI
<Forge UI>
User eventsUI responses
<json>

98. Agenda
Why Trust Matters
Development Challenges
Security Model
Architecture
User Interface
Permits
Forge and Connect

99. Permits
transparency of risk

100. Permits
transparency of risk

101. Permits
“democratized app installations”

102. Permits
Permissions for apps

103. Permits
Require consent
Permissions for apps

104. Permits
Scopes++
Permissions for apps
Require consent

105. Permits
Scopes++
Permissions for apps
Require consent
“consent to risk”

106. App Permit
0..*
“consent to risk”
PermitsModel

107. App Permit
0..*
Options
0..*
Permits Model

108. Data egressAPI enrollment
Permit Categories

109. Permits: API Enrollments
Product APIs
Jira, Confluence, etc

110. Permits: API Enrollments
Product APIs
Jira, Confluence, etc
OAuth scopes
app & user

111. Permits: API Enrollments

112. Permits: API Enrollments
Permit
Jira
Confluence

113. Permits: API Enrollments
Scopes
app
app
Permit
Jira
Confluence

114. Permits: API Enrollments
Permit Scopes
Jira
Confluence
app
user
app
user

115. Permits: API Enrollments
GrantedPermit Scopes
Jira
Confluence
app
user
app
user

116. Permits: API Enrollments
GrantedPermit Scopes
Jira
Confluence
app
app
user
user

117. Permits: API Enrollments
Granted
Installation in Jira
Installation in Confluence
Permit Scopes
Jira
Confluence
app
user
app
user

118. Permits: API Enrollments
GrantedPermit Scopes
Jira
Confluence
Installation in Jiraapp
First user request to Jirauser
Installation in Confluenceapp
user First user request to Confluence

119. Permits: Data Egress

120. Permits: Data Egress

121. Permits: Data Egress
Network Egress Web Trigger Response
User Agent Egress Entity Egress

122. Permits: Data Egress
Network Egress Web Trigger Response
User Agent Egress Entity Egress

123. Permits: Data Egress
Network Egress
Origin(s)

124. Permits: Data Egress
Network Egress Web Trigger Response

125. Permits: Data Egress
Network Egress Web Trigger Response
Context selection

126. Permits: Data Egress
Network Egress Web Trigger Response
Context selection
API enrollment

127. Permits: Data Egress
Network Egress Web Trigger Response
Origin(s)
Context selection
API enrollment

128. Permits: Data Egress
Network Egress Web Trigger Response
User Agent Egress

129. Permits: Data Egress
Network Egress Web Trigger Response
User Agent Egress
Origin(s)

130. Permits: Data Egress
Network Egress Web Trigger Response
User Agent Egress Entity Egress

131. Permits: Data Egress
Network Egress Web Trigger Response
Entity EgressUser Agent Egress
Issues
Spaces
Boards
etc

132. Permits: Data Egress
Network Egress Web Trigger Response
Entity EgressUser Agent Egress
PRIV-123
PUB-456

133. Permits: Data Egress
Network Egress Web Trigger Response
Entity EgressUser Agent Egress
Entitity type(s)

134. Permits: Declaration
App manifest

135. Permits: Declaration
permits:
- jira-api:
app-scopes:
- read
write
confluence-api:
user-scopes:
- write
network-egress:
origins:
- https://api.nasa.gov/
App manifest

136. permits:
- jira-api:
app-scopes:
- read
write
confluence-api:
user-scopes:
- write
network-egress:
origins:
- https://api.nasa.gov/
Permits: Declaration
4 permits

137. Permits: Declaration
permits:
- jira-api:
app-scopes:
- read
write
confluence-api:
user-scopes:
- write
network-egress:
origins:
- https://api.nasa.gov/
Read & write as app user

138. Permits: Declaration
permits:
- jira-api:
app-scopes:
- read
write
confluence-api:
user-scopes:
- write
network-egress:
origins:
- https://api.nasa.gov/
Write to Confluence
with impersonation

139. Permits: Declaration
permits:
- jira-api:
app-scopes:
- read
write
confluence-api:
user-scopes:
- write
network-egress:
origins:
- https://api.nasa.gov/
NASA integration

140. Permit Examples

141. App Permit
0..*
Options
0..*
Permit Examples

142. Permits Example: Update issue app
App Permit
0..*
Options
0..*
Update issue app

143. Permits Example: Update issue app
App Permit
0..*
Options
0..*
Update issue app jira-api

144. Permits Example: Update issue app
App Permit
0..*
Options
0..*
Update issue app Scopes: read, writejira-api

145. Permits Example: Update issue app
App Permit
0..*
Options
0..*
Update issue app Scopes: read, writejira-api

146. Permits Example: Ping issue app
App Permit
0..*
Options
0..*
Ping issue app

147. Permits Example: Ping issue app
App Permit
0..*
Options
0..*
Scopes: readjira-api
Ping issue app

148. Permits Example: Ping issue app
App Permit
0..*
Options
0..*
Ping issue app
URLs: slack.com
Scopes: readjira-api
network-egress

149. Permits Example: Row totals
App Permit
0..*
Options
0..*
Row totals app

150. App Permit
0..*
Options
0..*
Scopes: readconfluence-api
Permits Example: Row totals
Row totals app

151. Permits Example: Row totals
App Permit
0..*
Options
0..*
Scopes: readconfluence-apiRow totals app

152. Apps with no Permits

153. Apps with no Permits
“consent to risk”

154. Apps with no Permits
“consent to risk”

155. No API access
Apps with no Permits

156. No API access No data egress
Apps with no Permits

157. No API access No data egress User Interfaces
Apps with no Permits

158. No API access No data egress User Interfaces109876543210
Apps with no Permits

159. Apps with no Permits

160. Completely trusted app capabilitiesApps with no Permits

161. Completely trusted app capabilities
API read access No data egress User Interfaces

162. Completely trusted app capabilities
API read access No data egress User Interfaces

163. Completely trusted app capabilities
API read access No data egress User Interfaces

164. Completely trusted app capabilities
API read access User InterfacesNo data egress
Isolated data store

165. Completely trusted app capabilities
API read access User Interfaces
No data egress Isolated data store

166. Summary
Hosted apps
Trusted UX
“trusted baseline”

167. Summary
Hosted apps
Trusted UX
“trusted baseline”
Data egress
API access
“consent to risk”

168. Summary
“trusted baseline”
Trusted UX
Hosted apps
Local data store Data egress
API access
“consent to risk”
Read API access

169. Summary
Trusted UX
Hosted apps
Local data store Data egress
API access
“consent to risk”
“trusted baseline”
Read API access

170. Data egress
API access
“consent to risk”
Trusted UX
Hosted apps
Local data store
“trusted baseline”
Read API access
Summary
“democratized app installation”

171. Agenda
Why Trust Matters
Development Challenges
Security Model
Architecture
User Interface
Permits
Forge and Connect

172. Forge and Connect
Connect Forge

173. Connect Forge
Sandboxing:
Forge and Connect

174. Comparison with Connect
iframe + app servers
Connect Forge
Sandboxing:

175. Connect Forge
iframe + app servers Hosted functionsSandboxing:
Comparison with Connect

176. Connect Forge
iframe + app servers Hosted functions
Opaque
Sandboxing:
Data egress:
Comparison with Connect

177. Connect Forge
iframe + app servers Hosted functions
TransparentOpaque
Sandboxing:
Data egress:
Comparison with Connect

178. iframe + app servers Hosted functions
Transparent
Connect Forge
Opaque
Sandboxing:
Data egress:
DiverseFlexibility:Functionality:
Comparison with Connect

179. iframe + app servers Hosted functions
Transparent
Connect Forge
Opaque
Sandboxing:
Data egress:
Diverse SpecificFunctionality:
Comparison with Connect

180. Recap
Why Trust Matters
Development Challenges
Security Model
Architecture
User Interface
Permits
Forge and Connect

181.
hosting, and running it
Sources of Trust
Certifications PlatformDevelopers
Third-party review:
SOC2, ISO, etc.
People writing code, Distributing code,

182. Challenges in Building Trust
Simple,
secure auth
Performance &
reliability
Control &
transparency
Data
management

183. Hosted Apps
Forge Security Model
Secure &
trusted
Environments
Permissions
Managed auth
Permits

184. Runtime
<<Node>>
Forge Architecture
Forge Services
Atlassian Products
and Services
App Developer
CLI
Events
Invocations
API Calls
API Calls
Webhooks
(via Forge Services)
UI responses

185. Node Runtime
App Isolate
App Bundle
Architecture: App Sandbox
Forge AWS Account

186. Trusted User Interface
No iframes
Sandboxed
Trusted
Declarative UI
App
<in runtime>
User eventsUI responses
<json>
App UI
<Forge UI>

187. Data egress
API access
“consent to risk”
Permits: Summary
Hosted apps
Trusted UX
“trusted baseline”

188. iframe + app servers Hosted functions
Transparent
Connect Forge
Opaque
Sandboxing:
Data egress:
Diverse SpecificFunctionality:
Comparison with Connect

189. Thank you!
JOËL KALMANOWICZ | PRINCIPAL PRODUCT MANAGER
DUGALD MORROW | SENIOR ENGINEERING TEAM LEAD

190. Discussion

191. Snapshot Creation
Polyfills
Webpack
App code + Forge API +
Snapshot

192. Permits: Data Egress
Network Egress Web Trigger Response
Entity EgressUser Agent Egress
Entitity type(s)