We’re investing in enterprise-ready improvements. Learn more about our pricing update →

🔎 Struggling to manage Confluence pages? Stay organized with Pages Manager! Learn more >

Excel‑like Bulk Issue Editor for Jira Now Runs on Atlassian! Read all about it >

Get Started
Get Started
All Posts

Are we asking too little of Atlassian Marketplace Apps?

Aug 25, 2025 • 4 min read

Topic

  • Security & Compliance

Tags

Author

Poju Yap

In This Blog

The app marketplace has grown up. Have our expectations grown with it?

The Atlassian Marketplace today is not the same place it was five years ago. What began as a space for handy scripts and UI add-ons has evolved into a critical part of how companies customize Jira and Confluence for real business needs, especially in cloud environments.

But there’s a problem. While the ecosystem has matured, too often the buying behavior has not.

Ask yourself:

  • Are you still evaluating apps like isolated tools rather than strategic cloud extensions?
  • Are security and compliance checklists stuck in the “does it install?” mindset?
  • Are you asking the right questions about architecture, hosting, data access, and ongoing security?

If not, it might be time for a reset.

We’ve moved beyond “It works”

For years, installing an app on Jira or Confluence often boiled down to “does it solve my problem?” And to be fair, that was enough when most tools ran on on-prem servers, or when data concerns were limited to internal firewalls.

But in a world where your teams rely on cloud apps every day, the stakes are different. Your apps are now part of your company’s digital infrastructure. That means:

  • They touch sensitive customer and operational data
  • They can introduce performance and availability risks
  • They may become part of your compliance obligations

Saying “it works” is no longer the bar. Now, we need to ask: Is it secure, compliant, transparent, and sustainable?

The New Standard: What Buyers Should Expect in 2025 and Beyond

Here’s what modern, security-aware buyers are starting to demand, and what all of us should be asking of our app vendors:

Built for the Cloud, not just ported to it

Look for apps built on Atlassian Forge, which run entirely within Atlassian’s infrastructure. This reduces third-party hosting risks and makes data residency easier to manage.

Full Atlassian-hosted architecture

Apps that Run on Atlassian are hosted, operated, and monitored entirely within Atlassian’s cloud; offering better alignment with platform-level security and support.

Proactive, Not Passive, Security

Ongoing testing like participation in the Marketplace Security Bug Bounty program shows a vendor’s commitment to keeping your environment secure over time, not just at launch.

Clear communication

Vendors should offer public-facing trust pages, incident disclosure policies, and transparent documentation. If you can’t easily find this, it’s a red flag.

What happens when we don’t raise the bar?

When buyers continue to accept apps with vague hosting models, unknown support quality, or minimal security testing, the result is:

  • Increased audit and review overhead
  • Higher procurement friction
  • Greater likelihood of shadow IT
  • Unclear ownership when incidents occur

More importantly, it sets a precedent where good-enough is good enough, and vendors stop striving for better.

What happens when we do raise the bar?

On the flip side, when buyers demand higher standards, good things happen:

  • Atlassian expands and enforces programs like Cloud Fortified and Runs on Atlassian
  • Vendors adapt to build more secure, cloud-native apps
  • Admins and IT leaders spend less time reviewing and more time enabling teams
  • Teams consolidate on trusted vendors, reducing risk and complexity

Ricksoft’s Perspective: We’re in this with you

At Ricksoft, we don’t just meet these higher standards, we believe in them.

We’ve transitioned several of our most popular apps to the Forge architecture, earned the Runs on Atlassian and Cloud Fortified badges, and actively participate in Atlassian’s Bug Bounty program.

This isn’t about chasing labels. It’s about building the kind of trust that buyers, admins, and compliance teams deserve.

You can explore our security practices and qualifying apps on our Security & Compliance Hub or visit our Trust Center for third-party verified controls.

Demand better, build better

If you’re an app buyer, it’s time to raise the bar.
If you’re a vendor, it’s time to build to that higher bar.

The ecosystem depends on both.

So the next time you’re evaluating an app on the Marketplace, don’t just ask if it works. Ask if it’s ready for your cloud environment. Because in 2025, that’s the only kind of app that should make the cut.

Related Articles