
Trello security review

Created:  11 Jun 2018
Updated:  11 Jun 2018
A security review of the Trello Kanban-style collaboration tool, based on the NCSC's SaaS security principles.

Trello is a collaboration tool which uses Kanban-style boards to organise projects and teams.
How Trello performs against the SaaS Principles

| Question | Answer | Detail |
| --- | --- | --- |
| Does the SaaS provider protect external data in transit using TLS? | Yes | According to their security page, all Trello traffic runs over TLS. |
| Does the SaaS provider protect external data in transit using correctly configured certificates? | Yes | Trello meets the recommended cryptographic profiles for TLS as published by the NCSC. Trello currently gets an 'A+' rating from SSL Labs. Note that this test was performed on their top-level domain, not on all subdomains that may be used for API calls. |
| Does the SaaS provider protect internal data in transit between services using encryption? | Unknown | At this time, it is unknown whether Trello protects internal data in transit using encryption. |
| Does the SaaS provider protect internal data in transit between services using correctly configured certificates? | Unknown | At this time, it is unknown whether Trello protects internal data in transit using correctly configured certificates. |
| If APIs are available, does the SaaS provider protect both internal and external APIs through an authentication method? | Yes | According to their documentation, Trello's API uses OAuth. |
| If there is a concept of privilege levels in the service, does the SaaS provider have the ability for low-privilege users to be created? | Yes | Multiple permission levels exist in Trello and can be applied on a per-board basis. |
| If there is a concept of privilege levels, does the SaaS provider provide 2FA/multi-factor authentication on at least the high-privileged accounts? | Yes | Trello allows users to enable multi-factor authentication on their accounts via SMS or a one-time password (OTP) generated by an authenticator app. |
| Does the SaaS provider collect logs of events? Types of log may include security logs and resource logs. | Unknown | At this time, it is unknown whether Trello collects logs of events. |
| Does the provider make logs available to the client? | No | Trello currently advertises no way of providing logs to a client. |
| Does the SaaS provider have a clear incident response and patching system in place to remedy any publicly reported issues in their service, or in libraries that the service makes use of? The provider's previous track record on this is a good metric to see how they'll cope with a new issue occurring. | Yes | HackerOne is currently used by Trello for reporting and patching of vulnerabilities. |
| Does the SaaS provider give clear and transparent details on their product and the implemented security features (i.e. how easy has it been to answer the above questions)? | Partially | Most information gathered has been obtained from documentation articles, by interacting with the service or by running external tests. Trello currently does not publish detailed descriptions of its security architecture. |
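The certificate row above notes that the SSL Labs result covers the top-level domain only, not the subdomains a client's API calls may use. The script below is an added example of how a client organisation could close that gap for itself; it is not part of the NCSC review or a Trello tool, and the host list and the minimum profile it checks against (TLS 1.2 or later, forward-secret key exchange, AEAD cipher, unexpired certificate) are assumptions for illustration.

```python
import socket
import ssl
import time

# Assumed host list for illustration; the review only names the top-level domain.
HOSTS = ["trello.com", "api.trello.com"]

# Assumed minimum profile, approximating the NCSC TLS guidance the review refers to.
ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def assess(version, cipher, not_after_ts):
    """Judge one observed handshake: returns (ok, list of reasons it fell short)."""
    reasons = []
    if version not in ACCEPTED_VERSIONS:
        reasons.append(f"protocol {version} is below TLS 1.2")
    if version != "TLSv1.3":  # every TLS 1.3 suite is already ECDHE + AEAD
        if not cipher.startswith("ECDHE"):
            reasons.append(f"cipher {cipher} lacks forward secrecy")
        if not any(m in cipher for m in AEAD_MARKERS):
            reasons.append(f"cipher {cipher} is not an AEAD suite")
    if not_after_ts <= time.time():
        reasons.append("certificate has expired")
    return (not reasons, reasons)


def probe(host, port=443, timeout=5):
    """Handshake with host, verifying chain and hostname, then assess what was negotiated."""
    ctx = ssl.create_default_context()  # system trust store, hostname check enabled
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                not_after_ts = ssl.cert_time_to_seconds(cert["notAfter"])
                return assess(tls.version(), tls.cipher()[0], not_after_ts)
    except (ssl.SSLError, OSError) as exc:
        # A failed verification or an unreachable host is itself a finding to record.
        return (False, [f"handshake failed: {exc}"])


if __name__ == "__main__":
    for h in HOSTS:
        ok, reasons = probe(h)
        print(f"{h}: {'OK' if ok else 'FAIL'} {'; '.join(reasons)}")
```

Run it from the network position your users actually connect from, since the result reflects the server configuration as negotiated with that client.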

Exporting data

Trello supports exporting board data in JSON format.
