Security Risk? Bitbucket integration with Vanta

Toan Duong September 9, 2024

Hi All, 

We are working with a vendor on a compliance project. One of their tools integrates with Bitbucket and checks for misconfigured settings, etc. I was wondering if anyone has come across this and could offer some advice as far as security risks regarding the integration go? We obviously don't want to make something more secure by opening up another hole :)

From their website:

Overview
Automates the collection of evidence for your code repository configurations, pull request workflows, and security issue tracking.

Automation
Automates 11 tests and 7 controls

Permissions
Vanta requires read-only access to your account information, team membership, repositories, issues, pull requests.

We also request permission to administer your repositories to check branch protection. There is currently no read-only access for this.


Any insights are helpful. Thank you!

2 answers

1 vote
Aron Gombas _Midori_
Community Leader
September 10, 2024

We are using Vanta and allowed them to access our Bitbucket Cloud workspace. It is obviously a security risk, but as @marc -Collabello--Phase Locked- noted, these tools need access to check for misconfigured settings and such. We just accepted it and trust them.

Note that Vanta will ask for access to a lot of other possibly even more critical systems in your infrastructure, not only e.g. Jira Cloud, but even on the PaaS level (AWS)!

Toan Duong September 10, 2024

Yes, we are aware that they will have access to more critical systems. As far as Bitbucket goes, do you know if their integration actually has access to the code files?

0 votes
marc -Collabello--Phase Locked-
Community Leader
September 9, 2024

Obviously, adding Vanta is an additional security risk. However, maybe Vanta catches other security risks and implements required audit controls. This might be a net positive.

Toan Duong September 10, 2024

Yep. We are trying to assess the pros and cons of this integration. Thank you for your input.
