I'll be honest, we don't have formal documentation that we can point you to about how we concern ourselves with secure coding for Statuspage. Also, we haven't had an external pen test for about 2 years now.
However, there are a number of things we do as an Atlassian product related to security.
1. Atlassian has an internal security team and that team runs network and XSS scanners on the product regularly.
2. We run a public bug bounty program and we conform to strict internal SLAs around addressing the issues raised. The SLAs vary based on the severity of the vulnerability.
3. We run our infrastructure on the internal Atlassian PaaS which has been built from the ground up with security in mind and which has passed many internal and external security audits. Using this PaaS means that every deploy we do spins up a new set of AWS EC2 instances, so our running instances are never long-lived. It's also the case that none of these instances have public remote access.
4. We also conform to a SOX compliant coding standard that Atlassian has adopted. All code that is deployed must go through peer code review and receive two independent approvals before being deployed.
Our developers do not receive any special secure coding training but we do have very senior engineers that have worked on products at scale on the team.
I hope this information helps a bit and I'm sorry I don't have more concrete information to share.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.