Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root


1 badge earned


Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!


Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.


Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!


Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
Community Members
Community Events
Community Groups

Atlassian sponsors review of open source tool osquery

osquery is an open source tool that monitors systems and exposes their configuration through SQL tables. At Atlassian, we use osquery extensively in nearly all of our infrastructure to monitor hosts for potentially malicious activity as well as aid in investigations should an incident occur. As such, it is critical to both our detection & incident response teams in keeping Atlassian and its customers secure.

With any piece of software also comes risk, as it increases the attack surface available to an adversary. At Atlassian we believe in weighing the potential risks against the benefits and this is doubly true for software such as osquery which is deployed on nearly every workstation and server across our organisation. One way to reduce risk is by performing a security assessment to improve our confidence in the software we use.

Here at Atlassian our security team has extensive knowledge and experience in Java, NodeJS, Python, Golang and a few others, but we have very little expertise in C++ which is osquery’s main language. Rather than stumble around unfamiliar territory we decided to engage well-known cybersecurity research and consulting firm Trail of Bits who already partner with Atlassian on osquery feature development. With a reputation for high quality security reviews they share publicly, they were the right partner for us to perform this review and share it with the public as a contribution to the open source community.

Without further ado, here is the full review performed by Trail of Bits on osquery: ToB_Atlassian_osquery_Final_Report-2022-01.pdf 

If you’re interested in a high-level description of the findings, the overall take was that they did not uncover any serious vulnerabilities, but found several improvements necessary to mitigate exploitation of future vulnerabilities through hardening such as sandboxing or leveraging process isolation and inter-process communication techniques.

Overall, we believe we have identified several areas for improvement and will work with the osquery project maintainers and Trail of Bits to address these findings. Since most of these findings require significant rework of the code, this will likely be a long-running effort. The lack of critical vulnerabilities and the overall project maturity leaves us confident in osquery’s security posture and we believe the balance between risk and benefit holds in this instance.

1 comment

Hi @flozza 

Good to know this Open Source, 

Let me know how we can contribue to this. 

Count me in. 


Log in or Sign up to comment
AUG Leaders

Atlassian Community Events