Icarus Labs is Atlassian's experimental security research team. It’s inspired by research groups like Google's Project Zero and Facebook’s Red Team X (which research new vulnerabilities), but its scope is any advancement in the state of the art of information security.
How does one simply advance the state of the art? The ultimate goal is to advance information security as a technology, making what we have now seem like what we had years ago. The advancement could come from anywhere: attacking or defending techniques, tools that are better than what we have now, or even the traditional discovery of software vulnerabilities.
At Atlassian, we focus on getting the fundamentals of security right first. We have a range of programs in place to ensure our approach to security remains wide-reaching and proactive. One thing we’ve been doing for a few years now is rewarding security researchers for identifying and reporting security flaws in our products. But hunting vulnerabilities in our own environment isn’t enough.
The security of Atlassian products like Jira, Confluence and Trello depends on the security of many other products: third-party plugins, the browsers of our users (Chrome, Safari, Edge), the underlying Windows, macOS, or Linux operating systems, and all the software we use to make our products. As software becomes more and more dependent on other software, the risk of supply chain attacks grows, since any point in the supply chain could be the weak link that gets targeted.
We want to get ahead of these attacks and make them even harder, by finding and helping fix the security issues attackers exploit in secret.
When we do find something, we want to be open about it - being an open company is one of the things we value. Of course, we’ll publish our research on this blog, so we can share our learnings and advance security for everyone. If the research is about an organisation’s software, we’ll ask them to review a draft before we publish it. We know it can take a while to make big security changes to your software, and we also want to minimise the duration security issues are exposed for. So, we’ll give the software authors 90 days from the time we notify them to make changes and review our draft before we publish.
Some people might call all this a little too ambitious, you know. They might say that's a little too much hubris. That we'd be flying too close to the sun. But we think we're not flying close enough.
Have you heard the other warning that Icarus was given in the story? He was also warned not to fly too low, lest the raging sea's dampness clog his wings. So you see, there's also a tragic downfall in not having enough hubris.
Our aim is to never fail from lack of hubris.
Our next blog post will be the results of our first research project. The one after that will be a research diary, sharing the story of how we did it, and what it was like working on research.
After that, more research and more blog posts. Maybe getting a little further from the sea might be prudent, don’t you think?
Alex Hope