Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

How many different security tools do you have?

Willy Leichter
Willy Leichter
Contributor
July 9, 2024

I'm interested in discussing how many different security tools most companies are using - things like SAST, DAST, SCA, IaC, CSPM, container, threat detection, etc. I'm curious if this number is going up and how security teams are managing these.

Answer
Watch
Like # people like this
1577 views

6 answers

5 accepted

Suggest an answer

Log in or Sign up to answer
3 votes
Answer accepted
pknowlton
pknowlton
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
July 10, 2024

Hi Willy,

Atlassian utilizes its array of products and tools to detect and resolve vulnerabilities effectively by employing scanners and a holistic approach whenever possible. This approach not only covers the scanners utilized but also offers a glimpse into our methodology for managing scanner logs and recognizing favorable outcomes. 


Vulnerability Identification & Remediation

  • Information on technical vulnerabilities for the IT systems in use is gathered (e.g. information from the manufacturer, system audits, CVS database) and evaluated (e.g. Common Vulnerability Scoring System CVSS)
  • Potentially affected IT systems and software are identified and assessed, and any vulnerabilities are addressed.

Atlassian recognizes that, at some level, security vulnerabilities are an inherent part of any software development process. However, we are constantly striving to reduce both the severity of and frequency with which vulnerabilities arise in our products and services. To that end, we have in place a multi-faceted approach to vulnerability management that relies on automated and manual processes. We believe that this is the most effective way to limit the chance of vulnerabilities “slipping through the cracks” and going undetected for an extended period. Below is an an overview of how we manage vulnerabilities in our products and infrastructure and how we’re constantly evolving that approach by incorporating the latest tools, methods, and thinking to ensure our handling of vulnerabilities remains effective into the future.

Continuous Asset Discovery and Attribution

  • Continuous Internal Asset Discovery - We use an in-house system to inventory all of our EC2 and Load Balancer AWS assets using AWSConfig and attribute it to the correct owner. We retain one year's worth of assets totaling 50-60 million assets.

Identifying Vulnerabilities

We use a range of best-of-breed vulnerability detection tools that are run regularly across our products and infrastructure to scan for and identify vulnerabilities automatically. This includes Atlassian Cloud & Server products, Docker application images, internal, mobile, and third-party applications, and our infrastructure on-premises and in our cloud. These tools automatically scan for and identify vulnerabilities that exist and include:

  • Host-based scans – We currently use Assetnote to perform continuous security scans of our external perimeter and Tenable.io to continuously scan both internally and externally. These tools are used to identify open ports, services, and applications running across our environment, as well as vulnerabilities on network hosts.
  • Container image scans – We use Docker containers to deploy many of our applications. We conduct a security scan of container images when they are deployed into our production or pre-production environments. We do this using a tool called Snyk.
  • Open-source dependency scans –We use Snyk to identify vulnerabilities that may exist in open-source or third-party code dependencies.
  • AWS configuration monitoring - We deploy and integrate Lacework in the Atlassian AWS Cloud environment to provide continuous configuration monitoring against established baselines for our AWS environments.
  • DAST Scanning - Atlassian uses Static Application Security Testing (SAST) using Snyk for pre-production scanning. Atlassian uses Dynamic Application Security Testing (DAST) during pre-production scanning using Burp Suite.

Additional avenues to identify vulnerabilities in combination with automated scanning:

  • Our Bug Bounty Program – We use Bugcrowd to run our Bug Bounty Program. Bugcrowd provides us with access to an expert, trusted community consisting of tens of thousands of cybersecurity researchers who are constantly testing our products and reporting back any vulnerabilities they find. Our Bug Bounty program has been recognized as the best in the industry in 2018 and 2019.
  • Customer & User Reports – Users of our products can report any bugs they encounter at any time via Atlassian Support. We will then work with them to collect all necessary details so the vulnerability can be flagged internally and fixed (subject to validation to ensure that the vulnerability is real, and not a false positive). This also includes Atlassian staff, who can raise any issues they observe within our products (either externally or internally) directly with the Security team or by raising a support ticket.
  • External Penetration Testing - We use specialist security consulting firms to conduct white-box, code-assisted penetration tests on high-risk products and infrastructure. See “Our approach to external security testing” for more detail.
  • Atlassian’s Product Security Team - We complete targeted code reviews, both manual and tools-assisted, and work closely with our product development teams to enhance their ability to self-detect and resolve vulnerabilities before the code reaches us.
  • Atlassian’s Red Team – We have an internal red team whose role is to simulate the role of adversaries attempting to identify and exploit vulnerabilities that exist within our systems, processes, and environments so that we can ensure they are identified and addressed as promptly as possible.


Tracking and Resolving Vulnerabilities

We use an internal ticketing and escalation system to track all vulnerabilities that we’ve discovered and aim to fix. Specifically, regardless of whether a vulnerability is identified through one of our scanning tools or one of the other avenues we have discussed above, a dedicated ticket is created for each vulnerability and is assigned to the relevant product team for resolution. The remediation service-level objectives (SLOs) we have published in our Security Bug Fix Policy are tracked for each vulnerability.

Our security team oversees this process and works with product and infrastructure teams to ensure the accuracy of vulnerabilities and answer remediation questions. Once a fix for a vulnerability is developed, it is tested thoroughly and then, in the case of our cloud products, incorporated into our CI/CD pipeline for deployment. For server and data center products, fixes are rolled into a new release and deployed with other fixes regularly per our standard release cadence. Vulnerability tickets from scanning tools are automatically closed when subsequent re-scans do not find the vulnerability. Product, infrastructure, or security team members close vulnerability tickets from manual findings when the fix has been made available to customers.

Preventing vulnerabilities during the development process

Container Image Scans – Atlassian deploys most of its applications using Docker container images. Docker containers provide a packaged, self-contained environment consisting of relevant system libraries, tools, configuration settings, and any other dependencies required so that our products are able to run regardless of individual machine configuration parameters. The container effectively provides a layer of abstraction, decoupling the software code from the underlying infrastructure so that our products can work without issue across different machines. While containers offer great benefits for our developers and customers in terms of deploying code that can be used in various environments, they can be a source of security vulnerabilities if the contents of the images consist of out-of-date or otherwise insecure libraries or components.

To address this, Atlassian integrates an event-driven container security scanning process that monitors deployments made through our Micros deployment platform for any containers deployed into our production environments. Additionally, developers are able to integrate a scanning process into our CI/CD pipeline for any containers that are deployed into our development environments. We use the Snyk Container engine for this purpose. Snyk provides a set of tools that undertakes a deep inspection of any container images that are deployed by our developers. This includes a detailed analysis of those images to identify their various components and determine which have known vulnerabilities.

Open source dependencies

While finding and fixing vulnerabilities in our code is essential, our products and services also rely on numerous third-party libraries. It is, therefore, equally critical that we are aware of what libraries we're using and that they're up to date with the latest security bug fixes. We use a tool called Snyk to assist us with this. Snyk provides a scanner that can identify dependencies in any of our software builds and compare these libraries to a database of known security vulnerabilities.

Any identified vulnerabilities are then automatically raised via a formal Jira ticket with the relevant product team, in accordance with the vulnerability management process we described earlier on this page.

In the Atlassian spirit of OCNB values, I hope the above helps give you some high-level insight into how we use the tools and helps you make your company's security posture more secure.

View More Comments
Reply
Willy Leichter
Willy Leichter
Contributor
July 23, 2024

Atlassian’s internal vulnerability scanning and remediation process indeed looks holistic. You said you create a dedicated ticket for each vulnerability identified by any of the scanners in place and assign it to the relevant product team for resolution. BTW, how do you handle duplicates coming from different scanners e.g. same CVEs reported by different scanners like SCA, End-point vuln scanners. 

As you may also appreciate, adding business context like criticality of the applications, network exposure, and data classification to findings helps in prioritization of the findings. Adding threat intel on exploitability of the vulnerabilities gives valuable insights into the prioritization as well. These are typically handled well by recent innovations such as Application Security Posture Management (ASPM) that can aggregate, contextualize, and prioritize the findings across the tools. AppSOC is one such ASPM platform that is integrated with Security in Jira. This is a powerful combination that can reduce or prevent developer burnout when dealing with vulnerability remediation.

Like
jeff warren
jeff warren July 23, 2024

Does Atlassian publish a shared security model per product so customers know what their responsibilities are?

Like
pknowlton
pknowlton
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
July 26, 2024

Hi @jeff warren , Atlassian offers a PDF whitepaper regarding the shared responsibility model for the cloud.

See: Shared Responsibility - Cloud 

Here is also a helpful page that compares Datacenter to Cloud.

See: Datacenter to Cloud Feature Comparison 

Like
0 votes
Answer accepted
Jim Knepley - ReleaseTEAM
Jim Knepley - ReleaseTEAM
Marketplace Partner
Marketplace Partners provide apps and integrations available on the Atlassian Marketplace that extend the power of Atlassian products.
July 10, 2024

As far as I know, only one platform comes close to unifying tools like SAST, DAST, SCA, etc.

In the environments I see there are individual tools for each... one for SAST and code quality, one for DAST (if they do it at all), one for SCA, etc. Some of them try to integrate the separate findings in a SIEM, with mixed results.

From what I observe, the total number of tools is staying fairly steady and companies are prioritizing which tools they want to spend money on. Nobody wants to spend money on the staff to be dedicated to learning and managing a new product.

Reply
Reply
0 votes
Answer accepted
jeff warren
jeff warren July 9, 2024

Do U mean security tools or security vendors that provide a stack of tools eg. Msft, crowd strike or PAN?

View More Comments
Reply
Willy Leichter
Willy Leichter
Contributor
July 10, 2024

I think both are interesting questions. If you consolidate on one big vendor, in theory all their tools play nicely together (although often, they're acquired from startups and integrations are works-in-progress...). But if you're a larger organization, and different teams use different best-of-breed security tools from multiple vendors, it gets hard to demand that everyone switch to a single vendor...

Like
0 votes
Answer accepted
Kelvin CHUA
kc
Contributor
July 9, 2024

@Willy Leichter i'm interested in this topic too. In my opinion,  especially in areas of SaaS security, SaaS security posture management (SSPM) tools that claims to provide insights to the blackbox "SaaS". Wondering if companies are already adopting it? What are the various considerations for adopting?

Reply
0 votes
Kelvin CHUA
kc
Contributor
July 28, 2024

Ride on the chat, i'm curious what are the security products or tools Enterprise are using to address the current gaps that native Atlassian Cloud does not offer? (Example DLP, i understand there are some 3rd party Marketplace Apps are used to address the gap in DLP and also understand DLP is in the Atlassian roadmap come 2025.

Reply
groups-icon
Trust & Security
TAGS
AUG Leaders

Atlassian Community Events

    See all events