How many different security tools do you have?

Willy Leichter July 9, 2024

I'm interested in discussing how many different security tools most companies are using - things like SAST, DAST, SCA, IaC, CSPM, container, threat detection, etc. I'm curious if this number is going up and how security teams are managing these.

5 answers

3 votes
Answer accepted
pknowlton
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
July 10, 2024

Hi Willy,

Atlassian utilizes its array of products and tools to detect and resolve vulnerabilities effectively by employing scanners and a holistic approach whenever possible. This approach not only covers the scanners utilized but also offers a glimpse into our methodology for managing scanner logs and recognizing favorable outcomes. 


Vulnerability Identification & Remediation

  • Information on technical vulnerabilities for the IT systems in use is gathered (e.g. information from the manufacturer, system audits, CVS database) and evaluated (e.g. Common Vulnerability Scoring System CVSS)
  • Potentially affected IT systems and software are identified and assessed, and any vulnerabilities are addressed.

Atlassian recognizes that, at some level, security vulnerabilities are an inherent part of any software development process. However, we are constantly striving to reduce both the severity of and frequency with which vulnerabilities arise in our products and services. To that end, we have in place a multi-faceted approach to vulnerability management that relies on automated and manual processes. We believe that this is the most effective way to limit the chance of vulnerabilities “slipping through the cracks” and going undetected for an extended period. Below is an overview of how we manage vulnerabilities in our products and infrastructure and how we’re constantly evolving that approach by incorporating the latest tools, methods, and thinking to ensure our handling of vulnerabilities remains effective into the future.

Continuous Asset Discovery and Attribution

  • Continuous Internal Asset Discovery - We use an in-house system to inventory all of our EC2 and Load Balancer AWS assets using AWSConfig and attribute it to the correct owner. We retain one year's worth of assets totaling 50-60 million assets.

Identifying Vulnerabilities

We use a range of best-of-breed vulnerability detection tools that are run regularly across our products and infrastructure to scan for and identify vulnerabilities automatically. This includes Atlassian Cloud & Server products, Docker application images, internal, mobile, and third-party applications, and our infrastructure on-premises and in our cloud. These tools automatically scan for and identify vulnerabilities that exist and include:

  • Host-based scans – We currently use Assetnote to perform continuous security scans of our external perimeter and Tenable.io to continuously scan both internally and externally. These tools are used to identify open ports, services, and applications running across our environment, as well as vulnerabilities on network hosts.
  • Container image scans – We use Docker containers to deploy many of our applications. We conduct a security scan of container images when they are deployed into our production or pre-production environments. We do this using a tool called Snyk.
  • Open-source dependency scans – We use Snyk to identify vulnerabilities that may exist in open-source or third-party code dependencies.
  • AWS configuration monitoring - We deploy and integrate Lacework in the Atlassian AWS Cloud environment to provide continuous configuration monitoring against established baselines for our AWS environments.
  • DAST Scanning - Atlassian uses Static Application Security Testing (SAST) using Snyk for pre-production scanning. Atlassian uses Dynamic Application Security Testing (DAST) during pre-production scanning using Burp Suite.

Additional avenues to identify vulnerabilities in combination with automated scanning:

  • Our Bug Bounty Program – We use Bugcrowd to run our Bug Bounty Program. Bugcrowd provides us with access to an expert, trusted community consisting of tens of thousands of cybersecurity researchers who are constantly testing our products and reporting back any vulnerabilities they find. Our Bug Bounty program has been recognized as the best in the industry in 2018 and 2019.
  • Customer & User Reports – Users of our products can report any bugs they encounter at any time via Atlassian Support. We will then work with them to collect all necessary details so the vulnerability can be flagged internally and fixed (subject to validation to ensure that the vulnerability is real, and not a false positive). This also includes Atlassian staff, who can raise any issues they observe within our products (either externally or internally) directly with the Security team or by raising a support ticket.
  • External Penetration Testing - We use specialist security consulting firms to conduct white-box, code-assisted penetration tests on high-risk products and infrastructure. See “Our approach to external security testing” for more detail.
  • Atlassian’s Product Security Team - We complete targeted code reviews, both manual and tools-assisted, and work closely with our product development teams to enhance their ability to self-detect and resolve vulnerabilities before the code reaches us.
  • Atlassian’s Red Team – We have an internal red team whose role is to simulate the role of adversaries attempting to identify and exploit vulnerabilities that exist within our systems, processes, and environments so that we can ensure they are identified and addressed as promptly as possible.


Tracking and Resolving Vulnerabilities

We use an internal ticketing and escalation system to track all vulnerabilities that we’ve discovered and aim to fix. Specifically, regardless of whether a vulnerability is identified through one of our scanning tools or one of the other avenues we have discussed above, a dedicated ticket is created for each vulnerability and is assigned to the relevant product team for resolution. The remediation service-level objectives (SLOs) we have published in our Security Bug Fix Policy are tracked for each vulnerability.

Our security team oversees this process and works with product and infrastructure teams to ensure the accuracy of vulnerabilities and answer remediation questions. Once a fix for a vulnerability is developed, it is tested thoroughly and then, in the case of our cloud products, incorporated into our CI/CD pipeline for deployment. For server and data center products, fixes are rolled into a new release and deployed with other fixes regularly per our standard release cadence. Vulnerability tickets from scanning tools are automatically closed when subsequent re-scans do not find the vulnerability. Product, infrastructure, or security team members close vulnerability tickets from manual findings when the fix has been made available to customers.

Preventing vulnerabilities during the development process

Container Image Scans – Atlassian deploys most of its applications using Docker container images. Docker containers provide a packaged, self-contained environment consisting of relevant system libraries, tools, configuration settings, and any other dependencies required so that our products are able to run regardless of individual machine configuration parameters. The container effectively provides a layer of abstraction, decoupling the software code from the underlying infrastructure so that our products can work without issue across different machines. While containers offer great benefits for our developers and customers in terms of deploying code that can be used in various environments, they can be a source of security vulnerabilities if the contents of the images consist of out-of-date or otherwise insecure libraries or components.

To address this, Atlassian integrates an event-driven container security scanning process that monitors deployments made through our Micros deployment platform for any containers deployed into our production environments. Additionally, developers are able to integrate a scanning process into our CI/CD pipeline for any containers that are deployed into our development environments. We use the Snyk Container engine for this purpose. Snyk provides a set of tools that undertakes a deep inspection of any container images that are deployed by our developers. This includes a detailed analysis of those images to identify their various components and determine which have known vulnerabilities.

Open source dependencies

While finding and fixing vulnerabilities in our code is essential, our products and services also rely on numerous third-party libraries. It is, therefore, equally critical that we are aware of what libraries we're using and that they're up to date with the latest security bug fixes. We use a tool called Snyk to assist us with this. Snyk provides a scanner that can identify dependencies in any of our software builds and compare these libraries to a database of known security vulnerabilities.

Any identified vulnerabilities are then automatically raised via a formal Jira ticket with the relevant product team, in accordance with the vulnerability management process we described earlier on this page.

In the Atlassian spirit of OCNB values, I hope the above helps give you some high-level insight into how we use the tools and helps you make your company's security posture more secure.

Willy Leichter July 23, 2024

Atlassian’s internal vulnerability scanning and remediation process indeed looks holistic. You said you create a dedicated ticket for each vulnerability identified by any of the scanners in place and assign it to the relevant product team for resolution. BTW, how do you handle duplicates coming from different scanners, e.g. the same CVEs reported by different scanners like SCA and endpoint vulnerability scanners?

As you may also appreciate, adding business context like criticality of the applications, network exposure, and data classification to findings helps in prioritization of the findings. Adding threat intel on exploitability of the vulnerabilities gives valuable insights into the prioritization as well. These are typically handled well by recent innovations such as Application Security Posture Management (ASPM) that can aggregate, contextualize, and prioritize the findings across the tools. AppSOC is one such ASPM platform that is integrated with Security in Jira. This is a powerful combination that can reduce or prevent developer burnout when dealing with vulnerability remediation.
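One way to handle the duplicate-CVE question raised above, together with the one-ticket-per-vulnerability pattern pknowlton describes, as an added example that is not code from Atlassian, AppSOC or any ASPM product: findings from two constructed scanner feeds are merged on (CVE, asset) and then ranked using constructed business context (criticality, exposure, data class) and an exploitability list. All asset names, CVE numbers and weights are placeholders.

```python
from dataclasses import dataclass, field

# Constructed sample findings: an SCA tool and an endpoint scanner both report
# the same CVE on the same asset (note the differing CVE case), plus two others.
RAW_FINDINGS = [
    {"source": "sca", "cve": "CVE-0000-0001", "asset": "payments-api", "cvss": 9.8},
    {"source": "endpoint", "cve": "cve-0000-0001", "asset": "payments-api", "cvss": 9.8},
    {"source": "sca", "cve": "CVE-0000-0002", "asset": "internal-wiki", "cvss": 7.5},
    {"source": "endpoint", "cve": "CVE-0000-0003", "asset": "payments-api", "cvss": 5.3},
]

# Constructed business context per asset (placeholder values).
ASSET_CONTEXT = {
    "payments-api": {"criticality": 3, "internet_facing": True, "data": "regulated"},
    "internal-wiki": {"criticality": 1, "internet_facing": False, "data": "internal"},
}

# Constructed threat-intel feed: CVEs with known in-the-wild exploitation.
KNOWN_EXPLOITED = {"CVE-0000-0002"}

@dataclass
class Finding:
    cve: str
    asset: str
    cvss: float
    sources: set = field(default_factory=set)  # scanners that reported it

def dedupe(raw):
    """Merge reports of the same CVE on the same asset into one ticket-worthy record."""
    merged = {}
    for f in raw:
        key = (f["cve"].upper(), f["asset"])  # normalise CVE id case before keying
        rec = merged.setdefault(key, Finding(key[0], key[1], f["cvss"]))
        rec.cvss = max(rec.cvss, f["cvss"])    # keep the most severe score seen
        rec.sources.add(f["source"])
    return merged

def priority(finding, context, exploited):
    """CVSS weighted by asset criticality, exposure, data class and exploitability."""
    ctx = context.get(finding.asset, {"criticality": 1, "internet_facing": False, "data": "internal"})
    score = finding.cvss * ctx["criticality"]
    if ctx["internet_facing"]:
        score *= 1.5
    if ctx["data"] == "regulated":
        score *= 1.25
    if finding.cve in exploited:
        score *= 2
    return round(score, 1)

def triage(raw=RAW_FINDINGS, context=ASSET_CONTEXT, exploited=KNOWN_EXPLOITED):
    """Return deduplicated findings ordered by contextual priority, highest first."""
    recs = dedupe(raw).values()
    return sorted(recs, key=lambda r: priority(r, context, exploited), reverse=True)
```

The merged record carries every scanner that reported it, so one ticket can be raised per (CVE, asset) and closed only when all of those sources stop reporting it on re-scan.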

jeff warren July 23, 2024

Does Atlassian publish a shared security model per product so customers know what their responsibilities are?

pknowlton
Atlassian Team
July 26, 2024

Hi @jeff warren, Atlassian offers a PDF whitepaper regarding the shared responsibility model for the cloud.

See: Shared Responsibility - Cloud 

Here is also a helpful page that compares Datacenter to Cloud.

See: Datacenter to Cloud Feature Comparison 

0 votes
Answer accepted
Jim Knepley - ReleaseTEAM
Marketplace Partner
Marketplace Partners provide apps and integrations available on the Atlassian Marketplace that extend the power of Atlassian products.
July 10, 2024

As far as I know, only one platform comes close to unifying tools like SAST, DAST, SCA, etc.

In the environments I see there are individual tools for each... one for SAST and code quality, one for DAST (if they do it at all), one for SCA, etc. Some of them try to integrate the separate findings in a SIEM, with mixed results.

From what I observe, the total number of tools is staying fairly steady and companies are prioritizing which tools they want to spend money on. Nobody wants to spend money on the staff to be dedicated to learning and managing a new product.

0 votes
Answer accepted
jeff warren July 9, 2024

Do you mean security tools or security vendors that provide a stack of tools, e.g. Msft, CrowdStrike or PAN?

Willy Leichter July 10, 2024

I think both are interesting questions. If you consolidate on one big vendor, in theory all their tools play nicely together (although often, they're acquired from startups and integrations are works-in-progress...). But if you're a larger organization, and different teams use different best-of-breed security tools from multiple vendors, it gets hard to demand that everyone switch to a single vendor...

0 votes
Answer accepted
kc July 9, 2024

@Willy Leichter I'm interested in this topic too. In my opinion, especially in the area of SaaS security, SaaS security posture management (SSPM) tools claim to provide insights into the black box that is "SaaS". Wondering if companies are already adopting it? What are the various considerations for adopting?
