
Security vulnerabilities are an unfortunate but inherent part of the software development process—no company or software solution is immune to them. While critical CVEs often warrant immediate attention, it is essential to understand them in context. A strong culture of security, a proactive approach to identifying and mitigating vulnerabilities, and a transparent process for communicating about vulnerabilities and how to fix them all contribute to a company’s overall security posture.

Atlassian’s Approach to Vulnerability Management

Before a software solution can receive authority to operate, the company must provide thorough security documentation, and part of that is detailing its processes and procedures for identifying and addressing vulnerabilities. Atlassian’s approach is both comprehensive and multi-faceted and makes use of both automated and manual processes.

While the list below is very high-level, some critical approaches Atlassian takes to identify, track, and resolve vulnerabilities include:

  • Scanning for vulnerabilities

    Atlassian uses several best-in-class scanning tools to identify vulnerabilities, including Assetnote for perimeter scanning, Tenable for internal scanning, Snyk to scan Docker containers, and Lacework to monitor its AWS environments.

  • Additional ways to identify vulnerabilities

    Other methods Atlassian uses to identify vulnerabilities include a bug bounty program, external penetration testing, manual and tool-assisted code reviews, its own internal Red Team, and customer and user reports.

  • Tracking and resolving vulnerabilities

    Atlassian uses an internal ticketing system to track vulnerabilities while fixes are being developed. In accordance with its bug fix policy, Atlassian sets a service level objective for each vulnerability based on severity, with Data Center critical, high, and medium vulnerabilities to be fixed in 90 days.

    Once a fix is developed, Atlassian thoroughly tests it. Fixes for Data Center products are rolled into a new release and deployed as part of the regular release cadence.

As with everything trust-related, Atlassian strives to be transparent. You can find more in-depth information on the Atlassian Trust Center's Approach to Vulnerability Management page.

Keeping Apprised of CVEs—Atlassian Data Center Security Bulletins and Advisories

Atlassian’s primary way of communicating with its customers about vulnerabilities, including sharing fixes and workarounds, is through its monthly security bulletins and ad hoc critical security advisories.

  • Data Center Monthly Security Bulletins

    Security Bulletins include a list of lower-impact vulnerabilities (relative to Critical Security Advisories) that have been resolved, the affected and fixed versions, and a vulnerability summary. If you are using an affected version of a product, the guidance is typically to update your system to a fixed version.

    Security Bulletins go out on the third Tuesday of each month. To ensure you are on the email list for these, you must subscribe to Tech Alerts.


  • Data Center Critical Security Advisories

    If a CVE is of high enough priority and impact, Atlassian will issue a security advisory outside its monthly schedule. These security advisories contain a summary of the vulnerability, NVD severity rating, affected products and versions, fixed versions, and instructions for mitigating the issue, where applicable.

    Security advisories are issued on Tuesdays as needed. Again, to ensure you are on the email list for these, it’s essential to subscribe to Tech Alerts.

In addition, Atlassian maintains a comprehensive, public-facing, and searchable list of all CVEs, including priority and affected products, in the Atlassian Vulnerability Disclosure Portal.

Application Security—a Mutual Responsibility

In the realm of cybersecurity, responsibility for ensuring the security of products and managing vulnerabilities extends beyond third-party solution providers like Atlassian to encompass a shared effort involving customers. This collaboration necessitates regular updates and patching of solutions, alongside a robust process for addressing emergent critical vulnerabilities. The significance of these measures is amplified in Federal agencies, where considerations such as the Authority to Operate (ATO) and oversight from agencies like CISA (Cybersecurity and Infrastructure Security Agency) are paramount.

Federal agencies operate within a high-security environment governed by principles such as least privilege (PoLP). Under this framework, the systems or infrastructure engineers entrusted with the permissions needed to update software or apply fixes may face challenges due to their broad range of responsibilities and toolsets. This multifaceted workload often leads to a lack of specialized subject matter expertise, hindering effective management of solutions like those provided by Atlassian.

The complexity is even greater in agencies that rely on an array of purpose-built and third-party point solutions for discrete processes. In these cases, updates to Atlassian solutions can trigger compatibility issues and operational disruptions that reverberate across the broader IT environment. Consequently, the interplay between CISA oversight, ATO requirements, and the intricate technological landscape underscores the need for meticulous planning and execution in managing cybersecurity within Federal agencies.

How Isos Technology Can Help

Isos Technology helped one Air Force Wing and its subordinate units servicing 2000+ users to resolve a critical CVE with virtually no downtime, while other organizations within the DoD were down for much longer. As an Atlassian Platinum Solution Partner, we have strong, open communication channels with the company and extensive bench strength across all its solutions. Because we had been supporting the wing with professional and managed services, we also had deep knowledge of their Atlassian instance and how it interacted with other solutions. This allowed Isos Technology to act fast and remediate the vulnerability while maintaining access to critical systems once the CVE guidance was issued.

Whether you are looking to optimize your Atlassian solutions, get up-to-date on the latest versions, or put processes in place to respond to vulnerabilities, Isos Technology has the experience, skills, team, and clearances to help.
