Security Policy and Managing Vulnerabilities v20230706
Our dedication to securing our services begins with a comprehensive Security Policy and a proactive approach to managing vulnerabilities.
Our Security Policy is woven around standards that include secure coding practices, regular updates, robust data protection measures, stringent access control, and a responsive incident management process.
To maintain the robustness of our codebase, we employ both automated and manual methods to identify vulnerabilities, incorporating advanced tools and manual expertise.
We believe in transparency and ensure relevant parties, including vendors and customers, are notified in the event of a vulnerability discovery and its subsequent resolution.
This two-pronged strategy - a well-defined Security Policy and active vulnerability management - ensures we consistently maintain the highest security standards and build trust with our customers and partners.
We consistently adhere to the high standards and guiding principles established by Atlassian.
https://www.atlassian.com/trust/security
https://www.atlassian.com/trust/security/ismp-policies
Security Policy Standards:
Coding Standards: People, process and tooling! Training, reviews and automations ensure we have rigorous coding standards in place. Our teams are expected to follow secure coding best practices to minimize the introduction of security vulnerabilities. This includes, but is not limited to, proper input validation, output encoding, secure error handling, and adherence to the principle of least privilege (SSDLC: Secure SDLC)
For example, we use CodeQL for static security vulnerability checks on our repositories: https://github.com/goose-wrappers/better-goals/actions/runs/5163360726/jobs/9301639639
Regular Updates and Patching: All third-party software, libraries, and dependencies must be kept up-to-date to protect against known vulnerabilities. Regular patch management processes are in place to ensure timely updates.
Access Control: Access to all systems is strictly controlled, following the principle of least privilege. Multi-factor authentication is enforced wherever possible!
Incident Response: Our internally defined incident response process ensures a quick and effective response to any security incident reported to us through the respective channels (either ecosystem.atlassian.net or our support portal, Goose Wrappers Support).
Security Procedures:
Code Reviews: All code changes must undergo a security-focused code review before being merged into the main codebase.
Security Testing: Regular security testing must be performed, including automated security scans (using SAST/DAST tools) and manual penetration testing. (see our GitHub setup)
Vulnerability Management: All identified vulnerabilities should be triaged and fixed based on their severity. Critical vulnerabilities should be patched immediately, while others are tracked and fixed in the subsequent development cycles. (see below)
Security Training: Regular security training sessions should be conducted for the developers and other staff to keep them updated about the latest threats and secure coding practices.
We continuously incorporate new and modern practices from industry leaders, for example Atlassian's practices: https://www.atlassian.com/trust/security/ismp-policies#audit-and-compliance-management
Disaster Recovery and Business Continuity: Regular backups and system redundancies should be maintained to ensure business continuity in the event of a disaster. A defined DR plan should be in place and tested regularly. This can be found in detail here: https://goose-wrappers.atlassian.net/wiki/pages/createpage.action?spaceKey=GW&title=Disaster%20Recovery%20Plan&linkCreation=true&fromPageId=4816897
Managing Security Vulnerabilities
1. Vulnerability Identification
To identify vulnerabilities in our codebase, we employ both automated and manual methods of detection:
Automated Detection: We integrate Static Application Security Testing (SAST) tools into our Continuous Integration/Continuous Delivery (CI/CD) pipeline. These tools automatically inspect our source code for common security vulnerabilities such as SQL injection, cross-site scripting (XSS), and insecure use of cryptography. We also utilize Dynamic Application Security Testing (DAST) tools to identify vulnerabilities in our running application by simulating attacks. Additionally, we use software composition analysis (SCA) tools to identify known vulnerabilities in our dependencies.
Manual Detection Internal: Besides automated checks, our developers and security team perform manual code reviews with a security-first mindset. They examine the code for potential security flaws that automated tools might miss. We also conduct regular penetration tests where our security team or hired external experts try to exploit potential vulnerabilities in our system.
Manual detection through Atlassian or Customers: Both of these channels feed an automated delivery system, and all team members are notified via internal chat and email about the reported vulnerability exposure.
Atlassian: When Atlassian identifies a vulnerability relevant to our services, they reach out to us through their Ecosystem portal at ecosystem.atlassian.net. This ensures a streamlined communication process, where vulnerability information is relayed directly from Atlassian's security team to ours. Once we receive a notification from Atlassian, our automated systems alert our entire team via internal chat and email, guaranteeing immediate attention to the reported vulnerability.
Customer: We value our customers' insights and understand that they play a critical role in maintaining the security of our application. Customers can report any discovered vulnerabilities directly through our Support Portal by creating a ticket here: Goose Wrappers Support. This action triggers automated alerts to our team, similar to the process initiated by Atlassian's notifications.
Alternatively, customers can report a vulnerability directly through our GitHub repositories:
https://github.com/goose-wrappers/better-goals/security
2. Vulnerability Remediation and Deployment
Once a vulnerability is detected, it is documented, assessed for severity, and then addressed based on its risk level:
Our team remediates the vulnerability and thoroughly tests the fix to confirm the issue has been resolved without introducing new issues, with proper code review (security-first mindset) and manual and automated security testing.
Changes are reviewed on the pull request, followed by automated and manual testing.
Upon successful validation, the fix is deployed to the production environment using our established CI/CD pipeline through GitHub Actions, ensuring minimal impact on our service availability.
Upon detection and remediation of a vulnerability, we notify the relevant parties:
Notifying Atlassian and customers: If the vulnerability is linked to an Atlassian product or service, we report it to Atlassian through the regular channels: https://ecosystem.atlassian.net/servicedesk/customer/portal/34 and email. We provide a detailed and comprehensive report on the vulnerability, the remediation measures we are taking, and expected resolution dates.
Since we do not store any data about our customers, all customer notifications go through the related Atlassian channels.
We are in the process of setting up a status page through Atlassian Statuspage to give our customers more visibility.