
GitProtect Team for GitProtect

Originally published at gitprotect.io

Atlassian Security Best Practices

Information technology systems play a crucial role in the functioning of modern organizations, providing the infrastructure necessary for daily operations and enabling businesses to achieve their goals and objectives. With the rise of digital technologies, however, comes the increased threat of cyber attacks and data breaches, which can have catastrophic consequences for enterprises. So, to mitigate these risks and ensure the security of IT systems and sensitive information, it is crucial for organizations to implement and follow best practices in IT security.

In this article we will examine these practices. We will look at measures such as network security, access control, and data backup and recovery, and explain why each of them is critical for the confidentiality, integrity, and availability of organizational data. To do so we will analyze Atlassian security best practices: what policies they follow, what standards they have in place, and how this affects us as users of applications such as Jira, Bitbucket or Confluence.

Security of modern software

Nowadays, almost everything is in the cloud. And the reason for that is simple – web applications are a popular and convenient way for organizations to deliver services and share information with customers, partners, and employees.

However, the convenience of web-based services also brings increased security risk. Because such software is reachable from anywhere in the world, it is exposed to hacking, phishing, and other cyber attacks that an internal-only system would never see.

What is the first critical step in preventing threats?

Securing the underlying infrastructure of web applications, such as servers and networks, is a critical first step. This includes firewalls, intrusion detection systems and other controls that prevent unauthorized access to sensitive information. In addition, enterprises should ensure that their web applications follow secure coding practices, and should conduct regular penetration testing and vulnerability assessments to identify and eliminate weaknesses before an attacker does.

Why do developers and end-users need security training?

Regular security training for developers or even end-users is also important, as it helps to raise awareness of security risks associated with web applications. It also ensures that all stakeholders understand the importance of protecting sensitive information. Furthermore, organizations should consider the implementation of two-factor authentication and encryption to protect sensitive information transmitted over the Internet. A proper backup plan and disaster recovery procedures can minimize the impact of data breaches and other security incidents.

Where does security sit in the application lifecycle?

From a software development perspective, security should be integrated into the application lifecycle from the very beginning, rather than treated as an afterthought. This includes building secure coding practices into the development process, conducting regular security testing and vulnerability assessments, and ensuring that applications are designed with security in mind.

It is always worth remembering that code should be developed with an awareness of the latest security threats and vulnerabilities, and in accordance with established best practices and standards such as the OWASP guidelines.

Which types of vulnerabilities should you pay attention to?

The main types of vulnerabilities that software developers need to pay special attention to include Remote Code Execution (RCE), Cross-site Scripting (XSS), SQL Injection (SQLi) and XML External Entity attacks (XXE).

These are just some of them, but they are so common that they are a permanent part of any software security training. The open question is how you actually detect them in your own code and secure against them.
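To make two of those classes concrete, the following is an added example (it is not code from the original article or from Atlassian) showing a SQL injection and a reflected XSS side by side with their hardened forms. The in-memory SQLite table, the user rows and the payload strings are constructed for this example; the point is that in both cases the fix is the same idea, keeping untrusted data as data (bound parameter, encoded text) rather than letting it become syntax (SQL, HTML).

```python
import html
import sqlite3

# Constructed in-memory user table with sample rows (not real data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "s1"), ("bob", "s2"), ("carol", "s3")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # SQLi: untrusted input is concatenated into the query string, so a
    # quote in the input changes the statement the database executes.
    query = f"SELECT name, secret FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    # Hardened: the driver binds the value as a parameter; it is compared
    # against the column and can never be parsed as SQL.
    return conn.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_vulnerable(name):
    # Reflected XSS: user input is echoed into the HTML response unencoded.
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    # Hardened: HTML-encode untrusted data before placing it in element content.
    # quote=True also encodes quotes, which matters inside attribute values.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# Constructed attacker inputs used to show the difference.
SQLI_PAYLOAD = "x' OR '1'='1"
XSS_PAYLOAD = "<script>alert(1)</script>"

if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, SQLI_PAYLOAD))   # every row leaks
    print(lookup_safe(conn, SQLI_PAYLOAD))         # [] : no user has that literal name
    print(render_greeting_vulnerable(XSS_PAYLOAD))  # script tag reaches the browser
    print(render_greeting_safe(XSS_PAYLOAD))        # rendered as harmless text
```

The vulnerable lookup turns `WHERE name = 'x' OR '1'='1'` into a tautology and returns every user's secret, while the parameterized version returns nothing because no user is literally named `x' OR '1'='1`. A parameterized query does not help if table or column names are built from input; those need an allowlist, not a bind parameter.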

Atlassian security best practices

According to Atlassian, more than 65,000 companies around the world rely on Jira Software to manage their projects. And yet this is not their only product. Around 180k customers in over 190 countries, 83% of Fortune 500 companies and 10m monthly active users – these are the numbers associated with Atlassian products.

When you have customers like Coca-Cola, Samsung or Hitachi on your roster, you have to take care of the security of your own products, and Atlassian clearly does. Its approach to the security of its systems is guided by the concept of ‘continuous assurance’. What exactly does this mean? In addition to the standard periodic penetration testing, there is an always-on testing model that uses the wider security community to find bugs and vulnerabilities. To achieve this, Atlassian runs a Bug Bounty program: anyone who finds a vulnerability can report it via the bugcrowd.com platform and receive a financial reward of $200 to $10,000 per vulnerability, depending on severity. Around 1,900 vulnerabilities have already been discovered this way.

4 levels of security

Summarizing the philosophy behind Atlassian security best practices, we can distinguish 4 levels of attention to security:

  • Internal Security Review – the company’s internal practices, standards and regular tests, carried out by Atlassian employees
  • External Penetration Testing – penetration tests and audits performed by external consulting firms
  • Atlassian’s Red Team – an internal team that takes on the role of an attacker and simulates various attacks in an attempt to find security vulnerabilities before a real adversary does
  • Bug Bounty – as mentioned above, a reward program for the security community

Any gap or vulnerability found through the above methods is immediately filed in a vulnerability-tracking Jira project and assigned to the relevant engineering team to fix as fast as possible.

How does Atlassian identify vulnerabilities?

Infrastructure tooling also helps in that area. Atlassian uses tools that automatically scan for and identify vulnerabilities. How is it organized? Let’s see:

  • Network scans – to identify active services, open ports and potentially harmful applications
  • Continuous asset discovery – continuous verification of infrastructure resources and network analysis, so that nothing goes untracked
  • AWS Configuration Monitoring – to monitor AWS environments and their configurations for risky settings
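As an added illustration of the configuration-monitoring idea in the last bullet (this is example code, not Atlassian’s tooling), the block below checks security groups for the classic misconfiguration of exposing an administrative or database port to the whole internet. The input is a constructed JSON document shaped like the output of `aws ec2 describe-security-groups`; the group IDs, names and CIDR ranges are invented for this example, and the list of “sensitive” ports is an assumption you would tune to your own environment.

```python
import json

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
# Group IDs and CIDRs are invented; this is not data from a real account.
SAMPLE_DESCRIBE_SGS = json.dumps({
    "SecurityGroups": [
        {"GroupId": "sg-0a1b2c3d", "GroupName": "web",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},            # fine: public HTTPS
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},          # bad: SSH from anywhere
        {"GroupId": "sg-0e5f6a7b", "GroupName": "db",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
              "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},          # fine: internal only
             {"IpProtocol": "-1",                                # bad: all traffic, from anywhere
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
              "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    ]
})

# Assumed policy: these ports must never be reachable from the whole internet.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql",
                   5432: "postgres", 6379: "redis", 27017: "mongodb"}
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def is_world_open(rule):
    """True if the rule's source ranges include 'everyone' over IPv4 or IPv6."""
    ranges = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    ranges += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return ANY_IPV4 in ranges or ANY_IPV6 in ranges


def exposed_sensitive_ports(rule):
    """Sensitive ports covered by one ingress rule.

    IpProtocol "-1" means all protocols and all ports; for TCP/UDP rules the
    range is FromPort..ToPort inclusive. ICMP rules carry type/code in those
    fields (FromPort -1), not ports, so they are ignored here.
    """
    if rule.get("IpProtocol") == "-1":
        return set(SENSITIVE_PORTS)
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None or lo == -1:
        return set()
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}


def find_exposures(describe_output_json):
    """Return (group_id, port, service) for every world-open sensitive port."""
    data = json.loads(describe_output_json)
    findings = []
    for sg in data.get("SecurityGroups", []):
        for rule in sg.get("IpPermissions", []):
            if not is_world_open(rule):
                continue
            for port in sorted(exposed_sensitive_ports(rule)):
                findings.append((sg["GroupId"], port, SENSITIVE_PORTS[port]))
    return findings


if __name__ == "__main__":
    for group_id, port, service in find_exposures(SAMPLE_DESCRIBE_SGS):
        print(f"{group_id}: {service} ({port}/tcp) open to the internet")
```

Run periodically against real `describe-security-groups` output, a check like this is the simplest form of the continuous configuration monitoring the list describes; a real deployment would also page someone, and would treat the “all traffic” rule as the more urgent finding because it exposes every port, not just the six listed.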

As you can see, Atlassian pays a lot of attention to security – and this is good news, because probably most of us have used, still use, or will use their products in the future. It’s also worth examining their approach and best practices, as it may allow us to improve our own procedures to make our applications more secure.

In addition to the general security best practices that apply to all products, you may also be interested in how this plays out in particular applications. For example, permissions can be defined and customized at every level: Jira uses project permission schemes, Confluence has space permissions, and Bitbucket has repository permissions. This is nothing new, but it is a simple tool that gives a lot of control and lets you restrict access to exactly what each person needs.

Encryption

Another basic and equally crucial aspect is encryption. Customer data is encrypted at rest using industry-standard AES-256, and in transit using TLS. As for Bitbucket security, two-factor authentication (2FA) is supported, and on the Bitbucket Cloud Premium plan administrators can make it mandatory for their workspace. It is also possible to restrict access with IP allowlists. Atlassian also lets you configure and review audit logs, which is good practice for spotting unexpected permission or settings changes.

Last but not least, Atlassian products are ISO 27001, ISO 27018, SOC 2, SOC 3 and GDPR compliant. This kind of information can be extremely important for customers who need to meet certain standards and therefore need their vendors to hold the corresponding certifications.

An extra level of security – DevOps backup

Using third-party software can bring many benefits. Such tools can save time and money and increase our efficiency, allowing us to focus on more important and strategic tasks. What’s more, using third-party tools can help us stay on top of the latest technological innovations, because the authors of a specialized tool usually know that particular problem better than we do.

GitProtect.io Backups for Jira Cloud and GitProtect Backup for Bitbucket are such tools, and worth looking at for a very simple reason. In short, they are backup and recovery tools. We can use them to create backup and restoration plans in a simple and effective way. And why is that worth it? Because with a tested backup we always have the ability to react and restore our systems quickly. Modern services need to be available practically all the time, and an outage at an external provider can cause problems for our customers. We should be ready for that.

An important note related to today’s topic is that GitProtect.io meets security and shared responsibility model requirements. It has recently passed SOC 2 and ISO 27001 audits. So, as you can see, the company takes security seriously.
