The security self-assessment program is a collaboration among Atlassian and the Marketplace Partners to increase security awareness and improve security practices.
The main goals of the security self-assessment program are to:
Increase customer confidence in apps
Provide customers with the necessary information to perform security evaluations
Improve security practices for cloud apps in the Marketplace
The security self-assessment program requires the partner to complete a 13 security questions asked by Atlassian. For full disclosure, Trundl’s responses are shared below -
1. Customer dataDo you store customer data from the customer Atlassian instance? If so, please outline any protection mechanisms you will have in place to protect this customer data. Yes, we store some customer data.
The data is stored in the same form as we receive from Atlassian. All data is stored separately in a database for each Atlassian product instance. Access to the hosts running the app is limited to the development and the infrastructure team and they can only SSH in from a specific IP address. Only the https (secured) port is open to the access the app. What is the jurisdiction(s) of where this data is hosted? Trundl uses Amazon AWS for hosting Cloud apps to comply with all local laws. AWS has numerous security certifications and Trundl implements many further security controls to safeguard data. AWS has all access/audit log devices that we monitor regularly. The area of jurisdiction will depend on the client location and their governing policies. 2. Sensitive dataIs your application designed to store sensitive information? No, we do not store any sensitive information. 3. Security PolicyDo you have an Information Security Policy with supporting Standards and Procedures? Details of the company security program:
4. Release managementDo you have formal change control and release management processes to manage code changes? Please provide details or provide a copy of the documented process. Yes, we have a formal release management process.
5. AuditsDo you undertake audits or other reviews to ensure that security controls are being implemented and operating effectively? We perform the following internal reviews:
6. AccreditationAre you accredited to any relevant security standards (e.g., SSAE16 SOC1/2/3, ISO27001, PCI DSS)? No. Not exclusively but Trundl uses AWS for all hosting requirements.
7. Penetration testingDo you undertake penetration testing or similar technical security testing, code review or vulnerability assessment? Are you able to provide copies of results/findings? Yes, we perform regularly:
We follow secure coding practices. Secure coding is the practice of writing software that's protected from vulnerabilities like buffer overflow or code injection flow etc. To identify the security vulnerability classes, we use the OWASP recommendations and acknowledgements as described here: https://www.owasp.org/index.php/OWASP_API_Security_Project Also, we ensure that our testing covers the latest OWASP top 10 guidelines as recommended by Atlassian: https://developer.atlassian.com/platform/marketplace/vendor-security-guidelines/ We regularly examine our systems to discover and identify vulnerabilities. 8. Notifying AtlassianDo you have mechanisms to notify Atlassian in case of a security breach? Yes. We use a dedicated Slack Group in case of any incident e.g.:
If the detected incident/security breach concerns user information:
We ensure that customers can report security breaches or vulnerabilities to us on our support portal or on our email address. Once an issue is raised, we create a ticket in our Jira with the highest priority, notify our developers and administrators, and fix it as soon as possible. In case if the breach concerns Atlassian infrastructure, we report the issue to the ecosystem service desk, notifying the Atlassian staff about the vulnerability. We link the issue to our customer service desk issue and ensure that all the customer support team members have access to the Atlassian support issue. 9. Employee accessDo your employees (e.g., developers or system administrators) have access to Atlassian customer data? How is this access controlled and monitored? For ease of resolving customer issues, our support team needs to have access to some cloud apps and may access customer data only for purposes of health monitoring and performing system or app maintenance. We exclusively do this upon customer request via our support portal. 10. ConfidentialityAre all personnel required to sign Non-Disclosure Agreement (NDA) or Confidentiality Agreements (CA) as a condition of employment to protect customer information? Yes. 11. Managing security vulnerabilitiesDo you have a publicly documented process for managing security vulnerabilities in your application(s)? We have necessary processes and security measures in place to mitigate security vulnerabilities. As mentioned before, In case if the security breach concerns user information:
The process described above is an internal initiative and not yet published. 12. Disaster recoveryDo you have Business Continuity and/or Disaster Recovery Plans? Our disaster recovery plan covers the following: Computer Emergency Response Plan: Who is to be contacted, when, and how? What immediate actions must be taken in the event of certain occurrences? Succession Plan: Describes the flow of responsibility when normal staff is unavailable to perform their duties. Data Study: Details the data stored on the systems, its criticality, and its confidentiality. Criticality of Service List: Lists all the services provided and their order of importance. Data Backup and Restoration Plan: Details which data is backed up, the media to which it is saved, where that media is stored, and how often the backup is done. It also describes how that data could be recovered. Equipment Replacement Plan: Describes what equipment is required to begin to provide services, lists the order in which it is necessary, and notes where to purchase the equipment. General approach: We backup our environment based on the client requirements and monitor the results. We do not backup the customer data (worklog data) because the data is stored on Atlassian's Jira, we only sync it at intervals. In case of any problem related to AWS:
13. Data recoveryDo you have capability to recover data for a specific customer in the case of a failure or data loss? Please outline your processes and recovery capabilities for data loss including time frames. What is the maximum data loss period a customer can expect?
We can recover data from the three types of backups available.
|
Have any questions, reach out to us at contact@trundl.com