Page Comparison

Subject

Question

Response

Further Comments

Documentation and resources

• Security, Data, and Permissions Information:
  https://docs.warsawdynamics.com/content/37018/external_share_for_confluence_documentation/115671146

• EULA: https://docs.warsawdynamics.com/content/37018/external_share_for_confluence_documentation/115671210

Admin Details

Software /  App Name(s)

External Share for Confluence

Vendor Name

Warsaw Dynamics

Vendor on Marketplace

https://marketplace.atlassian.com/vendors/1220579/warsaw-dynamics

Vendor Head Office

Bluszczańska 34/12
00-712 Warszawa, Poland

Bug Bounty Programs

Bugcrowd

Part of the initial invite-only Marketplace Apps Bugcrowd Program from Atlassian:
https://www.bugcrowd.com/press-release/bugcrowd-announces-industrys-first-platform-enabled-cybersecurity-assessments-for-marketplaces/

https://developer.atlassian.com/platform/marketplace/marketplace-security-bug-bounty-program/

Other programs we are part of

Cloud Fortified apps program

Atlassian Cloud Fortified Apps Program

Cloud Fortified Apps is the program for a new designation of apps designed to serve our largest customers and those with more business-critical operating requirements when it comes to apps.

For more information: https://developer.atlassian.com/platform/marketplace/cloud-fortified-apps-program/

Development Practices

Development environment

Environments:

• Development- dedicated for development team

• Staging - as close as possible to production environment for operational support and pre-release testing

• Production- protected environment dedicated for production with limited and controlled access

Development process/philosophy

Agile / Kanban

• Jira ticket with analysis and expectation

• Planning using Jira and Confluence

• Dedicated branch for change (e.g.: feature/hotfix)

• Pull request review for changes and merge to release branch.

• Planning of release

• Release and hot-run support and monitoring

Main Development Tools used

• Documentation: Confluence

• Issue tracking: Jira,

• Git repository: Bitbucket

• CI/CD: Bitbucket Pipeline

• Provisioning and Configuration: Bitbucket Pipeline / bash / supervisord

GIT Branching strategy

GitHub Flow Methodology

Automated code Reviews

Yes

• Typescript instead of JS

• ESLint / TSLint

• EditorConfig

Test Management Platform

Zephyr Scale

Code Review

Pull Request reviewed by Senior developer

Release Quality Gates

• Pull Request reviewed by senior developer / architect

• Testing on Development

• Testing on Staging

Supply Chain Vulnerability Monitoring

• OWASP dependency-check-maven

Processes & Organization

Do you follow OWASP guidelines

Yes

Do you have a Security Vulnerability Communication Process

Yes

Is logging available to capture user access activity?

Yes

• For security and monitoring reasons, we are collecting activity evidence within our systems, which can be used to rebuild activity in case if it is needed. It is not used for any other reason.

• Retention policy (related logs are deleted) are automatically deleted in 60 days.

Do you allow 3rd Party audits

No

Have you had 3rd Party audits

No

Has your company ever had a security vulnerability?

Yes

All communicated to us by responsible disclosure and verified & fixed within hours.

Have you provided notification to customers affected by severe or critical vulnerabilities

Yes

Do you provide "Safe harbour" to security researches evaluating you product

Yes

Using the Bug Crowd program.
For more information:
https://docs.bugcrowd.com/researchers/reporting-managing-submissions/disclosure/disclose-io-and-safe-harbor/

Does your organization maintain and update an incident response policy?

Yes

Has your company ever experienced a security breach involving client data?

No

Was notification provided to state agencies/law enforcement authorities?

N/A

Do you store customer data?

No

• We store only shared link configuration, which is required data to render the shared page. We do not cache or store any data related to the Confluence instance (i.e. pages). All the Confluence-related data is processed on the client side.

Do you have Disaster Recovery plan

No

• Our infrastructure consists of PostgreSQL, Ngnix and Java is required to start application.

• We make whole database (DB) backup every 24 hours.
  DB backup is stored encrypted in Wasabi storage.

• Manual infrastructure recovery from DB backup can be done within 2 hours.

App specific Questions

What data does your app submit to you (Old Street Solutions)?

• The only data that we store is Atlassian licensing information (SEN, technical contact, etc.).

• Issue data is used for on the fly processing

Does your App transfer any data to a 3rd party?

No

Where is app hosted?

OVH data-center. Warsaw, Poland.

• https://www.ovh.com/world/network-and-security-solutions.xml

• https://corporate.ovhcloud.com/en/trusted-cloud/security-certifications/

Does your App need "Internet" access?

No for External Share for Confluence Server and Data Center

Can you provide a "Pen" test report for your plugin?

N/A

Are we allowed to Pen test your App on our instance?

Yes (notification required)

We will allow for pen tests, however it is important that you notify us upfront, as we can get false positive reports, and those can results in functionality limitations because of our proactive reactions.

Do you store any User passwords?

No

External user can create account in our service. We store salted and hashed password (Argon2)

Where does your App store it's configuration/data?

• PostgreSQL Database on OVH

How do you send emails?

We use Mailgun

• https://www.mailgun.com/security/

• https://security.mailgun.com/

What Security Scopes to access our Confluence or Jira, do you require for the App to function?

"ACT_AS_USER","READ","WRITE","DELETE"