Atlassian Crowdsourced Penetration Test Results: January 2018

Similar documents
Atlassian. Atlassian Software Development and Collaboration Tools. Bugcrowd Bounty Program Results. Report created on October 04, 2017.

Executive Summary. Flex Bounty Program Overview. Bugcrowd Inc Page 2 of 7

EXECUTIVE REPORT ADOBE SYSTEMS, INC. COLDFUSION SECURITY ASSESSMENT

RiskSense Attack Surface Validation for Web Applications

Development*Process*for*Secure* So2ware

C1: Define Security Requirements

DevSecOps Shift Left Security. Prioritizing Incident Response using Security Posture Assessment and Attack Surface Analysis

Application Security Approach

The Top 6 WAF Essentials to Achieve Application Security Efficacy

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Web Applications Penetration Testing

Vulnerability Assessments and Penetration Testing

ShiftLeft. Real-World Runtime Protection Benchmarking

Automating the Top 20 CIS Critical Security Controls

RiskSense Attack Surface Validation for IoT Systems

Security Communications and Awareness

Web Application Whitepaper

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

Web Application Threats and Remediation. Terry Labach, IST Security Team

Bugcrowd v1.6 - Nov. 2, 2018

Security Communications and Awareness

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Certified Secure Web Application Engineer

Web Application Vulnerabilities: OWASP Top 10 Revisited

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

Copyright

OWASP RFP CRITERIA v 1.1

Presentation Overview

PEACHTECH PEACH API SECURITY AUTOMATING API SECURITY TESTING. Peach.tech

Secure Agile How to make secure applications using Agile Methods Thomas Stiehm, CTO

Product Security Program

Synology Security Whitepaper

ROBOCYBERWALL INC. External Penetration Test Report. September 13, 2017

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

Security Solutions. Overview. Business Needs

OWASP Top David Johansson. Principal Consultant, Synopsys. Presentation material contributed by Andrew van der Stock

De-risk Your Applications. SUBSCRIBE TO EVRY S SECURITY TESTING AS A SERVICE (STaaS) TODAY!

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

THE CONTRAST ASSESS COST ADVANTAGE

Continuously Discover and Eliminate Security Risk in Production Apps

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Applications Security

ASSURANCE PENETRATION TESTING

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Trustwave Managed Security Testing

WHITEHAT SENTINEL PRODUCT FAMILY. WhiteHat Sentinel Product Family

AUDIT REPORT. Network Assessment Audit Audit Opinion: Needs Improvement. Date: December 15, Report Number: 2014-IT-03

The Way of the Bounty. by David Sopas

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Protect Your Organization from Cyber Attacks

Unit Compliance to the HIPAA Security Rule

Computer Security Policy

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

THE ART OF SECURING 100 PRODUCTS. Nir

Kaspersky Enterprise Cybersecurity. Kaspersky Security Assessment Services. #truecybersecurity

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

WHITEHAT SECURITY. T.C. NIEDZIALKOWSKI Technical Evangelist. DECEMBER 2012

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

CSWAE Certified Secure Web Application Engineer

Web Application Penetration Testing

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Cyber Security - Information Security & Testing

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

n Explain penetration testing concepts n Explain vulnerability scanning concepts n Reconnaissance is the first step of performing a pen test

CompTIA Exam CAS-002 CompTIA Advanced Security Practitioner (CASP) Version: 6.0 [ Total Questions: 532 ]

Jeff Wilbur VP Marketing Iconix

Managed Application Security trends and best practices in application security

Security In A Box. Modular Security Services Offering - BFSI. A new concept to Security Services Delivery.

Advanced Security Tester Course Outline

AppSec in a DevOps World

Skyhook designs and deploys high performance mobile location solutions, and exists to make location faster, more precise and practical.

Terms, Methodology, Preparation, Obstacles, and Pitfalls. Vulnerability Assessment Course

Professional Services Overview

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Mitigating Security Breaches in Retail Applications WHITE PAPER

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

COMP9321 Web Application Engineering

Notice for procurement of Penetration Testing Tools for Islami Bank Bangladesh Limited.

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Solutions Business Manager Web Application Security Assessment

Testers vs Writers: Pen tests Quality in Assurance Projects. 10 November Defcamp7

State of Software Security Report Volume 2. Jeff Ennis, CEH Solutions Architect Veracode

Information Security Policy

Ο ρόλος της τεχνολογίας στο ταξίδι της συμμόρφωσης με τον Γενικό Κανονισμό. Αντιγόνη Παπανικολάου & Νίκος Αναστόπουλος

Information Security Controls Policy

Courses. X E - Verify that system acquisitions policies and procedures include assessment of risk management policies X X

OWASP Review. Amherst Security Group June 14, 2017 Robert Hurlbut.

Penetration testing.

Trustwave Managed Security Testing

GDPR: An Opportunity to Transform Your Security Operations

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts

Transcription:

Atlassian Software Development and Collaboration Tools Atlassian Crowdsourced Penetration Test Results: January 2018 Bugcrowd Ongoing program results Report created on February 16, 2018 Report date range: January 01, 2018 - January 31, 2018 Prepared by Ryan Black, Director of Security Operations ryan.black@bugcrowd.com Steve Murphy, Account Manager stephen.murphy@bugcrowd.com

Table of contents 1 Executive summary 2 Reporting and methodology 3 4 3 Targets and scope 5 4 Findings summary 7 5 Appendix 9 6 Closing statement 11 Bugcrowd Ongoing Program Results Atlassian Crowdsourced Penetration Test Results: January 2018 2 of 12

Executive summary Atlassian engaged Bugcrowd, Inc. to perform an Ongoing Bounty Program, commonly known as a crowd-sourced penetration test. An Ongoing Bounty Program is a cutting-edge approach to an application assessment or penetration test. Traditional penetration tests use only one or two personnel to test an entire scope of work, while an Ongoing Bounty leverages a crowd of security researchers. This increases the probability of discovering esoteric issues that automated testing cannot find and that traditional vulnerability assessments may miss in the same testing period. This report is just a summary of the information available. All details of the program's findings comments, code, and any researcher provided remediation information can be found in the Bugcrowd Crowdcontrol platform. The purpose of this engagement was to identify security vulnerabilities in the targets listed in the targets and scope section. Once identified, each vulnerability was rated for technical impact defined in the findings summary section of the report. This report shows testing for Atlassian's targets during the period of: 01/01/2018 01/31/2018. For this Ongoing Program, submissions were received from 400 unique researchers. The continuation of this document summarizes the findings, analysis, and recommendations from the Ongoing Bounty Program performed by Bugcrowd for Atlassian. Bugcrowd Ongoing Program Results Atlassian Crowdsourced Penetration Test Results: January 2018 3 of 12

Reporting and methodology Background The strength of crowdsourced testing lies in multiple researchers, the pay-for-results model, and the varied methodologies that the researchers implement. To this end, researchers are encouraged to use their own individual methodologies on Bugcrowd Ongoing programs. The workflow of every penetration test can be divided into the following four phases: Bugcrowd researchers who perform web application testing and vulnerability assessment usually subscribe to a variety of methodologies following the highlighted workflow, including the following: Bugcrowd Ongoing Program Results Atlassian Crowdsourced Penetration Test Results: January 2018 4 of 12

Targets and scope Scope Prior to the Ongoing program launching, Bugcrowd worked with Atlassian to define the Rules of Engagement, commonly known as the program brief, which includes the scope of work. The following targets were considered explicitly in scope for testing: All details of the program scope and full program brief can be reviewed in the Program Brief. Any associated *.atlassian.io domain that can be exploited DIRECTLY from the *.atlassian.net instance Jira Cloud Mobile App for Android Jira Cloud Mobile App for ios Confluence Cloud Mobile App for Android Confluence Cloud Mobile App for ios JIRA (bugbounty-test-<bugcrowd-name>.atlassian.net) Confluence (bugbounty-test-<bugcrowdname>.atlassian.net/wiki) JIRA Service Desk (bugbounty-test-<bugcrowdname>.atlassian.net) Confluence Team Calendars (https://www.atlassian.com/software/confluence/teamcalendars) Bitbucket Pipelines (https://bitbucket.org/product/features/pipelines) SourceTree (https://www.sourcetreeapp.com/) https://bitbucket.org/ HipChat Data Center HipChat Mobile Client HipChat Desktop Client Crowd Crucible FishEye Bugcrowd Ongoing Program Results Atlassian Crowdsourced Penetration Test Results: January 2018 5 of 12

Bamboo Bitbucket Server JIRA Service Desk Stride Desktop Client Confluence Stride Mobile Application for ios JIRA Software Stride Mobile Application for Android JIRA Core *.atlassian.io subdomains that are used within the application Jira Portfolio Confluence Questions https://stride.video/<your-video> Stride (bugbounty-test-<bugcrowd-name>.atlassian.net) Team overview The following Bugcrowd team members were assigned to this program: TEAM ROLE NAME Application Security Engineer Application Security Engineer Director of Security Operations Director of Operations Jonathan Jay Turla Fatih Egbatan Ryan Black Abby Mulligan Bugcrowd Ongoing Program Results Atlassian Crowdsourced Penetration Test Results: January 2018 6 of 12

Findings summary Findings by severity The following chart shows all valid assessment findings from the program by technical severity. 11 Atlassian 10 9 8 Number of submissions 7 6 5 4 3 2 1 0 Critical High Moderate Low Technical severity Bugcrowd Ongoing Program Results Atlassian Crowdsourced Penetration Test Results: January 2018 7 of 12

Risk and priority key The following key is used to explain how Bugcrowd rates valid vulnerability submissions and their technical severity. As a trusted advisor Bugcrowd also provides common "next steps" for program owners per severity category. TECHNICAL SEVERITY EXAMPLE VULNERABILITY TYPES CRITICAL Critical severity submissions (also known as "P1" or "Priority 1") are submissions that are escalated to Atlassian as soon as they are validated. These issues warrant the highest security consideration and should be addressed immediately. Commonly, submissions marked as Critical can cause financial theft, unavailability of services, large-scale account compromise, etc. Remote Code Execution Vertical Authentication Bypass XML External Entities Injection SQL Injection Insecure Direct Object Reference for a critical function HIGH High severity submissions (also known as "P2" or "Priority 2") are vulnerability submissions that should be slated for fix in the very near future. These issues still warrant prudent consideration but are often not availability or "breach level" submissions. Commonly, submissions marked as High can cause account compromise (with user interaction), sensitive information leakage, etc. Lateral authentication bypass Stored Cross-Site Scripting Cross-Site Request Forgery for a critical function Insecure Direct Object Reference for a important function Internal Server-Side Request Forgery MODERATE Moderate severity submissions (also known as "P3" or "Priority 3") are vulnerability submissions that should be slated for fix in the major release cycle. These vulnerabilities can commonly impact single users but require user interaction to trigger or only disclose moderately sensitive information. Reflected Cross-Site Scripting with limited impact Cross-Site Request Forgery for a important function Insecure Direct Object Reference for an unimportant function LOW Low severity submissions (also known as "P4" or "Priority 4") are vulnerability submissions that should be considered for fix within the next six months. These vulnerabilities represent the least danger to confidentiality, integrity, and availability. Cross-Site Scripting with limited impact Cross-Site Request Forgery for an unimportant function External Server-Side Request Forgery INFORMATIONAL Informational submissions (also known as "P5" or "Priority 5") are vulnerability submissions that are valid but out-of-scope or are "won t fix" issues, such as best practices. Lack of code obfuscation Autocomplete enabled Non-exploitable SSL issues Bugcrowd s Vulnerability Rating Taxonomy More detailed information regarding our vulnerability classification can be found at: https://bugcrowd.com/vrt Bugcrowd Ongoing Program Results Atlassian Crowdsourced Penetration Test Results: January 2018 8 of 12

Appendix Included in this appendix are auxiliary metrics and insights into the Ongoing program. This includes information regarding submissions over time, payouts and prevalent issue types. Submissions over time The timeline below shows submissions received and validated by the Bugcrowd team: Submissions Over Time validated received 14 12 10 8 6 4 2 0 01-02 01-06 01-10 01-14 01-18 01-22 01-26 01-30 Submissions signal A total of 64 submissions were received, with 16 unique valid issues discovered. Bugcrowd identified 4 duplicate submissions, removed 43 invalid submissions, and is processing 1 submissions. The ratio of unique valid submissions to noise was 25%. SUBMISSION OUTCOME COUNT Ratio of Unique Valid Submissions to Noise Valid 16 Invalid 43 Duplicate 4 Processing 1 Total 64 100% 75% 50% 25% 0% 25% Atlassian Bugcrowd Ongoing Program Results Atlassian Crowdsourced Penetration Test Results: January 2018 9 of 12

Bug types overview The distribution of submissions across bug types for the Ongoing program is shown below. Atlassian Cross-Site Scripting (XSS) Server Security Misconfiguration Cross-Site Request Forgery (CSRF) Broken Access Control (BAC) Unvalidated Redirects and Forwards Bugcrowd Ongoing Program Results Atlassian Crowdsourced Penetration Test Results: January 2018 10 of 12

Closing statement February 16, 2018 Bugcrowd Inc. 921 Front Street San Francisco, CA 94111 Introduction This report shows testing of Atlassian between the dates of 01/01/2018-01/31/2018 this Ongoing Bounty Program was performed by Bugcrowd Inc. During this time, 400 researchers from Bugcrowd submitted a total of 64 vulnerability submissions against Atlassian s targets. The purpose of this assessment was to identify security issues that could adversely affect the integrity of Atlassian. Testing focused on the following: 1. Any associated *.atlassian.io domain that can be exploited DIRECTLY from the *.atlassian.net instance 2. Jira Cloud Mobile App for Android 3. Jira Cloud Mobile App for ios 4. Confluence Cloud Mobile App for Android 5. Confluence Cloud Mobile App for ios 6. JIRA (bugbounty-test-<bugcrowd-name>.atlassian.net) 7. Confluence (bugbounty-test-<bugcrowd-name>.atlassian.net/wiki) 8. JIRA Service Desk (bugbounty-test-<bugcrowd-name>.atlassian.net) 9. Confluence Team Calendars (https://www.atlassian.com/software/confluence/teamcalendars) 10. Bitbucket Pipelines (https://bitbucket.org/product/features/pipelines) 11. SourceTree (https://www.sourcetreeapp.com/) 12. https://bitbucket.org/ 13. HipChat Data Center 14. HipChat Mobile Client 15. HipChat Desktop Client 16. Crowd 17. Crucible 18. FishEye 19. Bamboo 20. Bitbucket Server 21. JIRA Service Desk 22. Stride Desktop Client 23. Confluence 24. Stride Mobile Application for ios 25. JIRA Software 26. Stride Mobile Application for Android 27. JIRA Core 28. *.atlassian.io subdomains that are used within the application 29. Jira Portfolio Bugcrowd Ongoing Program Results Atlassian Crowdsourced Penetration Test Results: January 2018 11 of 12

30. Confluence Questions 31. https://stride.video/<your-video> 32. Stride (bugbounty-test-<bugcrowd-name>.atlassian.net) The assessment was performed under the guidelines provided in the statement of work between Atlassian and Bugcrowd. This letter provides a high-level overview of the testing performed, and the result of that testing. Ongoing Program Overview An Ongoing Program is a novel approach to a penetration test. Traditional penetration tests use only one or two researchers to test an entire scope of work, while an Ongoing Program leverages a crowd of security researchers. This increases the probability of discovering esoteric issues that automated testing cannot find and that traditional vulnerability assessments may miss, in the same testing period. It is important to note that this document represents a point-in-time evaluation of security posture. Security threats and attacker techniques evolve rapidly, and the results of this assessment are not intended to represent an endorsement of the adequacy of current security measures against future threats. This document contains information in summary form and is therefore intended for general guidance only; it is not intended as a substitute for detailed research or the exercise of professional judgment. The information presented here should not be construed as professional advice or service. Testing Methods This security assessment leveraged researchers that used a combination of proprietary, public, automated, and manual test techniques throughout the assessment. Commonly tested vulnerabilities include code injection, cross-site request forgery, cross-site scripting, insecure storage of sensitive data, authorization/authentication vulnerabilities, business logic vulnerabilities, and more. Summary of Findings During the engagement, Bugcrowd discovered the following: 0 critical vulnerabilities 5 high vulnerabilities 10 moderate vulnerabilities 1 low severity vulnerability 0 informational findings Bugcrowd Ongoing Program Results Atlassian Crowdsourced Penetration Test Results: January 2018 12 of 12

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback