Security Audit Report
Atlassian
Report As Of: Thursday, February 04, 2016
Prepared By: WhiteHat Security for security@atlassian.com
Report Description
The Security Audit report provides an overview of open vulnerabilities discovered in the
assessment, including summaries, metrics, and conclusions. For those customers using both
Sentinel and Sentinel Source, this report will cover both dynamic and static test results. Note
that detailed vulnerability information is available in the vulnerability detail reports.
Notes
Sites are assessed using dynamic analysis, and vulnerabilities are rated by their risk levels.
For descriptions of dynamic analysis and risk levels, please see the Appendix.
Assets: Sites: 2
NOTICE
This document contains sensitive and confidential information regarding information security at
Atlassian. Appropriate care should be taken to secure this document from unauthorized access.
The Index of Content can be found on the last page
Copyright © 2002-2016 WhiteHat Security, Inc. All Rights Reserved
Service Level Description
The Sentinel Premium Edition Service (PE) employed on site(s) in this report tests for all types of both technical and
business logic vulnerabilities. This level of service combines automated assessment for technical vulnerabilities with custom
testing performed by the WhiteHat Security Operations Team to manually identify business logic flaws. The Sentinel PE
service provides continuous application assessments, testing for all 24+2 of the WASC classes of technical vulnerabilities.
All vulnerabilities are verified for accuracy by the operations team to ensure accurate and actionable results.
WhiteHat Security - Security Audit Report
Page 2 of 12
Issue Summary – Open Vulnerabilities
This table shows you the number of vulnerabilities for each site selected, broken out by rating.
Sites: Vulnerability Count

Site Name                  Site Priority  Critical  High  Medium  Low  Note
marketplace.atlassian.com  0              0         0     0       0    0
wh.atlassian.net           3              0         2     2       0    2
Total                                     0         2     2       0    2
Issue Summary - Accepted Vulnerabilities
This table shows you the number of vulnerabilities for each site selected, broken out by rating.
Sites: Vulnerability Count

Site Name                  Site Priority  Critical  High  Medium  Low  Note
marketplace.atlassian.com  0              0         0     0       1    0
wh.atlassian.net           3              0         0     1       0    0
Total                                     0         0     1       1    0
Issue Summary
This graph summarizes your sites' vulnerabilities and includes the vulnerability count for each vulnerability level.
[Graph: Sites: Summary of Vulnerabilities (image not reproduced in this extract)]
Appendix - Vulnerability Level Definitions (by Risk)
Risk Levels for the WhiteHat Sentinel Source solution are based on the OWASP risk rating methodology, which is summarized below. The
methodology is essentially based on the standard risk model (Risk = Likelihood x Impact) with several factors contributing to the likelihood and impact.
The likelihood can be broken down into Threat Agent Factors and Vulnerability Factors. By analyzing the threat agent, we estimate the likelihood of a
successful attack. By analyzing the vulnerability factors, we estimate the likelihood of the vulnerability being discovered and exploited. Because there are
so many possible threat agents and factors involved, the worst case scenario is used when determining likelihood. Factors that influence the threat
agent include: skill level, motive, opportunity, and size of the threat. Factors that influence the vulnerability include: ease of discovery, ease of exploit,
awareness, and intrusion detection.
The Impact can be broken down into the Technical Impact and Business Impact. Technical impact considers the traditional areas of security:
confidentiality, integrity, availability, and accountability. The business impact stems from the technical impact and considers things such as: financial
damage, reputational damage, non-compliance, and privacy violations.
Likelihood and Impact scores map to levels as follows:

Score  Level
6-9    High
3-5    Medium
0-2    Low

After scoring the Likelihood and Impact, the Risk Rating is determined using the following table:

                           Likelihood
Impact      Low          Medium    High
High        Medium       High      Critical
Medium      Low          Medium    High
Low         Note or Low  Low       Medium
Risk ratings are defined below:
Rating
Description
Critical
A vulnerability that could have a catastrophic impact if the attack succeeds, and the vulnerability is easy to identify and exploit.
The vulnerability likely affects all or many users. The vulnerability poses an immediate danger and should be mitigated
immediately - in some cases, the application should even be taken offline.
High
A vulnerability that is likely to have a significant impact if the attack succeeds and the vulnerability is fairly easy to identify and
exploit. The vulnerability may affect more than one user. The vulnerability should be mitigated as soon as possible.
Medium
A vulnerability that is likely to have a moderate to significant impact if the attack succeeds, but may be difficult to identify or
exploit or only affects a small number of users. The vulnerability should be mitigated relatively soon.
Low
A vulnerability that is likely to have a low to moderate impact if the attack succeeds, but is difficult to identify or exploit, or
only affects a small number of users. The vulnerability should be mitigated if there is time and whenever it is convenient (e.g.
next release)
Note
A finding that does not pose any risk for the application and does not need to be fixed. However, it is something that should
be considered to further improve security from an already acceptable level.
Appendix - Assessment Methodology for Dynamic Analysis
WhiteHat Security combines a proprietary vulnerability scanning engine with human intelligence and analysis from its Threat Research Center to deliver
thorough and accurate assessments of web applications with its Sentinel Service.
WhiteHat Sentinel dynamic scanning services are all based on a continuously evolving top of class scanning engine with manual verification of all
vulnerabilities to ensure quality results. WhiteHat's model allows customers to keep all sites covered at all times with minimal investment of personnel,
while having access to the world's largest team of web application security experts who keep on top of the latest web security issues, manage security
assessments for customers, and provide support and information. With Premium service the security experts in the Threat Research Center also
perform business logic assessments of sites, which may uncover additional issues which cannot be found through automatic scanning. This combination
provides the highest quality of security assessments in the industry with high scalability and ease of use, to keep customers on top of their risk posture
and help them secure their assets.
Sentinel Premium Edition Testing Checklist
Sentinel Premium Edition service level tests for the following list of WASC classes of Web vulnerabilities:
Authentication Tests
1. Brute Force
A Brute Force attack is an automated process of trial and error used to guess a person's username, password, credit-card number or
cryptographic key.
2. Insufficient Authentication
Insufficient Authentication occurs when a web site permits an attacker to access sensitive content or functionality without having to
properly authenticate.
3. Weak Password Recovery Validation
Weak Password Recovery Validation is when a web site permits an attacker to illegally obtain, change or recover another user's
password.
4. Cross-site Request Forgery
Cross-site Request Forgery is a type of attack whereby unauthorized commands are transmitted from a user that the website trusts.
5. Credential/Session Prediction
Credential/Session Prediction is a method of hijacking or impersonating a web site user.
6. Insufficient Authorization
Insufficient Authorization is when a web site permits access to sensitive content or functionality that should require increased access
control restrictions.
7. Insufficient Session Expiration
Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.
8. Session Fixation
Session Fixation is an attack technique that forces a user's session ID to an explicit value.
Client-side Attack Tests
9. Content Spoofing
Content Spoofing is an attack technique used to trick a user into believing that certain content appearing on a web site is legitimate and not
from an external source.
10. Cross-site Scripting
Cross-site Scripting (XSS) is an attack technique that forces a web site to echo attacker-supplied executable code, which loads in a user's
browser.
11. HTTP Response Splitting
HTTP Response Splitting is a technique allowing the attacker to send a single HTTP request that forces the Web server to send two HTTP
responses instead of one response, in the normal case. The attacker completely controls the second response.
Command Execution Tests
12. Buffer Overflow
Buffer Overflow exploits are attacks that alter the flow of an application by overwriting parts of memory.
13. Format String Attack
Format String Attacks alter the flow of an application by using string formatting library features to access other memory space.
14. LDAP Injection
LDAP Injection is an attack technique used to exploit web sites that construct LDAP statements from user-supplied input.
15. OS Commanding
OS Commanding is an attack technique used to exploit web sites by executing Operating System commands through manipulation of
application input.
16. SQL Injection
SQL Injection is an attack technique used to exploit web sites that construct SQL statements from user-supplied input.
17. SSI Injection
SSI Injection (Server-side Include) is a server-side exploit technique that allows an attacker to send code into a web application, which will
later be executed locally by the web server.
18. XPath Injection
XPath Injection is an attack technique used to exploit web sites that construct XPath queries from user-supplied input.
Information Disclosure Tests
19. Directory Indexing
Automatic directory listing/indexing is a web server function that lists all of the files within a requested directory if the normal base file is
not present.
20. Information Leakage
Information Leakage is when a web site reveals sensitive data, such as developer comments or error messages, which may aid an attacker
in exploiting the system.
21. Path Traversal
The Path Traversal attack technique forces access to files, directories, and commands that potentially reside outside the web document
root directory.
22. Predictable Resource Location
Predictable Resource Location is an attack technique used to uncover hidden web site content and functionality.
Logical Attack Tests
23. Abuse of Functionality
Abuse of Functionality is an attack technique that uses a web site's own features and functionality to consume, defraud, or circumvent
access control mechanisms.
24. Denial of Service
Denial of Service (DoS) is an attack technique with the intent of preventing a web site from serving normal user activity.
25. Insufficient Anti-automation
Insufficient Anti-automation is when a web site permits an attacker to automate a process that should only be performed manually.
26. Insufficient Process Validation
Insufficient Process Validation is when a web site permits an attacker to bypass or circumvent the intended flow control of an application.
About WhiteHat Security
WhiteHat Security is the leading provider of application risk assessment and management services that enable customers to protect critical data, ensure
compliance, and narrow windows of risk. By providing accurate, complete, and cost-effective application vulnerability assessments as a software-as-a-service, we deliver the visibility, flexibility, and guidance that organizations need to prevent web attacks.
Deloitte, SC Magazine, the San Jose/Silicon Valley Business Journal, Gartner and the American Business Awards have all recognized WhiteHat Security
for our remarkable innovations, executive leadership and our ability to execute in the application security market.
To learn more about WhiteHat Security and how our solutions can support your applications throughout the entire software development lifecycle,
please visit our website at www.whitehatsec.com.
Contents
Service Level Description ................................................ 2
Issue Summary ............................................................ 3
Appendix - Vulnerability Level Definitions (by Risk) ..................... 6
Appendix - Dynamic Analysis Assessment Methodology ....................... 7
Appendix - Sentinel Premium Edition Testing Checklist .................... 8
About WhiteHat ........................................................... 11