...

No. ISO 27001 certification is planned for 2020. We already operate an ISO 27001:2013 compliant information security management system (ISMS), which is audited regularly but is not certified at the moment.

We have completed the Cloud Security Alliance STAR Level 1 self-assessment questionnaire, which can be found here: https://cloudsecurityalliance.org/star/registry/everit-kft/

We participated in Atlassian’s Marketplace Partner Security Self-Assessment program.

7. Penetration testing

Do you undertake penetration testing or similar technical security testing, code review or vulnerability assessment?

...

We regularly examine our systems to discover and identify vulnerabilities. Our systems are tested by OSCP-certified experts; the tests are performed by an external third-party testing lab, cclab.hu.

In the most recent penetration test (performed before version 1.1.1-AC, build 1001001, released 2019-10-09) the following problems were found and have since been resolved:

  • lack of CSRF protection

  • a possible Denial-of-Service (DoS) vulnerability

  • CSRF against JSON endpoints using Flash

Each test results in a penetration test report that lists, for every finding, its risk level, a short description or category, remediation recommendations and references to public vulnerability descriptions where available.

To fix these (and any other) findings we generally follow the OWASP Cheat Sheet Series: https://cheatsheetseries.owasp.org/

We participated in the “Bug Bounty Blitz” program organized by Atlassian. Since the end of September we have been running a public bug bounty program under the Atlassian Marketplace Security Bug Bounty Program.

8. Notifying Atlassian

Do you have mechanisms to notify Atlassian in case of a security breach?

...

  • Our backup data is stored securely; unauthorized access to backup data is prevented.

  • We back up customer information every 5 minutes.

  • We do not back up customer data (worklog data), because that data is stored in Atlassian's Jira; we only sync it at intervals.

  • We back up our latest deployed app and our environment at least once a day, and we keep those backups for a day.