...
Access to the hosts running the app is limited to the development and the infrastructure team using a PPK mechanism
There are contractual NDAs in place for all employees and contractors of Everit
Standard Linux audit logging is enabled (history) and reviewed on a regular basis
Everit hosts its Cloud apps on Amazon AWS in compliance with all local laws. AWS holds numerous security certifications, and Everit implements many further security controls to safeguard data. We also use the monitoring and alerting tools that AWS provides.
Other details are described in our Data Security and Privacy Policy
4. Release management
Do you have formal change control and release management processes to manage code changes?
...
No. ISO 27001 certification is in scope for 2020-2023. We operate an ISO 27001:2013 compliant information security management system (ISMS) which is audited regularly, but it is not certified at the moment.
We have completed the "Cloud Security Alliance" STAR Level 1 self-report questionnaire, which can be found here: https://cloudsecurityalliance.org/star/registry/everit-kft/
We participated in Atlassian’s Marketplace Partner Security Self-Assessment and Bug Bounty program.
7. Penetration testing
Do you undertake penetration testing or similar technical security testing, code review or vulnerability assessment?
...
code reviews for code changes
penetration tests for our cloud apps
secure coding education and review every half a year
We consistently follow secure coding practices. Secure coding is the practice of writing software that is protected from vulnerabilities such as buffer overflows or code injection flaws.
...
We regularly examine our systems to discover and identify vulnerabilities. Our systems are tested by OSCP-certified experts. The tests were performed by an external third-party testing lab, cclab.hu.
In the last penetration test (before version: 1.1.1-AC, build: 1001001, release date: 2019-10-09) we found and resolved the following problems:
lack of CSRF protection,
possible Denial-of-Service (DoS) vulnerability,
CSRF for JSON using Flash.
Based on the testing, we build a penetration test report that includes the risk level, a short description or category, recommendations, and a reference to the available public vulnerability description.
To solve these (or other) problems we generally use OWASP's Cheat Sheet Series: https://cheatsheetseries.owasp.org/
We participated in the "Bug Bounty Blitz" program organized by Atlassian. Since the end of September 2020, we have been running a public bug bounty program according to the Marketplace Security Bug Bounty Program.
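Two of the findings listed above (missing CSRF protection and CSRF against JSON endpoints via Flash) share one class of mitigation: a state-changing JSON request must prove that it came from a page on the app's own origin. The following is an added illustration, not Everit's code and not taken from the OWASP cheat sheets verbatim; the request shape, the origin `https://app.example.test` and the header names are constructed for the example. It layers the usual checks: an Origin/Referer allow-list, a strict `application/json` Content-Type (an HTML form or the legacy Flash-plus-redirect trick cannot supply one together with a valid token), and a per-session synchronizer token carried in a custom header and compared in constant time.

```python
# Added example of CSRF defences for a JSON API (not Everit's code).
import hmac
import secrets
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
ALLOWED_ORIGINS = {"https://app.example.test"}  # constructed placeholder origin


@dataclass
class Request:
    """Minimal stand-in for a web framework's request object (constructed)."""
    method: str
    headers: dict = field(default_factory=dict)
    # Synchronizer token the server stored for this authenticated session.
    session_token: str = ""


def issue_session_token() -> str:
    """Random per-session token; embedded in the page and echoed back in a header."""
    return secrets.token_urlsafe(32)


def check_csrf(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason); state-changing requests need all three proofs."""
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method"

    headers = {k.lower(): v for k, v in req.headers.items()}

    # 1. Origin allow-list: browsers attach Origin to cross-site POSTs and
    #    page scripts cannot forge it. Fall back to Referer, reject if absent.
    origin = headers.get("origin") or headers.get("referer", "")
    if not any(origin == o or origin.startswith(o + "/") for o in ALLOWED_ORIGINS):
        return False, "origin not allowed"

    # 2. Strict Content-Type: forms and Flash-style redirect tricks cannot
    #    produce application/json together with a valid custom header.
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, "content type must be application/json"

    # 3. Synchronizer token in a custom header; only same-origin JavaScript
    #    can read the token and set the header. Constant-time comparison.
    supplied = headers.get("x-csrf-token", "")
    if not req.session_token or not hmac.compare_digest(supplied, req.session_token):
        return False, "missing or invalid CSRF token"

    return True, "ok"


if __name__ == "__main__":
    token = issue_session_token()
    legit = Request("POST", {"Origin": "https://app.example.test",
                             "Content-Type": "application/json; charset=utf-8",
                             "X-CSRF-Token": token}, token)
    forged = Request("POST", {"Origin": "https://evil.example.test",
                              "Content-Type": "application/json",
                              "X-CSRF-Token": token}, token)
    print("legitimate request:", check_csrf(legit))
    print("cross-site request:", check_csrf(forged))
```

Each rejection carries a reason string so the decision can be logged; a spike in `origin not allowed` or `missing or invalid CSRF token` rejections is a useful detection signal in the app's request logs.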
8. Notifying Atlassian
Do you have mechanisms to notify Atlassian in case of a security breach?
Yes. We use a dedicated Slack group in case of any incident, e.g.:
...
Our backup data is securely stored; unauthorized access to backup data is not possible.
We back up customer information every 5 minutes.
We do not back up the customer data (worklog data) because it is stored in Atlassian's Jira; we only sync it at intervals.
We back up our latest deployed app and our environment at least once a day, and we keep the backups for a day.