Our Approach to Vulnerability Management

                  “Optimizory” recognizes that, at some level, security vulnerabilities are an inherent part of any software development process. However, we are constantly striving to reduce both the severity and frequency with which vulnerabilities arise in our own products and services.

 Vulnerability management is the process of identifying, evaluating, treating, and reporting security vulnerabilities in systems and the software that runs on them. This, implemented alongside other security tactics, is vital for organizations to prioritize possible threats and minimize their "attack surface."

Security vulnerabilities are technological weaknesses that provide attackers with the opportunity to breach a product and the sensitive information it stores. To maintain the security of the system, the process of identifying and addressing vulnerabilities needs to be carried out continuously. This is because new systems are regularly added to networks, systems are updated, and new vulnerabilities are discovered over time.

Security vulnerabilities are a significant threat to the safety and privacy of application users. To ensure that our application(s) are secure, it is essential to manage security vulnerabilities systematically. In our organization, we strongly recommend utilizing the Connect Security Requirements Tester (CSRT) as a tool to assist with the process of ensuring the security requirements are met. The purpose of this tool is to help you scan your Atlassian Connect app for compliance against the Atlassian Connect Security Requirements and potential security misconfigurations.

The following document outlines a process for managing security vulnerabilities using CSRT.

Step 1: Identify potential security vulnerabilities

The first step is to identify potential security vulnerabilities in the application. This can be done by using manual testing.

CSRT can help identify potential vulnerabilities by analyzing the application's source code and identifying vulnerabilities based on common attack patterns and best practices.

Step 2: Prioritize identified vulnerabilities

After identifying potential vulnerabilities, the next step is to prioritize them. Prioritization should be based on the severity of the vulnerability, the likelihood of it being exploited, and the potential impact on the application and its users.

CSRT can assist with prioritization by providing a severity rating for each identified vulnerability based on its risk level.

Step 3: Remediate vulnerabilities

The third step is to remediate identified vulnerabilities. Remediation may involve modifying the application's source code, implementing security controls, or changing application configurations.

CSRT can help with remediation by providing guidance on how to fix identified vulnerabilities and recommending best practices to prevent similar vulnerabilities from occurring in the future.

Step 4: Validate remediation

After remediation, it is important to validate that the vulnerability has been successfully remediated. This can be done using manual or automated testing.

CSRT can help with validation by retesting the application to confirm that the vulnerability has been remediated and providing feedback on the effectiveness of the remediation.

Step 5: Monitor for new vulnerabilities

Once the application has been remediated and validated, it is important to continue monitoring for new vulnerabilities. This can be done using ongoing manual or automated testing.

CSRT can help with ongoing monitoring by providing regular vulnerability scans and reports on the application's security posture.

 

This tool assumes our connect app is reachable by the machine running the tool. If our connect app is not reachable, the tool will fail to produce any meaningful results. The following internet addresses are required to be accessible for this tool to work:

  1. Our connect app's descriptor URL

2. All URLs referenced inside our connect app descriptor

This tool will make network requests from our computer and we make ensure this is allowed from our organization if running this from a monitored network.

Conclusion:

Managing security vulnerabilities is an essential aspect of ensuring the safety and privacy of application users. CSRT can be an effective tool for managing security vulnerabilities by identifying potential vulnerabilities, prioritizing them, providing guidance on remediation, validating remediation, and ongoing monitoring for new vulnerabilities. By following this process, we can ensure that our application is secure and protect our users from potential threats.