The focus of this document is to provide our Marketplace app vendors with some pointers on how to be effectively prepared for responding to cyber security incidents. It is separate from our security incident management guidelines, which cover the steps you need to actually take when you experience a security incident.
When it comes to Marketplace apps, we consider any of the following circumstances to be a security incident:
In order to be effectively prepared for dealing with a security incident, ask yourself the following questions:
Below are guidelines for how to handle each of these questions.
In many cases, effectively responding to a security incident will require the involvement of stakeholders outside of your organization, which you need to identify and preferably build relationships with in advance. This could include:
When it comes to promptly and effectively detecting security incidents involving your app, one of the most critical things you can do is to keep logs of important information concerning your app and to check those logs regularly. Logs also help during the course of an investigation into a potential incident concerning your app, so Atlassian may ask for this information. Examples of relevant events you should be logging include:
For all logged events, make sure the date and time the event occurred is also recorded.
If you’re using a cloud-based environment for your development activities, be aware that many popular cloud platforms like AWS and Azure offer built-in logging functionality. There are also a number of cloud-based log analytics platforms available, such as Sumo Logic and Splunk, that can help identify potential issues in your logs and bring them to your attention.
The important thing is to enable logging, and to log as much about what’s going on in your environment as possible. Fundamentally, the more information you have access to when investigating an incident, the better.
If you’re storing your logs locally, make sure to store log data in a restricted location so that only staff with an appropriate business need have access to those logs. You should also ensure that any staff access to the logs themselves is recorded and monitored.
Make sure to store logs for at least the last 12 months of events relating to your IT environment. Sometimes, an incident may only become apparent later on, so being able to review the state of things as they were at a previous point in time is crucial to aid in incident investigations.
If you aren’t using an automated analytics platform to check your logs, then they should be checked manually at regular intervals (at least every 24-48 hours) to ensure they are being correctly populated and to identify any potential security incidents involving your app.
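The following is an added example, not part of the original guidance or any Atlassian tooling, of what a minimal manual log review can look like in code. It applies three of the points above to a batch of app log lines: every event must carry a timestamp, the log must still be getting populated within the review interval, and a simple detector surfaces one common indicator worth a closer look (a burst of failed logins from a single source address). The log format, the sample lines and the thresholds are all constructed for illustration.

```python
"""Added example (not from the original guidance): a small log-review routine
that checks timestamps, checks that the log is still being populated, and flags
a burst of failed logins from one source.  Log format, sample lines and
thresholds are constructed for illustration, not an Atlassian format."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Constructed sample lines: "<ISO-8601 UTC timestamp> <event> key=value ...".
# One line is deliberately missing its timestamp to show the check firing.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth.login user=alice src=203.0.113.7 result=success
2024-05-01T10:00:09Z auth.login user=bob src=198.51.100.4 result=failure
2024-05-01T10:00:15Z auth.login user=bob src=198.51.100.4 result=failure
2024-05-01T10:00:22Z auth.login user=admin src=198.51.100.4 result=failure
2024-05-01T10:00:30Z auth.login user=root src=198.51.100.4 result=failure
2024-05-01T10:00:41Z auth.login user=admin src=198.51.100.4 result=failure
2024-05-01T10:01:03Z config.change user=alice key=webhook.url
2024-05-01T10:02:17Z admin.role_grant user=alice target=carol role=admin
auth.login user=carol src=192.0.2.55 result=failure
2024-05-01T10:05:40Z auth.login user=carol src=192.0.2.55 result=success
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(\S+)\s*(.*)$")


def parse_ts(text):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Split one log line into timestamp, event name and key=value fields.
    Returns None for blank lines; 'ts' is None when no timestamp is present."""
    line = line.strip()
    if not line:
        return None
    m = LINE_RE.match(line)
    if m:
        ts, event, rest = parse_ts(m.group(1)), m.group(2), m.group(3)
    else:
        ts = None
        event, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"ts": ts, "event": event, "fields": fields, "raw": line}


def review_logs(text, now_iso, max_gap=timedelta(hours=48),
                fail_threshold=5, window=timedelta(minutes=10)):
    """Review a log batch as of 'now_iso' (ISO-8601 UTC) and return a summary:
      events            - number of non-blank lines parsed
      missing_timestamp - raw lines without a timestamp (a logging defect)
      newest            - ISO timestamp of the most recent stamped event, or None
      stale             - True when nothing was logged within max_gap of now
      suspicious        - sources with >= fail_threshold failed logins inside window
    """
    now = parse_ts(now_iso)
    events = [e for e in map(parse_line, text.splitlines()) if e]
    missing = [e["raw"] for e in events if e["ts"] is None]
    stamped = [e for e in events if e["ts"] is not None]
    newest = max((e["ts"] for e in stamped), default=None)
    stale = newest is None or now - newest > max_gap

    # Group failed-login timestamps by source address.
    failures = defaultdict(list)
    for e in stamped:
        if e["event"] == "auth.login" and e["fields"].get("result") == "failure":
            failures[e["fields"].get("src", "unknown")].append(e["ts"])

    # Sliding window: flag a source if any fail_threshold consecutive failures
    # fall within 'window' of each other.
    suspicious = []
    for src, times in failures.items():
        times.sort()
        for i in range(len(times) - fail_threshold + 1):
            if times[i + fail_threshold - 1] - times[i] <= window:
                suspicious.append({"src": src, "failures": len(times),
                                   "first": times[i].isoformat()})
                break

    return {
        "events": len(events),
        "missing_timestamp": missing,
        "newest": newest.isoformat() if newest else None,
        "stale": stale,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    summary = review_logs(SAMPLE_LOG, "2024-05-01T12:00:00Z")
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the review reports one line with no timestamp, confirms the log is still being populated (the newest event is under 48 hours old), and flags 198.51.100.4 for five failed logins in about half a minute. The untimestamped failure from 192.0.2.55 is excluded from the burst check because it cannot be placed in time, which is exactly why the timestamp check comes first. Passing a later review time (for example three days after the last event) turns `stale` on, which is the signal that logging has silently stopped.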
It’s worth making sure you back up all of your source code to an appropriate version control repository, such as Bitbucket. This can enable you to roll back any changes if necessary should you experience a security incident.
There are a number of useful resources available online that can help you if you need more detail on responding to a security incident: