Last updated May 12, 2019

Preparing for a security incident

This document gives our Marketplace app vendors pointers on how to prepare effectively for responding to cyber security incidents. It is separate from our security incident management guidelines, which cover the steps you need to take when you actually experience a security incident.

When it comes to Marketplace apps, we consider any of the following circumstances to be a security incident:

  • Any actual or suspected unauthorized access, acquisition, use, disclosure, modification, or destruction of end user data in your possession or control as a Marketplace Vendor (or in the possession or control of your agents or contractors).
  • A security vulnerability or compromise of your Marketplace app.
  • An issue that materially degrades Atlassian systems or networks.

What things do I need to consider to be prepared for a security incident?

In order to be effectively prepared for dealing with a security incident, ask yourself the following questions:

  • Do I know who I need to contact should I experience a security incident?
  • Are we keeping logs about the right things concerning our app?
  • Are we storing our logs in the correct way and checking them regularly?
  • Am I backing up my app code to an appropriate location?

Below are guidelines for how to handle each of these questions.

Do I know who I need to contact should I experience a security incident?

In many cases, effectively responding to a security incident will require the involvement of stakeholders outside of your organization, whom you need to identify and preferably build relationships with in advance. This could include:

  • An incident response partner or cyber security adviser who can help guide you through the process of investigating a security incident involving your app and provide you with technical support, should you need it.
  • Legal advisers who can help you with knowing your legal responsibilities in the case of a particular incident, particularly if end user data has been compromised and there’s a possibility you may be subject to mandatory breach notification obligations as a result.
  • Atlassian: for any security incidents involving Marketplace apps, you will need to lodge an app security incident ticket here.

Are we keeping logs about the right things concerning our app?

When it comes to promptly and effectively detecting security incidents involving your app, one of the most critical things to be doing is making sure you are keeping logs of important information concerning your app and checking those logs regularly. This can also help during the course of an investigation about a potential incident concerning your app, and hence Atlassian may ask for this information. Examples of relevant events you should be logging include:

  • Information about any administrative tasks performed by users of the app (if practical) or by your developers.
  • Application errors.
  • Application code and configuration changes.
  • Application and related systems start-ups and shut-downs.

For all logged events, make sure the date and time the event occurred is also recorded.

Are we storing our logs in the correct way and checking them regularly?

If you’re using a cloud-based environment for your development activities, be aware that many popular cloud-based platforms like AWS and Azure offer built-in functionality for logging. There are also a number of cloud-based log analytics platforms that are available, such as SumoLogic and Splunk, to help identify potential issues in your logs, and bring them to your attention.

The important thing is to enable logging, and to log as much about what’s going on in your environment as possible. Fundamentally speaking, the more information you have access to when investigating an incident, the better.

If you’re storing your logs locally, make sure to store log data in a restricted location so that only staff with an appropriate business need have access to those logs. You should also ensure that any access to the logs themselves by staff is recorded and monitored.

Make sure to store logs for at least the last 12 months of events relating to your IT environment. Sometimes, an incident may only become apparent later on, so being able to review the state of things as they were at a previous point in time is crucial to aid in incident investigations.

If you aren’t using an automated analytics platform to check your logs, then they should be checked manually at regular intervals (at least every 24-48 hours) to ensure they are being correctly populated and to identify any potential security incidents involving your app.
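The logging guidance in the two sections above can be turned into a routine check; the following is an added example, not Atlassian code, that flags records without a timestamp, a log that has gone quiet for more than 48 hours, retention shorter than 12 months, missing event categories, and log files readable beyond their owner. The JSON-lines layout, the `ts` and `event` field names, and the event names are assumptions made for this sketch.

```python
import json, os, stat
from datetime import datetime, timedelta, timezone

# Event names and the "ts"/"event" field names are assumptions for this example.
EXPECTED = {"admin_action", "app_error", "config_change", "startup", "shutdown"}
MAX_SILENCE = timedelta(hours=48)    # guideline: check every 24-48 hours
MIN_RETENTION = timedelta(days=365)  # guideline: keep at least 12 months

def audit_log_lines(lines, now):
    """Return findings for JSON-lines log records, judged at time `now` (tz-aware)."""
    findings, stamps, seen = [], [], set()
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
            ts = datetime.fromisoformat(rec["ts"])
        except (ValueError, KeyError, TypeError):
            findings.append(f"line {n}: missing or unparseable timestamp")
            continue
        if ts.tzinfo is None:
            findings.append(f"line {n}: timestamp has no timezone")
            continue
        stamps.append(ts)
        seen.add(rec.get("event"))
    if not stamps:
        return findings + ["no valid events: logging may be disabled"]
    if now - max(stamps) > MAX_SILENCE:
        findings.append("no events in the last 48 hours: log may not be populating")
    if now - min(stamps) < MIN_RETENTION:
        findings.append("oldest event is under 12 months old: confirm retention")
    findings += [f"no '{e}' events recorded" for e in sorted(EXPECTED - seen)]
    return findings

def log_file_is_restricted(path):
    """True when the file grants no access to group or other users (POSIX modes)."""
    return (stat.S_IMODE(os.stat(path).st_mode) & 0o077) == 0

# Constructed sample records, not real log data.
SAMPLE = [
    '{"ts": "2023-01-10T08:00:00+00:00", "event": "startup"}',
    '{"ts": "2024-03-01T09:15:00+00:00", "event": "admin_action", "user": "alice"}',
    '{"event": "app_error", "msg": "timeout"}',
    '{"ts": "2024-03-02T10:00:00+00:00", "event": "config_change"}',
]
NOW = datetime(2024, 3, 6, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for finding in audit_log_lines(SAMPLE, NOW):
        print(finding)
```

A record without a timestamp is excluded from the category count as well, so the sample reports `app_error` as missing even though one such line exists.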

Am I backing up my app code to an appropriate location?

It’s worth making sure you back up all of your source code to an appropriate version control repository, such as Bitbucket. This can enable you to roll back any changes if necessary should you experience a security incident.

Where do I go if I need further information on responding to a security incident?

There are a number of useful resources available online that can help you if you need more detail on responding to a security incident: