Question 1) Does vendor have a Internal Audit group or Compliance group? Please list name or names of people in that group.

A possible answer: Atlassian does not have a compliance group and will not list people in it. It is not their goal to come across as a secure company. They rather want to be a secure and serious company. The do more than 150M USD in turnover per year and have more than 5 million people using their software. They employ over 700 people and live their values. They have an Atlassian foundation to better the world. But they do not have a dedicated compliance group. I assume, that their answer would be: We don't need it. Every employee is an auditor. We all follow our value "Open company, no bullshit".

Question 2) Do you employ a QA process with the development of the code? Explain.

A possible answer: Atlassian is the leading role model for good software development in the industry. They publish a lot of info about their QA and development processes. Here is a good example of how they have all their software integrated to make every change visible and traceable, even on a management level:
English version (development cycle): http://youtu.be/OMLh-5O6Ub8
German version (management & requirements view): http://youtu.be/9TbbD0jB5LE
Atlassian openly communicates about their QA-processes. See here: http://blogs.atlassian.com/2013/12/introducing-atlassian-qa/ http://blogs.atlassian.com/2013/12/jira-qa-process/ http://blogs.atlassian.com/2008/01/setting_up_a_qa_team/

Question 3) Are periodic assessments performed to confirm that customer systems are deployed and maintained within the corporate security standards and policies? If so, how often? Please provide evidence of review if it exists.

A possible answer: Atlassian uses their hosting plattform Cloud and their internal systems do maintain a continous deployement development cycle and make sure, that all releases, that are deployed in behind-the-firewall-products are well tested and robust. They publicly collect bugs and issues and react very fast to security problems that may occur.

Question 4) How often do you do vulnerability scans both external and internal? What is your process for remediating the vulnerabilities identified?

A possible answer: These two links answer the questions in detail: https://confluence.atlassian.com/display/Support/Atlassian+Security+Policies https://confluence.atlassian.com/display/DOC/Confluence+Security+Overview+and+Advisories

If some of these infos do not cover all of your information needs, please feel free to contact us with more specific questions.

  • No labels

This content was last updated on 12/19/2014.

This content hasn't been updated in a while. That doesn't have to be a problem. Some of our pages live for years without becoming obsolete.

Old content can be incorrect, misleading or outdated. Please get in contact with us via a form on this page, our live chat or via email with content@seibert.group if you are in doubt, have a question, suggestion, or want changes from us.