Hindsight Software is the first and only BDD tool vendor within the Atlassian Marketplace to have passed Atlassian's Cloud Security program.
Some of the measures we have introduced over the years to further security include:
Developer training on the OWASP top 10
Encryption in transit: we use HTTPS between microservices
Encryption at rest: we use encrypted disks for our databases
Dependency analysis using GitHub and npm audit to identify vulnerable code libraries
Anchore for checking docker image compliance against the CIS Docker benchmark
AWS GuardDuty and AWS Security Hub for monitoring threats and CIS AWS benchmark compliance
Despite all of the above, we believe our duty to protect our customers' security shouldn't end there. That is why earlier this year our security initiative took another large step forward with the launch of our Bug Bounty program. Our bug bounty program rewards security researchers with a cash 'bounty' for being the first to find a confirmed security issue. The bounty ranges from $1,500 to $100 depending on the severity of the vulnerability found.
What about pen tests?
We arrange for external penetration tests of Behave Pro, but what happens between these tests? Bad actors don't sit idle, and we are constantly releasing new code to production to give you great features, which is where the bug bounty program really proves its value. As part of our ongoing commitment, our 'always on' bug bounty program means that security researchers are constantly trying to find security issues between our penetration tests.
Atlassian have always been great proponents of bug bounty programs to complement existing security reviews and penetration testing, and they have now formally brought this initiative to the Atlassian Marketplace for Cloud Apps with the Marketplace bug bounty program.
Atlassian Marketplace Bug Bounty Program
At the start of July on the Atlassian Marketplace the 'Top vendor' badge was replaced by a new badge, 'Cloud Security Participant', to identify vendors and Apps that take security seriously and participate in Atlassian's security programs. Any App with an active bug bounty program that has been running for at least 4 weeks and has 100+ security researchers is eligible for this new badge.
To encourage other App vendors who hadn't yet taken the opportunity to start a Bug Bounty, Atlassian arranged a six-week 'Blitz' starting at the end of May, during which Atlassian would pay the Bug Bounties instead of the vendor. Already having our Bug Bounty program up and running, we still benefited from the Blitz, with Atlassian paying enhanced bounties for Behave Pro.