Jira Align and Enterprise Insights Security: Protection against SQL injection attacks

Summary

This article addresses the following security concerns:

  1. Documentation of the mechanisms implemented within the Jira Align (JA) application to ensure the validity of data input

  2. Confirmation that the JA application includes measures designed to protect against SQL injection attacks


Environment

Jira Align


Solution

Jira Align:

Atlassian has multiple controls in place to thwart SQL injection attacks. The first set of controls is in our security testing methodology: in our SDLC, we use Snyk for both Software Composition Analysis (SCA) and Static Application Security Testing (SAST) to detect SQL injection in our own code as well as in third-party libraries. We also use Burp for Dynamic Application Security Testing (DAST) to detect any SQL injection at runtime/deployment. In addition, we have annual third-party penetration testing and an ongoing Bug Bounty Program, both of which could also detect such issues.

Enterprise Insights:

The security standards for Enterprise Insights (EI) are consistently aligned with the guidelines set by the Security team. With respect to validation, EI is accessed as a read-only database, which eliminates the need for specific input validation at the application layer. Additionally, the source data for EI has already undergone validation, as described in the Jira Align section above.

Last modified on Mar 10, 2025
