Kantega SSO Security Practice

At Kantega SSO, we believe that privacy and security are core requirements for applications. As a security vendor on the Atlassian Marketplace, we strive to build transparent applications that improve both security and user experience for our customers. For our Data Center apps, we act as an integration partner, delivering secure login and identity provisioning for your Atlassian Data Center systems.

Security approaches

The following section describes how we approach security in our software development process for all our Data Center and Cloud apps on Atlassian Marketplace.

Security by Design

We believe in building software that is secure by design. This means treating security as a core principle when designing and building applications, rather than applying it as a "feature" after the fact. We build our apps around a risk-based approach: risk assessments are part of the initial development, so that threats and risks (for example, a new integration that makes outbound network calls) are addressed in the design itself. Our development team consists of security-minded people who prioritize security while still building great functionality.

Secure coding practices

We review the security implications of new features or apps at the architecture and design level whenever the level of risk calls for it, so that fundamental issues are discovered early. Due to capacity limitations, our risk analyses do not cover every change; we focus them on critical components and larger changes. In addition to risk analysis and architecture reviews, we use automated detection tools and manual secure code reviews to support our developers, together with manual and automated testing of our apps. Lastly, independent security researchers validate our software through the Bug Bounty Program.

Software Security tools

Our tools include IntelliJ IDEA, which has built-in vulnerability scanning of dependencies in addition to static analysis for code quality. In CI/CD we use GitLab pipelines, where the OWASP Find Security Bugs detectors run through the SpotBugs Maven Plugin on every build, alongside end-to-end tests with Cypress and a unit test suite.

Third-party components

To keep our components up to date and to detect supply-chain risks, we use the OWASP dependency-check plugin, "a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies". For JavaScript dependencies, npm audit is used to scan components during development.

In addition, we aim for transparency and openness by generating a Software Bill of Materials (SBOM) in the CycloneDX format for our software artifacts, so that anyone can review our components in their own scanning tools. For our Maven artifacts we use the cyclonedx-maven-plugin, and the resulting SBOM is published alongside the releases of our Data Center apps. For frontend artifacts, we use the cyclonedx-webpack-plugin to generate an SBOM that is bundled with the JavaScript and CSS assets inside the JAR artifacts of our Data Center apps. Our Cloud apps are submitted to Atlassian's own Ecoscanner (https://developer.atlassian.com/platform/marketplace/ecoscanner/), which generates reports that we must address.
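The paragraph above says that customers can review the published SBOM in their own tools. As an added example (not Kantega's code, and not part of the original page), the script below shows two checks a consumer of a vendor SBOM typically runs offline on the CycloneDX JSON: that every component carries a package URL (purl), since software composition analysis tools match components against advisories by purl, and a diff between the SBOMs of two consecutive releases so that only new or upgraded components need a fresh review. The two embedded SBOMs, including their group, package and version names, are constructed for the example and do not describe any real Kantega release.

```python
"""Offline review of CycloneDX JSON SBOMs: purl coverage and release-to-release diff.

Added example; the two documents below are constructed and stand in for the
SBOMs of two consecutive releases of a hypothetical app.
"""
import json

OLD_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "example-app", "version": "1.0.0"}},
    "components": [
        {"type": "library", "group": "com.example", "name": "lib-a", "version": "1.2.0",
         "purl": "pkg:maven/com.example/lib-a@1.2.0"},
        {"type": "library", "group": "com.example", "name": "lib-b", "version": "3.0.1",
         "purl": "pkg:maven/com.example/lib-b@3.0.1"},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
    ],
})

NEW_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "example-app", "version": "1.1.0"}},
    "components": [
        {"type": "library", "group": "com.example", "name": "lib-a", "version": "1.3.0",
         "purl": "pkg:maven/com.example/lib-a@1.3.0"},
        # lib-c has no purl: a scanner cannot match it against any advisory database.
        {"type": "library", "group": "com.example", "name": "lib-c", "version": "0.9.0"},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
    ],
})


def _identity(component):
    """Version-independent coordinate of a component: 'group/name' or just 'name'."""
    group = component.get("group")
    name = component["name"]
    return f"{group}/{name}" if group else name


def load_components(bom_text):
    """Parse a CycloneDX JSON document and return its component list.

    Anything that does not declare bomFormat == "CycloneDX" is rejected so that
    an SPDX file or an unrelated JSON blob is not silently treated as an SBOM.
    """
    bom = json.loads(bom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return list(bom.get("components", []))


def versions_by_identity(components):
    """Map each component identity to the sorted list of versions present.

    npm dependency trees can legitimately contain the same package at several
    versions, so a list is kept per identity rather than a single version.
    """
    out = {}
    for component in components:
        out.setdefault(_identity(component), []).append(component.get("version", ""))
    return {ident: sorted(versions) for ident, versions in out.items()}


def missing_purls(bom_text):
    """Identities of components without a purl; these are invisible to SCA matching."""
    return sorted(_identity(c) for c in load_components(bom_text) if not c.get("purl"))


def diff_sboms(old_text, new_text):
    """Added, removed and version-changed components between two SBOMs."""
    old = versions_by_identity(load_components(old_text))
    new = versions_by_identity(load_components(new_text))
    added = sorted((i, new[i]) for i in new.keys() - old.keys())
    removed = sorted((i, old[i]) for i in old.keys() - new.keys())
    changed = sorted((i, old[i], new[i]) for i in old.keys() & new.keys() if old[i] != new[i])
    return {"added": added, "removed": removed, "changed": changed}


def review(old_text, new_text):
    """Human-readable report lines combining both checks."""
    lines = [f"WARN no purl: {ident}" for ident in missing_purls(new_text)]
    diff = diff_sboms(old_text, new_text)
    lines += [f"ADDED   {ident} {versions}" for ident, versions in diff["added"]]
    lines += [f"REMOVED {ident} {versions}" for ident, versions in diff["removed"]]
    lines += [f"CHANGED {ident} {before} -> {after}" for ident, before, after in diff["changed"]]
    return lines


if __name__ == "__main__":
    print("\n".join(review(OLD_BOM, NEW_BOM)))
```

For a real review, replace the two embedded strings with the contents of the `bom.json` files published with the previous and current release; the diff then tells you which components are new or upgraded and therefore worth a fresh look in your own scanner, and the purl warning flags components your scanner will silently skip.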

Security programs

In addition to working in a security-focused team, we participate in security programs that raise awareness and keep our practices current.

Security Champions program

We participate in a Security Champions program together with our parent company. For us, this means we have a Security Champion on the team who focuses on areas ranging from stronger CI/CD validation to privacy-enhancing improvements and security-oriented architecture. Our Security Champion builds and reinforces the security culture within our team, shares our experiences with other teams in the organization, and maintains a close dialogue with our organization's Security Manager.

Bug Bounty Program

Our apps are enrolled in the Atlassian Bug Bounty Program, which we view as an excellent complement to our other secure coding practices such as static code analysis, architecture review and end-to-end testing.

Community and research

We are engaged in the wider security community through activities such as meetups and conferences. We also have a close relationship with academia, where we take part in security-related research projects and supervise students working on security-related research.

Incident response

Atlassian's guidelines define a security incident as any of the following:

  1. Any actual or suspected unauthorized access, acquisition, use, disclosure, modification or destruction of end user data in our possession or control as a Marketplace Partner (or in the possession or control of our agents or contractors)

  2. A security compromise of our app

  3. For Cloud apps, any issue that materially degrades Atlassian systems or networks

Whenever an incident occurs, we follow Atlassian's app security incident management guidelines (https://developer.atlassian.com/platform/marketplace/app-security-incident-management-guidelines/).

Contact

If you discover or experience a security incident involving our apps, the appropriate action is to contact us. We recommend the following methods to contact us:

Subscribe to Security updates

We publish notices about vulnerabilities and incidents on our Security incident notices wiki, and send email notifications to subscribers when we have important product updates or incidents. Subscribe to updates using the form on our website.

Privacy

We are committed to the privacy of our customers, and have therefore always been restrictive in the data we collect. Read our privacy policy for more information.