Kantega SSO Security Practice
At Kantega SSO, we believe that privacy and security are core requirements for applications. As a security vendor for the Atlassian Marketplace, we strive to produce transparent applications to improve security and user experience for our customers. For our Data Center apps, our delivery as an integration partner ensures secure logins and identity provisioning to your Atlassian Data Center systems.
The following section describes how we approach security in our software development process for all our Data Center and Cloud apps on Atlassian Marketplace.
Security by Design
We believe in building software that is secure by design. This means using security as a core principle when designing and building applications, in contrast to applying security as a “feature” after the fact. We build our apps around a risk-based approach, where risk assessments are done as part of the initial development, meaning we address any threat or risk (for example, a new component that makes network calls) as part of the design. Our development teams consist of security-minded people who prioritize security alongside the need to build great functionality.
Secure coding practices
We strive to review the security implications of new features or apps at the architecture and design level where the level of risk requires it, so that fundamental issues can be discovered early on. Due to capacity limitations, we do not have 100% coverage in risk analysis, but limit it to critical components and larger changes. In addition to risk analysis and architecture reviews, we use automated detection tools and manual secure code reviews to support our developers, as well as manual and automated testing of our apps. Lastly, we support independent security researchers in validating our software through the Bug Bounty Program.
Software Security tools
Our tools include IntelliJ IDEA, which has built-in vulnerability scanning of dependencies in addition to static analysis for quality assurance. We also use GitLab pipelines, in which we deploy the OWASP Find Security Bugs plugin alongside the SpotBugs Maven Plugin to secure the build in CI/CD, together with end-to-end tests in Cypress and a unit testing suite.
To ensure that our components are up to date and to detect supply-chain risks, we use the OWASP dependency-check plugin, which is “a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies”. npm audit is also used to scan components during development.
In addition to working in a security-focused team, we’re also participants in security programs to raise awareness.
Security Champions program
We’re participating in a Security Champions program with our parent company. For us, this means we have a Security Champion in our team who focuses efforts on areas ranging from increased CI/CD validation to privacy-enhancing improvements and security-oriented architecture. Our Security Champion builds and reinforces the security culture within our team, shares our experiences with other teams in the organization, and keeps a close dialog with our organization’s Security Manager.
Bug Bounty Program
We are participating in the Atlassian Bug Bounty Program with our apps, which is something we view as an excellent way to complement our other secure coding practices like static code analysis, architecture review and end-to-end testing.
Community and research
We are engaged in the wider security community via participation in different activities, like meetups and conferences. We have a close relationship with the academic world, where we engage with security related research projects and supervision of students working on security related research.
Incident & response
According to Atlassian, the following three points qualify as a security incident:
Any actual or suspected unauthorized access, acquisition, use, disclosure, modification or destruction of end user data in your possession or control as a Marketplace Partner (or in the possession or control of your agents or contractors)
A security compromise of our app
For Cloud apps, any issue that materially degrades Atlassian systems or networks
Whenever an incident occurs, we follow Atlassian’s app security incident management guidelines: https://developer.atlassian.com/platform/marketplace/app-security-incident-management-guidelines/.
When you experience an incident, the appropriate action is to contact us. We recommend the following methods to contact us:
Open an emergency support ticket at our customer portal for the appropriate app.
Send an email to email@example.com
Subscribe to Security updates
We publish notices about vulnerabilities or incidents under our Security incident notices wiki, and send email notifications to our subscribers when we have important product updates or incidents.
Subscribe to updates in the form on our website.