
Report from Arcan Security on July 14th, 2022

The text below is a summary of the security audit performed by Arcan Security. See the full report.

Full report (attached file): pentest_report_requirement_yogi_cloud_2022_07_14.pdf

Introduction

This document reports the security audit results of the Confluence and Jira plugins “Requirement Yogi Cloud” and “Requirement Yogi for Jira Cloud” developed by the company Requirement Yogi.

...

N.B.: the results come from 3 days of audit, so they may be only a subset of what an attacker with no time limit could find.
N.B.2: the results have been updated after a verification audit performed in early July.

Risk analysis summary

The main risks which the auditor was asked to focus on were:

...

  • A user dumps data linked to another customer or a space he does not have access to,

  • A user changes data linked to another customer or a space he does not have access to,

  • A user performs a restricted action for which he does not have the granted rights,

  • An attacker performs a distributed denial of service on the platform.

Risk assessment

Probability of the risk

Score | Level    | Description
------|----------|------------
4     | Strong   | The environment or context of the company means that, if nothing is done, such a threat will certainly materialize in the short term.
3     | Average  | The environment and the context of the company mean that, if nothing is done, such a threat will materialize in the short term.
2     | Low      | Even in the absence of any security measure, the environment and the context mean that the probability of occurrence of such a threat, in the short or medium term, is low.
1     | Unlikely | Regardless of any security measures, the probability of occurrence of such a threat is extremely low and negligible.

...

Impact of the risk

Score | Level   | Description
------|---------|------------
4     | Strong  | Unsustainable financial, legal, commercial or image impact.
3     | Average | Significant financial, legal, commercial or image impact.
2     | Low     | Weak financial, legal, commercial or image impact.
1     | Minimal | Financial, legal, commercial or image impact without significant impact.


Summary

Scenario | Probability | Impact | Risk | Action to lower the risk
---------|-------------|--------|------|-------------------------
An attacker performs a distributed denial of service on the platform. | 2 | 3 | 6 | Implement a rate-limiting system
A user changes data linked to another customer or a space he does not have access to. | 1 | 4 | 4 | Harden the overall system; secure the API; make the API more consistent
A user dumps data linked to another customer or a space he does not have access to. | 1 | 3 | 3 | Harden the overall system; secure the API; make the API more consistent
A user performs a restricted action for which he does not have the granted rights. | 1 | 3 | 3 | Harden the overall system; secure the API

General overview

Strengths:

  • Good understanding of the cybersecurity risks

  • Follows the guidelines from Atlassian

  • Secure development

Possible improvements:

  • Make the API more consistent

  • Integrate all the good practices in the whole stack of the system

  • Address the current flaws

Conclusion

During the audit, no critical or high vulnerabilities were found by the auditor.

...


SAS ARCANSECURITY, with a share capital of €30,000 - 535 Route des Lucioles, Les Aqueducs B3, 06560 Valbonne, France

Tel. +33 4 83 43 25 44 - e-mail: contact@arcansecurity.com www.arcansecurity.com
VAT no.: FR01 828 428 367