Security audit - Cloud (14/07/2022)
Updated Apr 05, 2023


    Report from Arcan Security on July 14th, 2022

    The text below is a summary of the security audit performed by Arcan Security. See the full report.

    Introduction

    This document reports the security audit results of the Confluence and Jira plugins “Requirement Yogi Cloud” and “Requirement Yogi for Jira Cloud” developed by the company Requirement Yogi.

    ArcanSecurity performed the audit between the 19th and the 21st of April 2022.

    Requirement Yogi provided three accounts: Super Admin, Admin and User.

    N.B.: the results come from 3 days of audit, so they may be only a subset of what an attacker with no time limit could find.
    N.B. 2: the results were updated after a verification audit performed in early July.

    Risk analysis summary

    The main risks which the auditor was asked to focus on were:

    • Data leak of a customer,

    • Unauthorized changes or deletion of customer’s data - Privilege escalation,

    • Availability of the platform.

    During the audit, the auditor identified four scenarios that could impact the company Requirement Yogi:

    • A user dumps data linked to another customer or a space he does not have access to,

    • A user changes data linked to another customer or a space he does not have access to,

    • A user performs a restricted action for which he does not have the granted rights,

    • An attacker performs a distributed denial of service on the platform.

    Risk assessment

    Probability of the risk

    Score | Probability | Description
    4 | Strong | The environment or context of the company means that, if nothing is done, such a threat will certainly materialize in the short term.
    3 | Average | The environment and the context of the company mean that, if nothing is done, such a threat will materialize in the short term.
    2 | Low | Even in the absence of any security measure, the environment and the context mean that the probability of occurrence of such a threat, in the short or medium term, is low.
    1 | Unlikely | Regardless of any security measures, the probability of occurrence of such a threat is extremely low and negligible.



    Impact of the risk

    Score | Impact | Description
    4 | Strong | Unsustainable financial, legal, commercial or image impact.
    3 | Average | Significant financial, legal, commercial or image impact.
    2 | Low | Weak financial, legal, commercial or image impact.
    1 | Minimal | Financial, legal, commercial or image impact without significant impact.



    Summary

    Scenario | Probability | Impact | Risk | Action to lower the risk
    An attacker performs a distributed denial of service on the platform. | 2 | 3 | 6 | Implement a rate-limiting system
    A user changes data linked to another customer or a space he does not have access to. | 1 | 4 | 4 | Harden the overall system; secure the API; make the API more consistent
    A user dumps data linked to another customer or a space he does not have access to. | 1 | 3 | 3 | Harden the overall system; secure the API; make the API more consistent
    A user performs a restricted action for which he does not have the granted rights. | 1 | 3 | 3 | Harden the overall system; secure the API

    General overview

    Strengths:

    • Good understanding of the cybersecurity risks

    • Follows the guidelines from Atlassian

    • Secure development

    Possible improvements:

    • Make the API more consistent

    • Integrate all the good practices in the whole stack of the system

    • Address the current flaws

    Conclusion

    During the audit, the auditor found no critical or high vulnerabilities.

    Considering the security picture only, the plugin Requirement Yogi Cloud is at a good level.

    An attacker would certainly need a considerable amount of time to find and exploit a potential vulnerability in the API. An attacker would therefore more likely try to gain access to the system by other means, such as stealing the AWS credentials, phishing employees, or similar.

    That said, in the bigger picture, the system still needs some work to make the API fully consistent, less verbose, and more robust against denial of service.

    By taking all of the steps listed in the given roadmap, the probability of an attack, and therefore the risk, can be reduced.



    SAS ARCANSECURITY with a share capital of €30,000 - 535 Route des Lucioles, Les Aqueducs B3, 06560 Valbonne, France

    Tel. +33 4 83 43 25 44 - e-mail: contact@arcansecurity.com – www.arcansecurity.com
    VAT no.: FR01 828 428 367




