...
...
...
...
...
...
Tip: The text below is a summary of the security audit performed by Arcan Security. See the full report.
Introduction
This document reports the security audit results of the Confluence and Jira plugins “Requirement Yogi Cloud” and “Requirement Yogi for Jira Cloud” developed by the company Requirement Yogi.
...
Risk analysis summary
The main risks the auditor was asked to focus on were:
- Data leak of a customer,
- Unauthorized changes or deletion of a customer's data,
- Privilege escalation,
...
- Availability of the platform.
During the audit, the auditor determined four scenarios that could impact the company Requirement Yogi:
- A user dumps data linked to another customer or a space he does not have access to,
...
- A user changes data linked to another customer or a space he does not have access to,
...
- A user performs a restricted action for which he does not have the granted rights,
...
- An attacker performs a distributed denial of service on the platform.
Risk assessment
Probability of the risk
Level | Name | Description |
---|---|---|
4 | Strong | The environment or context of the company means that, if nothing is done, such a threat will certainly materialize in the short term. |
3 | Average | The environment and the context of the company mean that, if nothing is done, such a threat will materialize in the short term. |
2 | Low | Even in the absence of any security measure, the environment and the context mean that the probability of occurrence of such a threat, in the short or medium term, is low. |
1 | Unlikely | Regardless of any security measures, the probability of occurrence of such a threat is extremely low and negligible. |
...
Impact of the risk
Level | Name | Description |
---|---|---|
4 | Strong | Unsustainable financial, legal, commercial or image impact. |
3 | Average | Significant financial, legal, commercial or image impact. |
2 | Low | Weak financial, legal, commercial or image impact. |
1 | Minimal | Financial, legal, commercial or image impact that is not significant. |
Summary
Scenario | Probability | Impact | Risk (Probability × Impact) | Actions to lower the risk |
---|---|---|---|---|
An attacker performs a distributed denial of service on the platform. | 2 | 3 | 6 | Implement a rate-limiting system |
A user changes data linked to another customer or a space he does not have access to. | 1 | 4 | 4 | Harden the overall system; secure the API; make the API more consistent |
A user dumps data linked to another customer or a space he does not have access to. | 1 | 3 | 3 | Harden the overall system; secure the API; make the API more consistent |
A user performs a restricted action for which he does not have the granted rights. | 1 | 3 | 3 | Harden the overall system; secure the API |
General overview
Strengths
- Good understanding of the cybersecurity risks
- Follows the guidelines from Atlassian
- Secure development
...
SAS ARCANSECURITY with a share capital of €30,000 - 535 Route des Lucioles, Les Aqueducs B3, 06560 Valbonne, France. Tel. +33 4 83 43 25 44 - e-mail: contact@arcansecurity.com – www.arcansecurity.com