Atlassian Protects Its Products and Its Customers With BugcrowdDownload Case StudyAgile approaches have transformed software development, enabling organizations to fast-track innovation by launching new features and products more rapidly than ever before. The Agile methodology is all about teamwork. To succeed, teams that are often spread across the globe need to be able to plan projects, share documents, and create together.Atlassian’s mission is to unleash the potential of every team. Its suite of tools, including flagship products like Jira and Trello, help agile teams collaborate. Founded by a couple of entrepreneurial graduates in Australia in 2001, the company now has over 5,000 employees, offices in seven countries, and its products are used by more than 180,000 companies worldwide.With a customer base that includes well-known brands such as Hubspot, Delta and Visa, Atlassian can’t afford for its products to be vulnerable to security threats. Even with a fully dedicated security team, the Atlassian security team wants to invest in building more secure products rather than triaging and validating incoming vulnerability findings. “No matter how many pen tests we run, or how many tools we use, we’re never going to pick up every vulnerability internally,” says Adrian Ludwig, CISO at Atlassian. “We needed greater diversity—with a broad range of people from various backgrounds and with different experience and expertise, you’re more likely to identify the bugs within your system.”Covering All Bases With Crowdsourced SecurityTo ensure it has a diverse group of experts investigating its systems for vulnerabilities, Atlassian has a bug bounty program with Bugcrowd. “It’s always going to be helpful to have other people, outside Atlassian, looking at our environment,” confirms Ludwig. “It’s a win-win situation—either the Crowd finds something we didn’t see, in which case we can fix it. Or they don’t find anything, which validates our efforts.”For Atlassian, the first stage of setting up the program was about finding as many vulnerabilities as possible, and the second is about ensuring it’s doing enough. “I can use budgeting as a mechanism to measure the effectiveness of my program,” says Ludwig. “By expanding scope and increasing rewards, I can make sure that we’re identifying and addressing particular problems quickly.”Industry Software DevelopmentBugcrowd Product Managed Bug BountyChallenge Identify as many vulnerabilities as possible within agile development products by creating a more diverse security team.OutcomesMeasurable reports make it easy to demonstrate valueShows commitment to security to reassure customersNo matter how many pen tests we run, or how many tools we use, we’re never going to pick up every vulnerability internally. We needed greater diversity—with a broad range of people from various backgrounds and with different experience and expertise, you’re more likely to identify the bugs within your system.Adrian Ludwig, CISO, AtlassianExtending the Benefits to the Atlassian MarketplaceThe third stage is about applying crowdsourced security more broadly. The company doesn’t just develop its own software, but also runs a marketplace of 5,000+ applications, built by partners, that integrate with Atlassian products. The Marketplace Security Bug Bounty Program aims to give partners the tools to facilitate post-production vulnerability discovery in a cost-efficient way. “Many of our partners are small development shops that don’t have their own specialist security teams,” explains Ludwig. “We’re helping to ensure that their solutions are also secure by adding them to the program.”By working with Bugcrowd, Atlassian can access specialist security knowledge from more than 60,000 researchers. Plus, the Bugcrowd team runs the process, including triage and ensuring researchers submit the right information, making it easier and more efficient for Atlassian to manage. With regular reports, Atlassian can measure the effectiveness of its program and demonstrate its value.With continuous testing via the Bugcrowd platform, the company can safeguard the quality and trustworthiness of its products, protecting both its customers and its business.If you are interested in learning more about Atlassian, go to www.atlassian.com.More about the IntervieweeAdrian Ludwig is the Chief Information Security Officer (CISO) at Atlassian. Adrian joined the company in May 2018 and is responsible for Atlassian’s security team and practices. Prior to joining the company, Adrian held a number of leadership positions, including building out the security capabilities at Nest, Macromedia, Adobe, and Android (Google). As a self-described hacker in his early years, Adrian was recruited bythe Department of Defense when he was 16. They put him through college and, after graduation, put him to work for several years finding security flaws in cryptographic and computer network systems.
