Security Self Assessment Program - Best Practices

Hi All,
I am a new developer to the Atlassian ecosystem. I am planning on submitting the security self-assessment questionnaire, and I want to check in whether there are any best practices that you would recommend.

In reviewing the questionnaire I see that I have to submit the following:

  • Filled out questionnaire
  • Supporting policy documents
    1. Information Security Policy
    2. Change Control policy
    3. Release Management policy
    4. Audit policy
    5. Notification & follow-up policy
    6. Infrastructure access policy
    7. Vulnerability disclosure policy
    8. Business Continuity policy (BCP)
    9. Backup policy - typically covered under BCP
  • Pentest report

Is there a specific format Atlassian prefers these policy documents to be in?

Is there a preferred vendor for performing the pentests?

Any pointers and guidance would be very much appreciated.

Thank you
Vish

Hi @VishReddy ,

It’s not required to actually have the documents nor perform the pentests. The security self-assessment is basically just that: an assessment. You only need to enter the information that reflects the current state of your information security policy (or lack thereof).

The security self-assessment has been deprecated and is replaced by other trust signals like the Bug Bounty program and the Cloud Fortified program. It’s nice to have that green check mark next to your name, but I doubt anyone who is serious about Atlassian procurement & security considers it to be of any value.

Thank you @remie appreciate your advice.

Is there any recommendation on a pentester who has experience with Connect apps?

Thank you
Vish

Hi, @VishReddy , and welcome!

We do not require a strict format. Instead, we ask you to answer each question, and provide additional documentation, when applicable. We do not have a preferred vendor for performing pentests.

To clarify, the self-assessment has not been deprecated. We recommend that all partners submit a self-assessment on a yearly basis. Additionally, the self-assessment is a requirement for the Cloud Fortified App Program. We also indicate whether you’ve submitted a self-assessment in the overview section of your app listing.

All of our questions and their passing criteria are listed on this page: https://developer.atlassian.com/platform/marketplace/security-self-assessment-program/

I mean, come on. Technically you are right: the program was announced to be deprecated and to be replaced by CAIQ-lite, but that project was abandoned and the deprecation was put on hold (indefinitely). So now you basically just ask all vendors to create an AMKTHELP ticket every year which is more or less auto-approved within 1 business day by @chparker without any significant review whatsoever. Who are we kidding at this point?