Hi All,
I am a new developer to the Atlassian ecosystem. I am planning on submitting the security self-assessment questionnaire, and I want to check in whether there are any best practices that you would recommend.
In reviewing the questionnaire I see that I have to submit the following:
Filled out questionnaire
Supporting policy documents
Information Security Policy
Change Control policy
Release Management policy
Audit policy
Notification & follow-up policy
Infrastructure access policy
Vulnerability disclosure policy
Business Continuity policy (BCP)
Backup policy - typically covered under BCP
Pentest report
Is there a specific format Atlassian prefers these policy documents to be in?
Is there a preferred vendor for performing the pentests?
Any pointers and guidance would be very much appreciated.
It’s not required to actually have the documents or to perform the pentests. The security self-assessment is basically just that: an assessment. You only need to enter the information that reflects the current state of your information security policy (or lack thereof).
The security self-assessment has been deprecated and is replaced by other trust signals like the Bug Bounty program and the Cloud Fortified program. It’s nice to have that green check mark next to your name, but I doubt anyone who is serious about Atlassian procurement & security considers it to be of any value.
We do not require a strict format. Instead, we ask you to answer each question, and provide additional documentation, when applicable. We do not have a preferred vendor for performing pentests.
To clarify, the self-assessment has not been deprecated. We recommend that all partners submit a self-assessment on a yearly basis. Additionally, the self-assessment is a requirement for the Cloud Fortified App Program. We also indicate whether you’ve submitted a self-assessment in the overview section of your app listing.
I mean, come on. Technically you are right: the program was announced to be deprecated and to be replaced by CAIQ-lite, but that project was abandoned and the deprecation was put on hold (indefinitely). So now you basically just ask all vendors to create an AMKTHELP ticket every year, which is more or less auto-approved within 1 business day by @chparker without any significant review whatsoever. Who are we kidding at this point?