Being an established software company, Atlassian boasts a large & complex code base consisting of several million lines of code across a few products. The code is mostly written in Java and includes many components, third-party plugins, and so on.
Atlassian was searching for a cost-effective solution that provides configuration flexibility and is capable of running on Mac OS.
Another important factor was the need to analyze incomplete code samples with missing dependencies, which significantly reduces the time & resources required to audit a code sample for vulnerabilities.
Lastly, it was important to find a solution coupled with strong & dedicated support to assist with the implementation & configuration process.
Atlassian tried most of the mature products or services in the marketplace.
The selection of Checkmarx
Atlassian conducted an extensive due diligence process over a period of several months with a number of SAST vendors.
Atlassian selected Checkmarx’s solution because it offered a good balance of functionality and cost, and the company demonstrated a readiness to respond to our various specific requests.
When Atlassian implemented Checkmarx over a year ago, the product was not as mature as it is today, so they were prepared for the inevitable tweaks and bugs needed to get the product working smoothly. A few hiccups inevitably occurred, and they were promptly handled by the Checkmarx support team. Overall, it did not take long for the product to be fully installed and productive.
Atlassian currently uses Checkmarx for assessing third-party plugins before bundling them with the core Atlassian products and SaaS services. The main concern is that plugins run at the same level of privilege as the rest of the JVM, so a security vulnerability in these third-party software components is equal in severity to any vulnerability in the host product.
Following the successful implementation of Checkmarx, Atlassian gradually expanded the use case to assessing shared components used across the entire product range. Eventually, the aim is to scan the millions of LoC Atlassian has across its entire code base on a regular basis. Atlassian is considering integrating Checkmarx into the SDLC so that every programmer at Atlassian will be able to scan their code using Checkmarx’s IDE plugins for Visual Studio / Eclipse, promoting a secure coding methodology across the entire company.
The Bottom Line
The Atlassian security team’s overall impression of Checkmarx is that it is a flexible and easy-to-use product.
The team was extremely happy with the level of support they received. It was both professional and timely despite the time-zone differences.
As is always the case with similar tools, Atlassian was prepared for a few quirks in installing and tuning it, but the installation turned out to be easy. Additional documentation would have been useful.
Atlassian (www.atlassian.com) products help innovators everywhere plan, build and launch great software. More than 18,000 large and small organizations – including Citigroup, eBay, Netflix and Nike – use Atlassian’s issue tracking, collaboration and software-development products to work smarter and deliver quality results on time. Learn more at.
For more background please refer to: https://www.atlassian.com/company/