Jira Align and Enterprise Insights Security: Protection against SQL injection attacks

Platform Notice: Cloud and Data Center - This article applies equally to both cloud and data center platforms.

Summary

This article addresses the following security concerns:

  1. Documentation of the mechanisms implemented within the Jira Align (JA) application to ensure the validity of data input

  2. Confirmation that the JA application includes measures designed to protect against SQL injection attacks

Environment

Jira Align

Solution

Jira Align:

Atlassian has multiple controls in place to thwart SQL injection attacks. The first is our security testing methodology: in our SDLC, we use Snyk for both Software Composition Analysis (SCA) and Static Application Security Testing (SAST) to detect SQL injection in our own code as well as in third-party libraries. We also use Burp for Dynamic Application Security Testing (DAST) to detect any SQL injection at runtime/deployment. We have annual third-party penetration testing and an ongoing Bug Bounty Program, both of which could also detect such issues.

Enterprise Insights:

The security standards for Enterprise Insights (EI) are consistently aligned with the guidelines set by the Security team. With regard to validation, EI is accessed as a read-only database, which eliminates the need for specific input validation at the application layer. Additionally, the source data for EI has already undergone validation, as highlighted in the security response above.

Updated on April 14, 2025
