Security in Software Development at Atlassian
How does Security fit into Atlassian software development life-cycle?
Agile processes usually do not have distinct SDLC phases, and this inhibits superposition of older, traditional approaches to gating releases through security checkpoints.
At the same time, agile workflows let us fix any vulnerabilities quickly, especially in our cloud services. We have a strict internal policy on timeframes for fixing any security issues that have been found.
What security reviews are undertaken before release of new code?
We do not undertake any "gate" style reviews, but continously assess the security of all our products.
Developers conduct code reviews regularly, pre-commit and post-commit in some cases, although these reviews are not specifically security-targeted. The Atlassian Security team performs regular targeted code reviews, manual and tools-assisted. From time to time, we engage 3rd party auditors to do wide-scope security code reviews for all our products.
We also have a ongoing test engagement with an independent third party for the Atlassian Cloud products and feed any findings back into our development process.
What methods are used to protect against common web application attacks (XSS, SQL injection, CSRF, etc.)
This depends on the product. Some features are cross-product, some are not. This article, Securing your Plugin, which is part of the developer curriculum, describes some of the cross-product controls.