Security Practices

The Easy Agile team takes security seriously. We know we're not infallible and we are always working to improve our security practices. Below we detail our current practices.

Our Security Practices should be read in conjunction with the Easy Agile Privacy Policy and License Agreement.

Security Vulnerability

We align with the Security Severity Levels published by Atlassian, and as a Platinum Atlassian Marketplace Partner we adhere to their security requirements for Cloud applications.

We participate in the Atlassian Marketplace Security Bug Bounty Program.

If you believe you have found or experienced a security vulnerability with an Easy Agile product or service please raise a security incident.

Jira Cloud

All of your Jira issue / project / user data is kept in your Jira Cloud instance. Your data is never stored by our add-on servers. Our addons are simple, static javascript applications which run entirely in your browser. They retrieve the data they require directly from your Atlassian Cloud instance.

Our Jira Cloud versions require the following Atlassian Connect Permissions (Scopes): Read, Write, Delete and Project Administration. Project Administration is needed for the creation and updating of Versions.

As the product is delivered as a static, client-side add-on, the requests to read, create or update Jira data are made by the account of the person using the addon. When you install the add-on you will see a new user added automatically to the Jira Software projects (e.g. Easy Agile User Story Maps for Jira (addon_com.kretar.Jira.plugin.user-story-map)) under the role 'atlassian-addons-project-access'.

We follow the Atlassian guidelines for security:

Analytics Data

Easy Agile captures analytics events from our products and stores these in a private analytics database hosted on Amazon Web Services in the United States of America.

No Personally Identifiable Information is included in the analytics events sent.

We do include the license Support Entitlement Number (SEN) to improve your customer support experience. For example, in the event you experience an error and raise a support request we are able to diagnose the problem quicker. We also collect an anonymous and random unique identifier for each browser session, this unique identifier (UUID) is not tied to, or seeded from, a user's personally identifiable information.

Example analytics event data we receive:

Add-on Key	SEN	Action	Event Data	Timestamp	Version
com.kretar.Jira.plugin.user-story-map	SEN-XXXXXXX	storymap-rendered	{"JiraVersion":"7.1.2", "eausmjsVersion":"3.0.18", "loadDuration":3447, "boardType":"scrum", "estimationType":"Story Points", "doneIssueCount":2, "issueCount":59, "epicCount":25}	2017-03-20 22:54:39.488+00	3.6.1
com.kretar.Jira.plugin.user-story-map	SEN-XXXXXXX	clicked-create-epic-button-splash		2017-03-20 22:53:22.433+00	1.2.3-AC
com.arijea.easy-agile-roadmaps	SEN-XXXXXXX	roadmap-rendered	{"epicCount":10, "loadDuration":570, "JiraVersion":"7.2.6", "readOnlyMode":true, "scheduledEpicCount":0, "selectedTimelineType":"month", "themeCount":1}	2017-03-20 22:38:17.322+00	2.8.2

Error reporting

Easy Agile Products utilise an error reporting service, bugsnag, to assist us in providing higher quality software and quickly diagnosing errors which occur in Easy Agile code running in the browser. No data is ever transmitted from your Jira Server. This information helps us quickly pinpoint issues to help quickly resolve support requests, or ship fixes before support requests are raised. A win-win for everyone.

No Personally Identifiable Information is included in the bugsnag payload events sent.

Key points

Only errors which originate from within Easy Agile code are transmitted.
All business-sensitive information is redacted, such as:
1. The URL of the Jira instance
2. Any project keys
3. Any issue keys
4. Usernames or any other personally identifiable information

We do include the license Support Entitlement Number (SEN) to improve your customer support experience. For example, in the event you experience an error and raise a support request we are able to diagnose the problem quicker. We also collect an anonymous and random unique identifier for each browser session, this unique identifier (UUID) is not tied to, or seeded from, a user's personally identifiable information.

Expand to see example

{
    "apiKey": "4c6a97b915700d2318f163d99f5a9323",
    "notifier": {
        "name": "Bugsnag JavaScript",
        "version": "6.5.2",
        "url": "https://github.com/bugsnag/bugsnag-js"
    },
    "events": [
        {
            "payloadVersion": "4",
            "exceptions": [
                {
                    "errorClass": "Error",
                    "message": "This is a test error being notified",
                    "stacktrace": [
                        {
                            "file": "https://<redacted>/server/bundled.eausm-server-app.js",
                            "lineNumber": 2,
                            "columnNumber": 2879909
                        },
                        {
                            "file": "https://<redacted>/server/bundled.eausm-server-app.js",
                            "lineNumber": 2,
                            "columnNumber": 2879770
                        }
                    ],
                    "type": "browserjs"
                }
            ],
            "severity": "warning",
            "unhandled": false,
            "severityReason": {
                "type": "handledException"
            },
            "app": {
                "releaseStage": "production",
                "version": "5.0.190"
            },
            "device": {
                "locale": "en-US",
                "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36",
                "time": "2020-08-14T03:49:11.401Z"
            },
            "context": "This is a test error being notified",
            "user": {},
            "metaData": {
                "deployment": "server",
                "jiraSoftwareVersion": "8.6.1",
                "pluginVersion": "6.1.0",
                "supportEntitlementNumber": "SEN-XXXXXXX",
                "uuid": "185c36dc-1a89-4f29-9c68-d5fd1ddf3fe7"
            },
            "request": {
                "url": "redacted"
            }
        }
    ]
}

Development Workflow

We have a backlog that is ordered in terms of our vision for the product coupled with key customer feature requests. Team members pull stories from the backlog as capacity allows. Typically their first step is to write tests to assert the behaviour we expect. From there they will write code to make tests pass, and then refactor as needed.

When a team member is ready for code review they add two of their colleagues to a pull request. Their colleagues review the code for consistency, sanity, and against the acceptance criteria of the user story. There are usually a few comments of things to consider, tidy up or change, and these are then incorporated.

During the code review we also begin user acceptance testing of the functionality in both Jira Cloud and Server. At this point we're trying to ensure that what we deliver makes sense from a customers perspective. This often turns up UI/UX improvements for the story which are then subsequently included in the pull request.

Once the pull request has been approved the development branch is merged into our staging branch where we do final user acceptance testing before release. Once we are happy with the results we merge into the master branch which always represents what is in production.

In the case of Jira Cloud the feature is then deployed automatically and customers begin to see the new version immediately. For Jira Server we select a commit on master that contains the desired functionality, we than tag that with a version number and perform a manual release to Atlassian Marketplace.

On every commit to the development branch unit and functional tests are automatically run. Pre-commit hooks exist on the master branch which prevent a merge in the event a pull request has not been approved or tests are not passing.

Infrastructure Access

Build, test and deployment automation means Easy Agile Team Members do not require or have access to production infrastructure.

Infrastructure is in code (Amazon Web Services CloudFormation Templates) enabling us to test changes in test and staging environments before rolling those changes to production environments.

We leverage a Cloud access management platform and enforce team members use of randomly generated passwords (1Password) plus Two Factor Authentication for accessing service providers.