Atlassian is beta testing a new threat detection tool for its cloud services, but the chief trust officer who had been working to shore up the company’s overall image in security — especially in on-premises software — won’t be part of that effort.
Adrian Ludwig, hired in 2018 as Atlassian’s chief information security officer (CISO), took on the chief trust officer role in mid-2021. According to a company blog post, he sought to increase transparency about the company’s efforts to secure customer data and develop DevSecOps best practices.
On May 31, Ludwig posted a statement on his LinkedIn profile saying he’d left the company and was planning a hiatus from full-time work for the next few months. He did not respond to interview requests.
Ludwig is an investor in Silicon Valley CISO Investments, an angel investor syndicate. He also remains an adviser to venture capital firms including YL Ventures and Glilot Capital Partners, as well as to cloud infrastructure entitlements software vendor Ermetic and cloud-native application protection platform vendor Lacework. On the Atlassian side, Bala Sathiamurthy, hired to replace Ludwig as CISO in March 2022, will step into the role of interim chief trust officer.
“We are grateful for the past five years that Adrian served at Atlassian as our former CISO and, most recently, as our first chief trust officer,” Sathiamurthy said in an email to TechTarget Editorial this week. “He’s taking a well-deserved break to spend more time with his family, and we will miss him and wish him all the best.”
Atlassian bolsters cloud security cred with Beacon
Sessions from April’s Atlassian Team conference made available online in April show that the company put an emphasis on reassuring customers about its security practices in keynote and breakout presentations.
One presentation by a member of Atlassian’s security intelligence team detailed how the company has worked to reduce the impact of security incidents on customers over the last three years, such as threat hunting, alerting, analysis and product team advisories for all Atlassian offerings, including on-premises tools.
A new product launched in beta at the conference, Atlassian Beacon, emerged from that work, according to Parthiban R, a security intelligence analyst at Atlassian, during the presentation.
The add-on to Jira Service Management (JSM) monitors Atlassian cloud services for anomalous user behavior, such as suspicious searches or third-party application installations. The product automatically creates incidents in JSM in response to alerts, which are also sent to team members via Microsoft Teams and Slack messages.
“With Beacon’s investigation functionality, you can drill down into the who, what, when, where and why associated with every alert,” said Atlassian president Anu Bharadwaj during a conference keynote presentation. “With the right information in hand, you can remediate any incident in real time. We are proud to share that Beacon has already helped our alpha customers catch real-world security issues in week one of production deployments.”
Atlassian’s track record in cloud security has so far been clearer than its Server and Data Center editions — most of the critical vulnerabilities the vendor patched over the last year have been for on-premises versions and haven’t affected its cloud services. However, Atlassian must regain cloud customer confidence after a high-profile outage last year.
Atlassian isn’t alone in having vulnerabilities in general, and wouldn’t be for its cloud services either, said IDC analyst Katie Norton. She pointed out that competitors such as GitLab and Microsoft’s GitHub have recently reported security vulnerabilities in cloud services, as defined by NIST’s common vulnerabilities and exposures (CVE) system.
“Almost every vendor in this space has something every other day where they have to patch some sort of vulnerability that’s exploited,” Norton said. “It’s going to get to the point where you almost can’t judge these companies anymore in terms of upstream open source-based vulnerabilities. … [They] just have to be quick to ensure that as soon as the vulnerability is identified, [they’re] doing something to fix it for customers as quickly as [they] can because it’s just happening so much to everyone.”
Ludwig leaves amid on-premises upstream security efforts
It’s no secret that Atlassian is prioritizing its cloud products, but last year critics in the government and defense industries — where on-premises versions are still commonly used — assailed Atlassian’s approach to upstream open source software security. They singled out the vendor for susceptibility to critical vulnerabilities, including two severe and actively exploited vulnerabilities in on-premises Confluence installations within six months.
Atlassian continued to contend that the open source vulnerabilities in question were not reachable in its codebase, and therefore not Atlassian’s responsibility to fix, also the subject of objections from critics. But last year, Ludwig said the vendor might change its approach because it might lead to less confusion.
“Even though I think what we’ve been doing is technically correct, I don’t think it’s pragmatically correct,” he told TechTarget Editorial in June 2022. “It’s probably going to be more efficient for us to just fix the issue.”
Atlassian has since begun to remediate upstream vulnerabilities whether they are reachable or not under its Security Bug Fix policy, according to Sathiamurthy’s email.
“Over the last year, we’ve continued to make significant investments to improve our product’s security posture, ” Sathiamurthy added. “We are continuously upgrading our libraries while removing unused libraries from our code to reduce the number of vulnerabilities introduced by open source software in Atlassian products. Additionally, Atlassian will support and contribute to open source dependencies where feasible.”
One of the company’s critics from a year ago remains unconvinced.
“[It] seems just as bad as always, maybe worse,” said Robert Slaughter, CEO at government IT contractor Defense Unicorns. “I still feel burned from all the customer environments they work in. [I have] scar tissue, for sure.”
Since last year, some Defense Unicorns customers have moved off Atlassian products due to security concerns, Slaughter said.
Ultimately, the implications of Ludwig’s departure for Atlassian customers will depend on whether there were deeper reasons, such as disagreements about the vendor’s security direction, said Larry Carvalho, an independent consultant at RobustCloud.
“Finding good talent at the executive rank in security is always hard, and [Ludwig’s role] could be challenging for Atlassian to backfill,” he added. “If the reason for the departure is [Ludwig’s level of] satisfaction with Atlassian’s strategy and direction, this event is not good news for Atlassian customers.”
Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.