When you’re building and deploying code, there’s nothing more valuable than the peace of mind that you’re developing secure software, in a secure environment. That’s why we work to ensure your Developer Tools are highly secure and meet all your compliance needs. Check out these 5 tips for improving security in Bitbucket and Bamboo for Data Center.
Keep your code secure with secret scanning in Bitbucket
Manage user permissions in Bitbucket with ease
Integrate with Bamboo using OAuth 2.0
Use REST API rate limiting to protect your instance in Bitbucket and Bamboo
Look forward to upcoming releases featuring new security features
Keep your code secure with secret scanning in Bitbucket
Did you know that Bitbucket now scans your repositories for secrets and triggers email notifications when leaked secrets are detected within new commits? Those “secrets” can include sensitive information like passwords, tokens, environment variables, and private keys.
While your team collaborates on code, sensitive information may accidentally get added to your repositories. Secret scanning prevents this information from being unintentionally pushed into your repositories and added to the commit history.
To strengthen security, secret scanning is enabled by default in your Bitbucket instance if you’re using Bitbucket 8.6 or higher. This boosts your repository’s security and helps you ensure that secrets are not accidentally exposed in your code.
In the event of an exposed secret, treat it as you would any other exposed sensitive information: rotate the affected password, token, or key. Deleting the offending line is not enough on its own, because the value remains in the commit history, and a breach that goes unidentified leaves the secret usable by anyone with access to your repositories. Learn how to update secret scanning properties.
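To make the detection described above concrete, here is an added example (not Bitbucket's own scanner or rule set) that scans only the lines a commit adds, reports where each secret landed, and masks the value so the notification itself does not leak it. The four patterns, the diff, and the sample values are constructed for the demonstration; the AWS key is the public documentation example value, not a live credential.

```python
import re
from dataclasses import dataclass

# Illustrative detection rules (an assumption of this example, not Bitbucket's own rule set).
# Each pattern either matches the whole secret or captures it in group 1.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]([^'\"]{8,})['\"]"),
}


@dataclass(frozen=True)
class Finding:
    kind: str       # which rule fired
    line_no: int    # line number in the new version of the file
    redacted: str   # partially masked value, safe to put in a notification


def redact(value: str) -> str:
    """Keep the first and last four characters so the owner can recognise the secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_diff(diff_text: str) -> list[Finding]:
    """Scan only the lines a unified diff adds; removed and context lines are already history."""
    findings: list[Finding] = []
    in_hunk = False
    new_line_no = 0
    for raw in diff_text.splitlines():
        if raw.startswith("diff "):
            in_hunk = False                          # next file starts; wait for its first hunk
            continue
        if raw.startswith("@@"):
            in_hunk = True
            m = re.search(r"\+(\d+)", raw)          # "@@ -a,b +c,d @@": c is the new-file start line
            new_line_no = int(m.group(1)) - 1 if m else 0
            continue
        if not in_hunk or raw.startswith(("+++", "---")):
            continue
        if raw.startswith("-"):
            continue                                 # deleted line: not part of the new commit
        new_line_no += 1                             # context (" ") and added ("+") lines both advance
        if not raw.startswith("+"):
            continue
        content = raw[1:]
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(content):
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(kind, new_line_no, redact(secret)))
    return findings


# Constructed commit diff for the demonstration (the AWS key is the public documentation example value).
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,6 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "hunter2hunter2"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+SSH_KEY = '''-----BEGIN RSA PRIVATE KEY-----
+<key body omitted>
 DEBUG = False
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.kind:<20} line {f.line_no}: {f.redacted}")
```

Scanning only added lines is what keeps the check cheap enough to run on every push; the masked value in each finding is what you would put in the e-mail notification, so that the alert itself does not become a second copy of the secret.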
Manage user permissions in Bitbucket with ease
In Bitbucket 8.5, we redesigned the project and repository permission pages to help you easily manage user permissions and meet your compliance needs.
Users in Bitbucket can be assigned permissions at different levels: global, project, or repository. It can be difficult for admins to see the effective permissions of a user or group, which is necessary to find out if excessive permissions have been granted. A clear understanding of who has what permissions helps you maintain a secure and compliant instance.
The new effective permissions view lets admins check whether a permission is already inherited from a higher level, so there is no need to grant the same permission again at the project or repository level. It shows everyone who has permission for a repository or a project, regardless of whether the permission was granted explicitly or inherited from higher in the hierarchy. Learn more about how to export user permissions.
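The resolution rule behind such a view, written out as an added example (not Bitbucket's implementation): a user's effective permission on a repository is the highest level reaching them through any of their principals at the global, project, or repository scope, and the report says which grant supplies it. The three permission levels, the simplification that a global admin administers every repository, and the sample users, groups, and grants are all assumptions constructed for this example.

```python
RANK = {"READ": 1, "WRITE": 2, "ADMIN": 3}
SCOPE_PRIORITY = {"global": 3, "project": 2, "repository": 1}   # which source to report on a tie

# Constructed sample instance (an assumption of this example, not real Bitbucket data).
ALL_USERS = {"alice", "bob", "carol", "dave", "erin", "frank"}
GROUP_MEMBERS = {"developers": {"alice", "bob"}, "release-managers": {"carol"}}
GLOBAL_GRANTS = {"dave": "ADMIN"}            # simplified: a global admin administers every repository
PROJECT_GRANTS = {"PROJ": {"developers": "WRITE", "carol": "ADMIN"}}
REPO_GRANTS = {("PROJ", "api"): {"bob": "WRITE", "alice": "ADMIN", "erin": "READ"}}


def principals(user):
    """The user plus every group that carries the user."""
    return {user} | {g for g, members in GROUP_MEMBERS.items() if user in members}


def grants_for(user, project, repo):
    """Every grant that reaches this user on this repository, as (rank, scope_priority, level, source)."""
    for p in principals(user):
        if p in GLOBAL_GRANTS:
            lvl = GLOBAL_GRANTS[p]
            yield RANK[lvl], SCOPE_PRIORITY["global"], lvl, f"global grant to {p}"
        lvl = PROJECT_GRANTS.get(project, {}).get(p)
        if lvl:
            yield RANK[lvl], SCOPE_PRIORITY["project"], lvl, f"project {project} grant to {p}"
        lvl = REPO_GRANTS.get((project, repo), {}).get(p)
        if lvl:
            yield RANK[lvl], SCOPE_PRIORITY["repository"], lvl, f"repository {project}/{repo} grant to {p}"


def effective_permission(user, project, repo):
    """Highest level reaching the user and where it comes from; inherited sources win ties."""
    grants = sorted(grants_for(user, project, repo), reverse=True)
    if not grants:
        return None, None
    _, _, level, source = grants[0]
    return level, source


def everyone_with_access(project, repo):
    """What an effective-permissions view lists: every user with any access, explicit or inherited."""
    result = {}
    for user in sorted(ALL_USERS):
        level, source = effective_permission(user, project, repo)
        if level:
            result[user] = (level, source)
    return result


def redundant_repo_grants(project, repo):
    """Explicit repository grants that add nothing because an equal or higher level is already inherited."""
    redundant = []
    for principal, level in REPO_GRANTS.get((project, repo), {}).items():
        inherited = [g for g in grants_for(principal, project, repo)
                     if g[1] != SCOPE_PRIORITY["repository"]]
        if inherited and max(g[0] for g in inherited) >= RANK[level]:
            redundant.append(principal)
    return redundant


if __name__ == "__main__":
    for user, (level, source) in everyone_with_access("PROJ", "api").items():
        print(f"{user:<6} {level:<6} via {source}")
    print("redundant repository grants:", redundant_repo_grants("PROJ", "api"))
```

In the sample data, bob's explicit WRITE on the repository is redundant because the developers group already gives him WRITE at project level; that is exactly the kind of duplicate grant the view is meant to surface, and the one to remove when reviewing for least privilege.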
Integrate with Bamboo using OAuth 2.0
Bamboo now includes support for incoming app links, allowing Bamboo to act as an OAuth provider for third-party applications. This provides approved access to the app and restricts what actions the client app can perform on behalf of the user, without ever sharing the user's credentials. For example, an external app can now view the deployment status to share the status view, but it cannot start or stop the deployment itself.
Linked apps can be granted limited or full access to Bamboo data on behalf of a Bamboo user, bounded by that user's own permissions. Additionally, because access authorization happens over OAuth 2.0, exchanging data between applications is always secure and reliable. Learn more about OAuth2 support.
Use REST API rate limiting to protect your instance in Bitbucket and Bamboo
Rate limiting is one of the best ways to keep your Data Center instance stable and secure. This enterprise feature is now included in all Data Center products and empowers admins to control how many REST API requests automation tools and users can make, as well as how often they can make them. When automated integrations or scripts send requests to your developer tools in huge bursts, it can affect Bitbucket and Bamboo's stability, leading to drops in performance or even downtime.
Limiting requests ensures that the people and tools that need the API still have it, while the settings stop anyone from flooding it, whether intentionally or otherwise. As seen in the image below, admins can regulate how many requests can be made within a given timeframe. Learn more about rate limiting.
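The behaviour described above, as an added example that is not Bitbucket's or Bamboo's own code: a per-user token bucket, a common model for this kind of limiter and assumed here rather than taken from the page, where the bucket size bounds how many requests may arrive back to back and the refill rate bounds the sustained request rate. The request log replayed through it is constructed: an automation account bursts ten calls in 90 ms while a user makes three spaced-out calls.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class TokenBucket:
    capacity: float          # burst size: how many requests may arrive back to back
    refill_per_sec: float    # sustained rate once the burst is spent
    tokens: float = 0.0
    last_seen: Optional[float] = None

    def __post_init__(self):
        self.tokens = self.capacity          # a fresh bucket starts full

    def allow(self, now: float) -> bool:
        """Refill for the time elapsed, then spend one token if one is available."""
        if self.last_seen is not None:
            self.tokens = min(self.capacity,
                              self.tokens + (now - self.last_seen) * self.refill_per_sec)
        self.last_seen = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """One bucket per user, created lazily on the user's first request."""

    def __init__(self, capacity: float, refill_per_sec: float):
        self.capacity, self.refill_per_sec = capacity, refill_per_sec
        self.buckets: dict[str, TokenBucket] = {}

    def check(self, user: str, now: float) -> bool:
        bucket = self.buckets.setdefault(user, TokenBucket(self.capacity, self.refill_per_sec))
        return bucket.allow(now)


# Constructed request log: (seconds since start, user). "ci-bot" bursts 10 calls in 90 ms and
# comes back once after a pause; "alice" makes three spaced-out calls.
SAMPLE_REQUESTS = [(round(i * 0.01, 2), "ci-bot") for i in range(10)] + \
                  [(0.0, "alice"), (1.0, "alice"), (2.0, "alice"), (3.0, "ci-bot")]


def simulate(requests, capacity=5, refill_per_sec=1.0):
    """Replay requests in time order; count per user what was served and what was rejected
    (a rejected call would typically be answered with HTTP 429)."""
    limiter = RateLimiter(capacity, refill_per_sec)
    outcome = defaultdict(lambda: {"allowed": 0, "rejected": 0})
    for now, user in sorted(requests):
        outcome[user]["allowed" if limiter.check(user, now) else "rejected"] += 1
    return dict(outcome)


if __name__ == "__main__":
    for user, counts in simulate(SAMPLE_REQUESTS).items():
        print(f"{user:<7} {counts}")
```

With a bucket of 5 refilling at one token per second, the bot's burst is cut off after five calls and its later, spaced-out call is served again, while the user who never exceeds the rate is untouched. Raising the bucket size absorbs a larger burst; raising the refill rate raises the sustained rate; the two settings are worth tuning separately for automation accounts and for people.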
Look forward to upcoming releases featuring new security features
Looking ahead, we will continue to deliver security-focused features and capabilities to your Atlassian Dev Tools. Plan for upcoming security and compliance features, like:
Enforced project settings for Bitbucket: This new feature will ensure that admins can strictly manage specific components of repositories to enforce compliance and close security gaps.
Global settings for SSH keys in Bitbucket: This will allow admins to satisfy compliance requirements when it comes to the use of cryptographic methods.
Additionally, both Bitbucket and Bamboo have LTS releases coming this quarter. These releases provide you with continued access to critical security, stability, data integrity, and performance fixes for the two-year support window before the version reaches its end of life. LTS releases also let you move quickly when a high-impact bug or security fix is ported over and released for upgrading.
Thanks for being part of the Data Center community, I hope these tips give you the peace of mind to ensure your instances remain highly secure.
Mel Policicchio