For today’s tale of security horror, I’ll share the story of a small company that had Jira Server and used Atlassian’s Crowd product to store user credentials. Their tools were publicly accessible on the internet and had no secure site certificate. That’s already a little scary, right? It gets worse.
One day the CEO reported that a few users had forgotten their Jira passwords and that they, very understandably, didn’t have time to deal with password issues.
As a Jira admin, how would you recommend addressing the situation?
There are many things that could be done like:
ad-hoc password resets to solve the immediate problem,
training users to reset their own passwords in Crowd,
or asking users to contact the Help Desk for a password reset instead of the CEO.
Additionally, some other related changes would be helpful, like:
deploying a password management tool so end users can securely store passwords,
connecting Crowd to network credentials stored in places like Active Directory or G Suite,
putting Jira and Crowd behind a firewall,
and adding SSL to encrypt traffic between the browser and web server.
I suggested all of this, but none of it actually happened.
The CEO decided each user should have the same application password. For example, if the company was named “Acme Software”, the password for everyone was “acme jira.” This was a security and compliance nightmare! Users could all log in as each other, making the audit trail useless. Since there was no firewall, former employees could log in just by knowing the name of any current employee. I wonder how many users logged in as the CEO?
Rachel Wright
Author, Jira Strategy Admin Workbook
Industry Templates, LLC
Traveling the USA in an RV