How to keep your Jira issues safe from secrets?

by Ilona

May 04, 2022

Why is safety so important?

There's nothing new about hackers breaking into systems, or fraudulent acts, like identity theft, collecting personal information, credit cards, piracy and more. The worrying fact is the rate at which these things are happening and that's why it's necessary to know why overall online safety is important.

According to a recent Verizon 2021 Data Breach Investigations Report,

"Breaches, as always, continue to be mostly due to external, financially motivated actors. And 61% of breaches involved credential data."

Shifting to the current DevOps decade, and amplified by the pandemic, there are "more that 65,000 companies around the world that rely on Jira Software to manage their projects." (Atlassian)

Protecting Jira, as your main work collaborative environment is the key to safe and successful results.

Let's go over a few ways your organization can protect its secrets and improve its data protection strategy.

Communicate security best practices

Keeping company information secure is the responsibility of the entire organization. By educating your teams and users about risk mitigation, you can implement best practices that help to build a strong security environment. Here are a few things you can communicate to your users.

Remind users not to include the following information in issues:

  • Technology credentials and secrets (Access tokens and API keys, private keys, SSH keys, etc. often found in build logs, attachment file extensions that are associated with secrets which include .pem, .env or .keychain, etc.)
  • Personal identifiable information (for example, Social Security Number)
  • Credit card numbers

Remind users to restrict access to pages or tickets that include customer or other sensitive information.

Per the Verizon 2021 Data Breach Investigations Report,

"Credentials remain one of the most sought after data types. Personal data is a close second. Considering that Personal data includes items such as Social Security numbers, insurance related information, names, addresses, and other readily monetizable data, it is little wonder that attackers favor them as they do. They are also useful for financial fraud further down the line, not to mention their resale value."

"Two most common cybercrime terms found on criminal forums are bank account and credit card related."

Timely detection and remediation are critical

It is hard to understate the importance of detecting and remediating secrets before they become a crises often with painful repercussions.

Here is a list of recommended actions to take when a secret is detected:

  • Review each secret in case it can be ruled out as a false positive.
  • Change the secret at the source.
  • If a password is found, change it immediately.
  • If an access token is found, generate a new access token, and update your services to use the new token. Once all your services have been updated, revoke the old token.
  • Delete the secret from the Jira issue. Users seeing previously improperly stored secrets might get the impression that this is an acceptable way to store passwords and other API keys.
  • If you cannot change or delete the secret, make the user aware of the secret so timely action can be taken.

Periodic audits are necessary

While utilizing best practices and timely detection & remediation are important ways to mitigate risk, we recommend that you periodically audit your Jira projects as well. Without a way to periodically scan your Jira instance for secrets, you may simply be unaware that you have secrets that need to be remediated.

Jira safety is not just about making your own space secure, but it is also about being responsible while working with the rest of your team.

How No More Secrets for Jira can help

No More Secrets for Jira scans and detects secrets found in Jira issues.

Try out No More Secrets for Jira and we hope that it becomes an important part of your organization's data protection strategy.