So 2020 was a busy year for the Atlassian security team. It seemed like every month or so a major security flaw was discovered that forced action by Atlassian administrators around the globe. These flaws, unearthed in 2019, impacted pretty much the entire Atlassian server suite:
Whew, that's a lot of security issues (double 2018)!
As one of Atlassian's top platinum service partners, Isos Technology's Managed Services and Delivery teams were very busy helping our clients deal with these security issues.
In this blog, I hope to distill some of our experiences into a few short, helpful pointers so your organization can stay on top of future issues.
Move to the Cloud
If the past year has demonstrated anything to the Atlassian user base, it is this: if dealing with security mitigation is a pain point for your organization, you should really consider moving your organization's Atlassian stack to the Atlassian Cloud. For most of the 7+ security vulnerabilities disclosed last year, all impacted cloud platforms were patched before a public disclosure of the issue was made. Basically, Atlassian Cloud users read the security update in their email, drank their coffee, and moved on.
Run Your Stack Behind a VPN... If You Can
If you can, run your Atlassian services like Jira and Confluence behind a corporate VPN. Our clients who ran their stack under this configuration were under far less pressure to upgrade Atlassian services immediately after public disclosure of a vulnerability, whereas our clients with publicly facing instances were forced to upgrade right away. Alternately, you can run your Atlassian services within a BeyondCorp configuration.
Update Often OR Stay On Enterprise Releases
Clients who stayed very current on server releases or, better yet, pegged their service version to the Atlassian Enterprise release had more, and smoother, options for dealing with security issues.
Stay Up To Date On Atlassian Communications
While there are many places you can obtain security disclosures on Atlassian products, the best source is directly from Atlassian. Here's the official hub: current vulnerability index.
Use a Reverse Proxy
A few of the major organizations we deal with on a daily basis do not follow our 'best practices' recommendation of fronting Atlassian server services with a reverse proxy (like nginx). Among the many benefits of using a reverse proxy that I discuss in a different blog article, the main advantage is that many security issues can be mitigated by making minor modifications at the reverse proxy layer instead of having to update or change the actual Java process or any specific application. Most of the time these changes to the reverse proxy can be executed with no perceived downtime.
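Here is what that reverse-proxy layer mitigation typically looks like, as an added illustration rather than configuration from Isos or Atlassian. It assumes nginx fronting a Jira instance on its default port 8080; the blocked path is a placeholder standing in for whatever endpoint a given Atlassian advisory names, and the hostname is made up.

```nginx
# Constructed example: nginx in front of Jira Server (default port 8080).
upstream jira_backend {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name jira.example.internal;   # placeholder hostname

    ssl_certificate     /etc/nginx/tls/jira.crt;  # placeholder paths
    ssl_certificate_key /etc/nginx/tls/jira.key;

    # Temporary mitigation: refuse requests to a vulnerable endpoint at the
    # proxy until the Java application itself can be upgraded. Replace the
    # placeholder below with the path from the relevant Atlassian advisory.
    location ^~ /PLACEHOLDER/vulnerable/endpoint {
        return 403;
    }

    # Everything else is passed through to Jira unchanged, with the
    # forwarding headers Jira needs to generate correct links.
    location / {
        proxy_pass http://jira_backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        client_max_body_size 100m;   # allow large attachment uploads
    }
}
```

Apply the change with `nginx -t && nginx -s reload`: the configuration is validated first and then reloaded without dropping in-flight connections, which is why this kind of mitigation is usually invisible to users.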
Shameless plug here: Isos can help manage this whole process soup to nuts. From tracking vulnerabilities and implementing mitigations to finally executing upgrades, Isos can be your vendor of choice to deal with these issues.
So there you have it! It doesn't just seem like more and more security vulnerabilities are being discovered in the Atlassian server stack; more actually are being discovered. Hopefully this blog article will give your organization a little more clarity on how to stay on top of this never-ending quest.