This document discusses security and permissions management in JIRA. It provides best practices for server configuration including using strong passwords, firewalls, monitoring open ports, and SSL/HTTPS. It also covers JIRA security administration such as system administrator, project administrator, and workflow permissions. The document addresses issue security and hiding what users don't have permissions to see.
17. Exposure
• Balance usability and security
• Public internet vs. internal network
• Encryption
Tuesday, May 28, 13
18. Server Best Practices
• Named Users (no shared accounts, so every action is attributable)
• Strong Passwords
  • at least 15 characters
  • uppercase letters
  • lowercase letters
  • numbers
• Keys (SSH public-key authentication instead of passwords)
• sudo (no shared root password)
• Don’t run as root (run JIRA under a dedicated unprivileged account)
Remember: Attackers are good at finding the cracks
Sample password shown on the slide: 8I=</-53UR>t(n5
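Two checks for the "Server Best Practices" slide, as an added example (not code from the original slides): `check_password` enforces the stated policy (15 or more characters with upper case, lower case and digits) and `harden_sshd_config` rewrites an sshd_config so logins use keys rather than passwords and root cannot log in directly (use sudo from a named account instead). The directive names are standard OpenSSH ones; the file path is passed in so it can be tried on a copy first.

```shell
#!/bin/sh
# Added example, not from the original slides.

# check_password PASSWORD -> exit 0 if it meets the policy, 1 otherwise
check_password() {
    pw=$1
    [ "${#pw}" -ge 15 ] || return 1
    # LC_ALL=C so the character classes mean ASCII letters regardless of locale
    printf '%s' "$pw" | LC_ALL=C grep -q '[A-Z]' || return 1
    printf '%s' "$pw" | LC_ALL=C grep -q '[a-z]' || return 1
    printf '%s' "$pw" | LC_ALL=C grep -q '[0-9]' || return 1
    return 0
}

# harden_sshd_config FILE
# Replaces (or adds) three directives. Existing values, commented out or not,
# are removed first so a later duplicate cannot silently override ours
# (sshd honours the first occurrence of a directive). On the real file,
# /etc/ssh/sshd_config, run `sshd -t` and reload sshd afterwards.
harden_sshd_config() {
    f=$1
    for kv in "PermitRootLogin no" "PasswordAuthentication no" "PubkeyAuthentication yes"; do
        key=${kv%% *}
        grep -v -E "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|\$)" "$f" > "$f.tmp" || true
        printf '%s\n' "$kv" >> "$f.tmp"
        mv "$f.tmp" "$f"
    done
}
```

`check_password` is the kind of hook a pre-commit or account-provisioning script can call; it says nothing about dictionary words or reuse, which a real policy should also cover. `harden_sshd_config` deliberately drops commented-out copies of the directives so nobody later uncomments an older `PermitRootLogin yes` above the hardened line.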
19. Firewalls and Routing
• Incoming ports: 80, 443, 22 only
• Outgoing ports: only what JIRA needs (SMTP for notifications, POP/IMAP for mail handlers, the database)
• No route from the outside to backend systems (the database should be reachable only from the JIRA server)
[Diagram: Attacker -> Router/Firewall -> JIRA Server (sshd) -> DB Server; the firewall exposes only the JIRA server, and the DB server sits behind it. Credit: NIST, modified by cpepe]
20. Open Ports, strong daemons
• IDS
• Monitoring
• Firewall
• Routing
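A host firewall for the "Firewalls and Routing" and "Open Ports, strong daemons" slides, as an added example (not code from the original slides): the JIRA server accepts 22/80/443 inbound and talks outbound only to the backends it needs, the database server accepts its database port from the JIRA host alone, and a helper lists listeners so an unexpected open port is noticed. The specific services are assumptions not on the slides: PostgreSQL on TCP 5432, one SMTP relay on TCP 25, one DNS resolver on UDP 53, and an admin network for SSH to the database box. Both rule functions print iptables commands (a dry run) so the result can be reviewed before it is piped to `sh` as root.

```shell
#!/bin/sh
# Added example, not from the original slides. Assumed ports: 5432 (PostgreSQL),
# 25 (SMTP relay), 53/udp (DNS).

# jira_host_rules DB_HOST SMTP_HOST DNS_HOST
# Prints the iptables commands for the JIRA server. The DROP policies are set
# last so an SSH session used to apply the rules is not cut in the gap
# between "policy DROP" and "accept established".
jira_host_rules() {
    db=$1; smtp=$2; dns=$3
    cat <<EOF
iptables -F
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22  -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 80  -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p tcp -d $db   --dport 5432 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p tcp -d $smtp --dport 25   -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p udp -d $dns  --dport 53   -j ACCEPT
iptables -A INPUT  -j LOG --log-prefix "jira-fw-in: "
iptables -A OUTPUT -j LOG --log-prefix "jira-fw-out: "
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
EOF
}

# db_host_rules JIRA_HOST ADMIN_NET
# The database server accepts the database port from the JIRA host only and
# SSH from the admin network only, so there is no route to it from the
# internet even if the JIRA host's own firewall is loosened later.
db_host_rules() {
    jira=$1; admin=$2
    cat <<EOF
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s $jira  --dport 5432 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp -s $admin --dport 22   -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "db-fw-in: "
iptables -P INPUT DROP
iptables -P FORWARD DROP
EOF
}

# listening_ports
# Every TCP/UDP listener on the box; anything beyond sshd, Tomcat and the
# database daemon is a port that needs a reason or needs to go.
listening_ports() {
    ss -lntup 2>/dev/null || netstat -lntup
}
```

Usage: `jira_host_rules 10.0.1.10 10.0.1.20 10.0.1.53 | sudo sh` on the JIRA server, `db_host_rules 10.0.1.5 192.168.10.0/24 | sudo sh` on the database server, then `listening_ports` on both. The OUTPUT DROP policy is what the "Outgoing ports?" bullet is asking for: a compromised JIRA process cannot call home or reach other internal systems, and every attempt shows up in the log with the `jira-fw-out:` prefix.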
21. SSL - Considerations
• Terminate in apache or tomcat?
• Application Links
• Make life easier
22. SSL is tough
• Black box
• Chip away at it ‘til it works
• Hope to never touch it again (document because you will)
• Do it right, it protects you
23. Why use SSL?
• Always for public facing systems
• Optional, recommended ‘behind the firewall’
• Optional, recommended for backend systems
Helpful Atlassian resources:
• Running JIRA over SSL or HTTPS: https://confluence.atlassian.com/display/JIRA/Running+JIRA+over+SSL+or+HTTPS
• Integrating JIRA with Apache: https://confluence.atlassian.com/display/JIRA/Integrating+JIRA+with+Apache
• Installing JIRA on Linux: https://confluence.atlassian.com/display/JIRA/Installing+JIRA+on+Linux
• Tomcat Security Best Practices: https://confluence.atlassian.com/display/JIRA/Tomcat+security+best+practices
* While Atlassian does provide some documents for SSL and Apache, Atlassian cannot guarantee providing support for these custom configurations
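The "terminate in Apache or Tomcat?" and "Application Links" points from the SSL slides, as an added example (not code from the original slides or from Atlassian's documentation): it renders the two configuration fragments needed when TLS is terminated in Apache in front of Tomcat, and imports the resulting certificate into the JVM truststore so outbound Application Link calls are not rejected. Assumed values not on the slides: Tomcat listening on 8080 on localhost, the public hostname and certificate paths passed as arguments, and the JDK default truststore password `changeit`.

```shell
#!/bin/sh
# Added example, not from the original slides. Assumes Tomcat on 127.0.0.1:8080
# behind Apache; hostname, certificate and key paths are arguments.

# tomcat_connector HOSTNAME
# HTTP connector for conf/server.xml. proxyName/proxyPort/scheme tell Tomcat
# that its public URL is https://HOSTNAME, so redirects and the base URL that
# Application Links exchange are not rewritten to http://host:8080.
tomcat_connector() {
    cat <<EOF
<Connector port="8080" protocol="HTTP/1.1"
           maxThreads="150" connectionTimeout="20000"
           useBodyEncodingForURI="true"
           proxyName="$1" proxyPort="443" scheme="https" secure="true"/>
EOF
}

# apache_vhost HOSTNAME CERT KEY CHAIN
# Terminates TLS and proxies to Tomcat. Port 80 only redirects, so session
# cookies and credentials never travel in clear text.
apache_vhost() {
    cat <<EOF
<VirtualHost *:80>
    ServerName $1
    Redirect permanent / https://$1/
</VirtualHost>
<VirtualHost *:443>
    ServerName $1
    SSLEngine on
    SSLCertificateFile      $2
    SSLCertificateKeyFile   $3
    SSLCertificateChainFile $4
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
EOF
}

# trust_cert HOSTNAME PORT TRUSTSTORE
# Fetches the peer certificate and imports it into the JVM truststore used
# by this JIRA, which is what stops Application Links to a self-signed or
# private-CA peer failing with "unable to find valid certification path".
# "changeit" is the JDK default truststore password; change it if yours differs.
trust_cert() {
    host=$1; port=$2; store=$3
    pem=$(mktemp)
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$pem"
    keytool -importcert -noprompt -trustcacerts -alias "$host" \
        -file "$pem" -keystore "$store" -storepass changeit
    rm -f "$pem"
}
```

Usage: `tomcat_connector jira.example.com` replaces the default HTTP connector in server.xml; `apache_vhost jira.example.com /etc/ssl/jira.crt /etc/ssl/jira.key /etc/ssl/chain.pem` goes into the Apache site configuration; `trust_cert confluence.example.com 443 "$JAVA_HOME/jre/lib/security/cacerts"` is run on the JIRA host for each linked application, and again whenever that application's certificate is renewed, which is the "document because you will touch it again" case from the slide. Terminating in Tomcat instead means an HTTPS connector with `keystoreFile` and no proxy attributes, but the truststore step is the same either way.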
25. Application Administration
• System Administrator: ability to perform all administration functions. There must be at least one group with this permission.
• JIRA Administrator: ability to perform most administration functions (excluding Import & Export, SMTP Configuration, etc.).
• Project Administrator: includes the ability to edit project role membership, project components, project versions and some project details ('Project Name', 'URL', 'Project Lead', 'Project Description').