Posts

Showing posts with the label security

How to set strict protocol or skip weak algorithms in your integrations?

Hi! Today I would like to share a curious story related to the integration of Jira (AdoptOpenJDK 11) and an ERP system that runs on old Java 6. You would say to me, welcome to the "blood enterprise systems". During our security audit, the IDS detected the non-secure protocol TLSv1.1 in the communication between Jira DC and that ERP system, more precisely one of the cipher suites, TLS_RSA_WITH_AES_128_CBC_SHA. Yes, it is an old cipher suite, and this tutorial can be used for any other cipher suite as well. How can we fix it? Set a strict TLS protocol for all of Jira (don't forget all nodes): TLSv1.3, TLSv1.2. And please keep in mind the bug JDK-8211806 (TLS 1.3 handshake server name indication is missing on a session resume). Adjust the java.security configuration. The table below describes the small background and default protocols in your JDK/JRE: JDK 8 (March 2014 to present) JDK 7 (July 2011 to present) JDK 6 (2006 to ...

Let's check installed apps dependency to be compliant for OWASP Dependency-Check

Hi! Nowadays, security and trust are a very important aspect. I have been wondering how many administrators, security specialists, security researchers and attackers investigate the components installed on a production system, e.g. a Jira instance opened to the internet. To minimize the risk you can investigate the jar files in the installed-plugins directory; the same thing can be done for every Atlassian product installed in your company. I would like to share a very small tip and trick related to the dependency checker, and I hope you will check your set of installed apps or developed apps. The next part can be found here (PART-2). 1. Introduction Just a small quote from the OWASP site which shows why it matters: Dependency-Check is a utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities. Also, keep in mind that it is not a deep analysis, unlike static code analyzers such as Sonar or PVS-Studio, but it provides a good overview and...