An In-Depth Guide to Jira Attachment Security (+6 Best Practices)

George Vulov
George Vulov
February 14, 2024
February 14, 2024
Don't Be the Next Headline.
Download the free ebook and see proven strategies to prevent a data breach from real-world examples.
Graphic of the scanning app

Jira attachments are often an underestimated security risk, making them a potential attack vector.

Several high-profile data breaches over the past year or more have impacted organizations reliant on Jira among their teams. Many of these attacks originated from the platform's file attachment capabilities and improper attachment security controls, allowing threat actors to carry out exploits successfully.

In this post, I'll cover a comprehensive overview of the importance of attachment security for Jira and the risks associated with it. Plus, I'll provide best practices to help you and your team ensure that your Jira instance has the most efficient security for any attachments between users and your team (protecting client and company data).

Importance of Attachment Security for Jira

Jira's attachment feature allows users to upload and share files through issues and comments for better project collaboration. This feature allows users to store and transfer large amounts of data between individual projects within a centralized unit.

However, uploading Jira's attachments containing sensitive data or vulnerabilities can allow attackers to escalate their privileges, obtain personally identifiable information, or execute various attacks against targets. This is especially true when the environment lacks the proper Jira security controls and restrictions to prevent successful exploitation.

These attack methods can include malware deployment, remote code execution attacks, and the uploading of malicious file attachments. All are designed to provide threat actors with unauthorized access to the environment and its data.

Once inside the targeted environment, attackers can further exploit organizations by enabling privilege escalation and data exfiltration from the environment. Stolen data from these attacks can subsequently be sold or shared on dark web forums and marketplaces by attackers.

In the case of the Okta data breach in 2023, attackers exploited HAR files in Jira. They obtained the HAR files by using stolen credentials to access the internal Okta client support management system. From there, attackers could view and access internal client files containing client support session tokens and cookies, allowing them to log in as an admin.

The Okta attack would have been mitigated by using a Jira secret scanner. It's vital to ensure no sensitive data is stored within Jira. More on this in a bit.

These increased attacks on digital supply chains have made it imperative that the application administrators and leadership understand the need for attachment security in Jira. Without the proper controls in place, organizations can face additional risks beyond the initial security event.

Risks Associated with Jira Attachments

Cybersecurity attacks and data breaches can be a costly risk to countless businesses. According to IBM, data breaches cost organizations over $4.45 million in 2023. This figure was up 15% from the previous three years.

The reality about data breaches is that when a security incident occurs, it can be a costly risk to mitigate and conduct a comprehensive investigation. This is because data breaches can also prompt several legal and regulatory impacts with the government and law enforcement agencies.

The aftermath of a data breach can likewise include companies being liable for potential fines, lawsuits, and other damages that can impact their revenue and business reputation. Often, there is also a need for companies to rely on public relations efforts in order to inform stakeholders, customers, and their third-party vendors to ensure timely communication of cybersecurity issues.

Vulnerabilities, like improper attachment security configuration in Jira, can lead to these outcomes. Consequently, this can open up organizational supply chains to exploitation. In the event of several recent exploits that affected organizations through Jira attachments, the stolen data was also used to launch additional attacks further into the digital supply chain. 

Relating back to the latest Okta breach, this ultimately created a domino effect where some of Okta's customers were also affected by the attacks. One of those customers included Cloudflare, prompting them to face their own security incident to resolve.

6 Best Practices for Implementing Attachment Security in Jira

The increased need for effective security measures for file attachments within Jira environments is more crucial than ever before.

Secrets, financial information, intellectual property, and other sensitive client data may be shared as attachments within Jira.

If not adequately protected against attacks, this can expose the data to unauthorized access or interception. Organizations need to take the appropriate measures in order to ensure they are implementing measures that will safeguard attachments within Jira.

Below are several essential practices in order to protect file attachments within your Jira instance.

1. Modify attachment security policies in Jira

Jira's attachment security policy controls how attachments are handled within Jira Cloud or Data Center environment. This is done by forcing the attachment to download or displaying it inline within the Jira configuration. Atlassian recommends setting this configuration up by adjusting the settings in the Jira administration panel for those with the proper access permissions.

2. Restrict user download accessibilities

For Jira Data Center and Servers, there are several measures admins can take to restrict attachment uploads and downloads. This includes configuring permission schemes to set up specific attachment permissions and criteria for the applications. Admins can also configure specific attachment settings that will limit the size, thumbnail, and encryption or zip capabilities to increase attachment security. 

3. Utilize 2FA or MFA

Utilizing two-factor authentication (2FA) or multi-factor authentication (MFA) for Jira can support protecting the application from unauthorized access. This can especially be the case in the event of a compromised user account in which these authentication measures can thwart privilege escalation within the Jira environment. Additional authentication steps ensure the data confidentiality, integrity, and accessibility of attachments in Jira. 

4. Scan Jira attachments for secrets (then remove them)

Use the Security for Jira app to scan for sensitive data stored within projects, issues, comments, attachments, and issue history.

Unlike attachment scanners in the Jira marketplace that help prevent the malicious upload of files from threat actors, Security for Jira helps mitigate your biggest risk: employees and customers leaking sensitive data.

Investing in a Jira attachment scanner like Security for Jira can help ensure that company secrets don't lurk waiting for a threat actor to find them.

Take for example this issue in Jira where an expense report is attached:

An attachment uploaded to a Jira issue containg sensitive information

Upon running a scan, we can see that the attachment does indeed contain credit card info.

Jira secret scan showing an attachment containg a secret

What else may be lurking in Jira? Find out before an attacker.

Security for Jira would have thwarted the Okta breach (if it had been utilized).

5. Encrypt sensitive data (attachments and custom fields)

Using an app like Encryption for Jira enables the file system to be encrypted for Data Center. This way, the files must be accessed via Jira and therefore restricted by user permissions.

Note: Jira encryption, including attachments, is built into Jira Cloud.

Using Encryption for Jira's encrypted custom fields feature lets you protect sensitive fields so that values stored in the Jira database are encrypted.

Encrypting sensitive files and fields will significantly improve security. However, unauthorized access to Jira will naturally show unencrypted information, bolstering the need to ensure no sensitive data is stored in Jira attachments, which is enforced by using Security for Jira.

6. Audit and monitor attachments in Jira

Even with proper configurations, settings, and encryption, file attachment vulnerabilities can still be exploited in Jira. Regular file auditing and monitoring within Jira should allow admins to remove sensitive information that may be included in Jira file attachments. It's also important to ensure that files stored in the environment are given data retention and classification levels to ensure that secrets are not left unsecured in Jira.

Enhanced Jira Attachment Scanning with Security for Jira

Security for Jira in the Atlassian Marketplace

Attachment security in Jira is paramount to ensure that sensitive data is protected from being leaked in the event of a data breach. Soteri is excited to offer a game-changing feature within Security for Jira. This feature allows for the scanning of files attached to issues in Jira Servers and Data Centers (not yet available for Jira Cloud).

Security for Jira: Enhanced Secret Scanner offers:

  • Automatic Scanning: Every file attached to your Jira tickets is automatically scanned, ensuring constant vigilance against security threats.
  • Broad File Support: From PDFs to Microsoft Office documents and even email formats - our tool covers a comprehensive range of file types.
  • Customizable Scanning: You have full control to enable or disable attachment scanning, tailoring it to your project's specific needs.
  • Comprehensive Scanning: It scans your projects, issues, comments, attachments, and issue history for sensitive information (all locally and private).
  • In-Depth Insights: Not just scanning, but detailed reporting on each attachment's scan status, with insights into unscanned files and reasons for any scan failures.

Try Security for Jira free.