• Launch Webinar – Jira Granular Restore to eliminate Oops-moment 

    13 November 2023
    Comments are off for this post

    What is your biggest Jira concern? Accidental deletion of data from Jira, or data loss during migration? 

    The bigger a supporter of Jira you are, the more you know that Atlassian does not ensure you with granular, point-in-time restore in case of unintentional deletion and daily operations.

    Register to join a special launch webinar of our Partner GitProtect.io, introducing Jira Granular Restore technology on Nov 16, at 10 AM PT / 6 PM CET, and find out how to:

    • Migrate Jira data and the entire configuration from one project to another
    • Instantly restore any deleted object in Jia – projects, issues, workflows, attachments
    • Move between various Jira accounts
    • Copy project configurations from Sandbox to Production
    • Separate out projects or consolidate different Jira sites into one
    • LIVE DEMO – GitProtect Jira Backup and Granular Restore

    P.S. A dedicated webinar recording will be sent to registered people who will not be able to participate in the recording.

    Share this post

  • 8 Possible Reasons Why Your Jira Cloud is Slow

    6 November 2023
    Comments are off for this post

    Typically, the performance issue will surface as the instance gets bigger with more data.

    Some of the possible causes:

    1. incorrect/unexpected scenarios
      • 1000 Stories under 1 single Epic
      • An issue with 5000 comments
    2. design that does not scale well with larger set of data
      • an automation rule to update all the open issues in the instance
    3. very big search index
      • the time to search is correlated with the amount of data searchable
    4. automation
    5. integrations
      • external system sending thousands of REST API calls (to retrieve or update update)
    6. incompatibility across plugins
      • Individually each app works ok, but they cause issues with each other
    7. CPU intensive jobs
      • e.g. project level exports can be intensive if there are a lot of custom fields
    8. a lot of custom fields
      • By updating the custom field context, it can help to improve the performance

    The best way to improve the speed is to identify the root cause and treat the problem accordingly.

    • If it is a plugin related issue, you can try to disable the plugin to isolate the problem
    • If it is a data triggered issue, you can try to remove the data

    You can use Site Statistics for Jira Cloud to track the historical growth of issues in your Cloud instance. It can be helpful to see if the slowness is caused by huge increase of issues.


    What does Atlassian Intelligence says?

    I posed the question “Possible reasons causing Jira Cloud to be slow” and got the answer below

    1. High network latency: Slow internet connection or high network congestion can result in slower response times for Jira Cloud.
    2. Large number of issues: If your Jira project contains a large number of issues, it may impact the performance of Jira Cloud.
    3. Heavy usage: Concurrently performing resource-intensive operations such as searching, reporting, or updating a large number of issues can slow down Jira Cloud.
    4. Misconfigured plugins: In some cases, misconfigured or poorly optimized plugins can cause performance issues in Jira Cloud.
    5. Insufficient hardware resources: Inadequate server resources such as CPU, memory, or disk space can affect the performance of Jira Cloud. ❌
    6. Outdated software version: Running an outdated version of the Jira application may lead to performance degradation and compatibility issues with other components.❌

    To troubleshoot and improve the performance of your Jira Cloud instance, you can follow these steps:

    1. Check your network connectivity and ensure that you have a stable internet connection.
    2. Optimize your issue database by archiving or deleting unnecessary data to reduce database size and improve overall system performance.
    3. Review installed plugins and disable any that are not essential or causing slowdowns. Ensure that all installed plugins are up-to-date with compatible versions for your current JIRA setup.
    4. Monitor system resources (CPU, memory) on the server running JIRA to identify any bottlenecks and consider scaling up hardware if required.
    5. Regularly update your JIRA application to benefit from bug fixes and performance improvements provided by Atlassian through new releases.

    ❌ The hardware for Jira Cloud is managed by Atlassian. It is always upgraded to the latest version automatically.

    Share this post

  • List of Banks using Atlassian Cloud

    30 August 2023
    Comments are off for this post

    Banks are well known for their stringent policies on security and compliance. This is because they need to ensure their customers’ data are well protected.

    We scouted the Internet to research which banks are using Atlassian Cloud and compiled the list below.

    BankCountry / RegionProduct(s)Solution PartnerUser Count
    Latin AmericaJiraeCore4,300
    MexicoConfluence, Jira, JSMbit2bit Americas500
    Commonwealth BankAustraliaConfluence, Jira25,000
    EQ BankCanadaConfluence, JiraBlended Perspectives400
    Hanseatic BankGermanyConfluence, JiraJodocus GmbH
    Libra BankRomaniaJiraLife in Codes

    p.s: The list is ordered by the name of the bank, followed by Country/Region

    Hope the info will be useful for financial institutions who are exploring to migrate to Jira Cloud.

    References

    1. Bank from Latin America
      • https://www.e-core.com/na-en/case-study/large-private-bank-merges-multiple-data-rich-jira-instances-across-different-server-types/
    2. Bank from Mexico
      • https://bit2bitamericas.com/en/insights/mexican-bank-migrates-to-atlassian-cloud/
    3. Commonwealth Bank
      • https://www.itnews.com.au/news/cba-is-shifting-to-cloud-versions-of-atlassian-software-596929
      • https://diginomica.com/commonwealth-bank-australia-ensures-regulatory-compliance-jira-and-confluence-devops-ecosystem
      • https://www.atlassian.com/webinars/enterprise-cloud/commonwealth-bank-of-australia-engineering-transformation-at-scale
      • https://www.youtube.com/watch?v=xyD4ixf5fyM
    4. EQ Bank
      • https://www.blendedperspectives.com/about-us/equitable-bank-eq-bank-atlassian-cloud-case-study/
      • https://www.atlassian.com/customers/eqbank
    5. Hanseatic Bank
      • https://www.jodocus.io/en/success-stories/hansaetic-bank
    6. Libra Bank
      • https://lifeincodes.com/product-news/when-agile-meets-banking-the-story-of-libra-bank-romania-transitioning-to-jira-software/

    Share this post

  • Akeles Top 10 Marketplace apps in 2022

    7 February 2023
    Comments are off for this post

    Are you curious which apps other users are buying to extend the capabilities of their Jira, Confluence or Bitbucket?

    This year, we are pleased to share again our updated Top 10 Popular apps with fellow Atlassian users.
    It is a good opportunity to review which useful capabilities to add to your Atlassian suite.

    From our perspective, Marketplace apps play a significant role for successful adoption by

    • enabling automation to improve productivity, speed or security
    • providing additional capabilities like Business Analytics, Test Automation, etc
    • organising information to provide insight and facilitate collaboration

    How is the ranking done?

    The ranking is based on the number of licenses bought through us in 2022.
    We felt this will be a better measure of the popularity of the app.

    In event of a tie, we go by the licensed users count, followed by the total sale value for the app.

    Akeles Top 10 List

    Congratulations to the winners. It is an achievement given there are over 4,300 apps listed in Atlassian Marketplace.

    (more…)

    Share this post

  • Why being a Jira Admin is a Tough Job

    28 July 2022
    Comments are off for this post

    Estimated reading time: 5 minutes

    Thank you Jira Admins

    Do you know that July is the Jira Admin Appreciation Month, and 15th of July is the official Jira Admin Appreciation Day?

    As an Atlassian Solution Partner as well as a Marketplace Partner, we work closely with many Jira Admins and witnessed their passion, ingenuity and dedication on countless occasions.

    We would like to take the opportunity to share some wonderful Jira Admins we encountered

    • Kamar who worked with us to troubleshoot a mystery case on the sudden slowdown in Jira’s performance
    • Jun Xiang who set up a new service desk project all by himself, saving the money to buy an additional system
    • Hany who suggested improvements for a Marketplace app so that his team can work more effectively
    • Graeme who organised lunch and learn sessions for colleagues to share his Jira knowledge
    • Coral who stayed up until 5am so that Jira can be operational when her colleagues return to work on Monday
    • and many others who took time after work to attend Atlassian Community Events to beef up their knowledge

    What people think a Jira Admin do?

    How IT people see each other

    Going by the literal meaning, the Jira administrator is the person who administers the Jira web application.

    What a Jira Admin really do?

    However in the real life, the Jira Admins are responsible for everything that is related to Jira.
    This is a norm because many organisations do not have a team to manage Jira. Usually the Jira admin will have to wear multiple hats. More importantly, these roles also require knowledge of Jira.

    Here are some additional roles the Jira Admins are taking up:

    Jira System Engineer

    This role focuses on tasks related with systems. It requires competency in both inner workings of Jira as well as the backend systems. Some examples of the tasks are:

    • Handle Level 2 support by analysing Jira application or access logs
    • Work with Atlassian Support or App Vendors for complex cases
    • Using SQL on the database to generate reports or patch data
    • Perform Application/Server Performance Tuning
    • Perform upgrades and Disaster Recovery (DR) planning
    • Work with Security to conduct Vulnerability Assessment & Penetration Testing (VAPT)

    Jira Solution Engineer

    This role focuses on the business aspect. By providing solutions using Jira to deliver new capabilities, it increases the ROI. Some examples of the tasks are:

    • Create Jira project templates for new use cases
    • Build Jira workflows that help to improve the flow
    • Design Jira dashboards or BI reports to give visibility to the stakeholders
    • Select Marketplace apps to fulfill business requirements or improve productivity
    • Write scripts to automate some tasks
    • Or even coding Jira plugins for customised features

    Jira Coach

    This role focuses on the people aspect by helping fellow Jira users to use Jira more effectively. Some examples of the tasks are:

    • Conduct training
    • Answer questions related on the usage
    • Write KB articles on Confluence
    • Promote the use of Jira within the organisation
    • Analyse statistics to identify trends and area for improvement
    Additional roles taken up by the Jira Admins. In dedication to all the Jira Admins

    How to help your Jira Admins?

    In some scenarios, the Jira admin might even be a part-time responsibility in additional to their official job description.

    The workload will pile up until the company will engage a Solution Partner or an Atlassian Technical Account Manager for additional support.

    We have listed 9 ways to reduce the workload for your beloved Jira Admins

    1. Give up on your Jira admin rights (if you are not trained in Jira)
      • That can reduce unnecessary fire-fighting due to mistakes
      • Otherwise get proper training to be a Jira admins
    2. Look for the Jira project admins instead of the Jira admins for project permission requests
      • It can be death by a thousand paper cuts with 1 request from every user
    3. Standardize your project workflows
      • It can be messy when every project have a different workflow and different set of custom fields
    4. Raise your requests in Jira
      • That will facilitate tracking and fulfilment by the Jira Admins
    5. Use apps
      • They can automate some of the manual tasks taking up the Jira Admin’s time
    6. Use a LTS version to reduce the upgrade cadence
      • Every upgrade consumes time and effort
      • It is easier to patch an LTS version
      • It helps to minimise the turnaround time in event of a security advisory
    7. Upgrade at least once a year 
      • The risk, complexity and technical debt increases over time
    8. Host Jira behind the firewall
      • Use VPN or Zero Trust Network to access if your team are working remotely
      • That will reduce a lot of work on security
    9. Use Jira Cloud if it is suitable for your organisation
      • Atlassian will take over some of the workload

    Hopefully with more time, the Jira admins can make Jira better for everyone.

    Share this post

  • CVE-2022-26134 – How to check and protect your Confluence

    6 June 2022
    Comments are off for this post

    Last Friday, Volexity published a zero day exploit (CVE-2022-26134) on Atlassian Confluence. This post is to share some tips on how to check your Confluence instance is safe, and also some practical advice to protect your Confluence on-prem. 

    About the vulnerability

    This bug affects all versions of Confluence since 1.3.0. It is a critical vulnerability because it allows unauthenticated users to execute code within the Confluence server remotely. According to Imperva Threat Research, there are widespread scanning and attempts of exploitation on the Internet.

    How to fix the vulnerability

    Atlassian alerted the customers promptly and responded with high priority. We are thankful that Atlassian released the fix in less than 24 hours.

    For details of the fix, please refer to the official Confluence Security Advisory 2022-06-02.

    How to check your Confluence for malicious access

    Here are some basic checks that you can execute to check for any traces of malicious attempts. If there is any occurrence, then you may want to engage the security experts for more in-depth foresenic investigation.

    URL requests containing ${

    Since one of the attack mechanisms is to use ${ in the request URL, it would be helpful to scan the web server access logs for any occurrences. Please update the path of the Apache httpd/ Nginx access logs accordingly.

    grep '${' /etc/httpd/logs/*access*.log
    grep '%24%7B' /etc/httpd/logs/*access*.log
    

    URL requests from known IP addresses

    Based on the Volexity report, there are some IP addresses which are used by the attackers. Similarly, you can grep the access logs to check for any occurrences. Note: It is possible that there may be other attackers using other IP addresses.

    grep 154.146.34.145 /etc/httpd/logs/*access*
    grep 154.16.105.147 /etc/httpd/logs/*access*
    grep 156.146.34.46 /etc/httpd/logs/*access*
    grep 156.146.34.52 /etc/httpd/logs/*access*
    grep 156.146.34.9 /etc/httpd/logs/*access*
    grep 156.146.56.136 /etc/httpd/logs/*access*
    grep 198.147.22.148 /etc/httpd/logs/*access*
    grep 198.147.22.148 /etc/httpd/logs/*access*
    grep 221.178.126.244 /etc/httpd/logs/*access*
    grep 45.43.19.91 /etc/httpd/logs/*access*
    grep 59.163.248.170 /etc/httpd/logs/*access*
    grep 64.64.228.239 /etc/httpd/logs/*access*
    grep 66.115.182.102 /etc/httpd/logs/*access*
    grep 66.115.182.111 /etc/httpd/logs/*access*
    grep 67.149.61.16 /etc/httpd/logs/*access*
    grep 98.32.230.38 /etc/httpd/logs/*access*

    How to protect your Confluence instance

    Actually, the best form of defense against unauthenticated attacks is to place the server behind the firewall. This will effectively block all attackers from mounting a direct attack remotely. That is a key reason why some security sensitive enterprises are choosing Confluence Data Center. We know that it is not possible for a software to be 100% free of bugs. So there might be another vulnerability waiting to be discovered in the future.

    By using Long Term Support release of the product, it reduces the effort to upgrade since the critical security fixes will be available as long it is architecturally possible. This contributes greatly to a quick reaction to any future zero day exploits.

    For those organizations who are working remotely, it is possible to access via VPN or use Web application firewalls for added protection. Both CloudFlare and Imperva have announced that their customers are protected from this vulnerability since they will ensure all requests are authenticated before relaying it to Confluence.

    Last but not least, do make sure the license technical contacts are up-to-date. As an Atlassian Solution Partner, we have witnessed a number of occurrences when critical alerts from Atlassian are missed due to staff turnover.

    Share this post

  • Akeles Top 10 Marketplace apps in 2021

    8 February 2022
    Comments are off for this post

    This year, we are continuing the tradition of sharing our Top 10 popular apps for Jira, Confluence and Bitbucket.

    From our perspective, Marketplace apps play a significant role for successful adoption of Atlassian platforms by

    • enabling automation to improve productivity, speed or security
    • adding features to provide additional capabilities like Business Analytics, Test Automation, etc
    • organising information to provide insight and facilitate collaboration

    This year, Atlassian Marketplace reached $2 billion in lifetime sales. This is a huge testimony of the usefulness and popularity of Marketplace apps.

    How is the ranking done?

    The ranking is based on the number of licenses (Server/DC/Cloud) customers bought in 2021.
    We felt this will be a better measure of the popularity of the app.

    In event of a tie, we go by the licensed users count, followed by the total sale value for the app.

    Akeles Top 10 List

    We are pleased to share our list for 2021 voted by the Atlassian users in Singapore. Although our list may not correspond to the global popularity in Atlassian Marketplace, it is an affirmation in the usefulness of the apps. 

    Congratulations to the winners.

    (more…)

    Share this post

  • Is My Jira apps affected by Log4j CVE-2021-44228

    18 December 2021
    Comments are off for this post
    log4shell cover image

    What is CVE-2021-44228

    CVE-2021-44228 or log4shell is a serious vulnerability discovered recently. It allows an attacker to execute malicious code in any applications which uses a vulnerable version of log4j (Version 2.0 onwards). The impact is very severe because:

    • It is extremely simple to execute such an attack
    • Log4J is the most popular logging framework used by many Java applications
    • There are already many attempts on the Internet to scan for this loophole

    The official guideline is to patch the applications to upgrade to Log4J version 2.16 onwards.

    Are Akeles Jira/Confluence apps safe?

    Thankfully with applications like Bitbucket and Sonatype Nexus Lifecycle, we were able to identify the 3rd party components used in our applications.

    We have verified that we do not bundle the log4j library in our Jira/Confluence apps. We are using the log4j library that is provided by Jira/Confluence. Hence we are safe.

    Another piece of reassuring news is Atlassian is also scanning the apps listed on the Atlassian Marketplace.

    Each vulnerable DC or server app will be given the same expedited deadline as cloud apps. DC and server apps that fail to address the vulnerability within this expedited timeframe will be removed from the marketplace, and then Atlassian will inform customers who have vulnerable paid apps installed.

    While doing research for our customers, we have also compiled a list of official statements from fellow App publishers. Hope it will be helpful for those who need to do their “due diligence”.

    Is my Atlassian applications safe?

    Jira/Confluence

    Atlassian has put up a detailed official advisory that stated that Jira and Confluence are using an Atlassian-maintained fork of Log4J 1.2.17 which is not vulnerable to CVE-2021-44228. However they confirmed a similar but low risk vulnerability (CVE-2021-4104) which is exposed only if the log4j configuration has been modified from their default settings.

    The risk is low because these settings are not enabled by default. Nevertheless, it is better to counter check again.

    Bitbucket

    While Bitbucket is not affected by the Remote Code Execution, it may be risk of information leakage due to the use of affected versions of ElasticSearch. The remediation steps are available on Atlassian security advisory.

    Is my Sonatype applications safe?

    For our customers who are using Sonatype products, Nexus Lifecycle, Nexus Firewall or Nexus Repository are using logback instead of log4j. Hence they are not affected. The official statement is available at Sonatype website.

    Food for Thoughts

    The connectivity of the Internet makes it even more challenging to prevent such zero-day vulnerability. Here are some questions we need to take in considerations for the IT strategy (tooling, SaaS services, architecture, processes, automation, etc)

    • How can we be notified of any vulnerabilities as soon as possible?
    • How can we minimise the risks and impact of an attack?
    • How can we identify the affected applications quickly?
    • How can we ensure the 3rd party libraries used are safe?
    • How can we patch the affected applications in a timely manner?

    Useful Resources

    You may want to consult the following pages for more information

    Share this post

  • Best Practices in Jira Administration – API Tokens

    12 November 2021
    Comments are off for this post
    Best practices in Jira Administration with API Tokens

    One of Jira’s strengths is that it allows 3rd party integration via REST API calls. By providing the username, password and Base URL, it is possible to 3rd party apps to query or update Jira automatically.

    In this article, we will share why using API Tokens is a better and safer option than using Password Authentication.

    The Power of Passwords

    Besides entering passwords on the Jira login screen, it is also possible to provide the passwords on 3rd party applications or scripts to execute REST API calls.

    Some of the use cases are like

    • Create issues from Slack
    • Send alerts to Microsoft Teams
    • Update Jira issues with Commits information from GitHub
    • Integrate with your in-house systems

    If the password fails in the wrong hands, it is possible that

    • Wikileaks of your confidential data
    • Your Jira system can slow down drastically due to excessive API calls which affects the usage of other users

    Benefits of using API Tokens over Passwords

    By using API Token, it improves the security of your Jira instance

    • Safer – The API Token has a certain level of password complexity which defends against dictionary attacks
    • Isolation – It distributes the risk by having a different API token for each 3rd party integration. It is possible to revoke/reset the token for that application without any impact to other applications.
    • Differentiation – With a different mechanism, it is possible to apply more stringent checks on the usage of API Tokens (e.g. restriction by IP address range)
    • Control – It restricts ordinary users from using their credentials to do REST API calls 
    • Availability – For sites running on Single Sign On. Users will not know their passwords other than their Windows passwords
    • Validity – It is possible to set the expiry date of the token

    API Token Authentication for Jira

    We like the API Token Authentication Jira because it offers the following features:

    Disable basic authentication with user passwords

    It allows basic authentication with API Tokens. Currently, it is not possible to use the Jira Data Center’s Personal Access Token together with the username on 3rd party websites. 

    Personal Access Tokens cannot be used for Basic authentication that is commonly used by 3rd party websites

    Warning: If you disable Basic Authentication with passwords in the System Wide settings, you also can’t authenticate on non REST endpoints with API Tokens directly. You can still do that by reusing a session you got from authenticating with an API Token.

    Able to limit usage to particular IP ranges

    It is possible to limit the usage of the API token to the IP address of the internal system. You can ensure the REST API calls are coming from your trusted network.

    You can limit by ip range for API token usage

    Block requests with malicious characters in path

    This is a bonus feature which helps to defend against some attack vectors.

    Block malicious characters in path

    Limit usage of API Tokens

    It is a security best practice to grant rights only to users who needs it and has proper training. There are incidents arising from users who entered their Jira passwords on 3rd party sites or executed a buggy script.

    which users can create API tokens

    Tip: We recommend to create a group “jira-api-users” to manage those service account users who can use API Tokens.

    Set a validity of the API Token

    If the token is for testing or for temporary usage, the Jira admin can just set a shorter validity that will expire automatically. Otherwise it relies on the Jira Admins to remember to revoke the access manually.

    Service Accounts typically do not have a password validity. If the service account is from an Active Directory, there could be disruption if there is a 90 day reset password policy.

    By using the Active Directory passwords, it is possible that account is locked out of all applications after multiple wrong password attempts.

    Control over audit logging

    It offers admins a fine level of control over the information to be logged.

    What should be audit logged
    Logging of failed attempts
    audit logging of permission errors
    (more…)

    Share this post

  • Canned Search for Confluence

    22 July 2021
    Comments are off for this post

    After months of hard work, we are proud to announce the availability of Canned Search for Confluence (Data Center edition).

    As the plugin has many ways to search content within Confluence, we thought it is easier to digest the information with a Powerpoint deck.

    If you find it difficult to get the information you need, you can try this out. You may discover new

    Share this post