Are you curious which apps other users are buying to extend the capabilities of their Jira, Confluence or Bitbucket?
This year, we are pleased to share our updated Top 10 Popular Apps list with fellow Atlassian users again. It is a good opportunity to review which useful capabilities to add to your Atlassian suite.
From our perspective, Marketplace apps play a significant role in successful adoption by
enabling automation to improve productivity, speed or security
providing additional capabilities like Business Analytics, Test Automation, etc.
organising information to provide insight and facilitate collaboration
How is the ranking done?
The ranking is based on the number of licenses bought through us in 2022. We feel this is a better measure of the popularity of an app.
In the event of a tie, we go by the licensed user count, followed by the total sale value of the app.
Akeles Top 10 List
Congratulations to the winners. It is an achievement given there are over 4,300 apps listed in Atlassian Marketplace.
Do you know that July is the Jira Admin Appreciation Month, and 15th of July is the official Jira Admin Appreciation Day?
As an Atlassian Solution Partner as well as a Marketplace Partner, we work closely with many Jira Admins and have witnessed their passion, ingenuity and dedication on countless occasions.
We would like to take the opportunity to share some of the wonderful Jira Admins we have encountered:
Kamar who worked with us to troubleshoot a mystery case on the sudden slowdown in Jira’s performance
Jun Xiang who set up a new service desk project all by himself, saving the money that would have been spent on an additional system
Hany who suggested improvements for a Marketplace app so that his team can work more effectively
Graeme who organised lunch and learn sessions for colleagues to share his Jira knowledge
Coral who stayed up until 5am so that Jira would be operational when her colleagues returned to work on Monday
and many others who took time after work to attend Atlassian Community Events to beef up their knowledge
What do people think a Jira Admin does?
Going by the literal meaning, the Jira administrator is the person who administers the Jira web application.
What does a Jira Admin really do?
However, in real life, Jira Admins are responsible for everything that is related to Jira. This is the norm because many organisations do not have a team to manage Jira, so the Jira admin usually has to wear multiple hats. More importantly, these roles also require knowledge of Jira.
Here are some additional roles that Jira Admins take up:
Jira System Engineer
This role focuses on tasks related to systems. It requires competency in both the inner workings of Jira and the backend systems. Some examples of the tasks are:
Handle Level 2 support by analysing Jira application or access logs
Work with Atlassian Support or App Vendors for complex cases
Use SQL on the database to generate reports or patch data
Perform Application/Server Performance Tuning
Perform upgrades and Disaster Recovery (DR) planning
Work with Security to conduct Vulnerability Assessment & Penetration Testing (VAPT)
Jira Solution Engineer
This role focuses on the business aspect. By providing solutions that use Jira to deliver new capabilities, it increases the ROI of the platform. Some examples of the tasks are:
Create Jira project templates for new use cases
Build Jira workflows that help to improve the flow
Design Jira dashboards or BI reports to give visibility to the stakeholders
Select Marketplace apps to fulfill business requirements or improve productivity
Write scripts to automate some tasks
Or even code Jira plugins for customised features
Jira Coach
This role focuses on the people aspect by helping fellow Jira users to use Jira more effectively. Some examples of the tasks are:
Conduct training
Answer questions related to usage
Write KB articles on Confluence
Promote the use of Jira within the organisation
Analyse statistics to identify trends and areas for improvement
How to help your Jira Admins?
In some scenarios, the Jira admin role might even be a part-time responsibility in addition to the person's official job description.
The workload piles up until the company engages a Solution Partner or an Atlassian Technical Account Manager for additional support.
We have listed 9 ways to reduce the workload of your beloved Jira Admins:
Give up on your Jira admin rights (if you are not trained in Jira)
That can reduce unnecessary fire-fighting due to mistakes
Otherwise, get proper training to be a Jira admin
Look for the Jira project admins instead of the Jira admins for project permission requests
It can be death by a thousand paper cuts with 1 request from every user
Standardize your project workflows
It can be messy when every project has a different workflow and a different set of custom fields
Raise your requests in Jira
That will facilitate tracking and fulfilment by the Jira Admins
Use apps
They can automate some of the manual tasks taking up the Jira Admin’s time
Use an LTS version to reduce the upgrade cadence
Every upgrade consumes time and effort
It is easier to patch an LTS version
It helps to minimise the turnaround time in the event of a security advisory
Upgrade at least once a year
The risk, complexity and technical debt increase over time
Host Jira behind the firewall
Use a VPN or a Zero Trust Network for access if your team is working remotely
That will reduce a lot of work on security
Use Jira Cloud if it is suitable for your organisation
Atlassian will take over some of the workload
Hopefully with more time, the Jira admins can make Jira better for everyone.
Last Friday, Volexity published details of a zero-day exploit (CVE-2022-26134) against Atlassian Confluence. This post shares some tips on how to check whether your Confluence instance is safe, as well as some practical advice on protecting your on-prem Confluence.
About the vulnerability
This bug affects all versions of Confluence since 1.3.0. It is a critical vulnerability because it allows unauthenticated users to execute code on the Confluence server remotely. According to Imperva Threat Research, there are widespread scanning and exploitation attempts on the Internet.
How to fix the vulnerability
Atlassian alerted the customers promptly and responded with high priority. We are thankful that Atlassian released the fix in less than 24 hours.
Here are some basic checks that you can run to look for any traces of malicious attempts. If there are any occurrences, you may want to engage security experts for a more in-depth forensic investigation.
URL requests containing ${
Since one of the attack mechanisms uses ${ in the request URL, it is helpful to scan the web server access logs for any occurrences. Please update the path of the Apache httpd/Nginx access logs accordingly.
Based on the Volexity report, there are some IP addresses which were used by the attackers. Similarly, you can grep the access logs to check for any occurrences. Note: It is possible that other attackers are using other IP addresses.
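The two checks above (a `${` marker in the request path and a hit on a known-bad address list) can be combined into one pass over the access log. The script below is an added example written for this post, not a tool from Volexity or Atlassian. It parses combined-format log lines, URL-decodes the path so that the percent-encoded form `%24%7B` is caught as well, and reports the line, source IP and reason for each hit. The sample log lines are constructed (RFC 5737 documentation addresses), and `SUSPECT_IPS` is a placeholder set to be replaced with the addresses from the Volexity report.

```python
import re
import urllib.parse

# Constructed sample in Apache/Nginx combined log format (not real traffic).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [03/Jun/2022:10:01:02 +0800] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Jun/2022:10:01:09 +0800] "GET /${x}/ HTTP/1.1" 302 0 "-" "curl/7.79.1"
198.51.100.8 - - [03/Jun/2022:10:02:15 +0800] "GET /%24%7Bx%7D/ HTTP/1.1" 302 0 "-" "python-requests/2.27"
203.0.113.11 - - [03/Jun/2022:10:03:44 +0800] "GET /display/DOC/Home HTTP/1.1" 200 9301 "-" "Mozilla/5.0"
192.0.2.99 - - [03/Jun/2022:10:04:00 +0800] "GET /index.action HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Placeholder list: fill in the addresses published in the Volexity report.
SUSPECT_IPS = {"192.0.2.99"}

# client IP, timestamp, request line and status code of a combined-format entry
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def decode_path(path, rounds=3):
    """URL-decode repeatedly so that %24%7B (and double-encoded forms) become ${."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def scan_access_log(lines, suspect_ips=SUSPECT_IPS):
    """Return one finding per line whose path carries ${ or whose client is a suspect IP."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # blank line or something that is not a request entry
        reasons = []
        if "${" in decode_path(m["path"]):
            reasons.append("expression-marker")
        if m["ip"] in suspect_ips:
            reasons.append("suspect-ip")
        if reasons:
            findings.append({
                "line": lineno,
                "ip": m["ip"],
                "timestamp": m["ts"],
                "path": m["path"],
                "status": int(m["status"]),
                "reasons": reasons,
            })
    return findings


def scan_file(path, suspect_ips=SUSPECT_IPS):
    """Same check over a real log file; point it at your httpd/Nginx access log."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_access_log(fh, suspect_ips)


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG.splitlines()):
        print(f"line {f['line']}: {f['ip']} {f['path']} -> {', '.join(f['reasons'])}")
```

Run `scan_file("/var/log/nginx/access.log")` (or the httpd equivalent) against the real log. A non-empty result is a prompt for the forensic investigation mentioned above, not proof of compromise: a 302 or 403 on a `${` request shows an attempt that was blocked, whereas a 200 deserves a closer look at what the server did with it.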
The best form of defence against unauthenticated attacks is to place the server behind a firewall. This effectively blocks all attackers from mounting a direct remote attack, and is a key reason why some security-sensitive enterprises choose Confluence Data Center. We know that it is not possible for software to be 100% free of bugs, so there may be another vulnerability waiting to be discovered in the future.
By using the Long Term Support release of the product, the effort to upgrade is reduced, since critical security fixes are made available for as long as it is architecturally possible. This contributes greatly to a quick reaction to any future zero-day exploits.
For organisations that are working remotely, access can be provided via VPN, or a Web Application Firewall can be used for added protection. Both Cloudflare and Imperva have announced that their customers are protected from this vulnerability, since they ensure all requests are authenticated before relaying them to Confluence.
Last but not least, do make sure the license technical contacts are up-to-date. As an Atlassian Solution Partner, we have witnessed a number of occurrences when critical alerts from Atlassian are missed due to staff turnover.
From our perspective, Marketplace apps play a significant role in successful adoption of Atlassian platforms by
enabling automation to improve productivity, speed or security
adding features to provide additional capabilities like Business Analytics, Test Automation, etc.
organising information to provide insight and facilitate collaboration
This year, Atlassian Marketplace reached $2 billion in lifetime sales. This is a huge testament to the usefulness and popularity of Marketplace apps.
How is the ranking done?
The ranking is based on the number of licenses (Server/DC/Cloud) customers bought in 2021. We feel this is a better measure of the popularity of an app.
In the event of a tie, we go by the licensed user count, followed by the total sale value of the app.
Akeles Top 10 List
We are pleased to share our list for 2021, voted for by the Atlassian users in Singapore. Although our list may not correspond to global popularity in the Atlassian Marketplace, it is an affirmation of the usefulness of the apps.
CVE-2021-44228, or Log4Shell, is a serious vulnerability discovered recently. It allows an attacker to execute malicious code in any application that uses a vulnerable version of log4j (version 2.0 onwards). The impact is very severe because:
It is extremely simple to execute such an attack
Log4J is the most popular logging framework used by many Java applications
There are already many attempts on the Internet to scan for this loophole
The official guideline is to patch the applications by upgrading to Log4J version 2.16 or later.
Are Akeles Jira/Confluence apps safe?
Thankfully, with tools like Bitbucket and Sonatype Nexus Lifecycle, we were able to identify the 3rd party components used in our applications.
We have verified that we do not bundle the log4j library in our Jira/Confluence apps. We are using the log4j library that is provided by Jira/Confluence. Hence we are safe.
Another piece of reassuring news is that Atlassian is also scanning the apps listed on the Atlassian Marketplace.
Each vulnerable DC or server app will be given the same expedited deadline as cloud apps. DC and server apps that fail to address the vulnerability within this expedited timeframe will be removed from the marketplace, and then Atlassian will inform customers who have vulnerable paid apps installed.
Atlassian has put up a detailed official advisory stating that Jira and Confluence use an Atlassian-maintained fork of Log4J 1.2.17 which is not vulnerable to CVE-2021-44228. However, they confirmed a similar but low-risk vulnerability (CVE-2021-4104) which is exposed only if the log4j configuration has been modified from the default settings.
The risk is low because these settings are not enabled by default. Nevertheless, it is better to counter check again.
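Two concrete checks follow from the advisory: whether any jar under the application or its apps bundles Log4j 2 with the JNDI lookup class at a version below 2.16, and whether a Log4j 1.x configuration has been modified to wire in a JMSAppender (the precondition for CVE-2021-4104). The script below is an added example written for this post, not Atlassian's or Sonatype's tooling. It builds a few constructed jars in a temporary directory so that it runs offline; `scan_directory` can be pointed at a real `lib` or installed-plugins folder instead. The jar names, the manifest contents and the two properties snippets are all constructed fixtures.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# The Log4j 2 class that performs JNDI lookups; its presence in a jar below 2.16
# is the condition to flag.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
FIXED_VERSION = (2, 16, 0)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); unparseable text -> (), which sorts below any real version."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def manifest_version(jar):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def inspect_jar(path):
    """Classify one jar: Log4j 1.x, Log4j 2 with JndiLookup below 2.16, or ok."""
    path = Path(path)
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = manifest_version(jar)
    if version is None:  # fall back to the version embedded in the file name
        m = re.search(r"(\d+\.\d+(?:\.\d+)?)", path.name)
        version = m.group(1) if m else "unknown"
    if LOG4J1_MARKER in names:
        status = "log4j-1.x: check config for JMSAppender (CVE-2021-4104)"
    elif JNDI_LOOKUP in names and parse_version(version) < FIXED_VERSION:
        status = "vulnerable (CVE-2021-44228)"  # unknown versions are flagged conservatively
    else:
        status = "ok"
    return {"jar": path.name, "version": version, "status": status}


def scan_directory(root):
    """Walk an install or plugin directory (e.g. a Jira/Confluence lib folder) for jars."""
    return sorted((inspect_jar(p) for p in Path(root).rglob("*.jar")), key=lambda r: r["jar"])


def jmsappender_enabled(properties_text):
    """CVE-2021-4104 only applies if a JMSAppender is wired into the Log4j 1.x config."""
    for line in properties_text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("#", "!")):  # properties-file comment markers
            continue
        if "org.apache.log4j.net.JMSAppender" in stripped:
            return True
    return False


def build_sample_tree(root):
    """Constructed fixtures: minimal jars that mimic the layout of the real ones."""
    lib = Path(root) / "lib"
    lib.mkdir(parents=True, exist_ok=True)

    def make_jar(name, version, entries):
        with zipfile.ZipFile(lib / name, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
            for entry in entries:
                jar.writestr(entry, b"\xca\xfe\xba\xbe")  # class-file magic; enough for a layout check

    make_jar("log4j-core-2.14.1.jar", "2.14.1", [JNDI_LOOKUP])
    make_jar("log4j-core-2.16.0.jar", "2.16.0", [])
    make_jar("log4j-1.2.17.jar", "1.2.17", [LOG4J1_MARKER])
    return lib


# Constructed Log4j 1.x properties: the default shape keeps the JMS appender commented out.
DEFAULT_LOG4J_PROPERTIES = """\
log4j.rootLogger=WARN, console
log4j.appender.console=org.apache.log4j.ConsoleAppender
#log4j.appender.jms=org.apache.log4j.net.JMSAppender
"""
MODIFIED_LOG4J_PROPERTIES = DEFAULT_LOG4J_PROPERTIES.replace("#log4j.appender.jms", "log4j.appender.jms")


def demo():
    """Build the fixture tree in a temp dir and return {jar name: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        return {r["jar"]: r["status"] for r in scan_directory(build_sample_tree(tmp))}


if __name__ == "__main__":
    for jar, status in demo().items():
        print(f"{jar}: {status}")
    print("JMSAppender active in default config:", jmsappender_enabled(DEFAULT_LOG4J_PROPERTIES))
```

The version test is deliberately simple (anything below 2.16 with `JndiLookup.class` present is flagged), so the backported 2.x fix lines for older Java versions would show up as hits too; treat the output as a list of jars to confirm against the vendor advisory rather than as a final verdict.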
For our customers using Sonatype products: Nexus Lifecycle, Nexus Firewall and Nexus Repository use logback instead of log4j, hence they are not affected. The official statement is available on the Sonatype website.
Food for Thought
The connectivity of the Internet makes it even more challenging to prevent such zero-day vulnerabilities. Here are some questions we need to take into consideration for the IT strategy (tooling, SaaS services, architecture, processes, automation, etc.):
How can we be notified of any vulnerabilities as soon as possible?
How can we minimise the risks and impact of an attack?
How can we identify the affected applications quickly?
How can we ensure the 3rd party libraries used are safe?
How can we patch the affected applications in a timely manner?
Useful Resources
You may want to consult the following pages for more information
One of Jira’s strengths is that it allows 3rd party integration via REST API calls. By providing the username, password and base URL, it is possible for 3rd party apps to query or update Jira automatically.
In this article, we will share why using API Tokens is a better and safer option than using Password Authentication.
The Power of Passwords
Besides entering passwords on the Jira login screen, it is also possible to provide the passwords on 3rd party applications or scripts to execute REST API calls.
Some of the use cases are:
Create issues from Slack
Send alerts to Microsoft Teams
Update Jira issues with Commits information from GitHub
Integrate with your in-house systems
If the password falls into the wrong hands, it is possible that
Your confidential data is leaked
Your Jira system can slow down drastically due to excessive API calls which affects the usage of other users
Benefits of using API Tokens over Passwords
Using API Tokens improves the security of your Jira instance:
Safer – The API Token has a certain level of password complexity which defends against dictionary attacks
Isolation – It distributes the risk by having a different API token for each 3rd party integration. It is possible to revoke/reset the token for that application without any impact to other applications.
Differentiation – With a different mechanism, it is possible to apply more stringent checks on the usage of API Tokens (e.g. restriction by IP address range)
Control – It restricts ordinary users from using their credentials to do REST API calls
Availability – For sites running on Single Sign-On, users may not know any password other than their Windows password
Validity – It is possible to set the expiry date of the token
It allows basic authentication with API Tokens. Currently, it is not possible to use the Jira Data Center’s Personal Access Token together with the username on 3rd party websites.
Warning: If you disable Basic Authentication with passwords in the System Wide settings, you also can’t authenticate on non REST endpoints with API Tokens directly. You can still do that by reusing a session you got from authenticating with an API Token.
Able to limit usage to particular IP ranges
It is possible to limit the usage of the API token to the IP address of the internal system. You can ensure the REST API calls are coming from your trusted network.
Block requests with malicious characters in path
This is a bonus feature which helps to defend against some attack vectors.
Limit usage of API Tokens
It is a security best practice to grant rights only to users who need them and have proper training. There have been incidents arising from users who entered their Jira passwords on 3rd party sites or executed a buggy script.
Tip: We recommend to create a group “jira-api-users” to manage those service account users who can use API Tokens.
Set a validity of the API Token
If the token is for testing or for temporary usage, the Jira admin can set a shorter validity so that it expires automatically. Otherwise it relies on the Jira Admins remembering to revoke the access manually.
Service Accounts typically do not have a password validity. If the service account is from an Active Directory, there could be disruption if there is a 90 day reset password policy.
By using the Active Directory passwords, it is possible that account is locked out of all applications after multiple wrong password attempts.
Control over audit logging
It offers admins a fine level of control over the information to be logged.
Automation for Jira is one of the most popular apps for Jira. The app allows users to automate and extend Jira with no coding required. Being very user-friendly, there are a lot of admins who dive straight into using the tool without reading the user guide. As part of our Best Practices series, we have summarised the key things you need to know in this blog post.
For those who are new to Automation for Jira, you can check out this YouTube video below for an introduction.
Things you need to know
1) Asynchronous processing
To speed up the response time, the Automation for Jira plugin adds all updated issues to a queue. Although there are 8 background threads to process the requests, this still does not ensure that issues are processed immediately. Therefore, users need to refresh the issue to view the changes applied by the automation rule.
It is possible to select synchronous execution of the rule, but that will have some impact on performance.
2) Rule Matching/Execution
Whenever an issue is updated, it is matched against all the configured automation rules (global + project). As a result, when there are a lot of automation rules, it takes time to
check against each individual automation rule, and
execute each matching automation rule.
Hence it is important to reduce the number of global automation rules by setting them as single-project rules whenever possible. You should also try to optimise the rules with more specific conditions.
If you are seeing a lot of No Actions Performed in the rule’s audit log, then there might be chance for optimising the rule
3) Traceability
The powerful app allows multiple rules to update an issue from a single triggered event. As a result, it may not be straightforward to identify the problematic rule. Moreover, if multiple rules are chained together without proper planning, it can lead to “spaghetti code” scenarios that are not easy to troubleshoot.
If the update is via workflow post functions, it would be easier to identify the bug.
4) Performance & Runtime
To cater for the flexibility and power of the Automation for Jira plugin, there are some trade-offs. One of them is that the processing time for automation rules is slower than for post functions. For example, a simple assignment rule can take up to 3s to complete.
We have encountered some rules that take over 10 seconds to be processed, so you should check the audit logs for the performance of the rules.
5) Service Limits
Not a lot of users are aware of the Service Limits which can affect the execution of the automation rules. Some of the common service limits are listed in the table below:
When any of the limits is breached, the rules are throttled until usage falls back within the limits. This can result in some unexpected behaviour, as issues are not processed during this period.
The likelihood of throttling is increased when a huge number of issues are created via REST API or Test Automation plugins.
6) Housekeeping
The app maintains an audit log of rule executions. Over time, the audit logs can build up, which impacts your Jira database performance and clogs up your disk space.
We have encountered some sites where the retention period is set to the default value of forever.
It is good practice to revise the retention period and schedule the expiry during off-peak periods. For more info, check out this KB article.
7) Integration with other apps
Not a lot of people are aware that there are other apps which are compatible with Automation for Jira app. If you have these apps, you can use them with automation rules too.
Try to scope the rules within the project if possible. Use global rules only when necessary.
Make sure your Jira project administrators know what they are doing. You can consider restricting the rights to trained project administrators (e.g. jira-power-admins group)
Conduct periodic audits. You can view Performance Insights to see if there are any issues
Conclusion
Automation for Jira is a very useful feature. However, there is a likelihood to see everything as a nail when you have a hammer in your hand. This can result in performance issues in time to come.
We need to understand what the requirements are and the underlying approach used by the various apps. For certain scenarios, we feel it is better to use post functions with apps like
We are proud to be featured in Atlassian’s annual Developer Day to be one of the pioneer Forge apps listed on Atlassian Marketplace.
What is Atlassian Forge
Forge is Atlassian’s next generation Cloud app development platform. Unlike traditional cloud apps, Forge apps run within Atlassian’s infrastructure, providing better performance and stronger integration. The data can be stored in Atlassian Cloud, which can address compliance issues like GDPR or data residency.
Introducing our 5 new Forge apps
This time round, we are launching not 1, but 5 Cloud apps that are all built on Atlassian Forge. 3 of them are brand new apps which are only available for Atlassian Cloud.
This is a Cloud edition of our popular app for Confluence Server/Data Center. It displays the time remaining based on the date provided in the Confluence macro. This is useful to remind project teams how much time they have until their next major delivery.
This Jira Forge app allows users to generate a report across linked/sub-task issues based on a selected metric (e.g. count, story points, number fields, etc.) within the issue view. This enables users to have a quick overview of the current issue’s progress and the distribution of workload across the related issues.
We built this app specially for ourselves since we use Jira Service Management Cloud to support our customers on Atlassian Marketplace. By dog-fooding, we can understand the pain points and come up with better strategy or solutions.
Now, we can see the tickets raised by the same Reporter in the issue. This gives us a better picture, so that we can address our customers in a personalised manner.
How is our experience with Forge?
As a Cloud app vendor, we like Forge because the backend infrastructure is taken care of entirely by Atlassian. There is no need for us to spend time and money setting up and monitoring external platforms; we only need to focus on developing the apps.
We are looking forward to more features in Forge so that we can add more capabilities to our Cloud apps. Our #1 wish is to display the number of active instances on the Marketplace listing. Currently, the number of Forge installations is not included in the count.
How can you help?
We look forward to your feedback on how to improve our Cloud apps. You can reach out to us via our Service Desk running on Jira Service Management Cloud.
Also, YouTube requires us to have 100 or more subscribers before we can apply for a custom URL for our Akeles YouTube channel. If you think the videos are useful and would like to support us, kindly click on the Subscribe button on the video. Thank you in advance for your support.
While helping our customers tune the performance of their Jira, we have identified that Jira Dashboards can be a potential bottleneck. This article explains why Jira takes a longer time to load them and gives some tips on how to speed things up.
Why does my Jira Dashboard take a long time to load?
These are some factors that contribute to the slowness of Jira:
Huge number of gadgets within a single dashboard
Gadgets with complex reporting
Filters with a huge number of issues
Huge number of gadgets
Whenever a Jira Dashboard page is loaded, the browser will send a number of requests to the server for all the CSS and Javascript required. (For more details, check out JRASERVER-62126). When there are more gadgets, it will fire more requests.
It is faster to focus on doing one task at a time than to do 100 tasks concurrently. By the same principle, your dashboard will load faster if Jira has fewer requests to work on at the same time.
We have had a couple of support tickets in which the end users added a lot of Gauge Gadgets to their dashboard. As a result, some gadgets on the dashboard could not load.
This is because the browser will silently throw the error message Failed to load resource: net::ERR_INSUFFICIENT_RESOURCES if it detects that there are far too many requests within a short interval.
To support these users, we introduced the Multiple Filters Counter Gadget, which can display multiple counters within a single gadget.
Complex Reporting Gadgets
Not all Jira gadgets are the same. Some gadgets involve complex processing. For example, our Tissue for Jira app performs the handy task of traversing all the linked issues and extracting the various field values to present a tabular overview.
If you are using such complex reporting gadgets, it is advisable to have fewer gadgets within that dashboard.
Filters with many matching issues
It is likely that some dashboards loaded very fast when they were first created. However, as the number of issues in the project increases over time, the performance of the dashboard becomes slower without the original author noticing.
The simplest remedy is to add more computing resources, such as CPU and memory. Jira Data Center also scales performance by distributing the workload across more nodes.
Split into multiple dashboards
As mentioned previously in Best Practices in Jira Dashboard Reporting, it is recommended to keep a dashboard to its objectives to allow people to identify the action required.
But it is troublesome to have many dashboards
Besides adding links to the various dashboards as project shortcuts in your Jira project, you can also add links to related dashboards using our free Link Menu Gadget to facilitate navigation. You can add links to your Confluence spaces and other related project resources too.
If that is still not enough and you want to access your dashboards easily from everywhere in Jira, you can organise your Dashboards in cascading Dashboard Folders, which are accessible from the Jira top menu.
What is the performance of your Jira Dashboard?
You may want to do the 23 seconds test on your frequently used dashboards. If it is taking longer than that, you might want to tidy up your dashboards.