Improving Web Security: Six Ways the Apache.org JIRA Attack Could Have Been Prevented by Better Code

Apr 13, 2010 04:14


Today it was revealed that servers at Apache.org and Atlassian were successfully attacked, leading to thousands of stolen passwords. The attack on apache.org's servers was via JIRA, and since the attack on Atlassian came from the same source, it probably was also through JIRA.

I'm sure that JIRA's programmers feel embarrassed enough about all of

tech, security, bugzilla


Comments 15

JIRA source is not hidden (anonymous, April 16 2010, 22:37:53 UTC)
All commercial licenses ($10 and up) get access to the source code. It's pretty open already.


Re: JIRA source is not hidden (avatraxiom, April 17 2010, 01:09:34 UTC)
But the thing is, that doesn't encourage people to look over the code; it doesn't get enough people looking at it to get the sort of effect that we have with Bugzilla. Anybody can look over the code of Bugzilla, even if they haven't bought it, so there's a lot more opportunity to get reports about security issues from people.

-Max



Replace password auth with information cards/OpenID (ext_234303, May 12 2010, 14:15:08 UTC)
The best recommendation for protecting passwords in web apps is not to use them. Use information cards and/or OpenID instead.

The fact that even super-users at Apache can't use a password system securely shows (once again) that we should be moving away from passwords as fast as we can.

Would be great if this incident spurred high-profile open source people like Bugzilla and Apache to get serious about Identity 2.0.


Re: Replace password auth with information cards/OpenID (ext_234303, May 12 2010, 16:38:29 UTC)
Don't know why I wrote "and/or OpenID." OpenID doesn't get rid of passwords.

I should have noted this since my OpenID provider (myopenid.com) requires a password. But they do have the "nice" feature that if I just click the "forgot password" link and put in my email address, I can log in without needing to know my password. I can just use the link sent in an email. So can anyone who sniffs that email, but, hey, at least it's convenient. Sigh....

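The login-by-email-link flow the comment above complains about is worth pinning down, because the weakness it describes (anyone who reads the mail can use the link) splits into two parts: the part a careful implementation can fix, and the part it cannot. The following is an added example, not code from the original post, from JIRA, or from myopenid.com. It is a minimal reset-token store in Python that enforces the properties a practitioner would insist on: single use, short lifetime, hashed at rest, and one outstanding link per user. The class and function names, the 15-minute lifetime and the "alice" scenarios are all assumptions made for the example.

```python
import hashlib
import secrets
import time

# Assumed policy for this example: a reset link is good for 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


class ResetTokenStore:
    """Issue and redeem password-reset tokens.

    Properties enforced:
      * single use: a token is consumed on its first redeem attempt, valid or not
      * short lifetime: tokens expire TOKEN_TTL_SECONDS after issue
      * hashed at rest: only sha256(token) is stored, so a leaked table is useless
      * one outstanding token per user: a new request invalidates older links
    """

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised offline
        self._pending = {}       # sha256(token) -> (user_id, expires_at)

    def issue(self, user_id):
        # Revoke any earlier link for this user so a stale email cannot be replayed later.
        self._pending = {h: v for h, v in self._pending.items() if v[0] != user_id}
        token = secrets.token_urlsafe(32)   # 256 bits of entropy; guessing is infeasible
        self._pending[self._hash(token)] = (user_id, self._now() + TOKEN_TTL_SECONDS)
        return token                        # goes into the email; never persisted in clear

    def redeem(self, token):
        """Return the user_id the token belongs to, or None if it is unknown, used or expired."""
        entry = self._pending.pop(self._hash(token), None)   # pop => single use
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return user_id

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()


def sniffed_email_scenario():
    """Constructed walk-through of the comment's complaint: an attacker who copies the
    link out of the user's mailbox.  Returns a dict of outcomes, one per case."""
    clock = {"t": 1_000_000.0}
    store = ResetTokenStore(now=lambda: clock["t"])

    # Case 1: the legitimate user clicks first; the attacker's copy is then dead.
    link = store.issue("alice")
    outcomes = {
        "user_first": store.redeem(link),        # 'alice'
        "attacker_replay": store.redeem(link),   # None, already consumed
    }

    # Case 2: nobody clicks; the attacker tries the link after it has expired.
    link = store.issue("alice")
    clock["t"] += TOKEN_TTL_SECONDS + 1
    outcomes["attacker_after_expiry"] = store.redeem(link)   # None

    # Case 3: the user requests a second link; the first is revoked although unexpired.
    old = store.issue("alice")
    new = store.issue("alice")
    outcomes["old_link_after_reissue"] = store.redeem(old)   # None
    outcomes["new_link"] = store.redeem(new)                 # 'alice'

    # Case 4: the attacker reads the mail before the user does.  Nothing here stops
    # that; it is exactly the limit the comment points at.
    link = store.issue("alice")
    outcomes["attacker_first"] = store.redeem(link)          # 'alice'
    return outcomes
```

Cases 1 to 3 are the implementation-side fixes: a captured link dies as soon as the real user has used it, as soon as it ages out, or as soon as a fresh one is requested. Case 4 is the comment's real point and is not fixable in the token logic at all; whoever reads the mailbox first owns the account, so the mailbox is acting as the only authentication factor. A shorter lifetime narrows that window but does not close it.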


