How Alpha Serve Developed a Secure and Compliant Password Management App with Forge

Reading Time: 7 minutes

About the author: Anton Storozhuk is the Founder & CEO at Alpha Serve. He is an IT Entrepreneur with 15+ years of experience in software development, network engineering, IT infrastructure setup & maintenance.


The safety and integrity of data assets are a significant concern as more companies move to cloud-based solutions. Cloud computing offers numerous benefits, such as scalability, flexibility, and cost savings, but it also introduces new security challenges that organizations need to address.

As an Atlassian Platinum Marketplace Partner and Solution Partner, Alpha Serve is focused on reliability and compliance with industry standards. We prioritize the customer's security and product quality, and it is always important for us to have proper tools in place.

Alpha Serve specializes in creating BI Connectors, solutions and integrations that enhance or extend the functionality of Atlassian products such as Jira, Confluence, Bitbucket, and others. We have developed more than 20 tools available on the Atlassian Marketplace. One of the latest solutions is Vault Password Manager, a password management app for Jira. It not only offers centralized control within the Jira environment, but also builds on security and compliance features provided by the Forge platform.

During the development process, we leveraged several benefits of Forge. First, Atlassian Forge uses a serverless architecture, so we did not need to manage the underlying infrastructure. Second, Forge provides security mechanisms that help solutions built on the platform meet security and compliance standards. Finally, Forge apps integrate seamlessly with Atlassian products, providing a consistent user experience.

Leveraging Forge App Development for a Secure Password Management App

First and foremost, Alpha Serve prioritizes user privacy and data protection. That's why we opted to use the capabilities of the Forge platform, which is designed to provide a secure environment for building and deploying apps within the Atlassian Cloud ecosystem. Alpha Serve enhances these security measures by implementing client-side data encryption and uses the Forge development environment as a reliable storage platform. Within each instance at https://<instance>.atlassian.net/, there is segregated storage that remains beyond the reach of Vault Password Manager; only application logs are accessible. Even when the application is reinstalled, that storage persists while browser data is wiped clean. Vault Password Manager also integrates the following Forge features and security principles:

Authentication in Vault

Forge enhances security by offering authentication mechanisms, ensuring that only authorized users can access Jira and Jira apps like Vault Password Manager. Rather than relying solely on Jira's identity service, Vault Password Manager integrates with it and adds its own layer of user authentication and authorization.

During the account creation process in the Vault Password Manager app, users are prompted to set up an application password, adhering to specific security criteria. This password, which is unique and comprises a variety of characters, serves as an authentication element in addition to Jira's verification.

Furthermore, each time the user sets up a new account, they are prompted not only to assign a password but also to download the recovery key the app generates in the format: VPM1-<OrganizationId>-<userId>-<random-string>. This key is stored in the user's browser and Alpha Serve keeps the hash in our system for added security. 

To access the system, users are required to input their application password each time. If the recovery key is absent, it indicates the user may be attempting access from a new or unrecognized device, prompting an extra layer of authentication for their protection. The encryption key is composed of the application password and recovery key. The system retains its hash for only 15 minutes. Once this timeframe elapses, a login prompt will appear, and the encryption key hash will be automatically removed. 

If MFA or SSO is set up in Jira, then it will be employed. However, it’s important to note that this is not a part of the Vault Password Manager application.

Authorization and Access Control in Vault

Authorization and access control features in Vault were also implemented using Forge. 

Forge uses the OAuth 2.0 protocol and handles authorization tasks such as generating access tokens and validating user identities. Vault Password Manager, in turn, manages and safeguards restricted data, including passwords, cryptographic keys, and other confidential information. Once a user has been successfully authorized, the app grants access to their personal Vault or facilitates access to shared Vaults, all contingent upon the user’s designated permissions. 

An authentication token is designed to be short-lived, which means Vault Password Manager users are automatically logged out after a predefined period of inactivity. This enhances protection against potential data breaches while a session is left unattended.

Forge Data Storage and AES-256-Bit Encryption in Vault

Alpha Serve implemented a number of encryption techniques and practices that help to protect the data generated by our app as well as users' personal data.

Data is synchronized with Atlassian Forge’s secure storage only after undergoing encryption. This is done using the user’s unique encryption key and password. 

Vault Password Manager uses the AES-256-bit encryption algorithm to ensure a high level of security for confidential records. This algorithm was established by the U.S. National Institute of Standards and Technology (NIST) in 2001 and is considered one of the most secure encryption standards available today. It is a symmetric-key cipher: the same key is used to encrypt and decrypt the data.

Encrypted information is transmitted as a block of data encoded in base64. The encryption step is hidden from every other party: neither the Vault Password Manager application nor Alpha Serve can access the application password.

The encryption key is 256 bits long and, in this case, is derived using a default of 27,000 rounds of PBKDF2-SHA256; one additional round of hashing over it produces the application password authentication hash (the "login hash"). A salt (a unique random string for each organization) is applied, and the derivation is further strengthened with an additional 27,000 rounds of PBKDF2 hashing and the Scrypt hashing algorithm.

To access their account, users must enter an application password. This password is used in conjunction with the above-mentioned recovery key Vault generates, forming a distinctive key that enables users to encrypt or decrypt their vaulted data. Without this key, the encrypted data remains unintelligible, resembling random noise.

Due to these measures, breaking the encryption through brute force attacks would require an unfeasibly long amount of time, even with the most advanced computers available today.

When the recovery key is generated, an RSA key pair is simultaneously created, consisting of a private key and a public key. The private key, which is essential for decryption and must remain confidential, is securely stored within the browser and further encrypted with the application password. On the other hand, the public key, designed for encryption purposes, is stored by Forge.

How Vault Password Manager Ensures Compliance

Password management apps handle private data, and as such, Alpha Serve prioritizes compliance with various regulations and standards to ensure robust security and privacy measures for user information. These regulations often emphasize appropriate data protection, user consent, data minimization, and individual rights concerning their data, along with the prevention of fraud and breaches.

Forge has been instrumental in helping us establish and implement strong security measures, data protection practices, access controls, auditing, and policies. This ensures that our app maintains a high level of security and privacy for user data, aligning with industry best practices. Those include:

Data Hosting and Isolation: Thanks to the Forge platform infrastructure, Vault was designed to operate within a sandboxed environment that isolates it from other apps and data. Also, Forge hosts highly confidential data within the Atlassian Cloud, which many customers have already vetted and trust.

User Consent And Access Controls: Forge employs OAuth 2.0. This helps guarantee that apps don't access data they shouldn't at any given moment, and that apps follow best practices for obtaining user consent before accessing and processing user data.

Data Minimization: Following the Forge guidelines, Alpha Serve helps ensure that the app follows data minimization principles, and collects/processes only the data that is necessary for its functionality.

Secure APIs and Third-Party Integrations: Vault interacts with Atlassian products through Forge APIs designed with security in mind, helping to ensure that data is transmitted securely with proper authentication and authorization mechanisms in place.

Compliance Checklist for Password Management Apps

To make the experience applicable to as many developers as possible, Alpha Serve has created a checklist to follow when building secure and compliant password management apps using Forge. So here are the essential considerations and steps:

1. Define the purpose and scope of your password management app. Consider which Atlassian products it will integrate with and the specific features it will offer.

2. Identify the relevant data protection and privacy regulations that apply to your app’s users.

3. Design your app’s data model to store user credentials and other confidential information securely. Implement strong encryption for data at rest and in transit using algorithms provided by Atlassian Forge.

4. Use OAuth 2.0 employed by Forge to implement mechanisms for obtaining user consent to collect and process their data. 

5. Utilize Forge’s authentication and authorization capabilities to ensure that only authorized users can access the app. Implement strong authentication methods, such as multi-factor authentication.

6. Use HTTPS for all communication between the app and external services. Ensure that API calls and data transmission are secure.

7. Implement strict input validation to prevent injection attacks. Encode output properly to prevent Cross-Site Scripting (XSS) vulnerabilities.

8. Adhere to Forge secure coding practices, such as input validation, avoiding hardcoded secrets, and regular code reviews.

9. Regularly monitor the app for security issues and emerging vulnerabilities. Keep up-to-date with security patches and updates for both your app and the Forge platform. Use the Ecoscanner platform to make sure you’re meeting Atlassian’s security requirements for Forge apps.

10. If required by regulations, consider undergoing compliance audits or obtaining relevant certifications to demonstrate your app’s security and privacy measures.

This checklist serves as a starting point. Customize it based on the specific regulations that apply to your app’s target audience and the unique features of your password management app.

Best Practices for Secure and Compliant Forge App Development

Using Forge, Alpha Serve developers were able to build an app that is resilient to security vulnerabilities and threats. Here are some key secure coding practices that our developers followed with the provided infrastructure:

  1. Implement strong authentication and authorization mechanisms with an application password and leverage Forge's OAuth 2.0 to ensure proper authorization checks so that only authorized users can access the app.
  2. Utilize strong hashing algorithms with salt to store an application password and forbid using plaintext or reversible passwords.
  3. Encode user-generated content properly before rendering it in the user interface to prevent Cross-Site Scripting (XSS) attacks.
  4. Encrypt vaulted data with AES-256, a symmetric-key algorithm operated in a block cipher mode.

Vault Password Manager uses secure protocols (such as HTTPS) for transmitting secure data between the client and the server. Communication between the client and Jira Forge (VAULT) servers utilizes TLS connections as well as security headers in HTTP responses to prevent security vulnerabilities like Cross-Site Scripting and clickjacking.

Recap

In today’s interconnected world, where data breaches and privacy concerns are ever-present, it’s our responsibility to create applications that not only provide convenience but also ensure the security of users’ most restricted information. 

Building with Forge helped us to ensure best-in-class security for Vault in several ways. Those include: 

  • hosting secure data within the Atlassian cloud
  • secure and reliable access to vault data through Atlassian’s Jira platform 
  • encrypting credentials locally on the end user’s device and on Atlassian infrastructure 
  • granting admins centralized control through a Jira admin dashboard with configurable security policies. 

Forge also made it easier to follow industry-standard encryption best practices to protect confidential data against brute-force and man-in-the-middle attacks. In short, while we did a lot of work to ensure our app was secure, Forge definitely made it easier to protect customer data.