From News Headline to App Solution, with Forge
About the author: Boris Berenberg is a 19-year veteran of the tech industry. He was the founder and CEO of Atlas Authority and now works on interesting side projects, organizes events, and angel invests.
My idea for Securely began with a concerning piece of news: the Okta hack, which had significant repercussions for companies like 1Password and Cloudflare. This event highlighted a critical vulnerability in handling HAR files, which contain potentially sensitive customer data.
A HAR file, or HTTP Archive format file, is a JSON-formatted log of a web browser’s interactions with a site. When you visit a website, your browser makes a series of requests and receives responses: these are what a HAR file records, capturing the precise details of these exchanges. Developers and support teams often utilize HAR files for performance analysis, diagnosing errors, and tracking down network issues. When Okta was compromised, attackers were able to use customer submitted HAR files to then attack Okta's customers.
Shortly after the hack, Cloudflare released an open-source library for HAR file scrubbing, a proactive step in protecting sensitive data. This development caught my attention, but it was the confluence 😉 of this news and an Atlassian webinar, led by Neil Mansilla, that truly sparked my imagination. Neil was demonstrating the rapid development capabilities of Atlassian’s Forge platform, and I found myself wondering:
Could I leverage Forge to integrate Cloudflare’s functionality into an app before the end of the one-hour webinar?
Embracing Challenges and Leveraging AI
I fell short of my ambitious goal to complete the app before the webinar's end. However, within a week, not only had I developed a working version, but I also managed to release Securely on the Atlassian Marketplace. As someone who is less than stellar (read: bad) at coding, this was a significant achievement, made possible in no small part through the assistance of ChatGPT and other AI assistants, which handled most of the coding and helped me troubleshoot issues.
Securely listens for the Forge events that fire when a new attachment is added to Jira. It then automatically scrubs the file according to the app settings, attaches the scrubbed file to the issue, and updates references to it in issue comments. This ensures that if a user account or even your whole Jira Software or Jira Service Management site were to be compromised, an attacker couldn't use HAR files to then attack your customers—like what happened in Okta's case.
Design is not my forte either, but with the help of ChatGPT, DALL-E, and Vectorizer.ai, I created a logo for Securely. For the Atlassian Marketplace promotional images, I turned to Canva, which helped me put together eye-catching yet straightforward graphics by modifying existing templates.
Enhancing User Experience and Security
After the initial release, I quickly launched a configuration UI, allowing users to specify which attributes to scrub from their HAR files. Because I had used Atlassian Design tokens from the start, this UI supported Dark Mode from the first day it went live, enhancing the user experience.
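The flow described above (an attachment arrives, the configured HAR attributes are redacted, a clean copy is re-attached) hinges on one core step: rewriting the HAR JSON. What follows is an added example of that step in plain Node.js. It is not Securely's code, not the open-sourced library, and not Cloudflare's scrubber. The `scrubHar` function, the config keys (`headers`, `cookies`, `queryParams`, `requestBody`, `responseBody`), the default deny lists, and the sample HAR are all assumptions constructed for illustration.

```javascript
// Added example (not Securely's code and not Cloudflare's library): a small,
// configurable HAR scrubber in plain Node.js. The config shape and the default
// deny lists are assumptions chosen for illustration.
const REDACTED = '[REDACTED]';

// Assumed default policy; a settings UI would let a user edit these lists.
const DEFAULT_CONFIG = {
  headers: ['authorization', 'cookie', 'set-cookie', 'x-api-key'],
  cookies: true,                                  // redact every cookie value
  queryParams: ['token', 'access_token', 'code'],
  requestBody: true,                              // replace request postData.text
  responseBody: true,                             // replace response content.text
};

const lower = (s) => String(s || '').toLowerCase();

// Redact the value of every name/value pair whose name is on the deny list.
function redactPairs(pairs, names) {
  const deny = new Set(names.map(lower));
  let hits = 0;
  const out = (pairs || []).map((p) => {
    if (deny.has(lower(p.name))) { hits += 1; return { ...p, value: REDACTED }; }
    return { ...p };
  });
  return { out, hits };
}

// Replace denied query parameters inside the URL string itself, so a secret
// does not survive in request.url after queryString[] has been scrubbed.
function redactUrlParams(url, names) {
  try {
    const u = new URL(url);
    const deny = new Set(names.map(lower));
    for (const key of [...u.searchParams.keys()]) {
      if (deny.has(lower(key))) u.searchParams.set(key, REDACTED);
    }
    return u.toString();
  } catch (_) {
    return url; // leave unparseable URLs untouched rather than aborting the scrub
  }
}

// Return a scrubbed deep copy of a HAR object plus the number of redactions made.
function scrubHar(har, userConfig = {}) {
  const cfg = { ...DEFAULT_CONFIG, ...userConfig };
  const copy = JSON.parse(JSON.stringify(har)); // never mutate the caller's object
  let redactions = 0;

  for (const entry of (copy.log && copy.log.entries) || []) {
    const { request, response } = entry;
    for (const msg of [request, response]) {
      if (!msg) continue;
      const h = redactPairs(msg.headers, cfg.headers);
      msg.headers = h.out;
      redactions += h.hits;
      if (cfg.cookies && Array.isArray(msg.cookies)) {
        redactions += msg.cookies.length;
        msg.cookies = msg.cookies.map((c) => ({ ...c, value: REDACTED }));
      }
    }
    if (request) {
      const q = redactPairs(request.queryString, cfg.queryParams);
      request.queryString = q.out;
      redactions += q.hits;
      request.url = redactUrlParams(request.url, cfg.queryParams);
      if (cfg.requestBody && request.postData && request.postData.text) {
        request.postData.text = REDACTED;
        redactions += 1;
      }
    }
    if (cfg.responseBody && response && response.content && response.content.text) {
      response.content.text = REDACTED;
      redactions += 1;
    }
  }
  return { har: copy, redactions };
}

// True if the serialized HAR still contains the given secret anywhere.
function leaks(har, secret) {
  return JSON.stringify(har).includes(secret);
}

// Constructed sample HAR (HAR 1.2 shape, trimmed to the fields that matter here).
const SAMPLE_HAR = { log: { version: '1.2', creator: { name: 'constructed', version: '0' }, entries: [{
  startedDateTime: '2024-01-01T00:00:00.000Z', time: 12,
  request: {
    method: 'POST', url: 'https://example.com/api/login?token=s3cr3t-token&page=1',
    headers: [{ name: 'Authorization', value: 'Bearer eyJhbGciOi...' },
              { name: 'Cookie', value: 'session=abc123' },
              { name: 'Content-Type', value: 'application/json' }],
    cookies: [{ name: 'session', value: 'abc123' }],
    queryString: [{ name: 'token', value: 's3cr3t-token' }, { name: 'page', value: '1' }],
    postData: { mimeType: 'application/json', text: '{"password":"hunter2"}' },
  },
  response: {
    status: 200,
    headers: [{ name: 'Set-Cookie', value: 'session=def456; HttpOnly' },
              { name: 'Content-Type', value: 'application/json' }],
    cookies: [{ name: 'session', value: 'def456' }],
    content: { mimeType: 'application/json', text: '{"sessionToken":"def456"}' },
  },
}] } };

const demo = scrubHar(SAMPLE_HAR);
console.log(`redactions: ${demo.redactions}`); // 8 for the sample above
```

Two details matter when this runs inside a 55-second Forge function on files approaching the size limit: the deep copy via `JSON.parse(JSON.stringify(...))` doubles memory use but guarantees the original attachment is never half-scrubbed if something throws, and the URL is rewritten separately from `queryString[]` because HAR stores the same secret in both places. Non-sensitive headers such as `Content-Type` are left intact so the file still serves its debugging purpose.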
The initial version of Securely processed HAR files through a Cloudflare worker. This approach was quick to implement but had two main drawbacks:
- Customer data had to leave Atlassian systems
- The file transfer times between AWS and Cloudflare were significant and ate into my 55-second Forge function execution limit
Recognizing these issues, I migrated the scrubbing process to Forge. This shift not only bolstered data privacy, security, and compliance but also slashed processing times from 40 seconds to just 1 second for HAR files near our current 75 MB limit.
This improvement is crucial as it paves the way for supporting larger HAR files in the future.
Since those initial releases, a lot has changed.
I ran into bugs with the Cloudflare library and decided to rewrite the core scrubbing code. Then I open-sourced it and actually got my first pull request, which, coincidentally, came from an Atlassian team member 🎉. Now you can use the library if you need to build something similar.
I also added support for a user to clean sensitive data out of a HAR file before uploading it to Jira Service Management. This means that sensitive data never leaves the customer’s system, and has the added benefit that HAR files much larger than 75 MB can be cleaned.
It’s been rewarding to see Securely gain momentum on the Marketplace, where it was recently featured as a Rising Star. I’d love for you to give Securely a try, explore its capabilities, and share your feedback. Every install, rating, and comment propels us toward a future where customer trust is absolute, and the privacy of their data is uncompromised. I do have a slew of improvements I want to build for Securely and would love to hear from you.
In conclusion, the journey of creating Securely using Atlassian’s Forge platform was not just about building an app; it was about testing the potential of Forge as a tool for rapid development, the importance of proactive security in software development, and the strength of the Atlassian ecosystem in responding to emerging challenges.