Security Risks and Best Practices


Most software companies resort to using third-party solutions for completing certain tasks within their company. A common example is a ticketing platform that helps teams and companies stay organized with issues that internal employees or customers may experience.

Unfortunately, due to lack of time and strict deadlines, there’s sometimes little to no room left for assessing the security impact of these services. And this can sometimes open up new attack surfaces for your business.

In this post, we’ll go over three popular third-party software services that most (internal) software teams make use of. We’ll explain thoroughly how they can lead to data theft, service disruption, or even financial damage when access to them is left incorrectly configured.

1) Atlassian Jira

Atlassian’s Jira is a popular ticketing software often used by developers and IT teams to keep track of internal issues.

However, if left configured incorrectly, it can be possible for anyone to sign up and create an account on your Atlassian Jira instance. Ultimately, allowing unauthorized users to get access to your internal data (depending on the privileges provided for new accounts).

To quickly check if your instance is currently configured incorrectly, navigate to “/secure/Signup!default.jspa” and check if signups are enabled.

If registrations are public and enabled and you’d like to disable this option, we recommend following the steps provided in the remediation section below.

https://bugology.intigriti.io/misconfig-mapper-docs/services/atlassian-jira/open-user-registration#remediation

2) Jenkins

Jenkins is a popular continuous integration and continuous delivery (CI/CD) tool used by developers to help them build and deploy production-ready applications and web services at scale. It can save developers a lot of time. However, Jenkins also supports signups and if this setting is left incorrectly configured. It could open up another attack surface, allowing bad actors to gain access to your CI/CD pipeline(s).

You can easily check if your Jenkins instance has public signups enabled. Simply navigate to “/signup” or “/jenkins/signup” and verify if you can create an account.

If signups are open and you’d like to revert to this setting and disable public signups, simply follow the following remediation steps. This would make sure that public signups are disabled by default.

https://bugology.intigriti.io/misconfig-mapper-docs/services/jenkins/open-signups#remediation

3) Freshworks Freshservice

Freshworks Freshservice is a service management platform that helps businesses with ticketing, KB, and other services for its employees. By default, Freshservice allows anyone to create an account on your instance.

If you make use of Freshservice only for internal purposes, the best approach would be to disable public account creations. This, if not considered, may disclose sensitive data to unauthorized users.

A simple way of checking if signups are enabled is by visiting the following app route on your Freshservice instance: “/support/signup

If registrations are left open to your Freshservice instance, it could mean that new users gain access to internal-only resources. Examples include internal support tickets, company business metrics, or even personal identifiable information (PII) of customers.

To disable signups on your instance, we recommend going through the following remediation steps:

https://bugology.intigriti.io/misconfig-mapper-docs/services/freshworks-freshservice/open-user-registration#remediation

Automated tooling

A while ago we released Misconfig Mapper. This is an automated tool dedicated to help find these types of security misconfigurations in popular third-party services such as the ones mentioned above.

Furthermore, we’ve also documented the potential impact it can bring and clear step-by-step guides on how to resolve these security misconfigurations.

Conclusion

Third-party solutions and cloud services can provide a lot of benefits to your team. However, can also be a means of opening new attack surfaces to your company or organization if incorrectly configured.



Source link