How to manage vulnerabilities in Jira?
Jira is one of the most widely adopted Issue and Project Tracking Software out there. Atlassian’s Jira has been named the #1 software development tool for agile teams. And Probely now allows you to synchronize your security issues into your Jira issue tracker. So, how do you manage vulnerabilities in Jira using Probely?
In this day and age, the work environment of software teams consists of complicated issues, tackled by multiple tools, frameworks and people. And often it can be quite overwhelming to track and deal with all the information on different platforms. And this is why we believe integrating Probely with other tools is of crucial importance to our customers and to us. At Probely, we want to make web application security easy and accessible to developers, and software teams. And this is quite a step forward, since now we provide developers and software teams with the ability to manage their security findings and not leave their workflows or digital workplaces.
Probely supports both Jira Cloud and Jira Server (on premises), so whichever you are using, you will be able to integrate Web Application Security findings in your workflow.
What can Jira and Probely do together (Features)?
We tried to make the integration between JIRA and our web vulnerability scanner (Probely) as agile and quick as possible. In order to do that we noticed that we need more than a simple integration with Jira. So, we included some cool features that will make things run a lot easier and smoother.
Once you setup Probely and Jira, each vulnerability found by Probely will be created as an issue in Jira. And once that Jira issue is marked as ‘done’, Pobely will automatically trigger a retest on that vulnerability. If the vulnerability is fixed then it is marked as such. If the vulnerability is not fixed, then the status of the Jira issue goes from ‘done’ to its previous state.
Probely <-> Jira Integration
Status and Severity Mapping
Probely allows you to map values of Probely vulnerabilities to the existing Status types in your Jira workflow. Mapping ‘Fixed’ and ‘Not Fixed’ values are required for the integration to work. However, you can additionally map ‘Accepted Risk’ of a vulnerability that you don’t need to fix, to its respective Jira status type (e.g. ‘doesn’t need fixing’). This way you are able to personalize the integration and set the terms between the two platforms.
Another feature, or setting, rather, similar to Status Mapping is the Severity Mapping. Here you can map the severity or the ‘risk’ of vulnerabilities found in Probely to their respective importance status in Jira. For example, you would want to map vulnerabilities defined as High by Probely, to issue severity levels that resemble ‘critical importance’ in your workflow.
Automatically sync all findings or sync selected findings that matter
The default (and recommended) configuration in Probely is to automatically sync all Probely findings with Jira. This way, every past and future finding will appear as an open finding in Jira.
However, we wanted to make Probely and Jira useful for as many use-cases as possible. So, if for some reason this doesn’t work for you, or if you want a more hands-on experience you can manually sync selected vulnerabilities.
Manually Syncing a finding with Jira Cloud
“How to fix” instructions, evidence and vulnerability descriptions in Jira
When a finding is published in Jira, Probely also sends description, evidence, instructions on how to fix the vulnerability, and the link to Probely. This allows developers to learn about the type of security issue and fix it without actually leaving Jira. The instruction and additional information is under ‘Description’ of the task.
Description and ‘How to Fix’ of SQL Injection in Jira
How to successfully sync Probely with an existing Jira Server?
Here, I will explain a simple flow of how Probely could be used and integrated with an existing Jira Server. This is just one use-case and, of course, I would recommend you to personalize your experience so it works best for you.
Let’s say you add your target (the website you want to scan) and have Probely configured to run periodic scans. For example, you can schedule recurring weekly scans (here’s how to do that). Now, it’s time to integrate Probely with Jira. You Install Probely on the Atlassian Marketplace, set correct Status and Severity mapping configurations, sync findings, and you are ready to go. Here’s how you can integrate Probely with your Jira Server, or how to configure the Jira synchronization settings (this applies for Jira Cloud and Server).
Now that you have your setup done, and your scans running, each finding detected by Probely will be also published to Jira (with the appropriate Status and Severity values). Developers would then receive the Jira tasks (security findings), and under ‘Description’ they would have instructions on how to fix those vulnerabilities and some additional information. Once they used that, and the vulnerability is fixed - the task is closed. That triggers a retest of the finding by Probely, to make sure that the vulnerability is fixed properly. If it’s not, then the Jira issue is reopened, and the developer tries fixing it again. If the issue is properly fixed, then the Jira issue is kept close.
Alternatively, the periodic scans can detect if a finding is fixed, and they will aromatically close the ticket for that finding (set that Jira issue to the state you mapped to Fixed when configuring the integration).
Why did we do it? Why should you do it?
The reason why we worked hard on this integration, and why you should make use of it, is to save you time and make developers happy. When developers don’t have to change any workflow within the company, it takes out a lot of the frustration and it saves tons of times. And security, often times is seen as that one thing that just can’t fit properly into your Software Development Life Cycle (SDLC). However, now your SDLC is more secure, and you have a security tool that integrates with your existing SDLC workflow effortlessly.
Additionally, the Probely-Jira integration provides management with an overview of the security status of company projects by following Jira boards that include Probely issues.
Source: Blog Probely