Uploaded by Atlassian

Enable DevSecOps using Jira Software

The document discusses the integration of DevSecOps within Jira software to enhance application security by standardizing the vulnerability scanning process, enabling collaboration between application security and development teams, and improving operational efficiency. Key benefits include significant time savings in generating reports, simplified remediation workflows, and a consolidated platform for vulnerability management. Overall, the initiative aims to make security processes more efficient and cost-effective while meeting regulatory needs.


1. Enable DevSecOps using Jira Software. Saurabh Gupta, DevOps Solution Engineer; Mostofa Rahman, Head of Developer Efficiency Group. March 02, 2019.
2. Information Classification: Public. Everyone is responsible for security.
3. Developer, Operation, Security.
4. Application Security.
5. Security Scanning. Finding classes: SQL Injection, Insufficient Input Validation, Information Leakage, Code Quality, Cryptographic Issues, CRLF Injection, Cross-Site Scripting, Access Control, Missing Authentication, Privilege Escalation, HTTP Verb Tampering. Plus Open Source Component Scanning.
6. Pipeline stages: Plan, Develop, Build, Test, Release, Deploy, Operate (Continuous Integration, Continuous Delivery).
7. Effect of scan frequency on flaw persistence analysis (chart from the State of Software Security Vol. 9 report).
8. A 2017 EMA report found the top two benefits: better ROI and improved operational efficiencies.
9. Security Considerations.
10-12. Application Security (built up over three slides): Takes Time. Adds Cost. Reduces Innovation.
13. Automation Opportunity.
14. Semi-Automated Process.
15. Why Jira.
16. Solution Implementation: What we did.
17. Integrated multiple scanning tools with Jira.
18. Scanning Tools, Auto Issue Creation. Using any of these methods: Jira plugin, back-end script, Jira REST API.
19. To achieve all the functionality we integrated our Jira with multiple data sources: Application Information Source, Scan Request System, Due Date Calculation System.
20. Standardize received data:
   • All fields are populated
   • The right fields are populated
   • Data in the scanning tool and data in Jira match
   • Run different models for data standardization and calculation according to user needs
21. Standardize received data:
   • Recalculate severity based on CVSS, CWE ID, CVE ID
   • Add remediation data based on CWE ID and CVE ID
   • Calculate remediation start date
   • Calculate due date
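What slides 18 to 21 describe, written out as an added Python example (not code from the deck or from BNY Mellon): take a scanner's exported findings, standardize them (required-field and type check, severity recomputed from the CVSS score using the CVSS v3 qualitative scale, remediation start and due dates, and a stable fingerprint so re-scans update existing issues instead of creating duplicates), then build the JSON body that Jira's `POST /rest/api/2/issue` expects. The input field names, the SLA table, the `AS` project key and the sample findings are assumptions made for illustration.

```python
"""Added example; not code from the deck or from BNY Mellon. Field names,
SLA table, project key and sample findings are assumptions."""
import hashlib
from datetime import date, timedelta

SCAN_DATE = date(2019, 3, 2)  # constructed: date of the scan run


def severity_from_cvss(score: float) -> str:
    """CVSS v3.x qualitative severity rating scale."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


# Assumed remediation SLA, in calendar days from the scan date.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180, "None": 365}
# Jira's default priority names.
JIRA_PRIORITY = {"Critical": "Highest", "High": "High", "Medium": "Medium",
                 "Low": "Low", "None": "Lowest"}
REQUIRED_FIELDS = ("tool", "app_id", "cwe_id", "cvss", "location", "title")


def missing_fields(finding: dict) -> list:
    """Slide 20: 'all fields are populated'."""
    return [k for k in REQUIRED_FIELDS if finding.get(k) in (None, "")]


def fingerprint(finding: dict) -> str:
    """Identity of a finding across re-scans: same tool, app, CWE and location."""
    key = "|".join(str(finding[k]) for k in ("tool", "app_id", "cwe_id", "location"))
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:16]


def normalize(finding: dict, scan_date: date = SCAN_DATE) -> dict:
    """Slide 21: severity from CVSS, remediation start date, due date."""
    missing = missing_fields(finding)
    if missing:
        raise ValueError(f"finding is missing required fields: {missing}")
    cwe = int(finding["cwe_id"])  # 'right fields populated': must parse as an id
    cvss = float(finding["cvss"])
    severity = severity_from_cvss(cvss)
    due = scan_date + timedelta(days=SLA_DAYS[severity])
    return {
        "tool": finding["tool"], "app_id": finding["app_id"],
        "cwe_id": cwe, "cve_id": finding.get("cve_id") or None, "cvss": cvss,
        "location": finding["location"], "title": finding["title"],
        "severity": severity,
        "remediation_start": scan_date.isoformat(),
        "due_date": due.isoformat(),
        "fingerprint": fingerprint(finding),
    }


def jira_issue_payload(n: dict, project_key: str) -> dict:
    """Body of POST /rest/api/2/issue. 'duedate' and 'labels' are standard
    Jira fields; site-specific custom fields (customfield_NNNNN) are not
    assumed, so remediation data goes into the description."""
    cve = f" / {n['cve_id']}" if n["cve_id"] else ""
    description = (
        f"Tool: {n['tool']}\nApplication: {n['app_id']}\nLocation: {n['location']}\n"
        f"CWE-{n['cwe_id']}{cve}, CVSS {n['cvss']}\n"
        f"Remediation start: {n['remediation_start']}\nFingerprint: {n['fingerprint']}"
    )
    return {"fields": {
        "project": {"key": project_key},
        "issuetype": {"name": "Bug"},
        "summary": f"[{n['severity']}] CWE-{n['cwe_id']} {n['title']} in {n['app_id']}",
        "description": description,
        "priority": {"name": JIRA_PRIORITY[n["severity"]]},
        "labels": [f"fp-{n['fingerprint']}", f"tool-{n['tool']}", f"cwe-{n['cwe_id']}"],
        "duedate": n["due_date"],
    }}


def build_new_issues(findings, project_key, existing_fingerprints=frozenset(),
                     scan_date: date = SCAN_DATE):
    """Return (payloads for findings not yet in Jira, fingerprints seen in this
    scan). Fingerprints tracked in Jira but absent from 'seen' are the
    candidates for auto-closing, i.e. the 'clean ups' the deck lists as a challenge."""
    payloads, seen = [], set()
    for f in findings:
        n = normalize(f, scan_date)
        seen.add(n["fingerprint"])
        if n["fingerprint"] not in existing_fingerprints:
            payloads.append(jira_issue_payload(n, project_key))
    return payloads, seen


# Constructed sample export; not real scan output. The CVE id is a placeholder.
SAMPLE_FINDINGS = [
    {"tool": "sast", "app_id": "APP-1234", "cwe_id": "89", "cve_id": "",
     "cvss": "9.8", "location": "src/dao/UserDao.java:112", "title": "SQL Injection"},
    {"tool": "sca", "app_id": "APP-1234", "cwe_id": "1104", "cve_id": "CVE-0000-00000",
     "cvss": "5.3", "location": "lib/example-lib-1.0.jar",
     "title": "Outdated open source component"},
]

if __name__ == "__main__":
    import json
    payloads, _ = build_new_issues(SAMPLE_FINDINGS, "AS")
    print(json.dumps(payloads, indent=2))
```

The fingerprint goes onto the issue as a label so the next run can query Jira for `labels = fp-…` before creating anything; findings whose fingerprint is tracked in Jira but no longer reported by the scanner are the ones to close, which is where the deck's "clean ups" effort goes.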
22. BNY Jira structure. AS = App Sec Jira, AD = App Dev Jira. Jira 1: AS; Jira 2: AD; Jira 3: AD; Jira 4: AD; Jira 5: AD.
23. Workflow.
24. Jira & Beyond.
25. Full Architecture, in data-flow order: Scanning Tools → Applications → List of Vulnerabilities → Pushed/Pulled into Jira → Standardization task → App Sec Jira (connects to external systems for the different parameters: Information System, Scan Request System, Due Date Calculation System; Data Validation and Required-fields check; Push to other systems for analytics) → App Dev Jira.
26. Challenges Faced.
27-31. Challenges (built up over five slides): API Limitations. Clean Ups. Collaboration. Infrastructure. Scope Changes.
32. Benefits.
33. Security Analyst Responsibilities. Before: Scan applications; Suggest remediation; Generate reports; Communicate reports. After: Scan applications; Suggest remediation.
34. Regulatory.
35. One Stop Shop For All.
   • App Dev Team: they do not need to go to different tools to get vulnerability information, which also saves the effort of learning a new tool.
   • Workflow: both teams can collaborate on the same Jira issue, saving the time otherwise spent going back and forth.
   • App Sec Team: the new workflow enables the App Sec team to accept or reject false-positive findings.
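The shared workflow on slide 35, modelled as an added Python example (not code from the deck or from BNY Mellon): both teams act on one issue, but the transition table restricts who may do what, so only the App Sec role can accept a finding or reject it as a false positive, only the App Dev role can mark it fixed, and every transition is recorded with actor, role and justification for the traceability the summary slide calls for. The state names, role names, the rule that a rejection needs a written note, and the transition id in the last function are assumptions; the request body shape is that of Jira's `POST /rest/api/2/issue/{key}/transitions`.

```python
"""Added example; not code from the deck or from BNY Mellon. States, roles,
note requirement and transition ids are assumptions."""
from copy import deepcopy

# (current state, action) -> (next state, roles allowed to perform the action)
WORKFLOW = {
    ("Open", "triage"):           ("Triage", {"appsec"}),
    ("Triage", "accept"):         ("In Remediation", {"appsec"}),
    ("Triage", "reject"):         ("False Positive", {"appsec"}),  # reject = false positive
    ("In Remediation", "fixed"):  ("Fixed", {"appdev"}),
    ("Fixed", "verify"):          ("Verified", {"appsec"}),
    ("Fixed", "reopen"):          ("In Remediation", {"appsec"}),
    ("False Positive", "reopen"): ("Triage", {"appsec"}),
}
# Decisions an auditor will ask about must carry a written justification.
ACTIONS_REQUIRING_NOTE = {"reject", "reopen"}


class TransitionError(Exception):
    pass


def new_issue(key: str, summary: str) -> dict:
    return {"key": key, "summary": summary, "state": "Open", "history": []}


def can_transition(issue: dict, action: str, role: str, note: str = "") -> bool:
    """All checks in one place: the transition exists from this state, the
    role is allowed, and a justification is present where one is required."""
    rule = WORKFLOW.get((issue["state"], action))
    if rule is None or role not in rule[1]:
        return False
    if action in ACTIONS_REQUIRING_NOTE and not note.strip():
        return False
    return True


def allowed_actions(issue: dict, role: str) -> list:
    """What the Jira UI would offer this role on this issue."""
    return sorted(a for (s, a), (_, roles) in WORKFLOW.items()
                  if s == issue["state"] and role in roles)


def transition(issue: dict, action: str, actor: str, role: str, note: str = "") -> dict:
    """Apply a transition, returning a new issue with an audit entry appended."""
    if not can_transition(issue, action, role, note):
        raise TransitionError(
            f"{role} {actor!r} may not '{action}' from state {issue['state']!r}")
    nxt, _ = WORKFLOW[(issue["state"], action)]
    updated = deepcopy(issue)
    updated["history"].append({"from": issue["state"], "to": nxt, "action": action,
                               "actor": actor, "role": role, "note": note})
    updated["state"] = nxt
    return updated


def jira_transition_body(transition_id: str, comment: str) -> dict:
    """Body of POST /rest/api/2/issue/{key}/transitions. The numeric id is
    workflow-specific and is looked up first with GET on the same URL; the
    value passed in here is a placeholder."""
    body = {"transition": {"id": transition_id}}
    if comment:
        body["update"] = {"comment": [{"add": {"body": comment}}]}
    return body


def demo() -> dict:
    """Happy path: App Sec triages and accepts, App Dev fixes, App Sec verifies."""
    issue = new_issue("AS-101", "[Critical] CWE-89 SQL Injection in APP-1234")
    issue = transition(issue, "triage", "alice", "appsec")
    issue = transition(issue, "accept", "alice", "appsec")
    issue = transition(issue, "fixed", "bob", "appdev", "parameterized the query")
    issue = transition(issue, "verify", "alice", "appsec", "re-scan clean")
    return issue


if __name__ == "__main__":
    for h in demo()["history"]:
        print(f"{h['from']:15} -> {h['to']:15} {h['action']:7} by {h['actor']} ({h['role']})")
```

In Jira itself the same restriction is a workflow condition (user in project role) on each transition; the table above is the policy you would configure, kept in code so it can be reviewed and tested before it is clicked into the workflow editor.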
36-38. Time saved on generating and communicating reports (50 × 2: number of security analysts × number of hours spent per day): 50 × 2 = 100 hours per day; 100 × 22 = 2,200 hours per month; 100 × 262 = 26,200 hours per year. (* via Bloomberg/Payscale/IMG)
39. 25% of effort saved (2 hours out of an 8-hour day).
40. Summary & Takeaways.
41. Summary:
   • DevSecOps is the new unicorn that everyone wants to ride
   • Enables shift left
   • Jira Software integration with DevSecOps
   • Build a workflow to simplify the remediation process
   • Reduces administrative work
   • Satisfies regulator/auditor needs
   • Full traceability
   • Facilitates ease of access
   • Security becomes cheaper and more efficient when using DevSecOps
42. Disclosure. BNY Mellon is the corporate brand of The Bank of New York Mellon Corporation and may be used as a generic term to reference the corporation as a whole and/or its various subsidiaries generally. Products and services may be provided under various brand names in various countries by duly authorized and regulated subsidiaries, affiliates, and joint ventures of The Bank of New York Mellon Corporation. Not all products and services are offered in all countries. BNY Mellon will not be responsible for updating any information contained within this material and opinions and information contained herein are subject to change without notice. BNY Mellon assumes no direct or consequential liability for any errors in or reliance upon this material. This material may not be reproduced or disseminated in any form without the express prior written permission of BNY Mellon. ©2019 The Bank of New York Mellon Corporation. All rights reserved.
