Uploaded byAtlassian
9,768 views
Enable DevSecOps using Jira Software
The document discusses the integration of DevSecOps within Jira software to enhance application security by standardizing the vulnerability scanning process, enabling collaboration between application security and development teams, and improving operational efficiency. Key benefits include significant time savings in generating reports, simplified remediation workflows, and a consolidated platform for vulnerability management. Overall, the initiative aims to make security processes more efficient and cost-effective while meeting regulatory needs.
![[BDD 2025 - Full-Stack Development] Agentic AI Architecture: Redefining Syste...](/image.pl?url=https%3a%2f%2fcdn.slidesharecdn.com%2fss_thumbnails%2ffs-agenticaiarchitectureredefiningsystemcommunication-251124030838-e6c70cc2-thumbnail.jpg%3fwidth%3d640%26amp%3bheight%3d640%26amp%3bfit%3dbounds&f=jpg&w=240)
![Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]](/image.pl?url=https%3a%2f%2fcdn.slidesharecdn.com%2fss_thumbnails%2fagenticcommunityseries-day3-cfd-251120170304-ddef8112-thumbnail.jpg%3fwidth%3d640%26amp%3bheight%3d640%26amp%3bfit%3dbounds&f=jpg&w=240)
![[BDD 2025 - Mobile Development] Exploring Apple’s On-Device FoundationModels](/image.pl?url=https%3a%2f%2fcdn.slidesharecdn.com%2fss_thumbnails%2fmd-exploringappleson-devicefoundationmodels-251124030840-d690542c-thumbnail.jpg%3fwidth%3d640%26amp%3bheight%3d640%26amp%3bfit%3dbounds&f=jpg&w=240)
![[BDD 2025 - Mobile Development] Mobile Engineer and Software Engineer: Are we...](/image.pl?url=https%3a%2f%2fcdn.slidesharecdn.com%2fss_thumbnails%2fmd-mobileengineerandsoftwareengineerarewestillrelevantsidiqpermana-251127010650-55224ef1-thumbnail.jpg%3fwidth%3d640%26amp%3bheight%3d640%26amp%3bfit%3dbounds&f=jpg&w=240)
![[BDD 2025 - Artificial Intelligence] AI for the Underdogs: Innovation for Sma...](/image.pl?url=https%3a%2f%2fcdn.slidesharecdn.com%2fss_thumbnails%2fai-aifortheunderdogsinnovationforsmallbusinesses-251124030839-72a599a4-thumbnail.jpg%3fwidth%3d640%26amp%3bheight%3d640%26amp%3bfit%3dbounds&f=jpg&w=240)
![[BDD 2025 - Mobile Development] Crafting Immersive UI with E2E and AGSL Shade...](/image.pl?url=https%3a%2f%2fcdn.slidesharecdn.com%2fss_thumbnails%2fmd-craftingimmersiveuiwithe2eandagslshaderveronicaputrianggraini-251124030840-0c677f44-thumbnail.jpg%3fwidth%3d640%26amp%3bheight%3d640%26amp%3bfit%3dbounds&f=jpg&w=240)
Enable DevSecOps using Jira Software
- 1.Enable DevSecOps usingJiraSoftwareSaurabh GuptaMarch 02, 2019DevOps Solution Engineer Head of Developer EfficiencyGroupMostofa Rahman
- 2.2 Information Classification:PublicEveryone isresponsible forsecurity
- 3.3 Information Classification:PublicDeveloper OperationSecurity
- 4.4 Information Classification:PublicApplication Security
- 5.5 Information Classification:PublicSecurity ScannigScanningSQL Injection Insufficient Input ValidationInformation Leakage Code QualityCryptographic IssuesCRLF InjectionCross Site ScriptingAccess Control Missing AuthenticationPrivilege EscalationHTTP Verb TamperingOpen Source ComponentScanning
- 6.6 Information Classification:PublicPlanDevelopBuildTestReleaseDeployOperateContinuousDeliveryContinuousIntegration
- 7.Effect of scanfrequencyon flaw persistenceanalysis.STATE OF SOFTWARESECURITY VOL 9
- 8.8 Information Classification:Public2017 EMA reportA 2017 EMA report found thetop two benefits- better ROI improved- operational efficiencies
- 9.9 Information Classification:PublicSecurity Considerations
- 10.10 Information Classification:PublicTakes Timec
- 11.11 Information Classification:PublicTakes Time Adds CostccApplication Security
- 12.12 Information Classification:PublicTakes Time Adds CostReducesInnovationccc
- 13.13 Information Classification:PublicAutomation Opportunity
- 14.14 Information Classification:PublicSemi-Automated Process
- 15.15 Information Classification:PublicWhy Jira
- 16.16 Information Classification:PublicSolution ImplementationWhat we did?
- 17.17 Information Classification:PublicIntegratedmultiplescanningtools withJira
- 18.18 Information Classification:PublicScanning Tools Auto Issue CreationUsing any of the methods- Jira Plugin - Back end Script- Jira Rest API
- 19.19 Information Classification:PublicTo achieve all the functionalities we integrated our Jira with multiple datasourcesApplication Information SourceScan Request System Due Date Calculation System
- 20.20 Information Classification:PublicStandardize received dataü All fields are populatedü Right fields are populatedü Data in the scanning tool and data inJira matchesü Run different models for datastandardization and calculationaccording to user needs
- 21.21 Information Classification:PublicStandardize received dataü Recalculating severity based onCVSS, CWE ID, CVE IDü Adding remediation data based onCWE ID & CVE IDü Calculating remediation start dateü Calculating due date
- 22.22 Information Classification:PublicBNY Jira structureAS = App Sec JiraAD = App Dev JiraJira 1 AS Jira 2 AD Jira 3 AD Jira 4 AD Jira 5 AD
- 23.23 Information Classification:PublicWorkflow
- 24.24 Information Classification:PublicJira & Beyond
- 25.25 Information Classification:PublicFull ArchitectureScanning ToolsApplicationsList ofVulnerabilitiesPushed/Pulledinto JiraStandardizationtaskApp Sec JiraConnect toexternal systemfor differentparametersInformationSystemScanRequestSystemDue DateCalculationSystemData ValidationandRequired fieldscheckPush to othersystems foranalysticsApp Dev Jira
- 26.26 Information Classification:PublicChallenges Faced
- 27.27 Information Classification:PublicChallengesAPI Limitations
- 28.28 Information Classification:PublicChallengesAPI LimitationsClean Ups
- 29.29 Information Classification:PublicChallengesAPI LimitationsClean UpsCollaboration
- 30.30 Information Classification:PublicChallengesAPI LimitationsClean UpsCollaborationInfrastructure
- 31.31 Information Classification:PublicChallengesAPI LimitationsClean UpsCollaborationScope ChangesInfrastructure
- 32.32 Information Classification:PublicBenefits
- 33.33 Information Classification:PublicBefore• Scan Applications• Suggest remediation• Generate reports• Communicate reportsAfter• Scan Applications• Suggest remediationSecurity Analyst Responsibilities
- 34.34 Information Classification:PublicRegulatory
- 35.35 Information Classification:PublicOne StopShop For ALLApp Dev TeamThey do not need to go to different tools to getvulnerability information. Also, saving the effort tolearn new tool.WorkflowBoth teams can collaborate on the same Jiraissue. Saving time otherwise spent on back andfro.App Sec TeamNew workflow enables App Sec team toaccept/reject false positive findings.
- 36.36 Information Classification:PublicTime saved on generating & communicating report( 50 X 2 ) = 100 hours per dayNumber ofhours spentNumber ofSecurity Analyst* via Bloomberg/Payscale/IMG
- 37.37 Information Classification:PublicTime saved on generating & communicating report( 50 X 2 ) X 22 = 2200 hours per monthNumber ofhours spentNumber ofSecurity Analyst* via Bloomberg/Payscale/IMG
- 38.38 Information Classification:PublicTime saved on generating & communicating report( 50 X 2 ) X 262 = 26,200 hours per yearNumber ofhours spentNumber ofSecurity Analyst* via Bloomberg/Payscale/IMG
- 39.39 Information Classification:Public25%Of Effort Saved
- 40.40 Information Classification:PublicSummary & Takeaways
- 41.41 Information Classification:Public• DevSecOps is the new unicorn, who everyone wants to ride on• Enables shift left• Jira software integration with DevSecOps• Build workflow to simplify the remediation process• Reduces administrative work• Satisfy regulator/auditor needs• Full traceability• Facilitates ease of access• Security becomes cheaper and efficient when using DevSecOpsSummary
- 42.42 Information Classification:PublicBNY Mellon is the corporate brand of The Bank of New York Mellon Corporation and may be used as a generic term to reference the corporationas a whole and/or its various subsidiaries generally. Products and services may be provided under various brand names in various countries byduly authorized and regulated subsidiaries, affiliates, and joint ventures of The Bank of New York Mellon Corporation. Not all products andservices are offered in all countries.BNY Mellon will not be responsible for updating any information contained within this material and opinions and information contained herein aresubject to change without notice.BNY Mellon assumes no direct or consequential liability for any errors in or reliance upon this material. This material may not be reproduced ordisseminated in any form without the express prior written permission of BNY Mellon.©2019 The Bank of New York Mellon Corporation. All rights reserved.Disclosure