Unify Security and Developer Workflows with the ArmorCode Jira Application
Remediation workflows for security issues are broken. Findings are generated by many different security scanning tools. They either get turned into lots of individual tickets with partial context, or the security team spends time manually correlating them and submitting tickets that quickly go stale as new information or metadata arrives. Developers are flooded with tickets that lack proper context and have no easy way to collaborate with the security team. As a result, SLAs get missed or issues get ignored.
This challenge with remediating security issues is not a matter of developers not caring or being interested in security, it’s about the disruption that can come with trying to get security issues resolved when they don’t fit into developers’ workflows. To be successful, security must fit into developer workflows and keep them in their environments, rather than trying to pull them out of their flow or make them learn new systems to get the information they need.
Security teams recognize this problem, and most scanning tools are able to create tickets in developer systems like Jira directly. This helps, but is not sufficient. What ends up happening when several security tools are creating tickets in Jira is two-fold:
- Developers see multiple tickets for the same problem. With each tool creating its own ticket, developers face dozens of tickets for one issue, each carrying one slice of context or covering one of the impacted assets. Developers end up with too many tickets and have to spend time sifting through and consolidating them.
- Uneven and delayed flow of information. One-way integrations leave the security team in the dark about what happens after a ticket is submitted. Bi-directional integrations are better, but are often limited. Because the content of the ticket itself is static, any change the security or development team makes shows up as a comment that has to be read, interpreted, and acted on, which breaks a developer's flow and slows them down.
This challenge is something we have long focused on helping security and development teams overcome at ArmorCode. Initially, we focused on the first problem: too many tickets with too little information. Central to ArmorCode is the ability for security teams to automatically correlate Findings from across tools and group similar Findings into one ticket. This reduces the number of tickets developers receive and gives them more context for every issue. However, even with a bi-directional integration with Jira, the second problem remained.
Introducing the ArmorCode Jira Application
Today, with our new Jira Application, we are solving the problem of uneven and delayed flows of information between security and development teams. The Jira Application for ArmorCode moves the connection between security and development remediation workflows forward with real-time, dynamic connectivity between ArmorCode and Jira. Whenever an artifact changes in ArmorCode (e.g. the status or severity of a Finding changes, metadata is updated, a new Finding is added to a ticket, etc.), the change is automatically reflected in Jira at the ticket level. This keeps developers in Jira and ensures that they have the latest and most complete information for a security issue in one easy-to-understand place.
The Jira Application ensures that developers have everything they need to remediate security issues at their fingertips. Let’s take a look at some of what makes it stand out:
Developers can jump directly to a source tool to review detailed information.
ArmorCode gives developers a summary of an issue together with all the Findings across your scanning tools that relate to it. Developers can see a list of everything they need to address, then read the detailed description to decide their next action. For every ArmorCode Finding that makes up a ticket, the original finding in the source tool is linked, so if the next step is to resolve the Finding, developers can jump to it in the source scanning tool with one click for the full technical details.
Improved collaboration between security and development teams.
Strong collaboration requires communication, as well as checks and balances. ArmorCode strengthens collaboration through request, proposal, and approval workflows in the Jira Application. For example, a developer can propose from within Jira that a Finding in their ticket is a false positive. That proposal then shows up dynamically in ArmorCode, where security can review and approve it. Each team stays in its preferred workflow, yet both are able to collaborate effectively and in real time.
Detailed, dynamic tickets.
Security teams can create tickets manually or automate ticket creation through Runbooks. With the Jira Application, new tickets appear in Jira in real time, as does any change made to the ticket in ArmorCode. Developers can see a summary of each related Finding that makes up the ticket, the status of the ticket, the type of scan, and any SLA due dates. To take action, developers can propose updates (e.g. change the severity, mark as a false positive, accept risk, etc.) individually or in bulk, all within Jira. These updates show up immediately in ArmorCode, where security teams can respond.
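To make the two ideas above concrete (correlating findings from several scanners into one ticket that links back to each source finding, and a propose/approve loop in which the developer side never changes state directly), here is a small added model in Python. It is an illustration written for this page, not ArmorCode's implementation: the field names, the fingerprint rule, the SLA table, the proposal kinds and the sample findings are all assumptions chosen for the example.

```python
"""Toy model of a security/developer ticket bridge: collapse findings from
several scanners into one ticket per underlying issue, keep a link back to
each source finding, and run a propose/approve loop so that an action taken
on the developer side becomes a reviewable event on the security side.

Added illustration, not ArmorCode's code. Field names, the correlation key,
the SLA policy and the state machine are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

SEVERITY_ORDER = ["low", "medium", "high", "critical"]
SLA_DAYS = {"low": 90, "medium": 60, "high": 30, "critical": 7}  # assumed policy
PROPOSALS = {"false_positive", "accept_risk", "change_severity"}


@dataclass(frozen=True)
class Finding:
    tool: str        # scanner that produced the finding
    source_id: str   # id in that scanner
    rule: str        # normalized rule id, e.g. a CWE (assumed normalized upstream)
    asset: str       # repo or service
    location: str    # file or package inside the asset
    severity: str
    url: str         # deep link into the source tool (constructed)


def fingerprint(f: Finding) -> str:
    """Assumed correlation key: same rule at the same place in the same asset
    is one issue, whichever tool reported it."""
    return f"{f.rule}|{f.asset}|{f.location}"


@dataclass
class Ticket:
    key: str
    fingerprint: str
    opened: date
    findings: List[Finding] = field(default_factory=list)
    status: str = "open"
    pending: Optional[dict] = None  # proposal awaiting security review
    history: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Ticket severity is the worst severity any contributing finding carries.
        return max((f.severity for f in self.findings), key=SEVERITY_ORDER.index)

    @property
    def sla_due(self) -> date:
        return self.opened + timedelta(days=SLA_DAYS[self.severity])

    def source_links(self) -> List[str]:
        return [f.url for f in self.findings]


def correlate(findings: List[Finding], opened: date, prefix: str = "SEC") -> List[Ticket]:
    """Group findings into tickets by fingerprint, preserving first-seen order."""
    tickets: Dict[str, Ticket] = {}
    for f in findings:
        fp = fingerprint(f)
        if fp not in tickets:
            tickets[fp] = Ticket(key=f"{prefix}-{len(tickets) + 1}", fingerprint=fp, opened=opened)
        tickets[fp].findings.append(f)
    return list(tickets.values())


def propose(ticket: Ticket, kind: str, by: str, detail: str = "") -> None:
    """Developer-side action: record a proposal; it never changes status by itself."""
    if kind not in PROPOSALS:
        raise ValueError(f"unknown proposal {kind!r}")
    if ticket.pending is not None:
        raise RuntimeError(f"{ticket.key} already has a pending proposal")
    ticket.pending = {"kind": kind, "by": by, "detail": detail}
    ticket.history.append(f"{by} proposed {kind} {detail}".rstrip())


def review(ticket: Ticket, approve: bool, by: str) -> str:
    """Security-side action: approve or reject the pending proposal; returns new status."""
    if ticket.pending is None:
        raise RuntimeError(f"{ticket.key} has nothing to review")
    p, ticket.pending = ticket.pending, None
    if approve:
        ticket.status = p["kind"]
    ticket.history.append(f"{by} {'approved' if approve else 'rejected'} {p['kind']}")
    return ticket.status


# Constructed sample: two SAST tools flag the same injection, plus a separate XSS.
SAMPLE = [
    Finding("sast-a", "a-1041", "CWE-89", "shop-api", "api/orders.py", "high",
            "https://sast-a.example/findings/a-1041"),
    Finding("sast-b", "b-77", "CWE-89", "shop-api", "api/orders.py", "critical",
            "https://sast-b.example/issue/b-77"),
    Finding("sast-a", "a-1042", "CWE-79", "shop-web", "templates/cart.html", "medium",
            "https://sast-a.example/findings/a-1042"),
]


def build_sample_tickets() -> List[Ticket]:
    """Correlate the constructed sample as of a fixed date (two tickets, not three)."""
    return correlate(SAMPLE, opened=date(2024, 1, 10))


if __name__ == "__main__":
    sqli, xss = build_sample_tickets()
    propose(sqli, "false_positive", by="dev@example", detail="query is parameterized")
    print(sqli.key, sqli.severity, sqli.sla_due, review(sqli, approve=False, by="sec@example"))
    print(sqli.history, xss.key, xss.severity)
```

The point of the model is where the state lives: the developer's "this is a false positive" is recorded as a pending proposal attached to the ticket, and only the security-side `review` call changes `status`. A second proposal while one is pending is rejected, so neither side can silently overwrite the other's view.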
The smoothest way ever to make security part of developer workflows
With the Jira Application for ArmorCode, we have removed the friction from the remediation process by keeping security and development teams able to do their part of the process fully within their preferred tools and workflows. This improves developer experience, enables better collaboration, and reduces MTTR. Each step of the remediation process is faster, developers see fewer, more complete tickets for the most critical issues, and because the experience is aligned with their daily work, addressing security issues takes less time and effort than before.
If you are an existing ArmorCode user, the Jira Application automatically picks up your existing tickets, so moving to the application is seamless. If you are interested in seeing how ArmorCode can help you identify, prioritize, and remediate your most critical issues and make collaborating with developers straightforward, schedule a demo and see for yourself.