Friday 4 December 2015

JIRA Workflows for handling AppSec RISKS

Recently I have been acting as 'Head of Application Security' for a couple of UK companies, and one of my most effective actions has been to set up the JIRA workflow that you can see below.

The key to this workflow (and the secret of its success) is the action of getting the business owners to click on the 'Accept Risk' button.

That simple action makes the whole difference, since that is the moment that a particular RISK becomes REAL.

Now the responsibility/decision/liability of NOT fixing an issue is clearly mapped to an individual (which in some cases can even be the CTO).

Note that the definition of 'not fixing' should be 'will not be fixed in the next couple of weeks'.

Here is v1.0 of the workflow (for a Risk JIRA issue).

Once there are enough risks in the system, it's time to introduce v2.0.

In addition to the original 'Accept Risk' and 'Fix' statuses, this version also allows for revisiting the accepted risks and for ensuring that the fixes have regression tests (i.e. to detect if fixed vulnerabilities are re-introduced).
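As an added illustration (not the post's own JIRA configuration), the following Python model encodes the rules described above: 'Accept Risk' only works with a named owner, a fix that will not land within the couple-of-weeks window is routed to risk acceptance, and v2.0 adds a review interval for accepted risks plus a regression-test requirement before a fix is closed. The status names, the 14-day window, the 90-day review interval and the sample keys/owners are assumptions, not values from the post.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

FIX_WINDOW_DAYS = 14       # 'not fixing' = not fixed within the next couple of weeks
REVIEW_INTERVAL_DAYS = 90  # v2.0: how often an accepted risk is revisited (assumed)

def _day(iso: str) -> date:
    return date.fromisoformat(iso)  # dates are passed as ISO strings (YYYY-MM-DD)

@dataclass
class Risk:
    key: str                               # constructed key, e.g. "RISK-42"
    status: str = "Open"
    risk_owner: Optional[str] = None       # the person who clicked 'Accept Risk'
    accepted_on: Optional[date] = None
    regression_test: Optional[str] = None  # v2.0: test that catches re-introduction

    def allocate_for_fix(self, eta: str, today: str) -> None:
        # An ETA outside the window is 'not fixing': route it through accept_risk.
        if (_day(eta) - _day(today)).days > FIX_WINDOW_DAYS:
            raise ValueError(f"{self.key}: ETA beyond {FIX_WINDOW_DAYS} days, use accept_risk")
        self.status = "Allocated for Fix"

    def accept_risk(self, owner: Optional[str], today: str) -> None:
        # A real name is required: this is the moment the risk becomes real and owned.
        if not owner or not owner.strip():
            raise ValueError(f"{self.key}: 'Accept Risk' needs a named business owner")
        self.risk_owner, self.accepted_on = owner, _day(today)
        self.status = "Risk Accepted"

    def mark_fixed(self, regression_test: Optional[str]) -> None:
        # v2.0 rule: a fix is not closed without a regression test reference.
        if not regression_test:
            raise ValueError(f"{self.key}: a fix must reference a regression test")
        self.regression_test, self.status = regression_test, "Fixed"

def risks_due_for_review(risks, today: str):
    """v2.0: keys of accepted risks whose review interval has elapsed."""
    cutoff = _day(today) - timedelta(days=REVIEW_INTERVAL_DAYS)
    return [r.key for r in risks if r.status == "Risk Accepted" and r.accepted_on <= cutoff]

def accountability_report(risks):
    """Map each risk owner to the keys of the accepted risks they now own."""
    report = {}
    for r in (r for r in risks if r.status == "Risk Accepted"):
        report.setdefault(r.risk_owner, []).append(r.key)
    return report
```

Feeding this from a tracker export gives a per-owner list of open accepted risks and a list of those due for revisiting, which is exactly the conversation the 'Accept Risk' button is meant to force.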