Wednesday 2 March 2016

Updated JIRA RISK workflow (now with a 'Fixing' State)

As an improvement on the workflow I showed at JIRA Workflows for handling AppSec RISKS, here is a version that adds a 'Fixing' state between 'Allocated for Fix' and 'Test Fix'.

The reason for this change was to take into account projects (or components) that have a large number of open issues that are meant to be fixed (vs risks to be accepted).

Since we try to use a Kanban 'Work in Progress' model for the issues to fix (i.e. no more than 3 to 4 active items), this new state helps to keep a nice separation between the issues that:
  • need to be 'Risk Accepted' (i.e. there is no intention, or resources, to fix in the next couple of months)
  • have been reviewed and are 'Allocated for Fix'
  • are currently being worked on (i.e. in a 'Fixing' state)

Here is a diagram of the workflow (let me know what you think of it, or if you find any blind spots):

There are a number of direct transitions that are not shown in the screenshot above but make life easier when using this workflow every day (for example between 'Allocated for Fix' and 'Fixed', or between 'In Progress' and 'Fixing').

You can spot them in the image below (look for the lines that are in front of the state). At the bottom of the image you can also see all the transitions that exist in this workflow.

If you want the XML of this workflow, you can get it from here.