With every new evolution of technology, your organization needs another layer of security. However, security brings governance, which can be overwhelming for teams delivering projects. It often slows them down as they work through all of the compliance requirements that need to be in place for safe delivery.
Scorecards help delivery teams know what is expected of them upfront, meaning no rework at the end of a delivery cycle.
With scorecards, organizations can take control of the standards they put in place and make sure those are being met. That way, teams that work on governance can be confident they’re meeting all the requirements. With scorecards, the focus shifts towards the teams that need help, and the need for long meetings is effectively reduced.
Populated instance of Compass with software components
Snyk Enterprise plan
We’ll be creating a security scorecard using the Snyk data available after it is connected to Compass. In the end, you’ll have a security scorecard that tracks the number of open high and critical vulnerabilities for all the linked software components in your organisation.
If you’re new to Compass, we recommend reading up on some of our pages to get you familiar with it faster:
If we want to use Snyk data for our scorecards, we’ll need to ensure we have a Snyk Enterprise Plan. To install the Snyk app, follow these steps:
From the top bar navigation menu in Compass, select Apps.
Here you’ll find all the applications that can be added to Compass. Look for Snyk.
To install it, click on the Get App button.
Once you get the app, you need to configure it. Obtain the token for a service account associated with your Snyk group and enter it under Group API Key. Follow these steps to create a service account group. The Snyk group is necessary to enumerate all the organisations within it, allowing you to select and connect them to Compass. For the Snyk Group ID and where to find it, follow this documentation.
Find the organisations that you want to connect to the Compass site. You can connect up to 25 organisations.
You should see your organisation successfully added.
Upon completing the integration setup, Snyk will continuously sync security data with Compass, providing details about vulnerabilities in your component dependencies, container images, and more.
Once connected, the metrics "Open High Vulnerabilities" and "Open Critical Vulnerabilities" are automatically added to Compass. The integration associates these metrics with your components by identifying existing repository links in Compass, locating them in Snyk, and importing the relevant vulnerability counts.
Now that you have Snyk connected to Compass, we’re ready to start creating a security scorecard.
In the top navigation menu, select Health.
At the top right corner, click the grey Create scorecards button.
Enter the scorecard's name and description.
To select the owner of the scorecard, start typing the name and select the user from the dropdown list. An owner is someone who is responsible for the engineering standard tracked in the scorecard and can be the point of contact. In this example, it might be someone in your security team. Adding an owner is optional, but we recommend you add one.
You can choose to apply the scorecard manually or automatically. Manually applying it requires you to individually select each component you want the scorecard to apply to after you’ve created it. If you choose to apply it automatically, you must select at least one component type, which will then make the scorecard available for all components of the chosen type.
You can further refine how your scorecard is applied by adding additional filters. These filters allow you to specify whether the scorecard should be applied by component label, component tier level, or component team. Simply select the appropriate value from the dropdown menu that appears.
To remove a filter select the X button on the side marked below.
When you’re finished setting up the necessary filters, click Next.
Next, you need to set up the criteria. You must have at least one criterion. Choose a criterion from the list and assign a percentage that indicates its importance. Ensure that the total percentage for all criteria equals 100%.
There are two types of criteria you can choose from: fields and metrics. If you opt for a field as your criterion type, select the field you wish to measure from the dropdown menu. Similarly, if you select a metric as your criterion type, choose the metric from the dropdown, and also specify the operator and the value that will trigger the evaluation. Select Add Criterion to keep adding more. Choose the X button in case you need to remove any.
Finally, select Create. This will create your scorecard with all the behaviours you previously defined. It will also automatically display the statistics for all the components to which this scorecard applies.
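To make the criteria rules concrete, here is an added example in Python that models a security scorecard like the one built above: at least one criterion, weights that must total 100%, metric criteria with an operator and a threshold value, field criteria that pass when the field is populated, and automatic application filtered by component type, label, tier or team. This is illustrative code written for this article, not Compass's or Snyk's own implementation; the scoring rule (a component earns the weight of each criterion it meets) and the choice to treat a component with no synced metric as not meeting the bar are assumptions, and the component data is constructed.

```python
# Added example (not Compass's or Snyk's code): a toy model of scorecard
# evaluation. Scoring rule and missing-data handling are assumptions.
import operator
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Operators a metric criterion can use against its threshold value.
OPERATORS: Dict[str, Callable[[float, float], bool]] = {
    "<": operator.lt, "<=": operator.le, "=": operator.eq,
    ">": operator.gt, ">=": operator.ge,
}

@dataclass
class Criterion:
    kind: str                        # "field" or "metric"
    name: str                        # field name or metric name
    weight: int                      # percentage of the total score
    operator: Optional[str] = None   # metric criteria only
    value: Optional[float] = None    # metric criteria only

@dataclass
class Component:
    name: str
    component_type: str
    fields: Dict[str, object] = field(default_factory=dict)
    metrics: Dict[str, float] = field(default_factory=dict)
    labels: List[str] = field(default_factory=list)
    tier: Optional[int] = None
    team: Optional[str] = None

@dataclass
class Scorecard:
    name: str
    criteria: List[Criterion]
    component_type: Optional[str] = None   # None = applied manually, not by filter
    label: Optional[str] = None
    tier: Optional[int] = None
    team: Optional[str] = None

def validate_criteria(criteria: List[Criterion]) -> None:
    # At least one criterion, weights totalling 100%, operator+value on metrics.
    if not criteria:
        raise ValueError("a scorecard needs at least one criterion")
    total = sum(c.weight for c in criteria)
    if total != 100:
        raise ValueError(f"criteria weights total {total}%, expected 100%")
    for c in criteria:
        if c.kind == "metric" and (c.operator not in OPERATORS or c.value is None):
            raise ValueError(f"metric criterion {c.name!r} needs an operator and a value")

def applies_to(scorecard: Scorecard, component: Component) -> bool:
    # Automatic application: the type must match, plus any optional filters.
    if scorecard.component_type is None or component.component_type != scorecard.component_type:
        return False
    if scorecard.label is not None and scorecard.label not in component.labels:
        return False
    if scorecard.tier is not None and component.tier != scorecard.tier:
        return False
    return scorecard.team is None or component.team == scorecard.team

def criterion_met(criterion: Criterion, component: Component) -> bool:
    if criterion.kind == "field":
        return component.fields.get(criterion.name) not in (None, "")
    metric = component.metrics.get(criterion.name)
    if metric is None:
        return False  # assumption: no synced Snyk data counts as not meeting the bar
    return OPERATORS[criterion.operator](metric, criterion.value)

def score(scorecard: Scorecard, component: Component) -> int:
    # Assumed rule: a component earns the weight of each criterion it meets.
    return sum(c.weight for c in scorecard.criteria if criterion_met(c, component))

def evaluate(scorecard: Scorecard, components: List[Component]) -> Dict[str, int]:
    validate_criteria(scorecard.criteria)
    return {c.name: score(scorecard, c) for c in components if applies_to(scorecard, c)}

# Constructed sample scorecard and components for the walkthrough.
SECURITY_SCORECARD = Scorecard(
    name="Security", component_type="service",
    criteria=[
        Criterion("metric", "Open Critical Vulnerabilities", 50, "=", 0),
        Criterion("metric", "Open High Vulnerabilities", 30, "<=", 5),
        Criterion("field", "Owner", 20),
    ],
)
SAMPLE_COMPONENTS = [
    Component("payments-api", "service", {"Owner": "payments-team"},
              {"Open Critical Vulnerabilities": 0, "Open High Vulnerabilities": 2}),
    Component("web-frontend", "service", {"Owner": "web-team"},
              {"Open Critical Vulnerabilities": 0, "Open High Vulnerabilities": 9}),
    Component("legacy-batch", "service", {},
              {"Open Critical Vulnerabilities": 3, "Open High Vulnerabilities": 12}),
    Component("unscanned-job", "service", {"Owner": "data-team"}),  # no Snyk data yet
    Component("design-docs", "library", {"Owner": "docs-team"}),    # wrong type: excluded
]

if __name__ == "__main__":
    for name, pts in evaluate(SECURITY_SCORECARD, SAMPLE_COMPONENTS).items():
        print(f"{name}: {pts}%")
```

Running it scores `payments-api` at 100%, `web-frontend` at 70% (nine open high vulnerabilities fails the `<= 5` criterion), `legacy-batch` at 0% and `unscanned-job` at 20% (owner only, because it has no synced vulnerability counts); `design-docs` is skipped because its type does not match the scorecard's filter. The missing-metric case is worth deciding deliberately in a real rollout: a component that has never been scanned should not look as healthy as one that was scanned and found clean.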
Jovana Dunisijevic