AppSec management with Jira tickets

Asaf Eden January 24, 2021

Hi,

I'm trying to figure out if there's a convenient way to manage our security related issues across all of our company's teams (projects).

The ideal situation would be a centralised project/dashboard where all tickets are visible to me, and I can assign an issue to someone -> they would add the ticket to their team's backlog.

Eventually I want to have the visibility and tracking ability on all security related issues which are distributed across multiple projects.

The current situation is where I need to manually add an issue to a specific project, but I'd prefer to assign an issue to a person so they'll know better which project to add the ticket to.

I hope the explanation is clear enough to get some suggestions.

Thanks!


1 answer

0 votes
Nic Brough -Adaptavist-
Community Leader
January 24, 2021

To assign an issue to a person, you need "can assign issues" permission in the project.

How you would set this up is a good question.  It needs to match the way that you want to work.  Where should the issues go in order to be dealt with by the right person?  Having a project and then moving the issues out to other projects when you know sounds like it might work, but it has two massive problems - it means you don't have a centralised place to report, and, more importantly, moving issues is a monumental pain, being slow, clunky and error prone. 

A far better option would be to raise the issues directly in their target project and have a standard way of identifying them - an issue type of AppSec would be the ideal, but you could also use labels or have a dedicated custom field.  You can then build boards and reporting off "issue type = AppSec".

Asaf Eden January 24, 2021

Thanks @Nic Brough -Adaptavist- ,

The option you suggested is exactly what happens at the moment. The problem is that there are way too many projects and each with different settings, which makes the whole process very inconvenient. 

I would prefer to target a person (i.e. team leader) instead of a project, so they could put the ticket in their respective project (each team has multiple projects as well).

Can you think of another way perhaps?

Thanks

Nic Brough -Adaptavist-
Community Leader
January 25, 2021

You're trying to solve the problem that you've got a fragmented process and difficulties identifying just where work should be being done, let alone by whom.  In the face of that you can either try to fix it (standardise your processes, ensure your product owners / team leads understand it is part of their job to actively stay on top of AppSec stuff, etc), or you can try to engineer something

That's not something you can fix with the software, but I would recommend a solution where you keep the issues a bit closer to yourself.  If your organisation is not willing to fix the problems you've got there, then you'll have to run it yourself.  The best option here is probably the other one you came up with already.  Create the AppSec issues in your own project.  Where I'd move away from your solution is when you identify the team or person that needs to take responsibility for it.  By all means, assign the person or team leader in your project, but do not move the issue to their project. Once you know who they are, and which project it needs to be in, create a copy and link it back.  Ideally do a bit of automation so that your "single source of truth" project is updated if the "developers" update their end of the link.  This way, you have simple reporting, you can see if things are being done and go find what the developers are actually doing about it (or not doing) and bother product owners to get things in.  You can even use your project reporting to tell your organisation that there's a problem!
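One way to do the "keep the single source of truth updated" step from the answer above, as an added example that is not from this thread or from Atlassian: a Python script that walks the issue links of every issue in the central AppSec project and flags trackers whose team-project copies are out of step (finished by the developers but not closed centrally, or closed centrally while the copy is still open). It assumes the Jira Cloud REST API v3 search response shape (`fields.status.statusCategory.key` and `fields.issuelinks` with `inwardIssue`/`outwardIssue`); the project keys and sample data are constructed so the script runs offline.

```python
import json

# Constructed sample in the shape of a Jira Cloud REST API v3 search response
# (GET /rest/api/3/search?jql=project=APPSEC&fields=status,issuelinks).
# Project keys, link directions and statuses are made up for this example.
SAMPLE_SEARCH = json.loads("""{
  "issues": [
    {"key": "APPSEC-1", "fields": {"status": {"statusCategory": {"key": "indeterminate"}},
      "issuelinks": [{"type": {"name": "Cloners"},
        "outwardIssue": {"key": "PAY-42", "fields": {"status": {"statusCategory": {"key": "done"}}}}}]}},
    {"key": "APPSEC-2", "fields": {"status": {"statusCategory": {"key": "new"}}, "issuelinks": []}},
    {"key": "APPSEC-3", "fields": {"status": {"statusCategory": {"key": "indeterminate"}},
      "issuelinks": [{"type": {"name": "Cloners"},
        "inwardIssue": {"key": "WEB-7", "fields": {"status": {"statusCategory": {"key": "indeterminate"}}}}}]}},
    {"key": "APPSEC-4", "fields": {"status": {"statusCategory": {"key": "done"}},
      "issuelinks": [{"type": {"name": "Cloners"},
        "outwardIssue": {"key": "API-3", "fields": {"status": {"statusCategory": {"key": "indeterminate"}}}}}]}}
  ]
}""")

def linked_copies(issue):
    """Return (key, is_done) for every issue linked to this tracker issue.
    Jira puts the far end under 'outwardIssue' or 'inwardIssue' depending on link direction."""
    copies = []
    for link in issue["fields"].get("issuelinks", []):
        far = link.get("outwardIssue") or link.get("inwardIssue")
        if far:
            copies.append((far["key"], far["fields"]["status"]["statusCategory"]["key"] == "done"))
    return copies

def classify(issue):
    """Classify one central tracker issue relative to its copies in the team projects."""
    tracker_done = issue["fields"]["status"]["statusCategory"]["key"] == "done"
    copies = linked_copies(issue)
    if not copies:
        return "untriaged"        # no copy in any team project yet: nobody has picked it up
    if all(done for _, done in copies):
        return "closed" if tracker_done else "stale"   # stale: devs finished, tracker never updated
    if tracker_done:
        return "closed-early"     # tracker closed while a team copy is still open: verify the fix
    return "in-progress"

def reconcile(search_response):
    """Map each tracker key to its sync state; a nightly job or dashboard would report this."""
    return {i["key"]: classify(i) for i in search_response["issues"]}

if __name__ == "__main__":
    for key, state in reconcile(SAMPLE_SEARCH).items():
        print(f"{key}: {state}")
```

Replace `SAMPLE_SEARCH` with the live search response (an authenticated GET with the same `fields` parameter) to run it against a real site; the "stale" and "closed-early" states are the ones worth chasing.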
