In this session, you will learn how BNY Mellon is tackling the challenges of DevSecOps at scale by bringing static and dynamic source code scanning, audit and risk analysis tools into a single workflow built on Jira Software.
BNY Mellon’s reporting from multiple sources had become a time-consuming manual process. Jira Software demonstrated its ability to make reporting more efficient and became the solution for tracking the security aspects of the SDLC.
18. 18 Information Classification: Public
Scanning Tools Auto Issue Creation
Using any of the methods:
- Jira Plugin
- Back end Script
- Jira REST API
To achieve all the functionalities we integrated our Jira with multiple data sources:
- Application Information Source
- Scan Request System
- Due Date Calculation System
Standardize received data
✓ All fields are populated
✓ Right fields are populated
✓ Data in the scanning tool and data in Jira matches
✓ Run different models for data standardization and calculation according to user needs
✓ Recalculating severity based on CVSS, CWE ID, CVE ID
✓ Adding remediation data based on CWE ID & CVE ID
✓ Calculating remediation start date
✓ Calculating due date
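As an added example (not BNY Mellon's code; the deck shows none), a Python sketch of the auto-issue-creation and standardization steps above: findings from two constructed scanner formats are mapped to one schema, required fields are checked, severity is recalculated from the CVSS score, the remediation start and due dates are derived from an assumed SLA table, and the result is shaped as a Jira REST API create-issue body. The field maps, SLA days, priority names and project key are assumptions.

```python
from datetime import date, timedelta

# Constructed field maps: each scanner names the same data differently.
FIELD_MAPS = {
    "sast-tool": {"app_id": "appId", "title": "name", "cwe": "cweId", "cve": "cveId", "cvss": "cvssScore"},
    "dast-tool": {"app_id": "application", "title": "alert", "cwe": "cwe", "cve": "cve", "cvss": "cvss"},
}
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180, "None": 365}  # assumed SLA policy
# Jira's default priority scheme (Highest..Lowest); adjust if the instance uses custom names.
PRIORITY = {"Critical": "Highest", "High": "High", "Medium": "Medium", "Low": "Low", "None": "Lowest"}
REQUIRED = ("app_id", "title", "cwe", "cvss")

def normalize(tool, raw):
    """Rename tool-specific fields to the common schema and tag the source tool."""
    common = {key: raw.get(src) for key, src in FIELD_MAPS[tool].items()}
    common["tool"] = tool
    return common

def severity_from_cvss(score):
    """Map a CVSS v3 base score to its standard qualitative rating."""
    for floor, name in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")):
        if score >= floor:
            return name
    return "None"

def standardize(finding, today):
    """Required-field check, severity recalculation and date calculation.
    Raises ValueError so incomplete data never becomes a Jira issue."""
    missing = [f for f in REQUIRED if finding.get(f) in (None, "")]
    if missing:
        raise ValueError(f"finding missing required fields: {missing}")
    sev = severity_from_cvss(float(finding["cvss"]))
    start = date.fromisoformat(today)              # remediation clock starts at issue creation
    due = start + timedelta(days=SLA_DAYS[sev])
    return {**finding, "severity": sev, "start": start.isoformat(), "due": due.isoformat()}

def to_jira_payload(std, project_key="APPSEC"):
    """JSON body for Jira's create-issue endpoint (POST /rest/api/2/issue)."""
    return {"fields": {
        "project": {"key": project_key},
        "issuetype": {"name": "Bug"},
        "summary": f"[{std['severity']}] {std['title']} ({std['app_id']})",
        "description": f"CWE: {std['cwe']}\nCVE: {std.get('cve') or 'n/a'}\nCVSS: {std['cvss']}\nSource: {std['tool']}",
        "priority": {"name": PRIORITY[std["severity"]]},
        "duedate": std["due"],
        "labels": [std["tool"], std["cwe"]],
    }}
```

The payload is what a back end script would POST to Jira; the validation step is what keeps a finding with no CVSS or CWE from silently landing in the App Dev queue.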
BNY Jira structure
AS = App Sec Jira
AD = App Dev Jira
- Jira 1: AS
- Jira 2: AD
- Jira 3: AD
- Jira 4: AD
- Jira 5: AD
Full Architecture
- Scanning Tools / Applications: list of vulnerabilities pushed/pulled into Jira
- App Sec Jira: standardization task
- Connect to external systems for different parameters: Information System, Scan Request System, Due Date Calculation System
- Data validation and required fields check
- Push to other systems for analytics
- App Dev Jira
One Stop Shop For ALL
App Dev Team: they do not need to go to different tools to get vulnerability information, and they save the effort of learning a new tool.
Workflow: both teams can collaborate on the same Jira issue, saving the time otherwise spent going back and forth.
App Sec Team: the new workflow enables the App Sec team to accept or reject false-positive findings.
Time saved on generating & communicating report
(50 × 2) = 100 hours per day
(50 × 2) × 22 = 2,200 hours per month
(50 × 2) × 262 = 26,200 hours per year
Factors: number of hours spent, number of security analysts
* via Bloomberg/Payscale/IMG
Summary
• DevSecOps is the new unicorn that everyone wants to ride
• Enables shift left
• Jira Software integration with DevSecOps
• Build a workflow to simplify the remediation process
• Reduces administrative work
• Satisfies regulator/auditor needs
• Full traceability
• Facilitates ease of access
• Security becomes cheaper and more efficient when using DevSecOps