Enable DevSecOps using Jira Software
Saurabh Gupta, DevOps Solution Engineer
Mostofa Rahman, Head of Developer Efficiency Group
March 02, 2019
2 Information Classification: Public
Everyone is responsible for security
Slide 3: Developer, Operation, Security
Slide 4: Application Security
Slide 5: Security Scanning
Scanning:
- SQL Injection
- Insufficient Input Validation
- Information Leakage
- Code Quality
- Cryptographic Issues
- CRLF Injection
- Cross Site Scripting
- Access Control
- Missing Authentication
- Privilege Escalation
- HTTP Verb Tampering
Open Source Component Scanning
Slide 6: Plan, Develop, Build, Test, Release, Deploy, Operate (Continuous Integration, Continuous Delivery)
Slide 7: [figure] Effect of scan frequency on flaw persistence analysis (State of Software Security, Vol. 9)
Slide 8: 2017 EMA report
A 2017 EMA report found the top two benefits:
- better ROI
- improved operational efficiencies
Slide 9: Security Considerations
Slides 10-12: Application Security
- Takes Time
- Adds Cost
- Reduces Innovation
Slide 13: Automation Opportunity
Slide 14: Semi-Automated Process
Slide 15: Why Jira
Slide 16: Solution Implementation: What we did
Slide 17: Integrated multiple scanning tools with Jira
Slide 18: Scanning Tools -> Auto Issue Creation
Using any of the methods:
- Jira Plugin
- Back-end Script
- Jira REST API
Slide 19: To achieve all the functionalities we integrated our Jira with multiple data sources:
- Application Information Source
- Scan Request System
- Due Date Calculation System
Slide 20: Standardize received data
- All fields are populated
- Right fields are populated
- Data in the scanning tool and data in Jira matches
- Run different models for data standardization and calculation according to user needs
Slide 21: Standardize received data
- Recalculating severity based on CVSS, CWE ID, CVE ID
- Adding remediation data based on CWE ID & CVE ID
- Calculating remediation start date
- Calculating due date
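The following is an added example, not code from the deck or from BNY Mellon, showing one way to implement the standardization steps of slides 20 and 21 (required-field check, severity recalculation from CVSS and CWE, remediation data, start and due dates) and to turn the result into the request body for auto issue creation through the Jira REST API (slide 18). The scanner field names, the per-CWE severity floors, the remediation hints, the SLA days, the project key and the sample findings are all assumptions constructed for the illustration; only the CVSS v3.x qualitative rating scale and the Jira issue field names are standard.

```python
"""Added illustration (not the deck's code): standardize scanner findings and
build a Jira REST API issue body from them. Scanner field names, severity
floors per CWE, remediation hints, SLA days and the project key are assumed."""
import hashlib
from datetime import date, timedelta

# Common schema every finding must satisfy before it reaches Jira (slide 20).
REQUIRED = ("tool", "app_id", "title", "cwe_id", "cvss_score", "location", "found_on")

SEVERITY_RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
# Assumed policy: minimum severity per weakness class, applied over the CVSS rating.
CWE_SEVERITY_FLOOR = {"CWE-89": "High", "CWE-287": "High", "CWE-79": "Medium"}
# Assumed remediation hints keyed by CWE ID (slide 21: "adding remediation data").
REMEDIATION = {
    "CWE-89": "Use parameterized queries; never build SQL from string concatenation.",
    "CWE-79": "Apply context-aware output encoding and a Content-Security-Policy.",
    "CWE-287": "Enforce authentication on the endpoint via the shared auth middleware.",
}
# Assumed remediation SLA in calendar days per severity (slide 21: "calculating due date").
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 60, "Low": 90, "None": 180}
# Jira's default priority names; adjust to the instance's priority scheme.
JIRA_PRIORITY = {"Critical": "Highest", "High": "High", "Medium": "Medium",
                 "Low": "Low", "None": "Lowest"}

# Constructed sample findings from two hypothetical scanners with different field names.
SAMPLE_RAW = [
    ("sast-tool", {"application": "APP-1234", "name": "SQL injection in search",
                   "cwe": "CWE-89", "cvss": 6.5, "file": "src/search.py:42",
                   "scan_date": "2019-03-02"}),
    ("sca-tool", {"app": "APP-1234", "summary": "Vulnerable dependency",
                  "cwe_id": "CWE-502", "cve_id": "CVE-XXXX-PLACEHOLDER",  # placeholder, not a real ID
                  "score": 9.8, "component": "somelib@1.2.3", "reported": "2019-03-02"}),
]


def cvss_rating(score: float) -> str:
    """CVSS v3.x qualitative severity rating scale."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def normalize(tool: str, raw: dict) -> dict:
    """Map a tool-specific record onto the common schema and reject incomplete ones."""
    if tool == "sast-tool":
        f = {"app_id": raw.get("application"), "title": raw.get("name"),
             "cwe_id": raw.get("cwe"), "cvss_score": raw.get("cvss"), "cve_id": None,
             "location": raw.get("file"), "found_on": raw.get("scan_date")}
    elif tool == "sca-tool":
        f = {"app_id": raw.get("app"), "title": raw.get("summary"),
             "cwe_id": raw.get("cwe_id"), "cvss_score": raw.get("score"),
             "cve_id": raw.get("cve_id"), "location": raw.get("component"),
             "found_on": raw.get("reported")}
    else:
        raise ValueError(f"no field mapping for tool {tool!r}")
    f["tool"] = tool
    missing = [k for k in REQUIRED if f.get(k) in (None, "")]
    if missing:  # fail loudly rather than file a half-empty issue
        raise ValueError(f"{tool} finding missing required fields: {missing}")
    return f


def standardize(f: dict) -> dict:
    """Recalculate severity, attach remediation data, compute start and due dates."""
    severity = cvss_rating(float(f["cvss_score"]))
    floor = CWE_SEVERITY_FLOOR.get(f["cwe_id"])
    if floor and SEVERITY_RANK[floor] > SEVERITY_RANK[severity]:
        severity = floor
    start = date.fromisoformat(f["found_on"])  # remediation clock starts at the scan date
    key = "|".join([f["tool"], f["app_id"], f["cwe_id"], f["location"]])
    return {**f,
            "severity": severity,
            "remediation": REMEDIATION.get(f["cwe_id"], "See the CWE entry for guidance."),
            "remediation_start": start.isoformat(),
            "due_date": (start + timedelta(days=SLA_DAYS[severity])).isoformat(),
            # Stable fingerprint so a re-scan updates the existing issue instead of duplicating it.
            "fingerprint": hashlib.sha256(key.encode()).hexdigest()[:16]}


def jira_issue_payload(f: dict, project_key: str = "APPSEC", issue_type: str = "Bug") -> dict:
    """Request body for POST /rest/api/2/issue (Jira REST API); project key is assumed."""
    desc = (f"Tool: {f['tool']}\nApplication: {f['app_id']}\nLocation: {f['location']}\n"
            f"CWE: {f['cwe_id']}  CVE: {f['cve_id'] or 'n/a'}  CVSS: {f['cvss_score']}\n"
            f"Remediation start: {f['remediation_start']}\n\nRemediation: {f['remediation']}")
    return {"fields": {
        "project": {"key": project_key},
        "summary": f"[{f['severity']}] {f['title']} ({f['app_id']})",
        "description": desc,
        "issuetype": {"name": issue_type},
        "priority": {"name": JIRA_PRIORITY[f["severity"]]},
        "duedate": f["due_date"],
        "labels": [f["cwe_id"], f["app_id"], f["tool"], f"fp-{f['fingerprint']}"],
    }}


def process_all(raw_findings=SAMPLE_RAW) -> list:
    """Full path for a batch: normalize -> standardize -> Jira payload."""
    return [jira_issue_payload(standardize(normalize(tool, raw))) for tool, raw in raw_findings]


if __name__ == "__main__":
    import json
    print(json.dumps(process_all(), indent=2))
```

The fingerprint label is what lets a scheduled re-scan be matched against issues already in the App Sec Jira (search on the label before creating) rather than opening a duplicate, which is the "data in the scanning tool and data in Jira matches" check from slide 20 expressed as a stable key.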
Slide 22: BNY Jira structure
AS = App Sec Jira, AD = App Dev Jira
Jira 1 (AS), Jira 2 (AD), Jira 3 (AD), Jira 4 (AD), Jira 5 (AD)
Slide 23: Workflow
Slide 24: Jira & Beyond
Slide 25: Full Architecture
- Scanning Tools scan Applications and produce a List of Vulnerabilities, pushed/pulled into Jira
- Standardization task in App Sec Jira connects to external systems for different parameters: Information System, Scan Request System, Due Date Calculation System
- Data Validation and Required fields check
- Push to other systems for analytics
- App Dev Jira
Slides 26-31: Challenges Faced
- API Limitations
- Clean Ups
- Collaboration
- Scope Changes
- Infrastructure
Slide 32: Benefits
Slide 33: Security Analyst Responsibilities
Before:
• Scan Applications
• Suggest remediation
• Generate reports
• Communicate reports
After:
• Scan Applications
• Suggest remediation
Slide 34: Regulatory
Slide 35: One Stop Shop For ALL
App Dev Team: They do not need to go to different tools to get vulnerability information. This also saves the effort of learning a new tool.
Workflow: Both teams can collaborate on the same Jira issue, saving time otherwise spent on back and forth.
App Sec Team: The new workflow enables the App Sec team to accept/reject false positive findings.
Slides 36-38: Time saved on generating & communicating reports
- (50 X 2) = 100 hours per day
- (50 X 2) X 22 = 2,200 hours per month
- (50 X 2) X 262 = 26,200 hours per year
Factors: number of hours spent, number of Security Analysts (* via Bloomberg/Payscale/IMG)
Slide 39: 25% of Effort Saved
Slide 40: Summary & Takeaways
Slide 41: Summary
• DevSecOps is the new unicorn, which everyone wants to ride
• Enables shift left
• Jira Software integration with DevSecOps
• Build a workflow to simplify the remediation process
• Reduces administrative work
• Satisfies regulator/auditor needs
• Full traceability
• Facilitates ease of access
• Security becomes cheaper and more efficient when using DevSecOps
Slide 42: Disclosure
BNY Mellon is the corporate brand of The Bank of New York Mellon Corporation and may be used as a generic term to reference the corporation as a whole and/or its various subsidiaries generally. Products and services may be provided under various brand names in various countries by duly authorized and regulated subsidiaries, affiliates, and joint ventures of The Bank of New York Mellon Corporation. Not all products and services are offered in all countries.
BNY Mellon will not be responsible for updating any information contained within this material and opinions and information contained herein are subject to change without notice.
BNY Mellon assumes no direct or consequential liability for any errors in or reliance upon this material. This material may not be reproduced or disseminated in any form without the express prior written permission of BNY Mellon.
©2019 The Bank of New York Mellon Corporation. All rights reserved.
