The Jira integration embeds contextual micro-learning on application security topics directly into Jira issues so developers can get relevant training when they need it most - while they're working to resolve security issues.
How does it work?
The plugin sits in the background watching for references to industry-standard security weakness taxonomies, like Common Weakness Enumeration (CWE) and Open Web Application Security Project Top 10 (OWASP Top 10) within Jira issues. The plugin currently searches for these identifiers in the issue title, description, and labels.
Note: As a fallback, the plugin will also search for a set of common vulnerability names and phrases in the issue title and description.
If the plugin detects one of these references (e.g. CWE 89, OWASP Top 10 A1) or a phrase (e.g. "SQL injection", "use-after-free", or "Forceful browsing"), the developer can use the Secure Code Warrior® learning panel on the ticket to learn more about the specific vulnerability by watching a video (if available) or doing a training exercise within the platform.
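The two-pass detection order described above (taxonomy identifiers in the summary, description and labels first, then the phrase fallback over the summary and description only), shown as an added Python illustration that is not the plugin's own code; the regexes, the phrase table and the issue field names are assumptions.

```python
import re

# Constructed sample of the phrase-fallback table (the plugin's real list is not on this page).
# Keys are matched case-insensitively; values are the CWE the learning panel would map to.
FALLBACK_PHRASES = {
    "sql injection": "CWE-89",
    "use-after-free": "CWE-416",
    "forceful browsing": "CWE-425",
}

# "CWE 89", "CWE-89", "cwe89" -> CWE-89
CWE_RE = re.compile(r"\bCWE[-\s]?(\d{1,5})\b", re.IGNORECASE)
# "OWASP Top 10 A1", "OWASP A03:2021" -> OWASP-A1, OWASP-A3
OWASP_RE = re.compile(r"\bOWASP(?:\s+Top\s*10)?\s+A(\d{1,2})(?::\d{4})?\b", re.IGNORECASE)


def find_references(issue):
    """Pass 1: taxonomy identifiers in summary, description and labels."""
    fields = [issue.get("summary", ""), issue.get("description", "")]
    fields += list(issue.get("labels", []))
    found = []
    for text in fields:
        found += [f"CWE-{int(m.group(1))}" for m in CWE_RE.finditer(text)]
        found += [f"OWASP-A{int(m.group(1))}" for m in OWASP_RE.finditer(text)]
    return list(dict.fromkeys(found))  # de-duplicate, keep first-seen order


def find_phrases(issue):
    """Pass 2 (fallback): known phrases in summary and description only, not labels."""
    text = f"{issue.get('summary', '')}\n{issue.get('description', '')}".lower()
    return [cwe for phrase, cwe in FALLBACK_PHRASES.items() if phrase in text]


def detect(issue):
    """Apply the two passes in the order the plugin uses and report which one matched."""
    refs = find_references(issue)
    if refs:
        return {"source": "taxonomy", "refs": refs}
    phrases = find_phrases(issue)
    if phrases:
        return {"source": "phrase", "refs": phrases}
    return {"source": None, "refs": []}


if __name__ == "__main__":
    # Constructed Jira issue fields, not real ticket data.
    sample = {"summary": "Login bypass", "description": "Scanner flagged OWASP Top 10 A1 and cwe 79",
              "labels": ["security"]}
    print(detect(sample))  # {'source': 'taxonomy', 'refs': ['CWE-79', 'OWASP-A1']}
```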
If the user has logged into the training platform before but their session has expired, they will be prompted to log back in.
Tip: For logged-in users, all training activity will be counted toward their overall training metrics.
Step 1
From the Jira Settings, click Manage Apps then select the Secure Code Warrior for Jira app and click Configure.
Step 2
Select a project to enable the integration for and toggle to Enabled.
Step 3
The integration will automatically attempt to locate CWE and OWASP Top 10 vulnerability references in the issue labels, summary, and description. If it's unable to find any of these references, it will search for common vulnerability names and phrases within the issue summary and description.
Step 4
Select the default Language:Framework for the project and then click Save. You can also select other projects to configure them as well. Each project has its own configuration and can be enabled separately.
Optional Step 1
You can specify an additional custom field to search for security references. This can be useful if you have processes or tooling that adds these references into a custom field instead of a standard Jira issue field such as the description or labels.
Optional Step 2
If there are multiple languages or frameworks for the project, the default language and framework can be overridden at an issue level by enabling visibility of the Secure Code Warrior language and framework field as follows:
Click Associate the SCW Language/Framework with screens to select which screens to display it on.
Click Update.