The Jira integration embeds contextual micro-learning on application security topics directly into Jira issues so developers can get relevant training when they need it most - while they're working to resolve security issues.
How does it work?
The plugin sits in the background watching for references to industry-standard security weakness taxonomies, like Common Weakness Enumeration (CWE) and Open Web Application Security Project Top 10 (OWASP Top 10), within Jira issues. The plugin currently searches for these identifiers in the issue title, description, and labels.
Note: As a fallback, the plugin will also search for a set of common vulnerability names and phrases in the issue title and description.
If the plugin detects one of these references (e.g. CWE 89, OWASP Top 10 A1) or a phrase (e.g. "SQL injection", "use-after-free", or "Forceful browsing"), the developer can use the Secure Code Warrior® learning panel on the ticket to learn more about the specific vulnerability by watching a video (if available) or doing a training exercise within the platform.
If the user has logged into the training platform before but their session has expired, they will be prompted to log back in.
Tip: For logged-in users, all training activity will be counted toward their overall training metrics.
From the Jira Settings, click Manage Apps then select the Secure Code Warrior for Jira app and click Configure.
Individual Project Configuration
From the drop-down list, select the project you want to enable the integration for, then switch the Enabled toggle to On.
If you are unsure what language and framework to select, we recommend you use Pseudocode::Basic. Developers will be able to select the language and framework they are interested in later and the learning platform will remember their selection.
Click Save to store the settings for the selected project. You can configure each project independently by switching projects using the drop-down list - just remember to click Save before switching projects.
You can also enable the integration globally for all projects by toggling the Configure all projects globally option and then switching the Enabled setting to On.
This will apply the same settings to all projects.
The integration will automatically attempt to locate CWE and OWASP Top 10 vulnerability references in the issue labels, summary, and description. If it's unable to find any of these references, it will search for common vulnerability names and phrases within the issue summary and description.
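The search order described above can be sketched as follows, which is useful for checking whether the tickets your scanners create will be picked up. This is an added example, not the plugin's own code: the regular expressions, the `find_references` name and the phrase list (seeded with the three phrases quoted earlier) are assumptions, since the page does not document the exact matching rules.

```python
import re

# Assumed identifier patterns; the plugin's real rules are not documented here.
CWE_RE = re.compile(r"\bCWE[\s\-_:]*(\d{1,4})\b", re.IGNORECASE)
OWASP_RE = re.compile(
    r"\bOWASP(?:[\s\-_]*Top[\s\-_]*(?:10|Ten))?[\s\-_:]*(A\d{1,2})\b",
    re.IGNORECASE,
)
# Constructed phrase list, seeded with the phrases the page quotes.
PHRASES = ("sql injection", "use-after-free", "forceful browsing")


def find_references(summary, description="", labels=()):
    """Return (kind, value) pairs following the documented search order."""
    # Step 1: identifiers are searched in summary, description AND labels.
    id_text = "\n".join([summary, description, *labels])
    refs = []
    for m in CWE_RE.finditer(id_text):
        # Normalise "CWE 89", "cwe-089", "CWE:89" to one canonical form.
        refs.append(("cwe", "CWE-%d" % int(m.group(1))))
    for m in OWASP_RE.finditer(id_text):
        refs.append(("owasp", m.group(1).upper()))
    if refs:
        return list(dict.fromkeys(refs))  # de-duplicate, keep first-seen order
    # Step 2 (fallback): phrases, in summary and description only, no labels.
    phrase_text = (summary + "\n" + description).lower()
    return [("phrase", p) for p in PHRASES if p in phrase_text]


if __name__ == "__main__":
    # Constructed sample issues: (summary, description, labels).
    samples = [
        ("Fix CWE 89 in login form", "", []),
        ("Scanner finding", "Category: OWASP Top 10 A1", ["cwe-089"]),
        ("Possible SQL Injection in search", "", []),
        ("Crash in parser", "", ["use-after-free"]),  # phrase only in a label
    ]
    for summary, description, labels in samples:
        print(summary, "->", find_references(summary, description, labels))
```

The last sample returns nothing: a vulnerability name that appears only in a label is not covered by the fallback, so tooling that tags issues by label should write a CWE or OWASP identifier rather than a phrase.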
Optional Step 1
You can specify an additional custom field to search for security references. This can be useful if you have processes or tooling that adds these references into a custom field instead of a standard Jira issue field such as the description or labels.