The Jira integration embeds contextual micro-learning on application security topics directly into Jira issues so developers can get relevant training when they need it most: while they're working to resolve security issues.
How does it work?
The plugin sits in the background watching for references to industry-standard security weakness taxonomies, like Common Weakness Enumeration (CWE) and Open Web Application Security Project Top 10 (OWASP Top 10), within Jira issues. The plugin currently searches for these identifiers in the issue title, description, and labels.
Note: As a fallback, the plugin will also search for a set of common vulnerability names and phrases in the issue title and description.
If the plugin detects one of these references (e.g. CWE 89, OWASP Top 10 A1) or a phrase (e.g. "SQL injection", "use-after-free", or "Forceful browsing"), the developer can leverage the Secure Code Warrior® learning panel on the ticket to learn more about the specific vulnerability by watching a video (if available) or doing a training exercise within the platform.
Tip: For logged-in users, all training activity will be counted toward their overall training metrics.
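The matching behaviour described above, sketched as an added example (this is not the plugin's code). The regular expressions, the phrase list, the issue dictionary layout and the custom_field parameter are assumptions made for illustration; the plugin's actual rules are not given on this page.

```python
import re

# Assumed identifier patterns, modelled on the page's examples "CWE 89" and "OWASP Top 10 A1".
CWE_RE = re.compile(r"\bCWE[\s_-]?(\d{1,4})\b", re.IGNORECASE)
OWASP_RE = re.compile(r"\bOWASP(?:[\s_-]+Top[\s_-]*10)?[\s_:-]+(A\d{1,2})\b", re.IGNORECASE)
# Fallback phrases quoted on the page (a subset, not the plugin's full list).
PHRASES = ("sql injection", "use-after-free", "forceful browsing")


def find_references(issue, custom_field=None):
    """Return sorted weakness references found in a Jira-like issue dict."""
    title = issue.get("title", "")
    description = issue.get("description", "")
    # Identifiers are searched in title, description and labels,
    # plus one optional custom field (hypothetical parameter name).
    fields = [title, description, *issue.get("labels", [])]
    if custom_field:
        fields.append(issue.get(custom_field) or "")
    refs = set()
    for text in fields:
        refs.update(f"CWE-{int(n)}" for n in CWE_RE.findall(text))
        refs.update(f"OWASP-{a.upper()}" for a in OWASP_RE.findall(text))
    if refs:
        return sorted(refs)
    # Fallback: phrases are matched in title and description only, never labels.
    prose = f"{title} {description}".lower()
    return sorted(f"phrase:{p}" for p in PHRASES if p in prose)


# Constructed sample issues (not real tickets).
SAMPLES = [
    {"title": "Login query built by string concat",
     "description": "Scanner flagged CWE 89 in auth module",
     "labels": ["owasp-top10-a1"]},
    {"title": "Possible SQL injection in search", "description": "", "labels": []},
    {"title": "Crash on logout", "description": "see logs", "labels": ["use-after-free"]},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["title"], "->", find_references(sample))
```

The third sample returns nothing because its only hint is a phrase in a label, which the fallback described above does not search; putting the identifier (for example a CWE number) in the label, or the phrase in the title or description, would make it detectable.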
As a Jira Administrator, from the Administration Menu, select Manage Apps and click Configure or Configuration.
Select the Project containing vulnerabilities where you'd like to apply micro-learning and toggle Enabled.
Select the default programming language and framework to be used if one isn't specified on an individual issue.
Click Save. You can also select other projects to configure them as well. Each project has its own configuration and can be enabled separately.
Optional Step 1
You can specify an additional custom field to search for security references. This can be useful if you have processes or tooling that adds these references into a custom field instead of a standard Jira issue field such as the description or labels.
Optional Step 2
If there are multiple languages or frameworks for the project, the default language and framework can be overridden at the issue level by enabling visibility of the Secure Code Warrior Language/Framework field as follows.
Click Associate the Secure Code Warrior Language/Framework with screens to select which screens to display.