The Jira integration embeds contextual micro-learning on application security topics directly into Jira issues so developers can get relevant training when they need it most - while they're working to resolve security issues.
How does it work?
The plugin sits in the background watching for references to industry-standard security weakness taxonomies, like Common Weakness Enumeration (CWE) and Open Web Application Security Project Top 10 (OWASP Top 10) within Jira issues. The plugin currently searches for these identifiers in the issue title, description, and labels.
There is also an optional configuration setting to include custom fields in the search. This is useful if your processes or tooling add these references to a custom field rather than to a standard Jira issue field such as the description or labels.
Note: As a fallback, the plugin will also search for a set of common vulnerability names and phrases in the issue title and description.
If the plugin detects one of these references (e.g. CWE 89, OWASP Top 10 A1) or a phrase (e.g. "SQL injection", "use-after-free", or "forceful browsing"), the developer can leverage the Secure Code Warrior® learning panel on the ticket to learn more about the specific vulnerability by watching a video (if available) or doing a training exercise within the platform.
Tip: For logged-in users, all training activity will be counted toward their overall Training metrics.
As a Jira Administrator, from the Administration Menu, select Manage Apps, select the Secure Code Warrior for Jira app and click Configure. Alternatively, you can select Configuration in the left navigation bar.
Individual Project Configuration
Select the project you want to enable the integration for from the drop-down list and switch the Enabled toggle to On.
Select any custom fields that you would also like searched for vulnerability references or names (optional) and then click Save to store the settings for the selected project. You can configure each project independently by switching projects using the drop-down list - just remember to click Save before switching projects.
You can also enable the integration globally for all projects by toggling the Configure all projects globally option and then switching the Enabled setting to On.
Select any custom fields that you would also like searched for vulnerability references or names (optional) and then click Save to enable this for all projects. This will apply the same custom fields setting to all projects.
You can optionally register your installation using a tenant ID that you can create from within the Secure Code Warrior portal. This will link this installation to your Secure Code Warrior company account and will enable some future features such as engagement reporting and greater customisation.
The integration will automatically attempt to locate CWE and OWASP Top 10 vulnerability references in the issue labels, summary, description, and any configured custom fields. If it's unable to find any of these references, it will search for common vulnerability names and phrases within these same areas.
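As an added example (not the plugin's own code), the following Python sketches the detection order described above: an identifier search across summary, description, labels and any configured custom fields, with the phrase search used only when no CWE or OWASP Top 10 reference is found. The regular expressions, the phrase list and the customfield_10042 field name are assumptions, and the sample issues are constructed.

```python
import re

# Fields the page says are searched: issue title (summary), description, labels,
# plus any custom fields the administrator selected for the project.
STANDARD_FIELDS = ("summary", "description")

# Assumed identifier patterns: "CWE-89", "CWE 89", "CWE89";
# "OWASP Top 10 A1", "OWASP A03:2021", or a bare year-qualified "A03:2021".
# A bare "A1" without OWASP context is deliberately ignored to avoid false hits.
CWE_RE = re.compile(r"\bCWE[-\s]?(\d{1,4})\b", re.IGNORECASE)
OWASP_CTX_RE = re.compile(r"\bOWASP(?:\s+Top\s*10)?[\s:-]*A(\d{1,2})(?::\d{4})?\b", re.IGNORECASE)
OWASP_YEAR_RE = re.compile(r"\bA(\d{2}):20\d{2}\b")

# Assumed fallback vocabulary; the page names these three phrases as examples.
FALLBACK_PHRASES = ("sql injection", "use-after-free", "forceful browsing")


def searchable_text(issue, custom_fields=()):
    """Concatenate every field the plugin searches under a given project configuration."""
    parts = [str(issue.get(f, "")) for f in STANDARD_FIELDS]
    parts.extend(str(label) for label in issue.get("labels", []))
    parts.extend(str(issue.get(f, "")) for f in custom_fields)
    return " ".join(parts)


def detect_references(issue, custom_fields=()):
    """Return the weakness references found in an issue, in the plugin's order:
    CWE / OWASP identifiers first, common vulnerability phrases only as a fallback."""
    text = searchable_text(issue, custom_fields)
    cwes = sorted({f"CWE-{int(n)}" for n in CWE_RE.findall(text)})
    owasp_ids = {int(n) for n in OWASP_CTX_RE.findall(text)}
    owasp_ids |= {int(n) for n in OWASP_YEAR_RE.findall(text)}
    owasp = [f"A{n}" for n in sorted(owasp_ids)]
    if cwes or owasp:
        return {"matched_by": "identifier", "cwe": cwes, "owasp": owasp, "phrases": []}
    lowered = text.lower()
    phrases = [p for p in FALLBACK_PHRASES if p in lowered]
    return {"matched_by": "phrase" if phrases else None, "cwe": [], "owasp": [], "phrases": phrases}


# Constructed sample issues (not real tickets) covering each detection path.
SAMPLE_ISSUES = {
    "by_label": {"summary": "Login bypass", "description": "Found by scanner.",
                 "labels": ["security", "A03:2021"]},
    "by_custom_field": {"summary": "Scanner finding", "description": "",
                        "labels": [], "customfield_10042": "CWE 89"},
    "by_phrase": {"summary": "Crash in parser", "description": "Looks like a use-after-free.",
                  "labels": []},
}
```

The by_custom_field sample only matches when "customfield_10042" is passed in custom_fields, mirroring the per-project setting described above.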