SecDevOps is all about pushing security left with tools that automate the integration between security and DevOps teams working in an agile environment. Ideally, that left-shift will go as far as integrating security considerations into the architect’s whiteboarding stage. Implementing this left-shift with ThreatModeler is rather easy. ThreatModeler’s diagramming canvas works from an architectural perspective, allowing the creation of a detailed threat model as a result of the architectural whiteboarding process. With the specific potential threats for the upcoming DevOps project identified along with the mitigating security controls, the next step is to automatically integrate these outputs into the developers’ existing agile workflow and toolset. This is accomplished through the ThreatModeler JIRA plugin.
The ThreatModeler JIRA Plugin Implements DevSecOps
Organizational risk rises or falls with an organization’s effectiveness at securing new DevOps projects. Many studies have demonstrated that not only is it more effective from a security perspective to design security into projects, but initial secure coding is also far more cost effective than mitigation after scanning and testing. The effectiveness and efficiency of secure initial coding become increasingly apparent at the scale of hundreds or even thousands of new projects annually, each with a multitude of sprints and iterations.
While security teams work under the mandate of reducing organizational risk, agile DevOps teams march to a different set of orders. Their mandate is to create functional products, in the shortest time possible, that satisfy the given business requirements. Under this paradigm, security is often relegated to “bolt it on later,” rather than “build it in now.”
However, organizations are increasingly aware that, with a view to long-term strategic planning and competitive advantage, it is counterproductive to have production and security at odds. The long-term goal of everyone, after all, is the success and economic viability of the organization. It is, therefore, in organizations’ best interest to integrate the functions and concerns of security and DevOps even at the finest granularity of a single Agile sprint. This is the fundamental philosophy of the growing DevSecOps movement.
However, it is one thing to philosophize about DevSecOps – it is another thing altogether to implement it in a practical way at an enterprise scale. The best tools of security teams – including ThreatModeler™ – and most beloved tools of developers, such as JIRA, serve very different purposes relative to the functions and focus of the two stakeholder groups. Implementing practical enterprise DevSecOps requires automating the integration of both the different functions and focuses as well as the outputs and inputs of the normal workflows and toolsets.
Integrating Powerful Tools for Powerful Results
Used by more than 75 thousand organizations worldwide since its initial release in 2002, JIRA is easily one of the most popular tools within agile development environments. Not only is it easy to use, but it functions like a sophisticated to-do list, tracking both the necessary tasks at various stages of completion and the person or group responsible for each stage. Given the fast-paced, multi-faceted nature of seeing a development project through to completion, it is no wonder JIRA defines the mainstream of the agile development workflow and toolset.
On a similar note, threat modeling has become a mainstay of application security since the early 2000s. Depending on the particular analytical tool and underlying methodology used, threat modeling has demonstrated its capacity to identify potential threats while applications are still in the design phase. Armed with the enumerated threats, security teams can then provide developers with the necessary mitigating security controls to incorporate during their initial coding. ThreatModeler™, the world’s first enterprise threat modeling solution, provides concrete, actionable outputs for all stakeholders throughout the organization – including DevOps teams and CISOs.
However, due largely to the significant disconnect between developers’ production mandate and the cumbersome nature of less powerful threat modeling tools, developers have long resisted adopting threat modeling as part of their standard workflow.
Now, thanks to the ThreatModeler JIRA plugin, ThreatModeler’s capabilities are expanded to seamlessly integrate with bug and epic tracking in JIRA! Organizations’ ability to implement the concepts and ideals of the DevSecOps movement has never been greater – or easier to realize.
How the ThreatModeler JIRA Plugin Works
The ThreatModeler JIRA plugin provides bi-directional communication between ThreatModeler and JIRA. The potential threats identified in ThreatModeler become bugs to track in JIRA. Likewise, the enumerated security requirements become JIRA epics.
As developers track and update the bugs and epics in JIRA, the ThreatModeler JIRA plugin automatically updates the associated threat models with just a click of the mouse. Moreover, the plugin automatically updates developers’ bugs and epics based on changes in the status of threats and security requirements in ThreatModeler.
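The two-way mapping just described (threats to JIRA bugs, security requirements to JIRA epics, status flowing in both directions) is sketched below as an added illustration; this is not the plugin’s own code, and the item fields, status names and the `SEC-n` issue keys are assumptions. The point it shows is that the sync must be keyed on the threat-model item id so repeated runs do not create duplicate issues, and that a JIRA status set by developers is translated back into the model’s vocabulary.

```python
"""Hypothetical model of a ThreatModeler <-> JIRA sync. Status vocabularies and
issue keys below are constructed for the example, not taken from the product."""
from dataclasses import dataclass

# Assumed status mapping between the threat model and JIRA workflow states.
TM_TO_JIRA = {"open": "To Do", "mitigating": "In Progress", "mitigated": "Done"}
JIRA_TO_TM = {v: k for k, v in TM_TO_JIRA.items()}
# Threats become bugs, security requirements become epics (as the post states).
ISSUE_TYPE = {"threat": "Bug", "requirement": "Epic"}

@dataclass
class TmItem:            # a threat or security requirement in the threat model
    tm_id: str
    kind: str            # "threat" or "requirement"
    title: str
    status: str          # one of TM_TO_JIRA's keys

@dataclass
class JiraIssue:
    key: str
    issuetype: str
    summary: str
    status: str
    tm_id: str           # back-reference that keeps the sync idempotent

def push_to_jira(items, issues):
    """ThreatModeler -> JIRA: create missing issues, update status of known ones.
    Returns the keys of newly created issues (empty on a repeated run)."""
    by_tm = {i.tm_id: i for i in issues}
    created = []
    for it in items:
        target = TM_TO_JIRA[it.status]
        if it.tm_id in by_tm:
            by_tm[it.tm_id].status = target
        else:
            key = f"SEC-{len(issues) + len(created) + 1}"   # constructed key scheme
            created.append(JiraIssue(key, ISSUE_TYPE[it.kind], it.title, target, it.tm_id))
    issues.extend(created)
    return [c.key for c in created]

def pull_from_jira(items, issues):
    """JIRA -> ThreatModeler: developers' status changes flow back to the model.
    Returns the ids of threat-model items whose status changed."""
    by_tm = {it.tm_id: it for it in items}
    changed = []
    for iss in issues:
        new = JIRA_TO_TM.get(iss.status)      # unknown JIRA states are ignored
        if new and iss.tm_id in by_tm and by_tm[iss.tm_id].status != new:
            by_tm[iss.tm_id].status = new
            changed.append(iss.tm_id)
    return changed
```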
With the ThreatModeler JIRA plugin, agile developers and security teams can automate their integration and collaboration toward the organization’s long-term strategic and competitive goals – creating a truly seamless DevSecOps production and risk-reduction environment.