JiraSecPlugin is a simple-to-use JIRA plugin for classifying recorded issues as security related or not. It is based on artificial intelligence algorithms. By default, the plugin comes with a trained model built on a comprehensive set of security terms that we divided into four categories:
1. Personally Identifiable Information (PII)
2. Direct (terms related to attacks and vulnerabilities)
3. Control (terms related to implemented security controls)
4. Indirect (terms that are indirectly related to security and not in the above three categories)
Terms are extracted from different sources such as the CWE, OWASP, CVE, RFC 4949, and industrial issue tracking databases.
Through empirical study, we have observed that issues in issue tracking systems do not get any classification with respect to security. We want to use this tool to change this. Manually tagging your recorded issues as security related may be really hard, so let the tool give you a head start. Using the tool moves your organization towards full automation and makes it more proactive towards security issues.
There are four motivations for implementing this tool.
(1) Reducing the Window of Exposure
We argue that the decision regarding which defects to fix now or later may be influenced if there is awareness of the security importance and implications of those defects. As a result, introducing an additional decision variable that could trigger prioritization of security-related issues may help with this decision.
(2) Awareness and Learning
Furthermore, we believe that for security to be effective, learning through awareness, education, and training has to be driven at all levels and layers of the development lifecycle. This approach and tool are aimed at supporting the requirements and sustainment (maintenance and operation) phases of the system.
(3) Many still don't have any security program
We still face the reality that many organizations do not have any security program due to lack of awareness, drivers, budget, and resources. We believe this tool can provide minimal support to help kick-start discussion around issues flagged as security related within the organization.
(4) Support for continuous delivery/deployment
Lastly, the plugin could support continuous integration and deployment. For example, it is possible to set a quality gate requiring that all issues with security importance higher than medium be resolved before release.
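To make the two ideas above concrete, the four term categories used for classification and the release quality gate on security importance, here is an added illustrative example. It is not JiraSecPlugin's own code or its trained model: the term lists, the per-category weights, the score-to-importance thresholds and the sample issues are all constructed assumptions, kept deliberately small so the flow from issue text to a gate decision is visible.

```python
"""Illustrative term-category classifier and release quality gate.

Added example, not JiraSecPlugin's code. The plugin ships a trained model
over terms drawn from CWE, OWASP, CVE, RFC 4949 and issue trackers; the
term sets, weights and thresholds below are constructed assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample terms per category (assumption, not the plugin's term set).
TERMS = {
    "pii": {"password", "ssn", "credit card", "email address", "date of birth"},
    "direct": {"sql injection", "xss", "buffer overflow", "csrf", "cve"},
    "control": {"authentication", "encryption", "access control", "audit log", "tls"},
    "indirect": {"input validation", "logging", "session", "cookie", "permission"},
}

# Assumed weights: direct attack/vulnerability terms count most, indirect least.
WEIGHTS = {"direct": 4, "pii": 2, "control": 2, "indirect": 1}

# Ordered importance labels; the gate compares positions in this list.
LEVELS = ["none", "low", "medium", "high"]


def importance(score: int) -> str:
    """Map a weighted term score to an importance label (assumed thresholds)."""
    if score == 0:
        return "none"
    if score < 3:
        return "low"
    if score < 6:
        return "medium"
    return "high"


@dataclass
class Classification:
    security_related: bool
    importance: str
    hits: dict = field(default_factory=dict)  # category -> matched terms


def normalise(text: str) -> str:
    """Lowercase, collapse punctuation to spaces, pad so whole-term matching works."""
    return " " + re.sub(r"[^a-z0-9]+", " ", text.lower()).strip() + " "


def classify(issue_text: str) -> Classification:
    """Flag an issue as security related if any category term appears in it."""
    body = normalise(issue_text)
    hits = {}
    score = 0
    for category, terms in TERMS.items():
        found = sorted(t for t in terms if f" {t} " in body)
        if found:
            hits[category] = found
            score += WEIGHTS[category] * len(found)
    return Classification(bool(hits), importance(score), hits)


def release_gate(issues, threshold: str = "medium"):
    """Return (key, importance) for unresolved issues above the threshold.

    Mirrors the page's example gate: everything with importance higher than
    'medium' must be resolved before release.
    """
    limit = LEVELS.index(threshold)
    blocking = []
    for issue in issues:
        if issue["status"] == "resolved":
            continue
        result = classify(issue["summary"] + " " + issue["description"])
        if LEVELS.index(result.importance) > limit:
            blocking.append((issue["key"], result.importance))
    return blocking


# Constructed sample issues (not from any real tracker).
SAMPLE_ISSUES = [
    {"key": "APP-101", "status": "open",
     "summary": "Login form vulnerable to SQL injection",
     "description": "The username field is concatenated into the query; authentication bypass possible."},
    {"key": "APP-102", "status": "open",
     "summary": "Button misaligned on settings page",
     "description": "CSS margin is off by 4px in Firefox."},
    {"key": "APP-103", "status": "resolved",
     "summary": "Passwords logged in plaintext",
     "description": "The audit log writes the password on failed login."},
    {"key": "APP-104", "status": "open",
     "summary": "Session cookie missing Secure flag",
     "description": "Cookie is sent over plain HTTP."},
]

if __name__ == "__main__":
    for issue in SAMPLE_ISSUES:
        c = classify(issue["summary"] + " " + issue["description"])
        print(issue["key"], issue["status"], c.importance, c.hits)
    print("blocking release:", release_gate(SAMPLE_ISSUES))
```

Run as a script it prints each sample issue's importance and matched categories, then the issues that would block a release at the "higher than medium" gate. The resolved APP-103 is skipped by the gate even though it classifies as medium, which is the behaviour a quality gate wants: only open work counts against the release.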
To install, please visit the links below for the add-on (jar), installation guide and user guide.
1. Plugin jar
2. Installation guide
3. User guide