Through empirical study, we have observed that issues in issue tracking systems do not get any classification with respect to security. We want to use this tool to change this. Manually tagging your recorded issues as security related may be really hard, so let the tool give you a head start. Using the tool moves your organization towards full automation and makes the organization more proactive to security issues.
There are four motivations for implementing this tool.
(1) Reducing the Window of Exposure
We argue that the decision regarding what defects to fix now or later may be influenced if there is awareness about the security importance and implications of such defects. As a result, introducing an additional decision variable that could trigger prioritization of security related issue may help with this decision.
(2) Awareness and Learning
Furthermore, we believe that for security to be effective, learning through awareness, education, and training have to be driven at all levels and layers of the development lifecycle. This approach and tool is aimed to support the requirement and sustainment (maintenance and operation) phases of the system.
(3) Many still don't have any security program
We still face the reality that many organizations do not have any security program for their organizations due to lack of awareness, drivers, budget, and resources. We believe this tool can provide a minimum support to help kick-start discussion around issues flagged as security related within the organization.
(4) Support for continuous delivery/deployment
Lastly, the plugin could support continuous integration and deployment.
e.g. it is possible to set a quality gate that all issues with security importance higher than medium should be resolved before release
To install, please visit the link below for the add-on (jar), installation and user guides.
1. Plugin jar
2. Installation guide
3. User guide