[Owasp-leaders] SecDevOps Risk Workflow Book (please help with your feedback)

Mario Robles OWASP mario.robles at owasp.org
Thu Nov 3 13:59:38 UTC 2016

The workflow I use is actually very simple because it needs to be adapted to different teams with different SDLC models in different countries; it's more generic, I would say:

Fixing: The issue is assigned to someone working on fixing it (link to the issue in their own Agile board); if they challenge the issue and the risk is accepted, the issue is sent to Done using Risk Accepted or Not an issue as the resolution
Testing: When security tests the issue as part of the QA process
Deploying: Security accepts or rejects the fix, sending it back to Fixing or providing approval and moving it to the Deploying queue
Acceptance: The dev team moves the issue to Acceptance when it's ready on UAT for final tests
Done: Security will send the issue back to Fixing if something went wrong; otherwise it will provide sign-off by moving it to Done using the resolution Fixed

I use Jira dashboards but also some custom macro-based metrics based on Jira exports

I do really like your workflow; however, in my experience dev teams start getting hesitant to follow your process when more clicks from their end are needed

By the way, false positives are not included in my workflow because we should never have a FP included in a list of issues; everything should be validated before including it as an issue. If I have to add it, I think that will be as a Resolution type


> On Nov 3, 2016, at 06:42, Dinis Cruz <dinis.cruz at owasp.org> wrote:
> Mario that is really nice, thanks for sharing
> What workflow do you use to track the changes? Is it something like the (Kanban-like) right-hand side of:
> <image.png>
> What about reporting? How do you visualise the data and stats you collect? (in Jira Dashboards or in confluence?)
> Dinis
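One way to encode the workflow Mario lists above as a transition table and audit a Jira changelog export against it, as an added example that is not part of the original post or of any Jira feature; the role names (dev, security), the dev-driven Fixing to Testing move, and the export row shape are assumptions.

```python
# Added example: Mario's issue workflow as a transition table, so a Jira changelog
# export can be audited and resolution metrics computed. Roles and row shape are assumed.
from collections import Counter

# (from_state, to_state) -> (roles allowed to make the move, resolutions allowed)
TRANSITIONS = {
    ("Fixing", "Testing"):       ({"dev"}, set()),                                # fix ready (assumed dev move)
    ("Fixing", "Done"):          ({"dev"}, {"Risk Accepted", "Not an issue"}),    # issue challenged, risk accepted
    ("Testing", "Deploying"):    ({"security"}, set()),                           # fix approved by security
    ("Testing", "Fixing"):       ({"security"}, set()),                           # fix rejected by security
    ("Deploying", "Acceptance"): ({"dev"}, set()),                                # ready on UAT for final tests
    ("Acceptance", "Done"):      ({"security"}, {"Fixed"}),                       # security sign-off
    ("Acceptance", "Fixing"):    ({"security"}, set()),                           # something went wrong
}

def check_move(src, dst, role, resolution=None):
    """Return None if the move is allowed by the workflow, else a reason string."""
    rule = TRANSITIONS.get((src, dst))
    if rule is None:
        return f"no transition {src} -> {dst}"
    roles, resolutions = rule
    if role not in roles:
        return f"{role} may not move {src} -> {dst}"
    if dst == "Done" and resolution not in resolutions:
        return f"{src} -> Done needs resolution in {sorted(resolutions)}, got {resolution!r}"
    return None

def audit(rows):
    """rows: changelog entries (issue, src, dst, role, resolution) in time order.
    Returns (violations, Counter of resolutions used to reach Done)."""
    violations, outcomes = [], Counter()
    for issue, src, dst, role, resolution in rows:
        problem = check_move(src, dst, role, resolution)
        if problem:
            violations.append((issue, problem))
        elif dst == "Done":
            outcomes[resolution] += 1
    return violations, outcomes

# Constructed sample export: three issues, the last one skipping security sign-off.
SAMPLE = [
    ("SEC-1", "Fixing", "Testing", "dev", None),
    ("SEC-1", "Testing", "Deploying", "security", None),
    ("SEC-1", "Deploying", "Acceptance", "dev", None),
    ("SEC-1", "Acceptance", "Done", "security", "Fixed"),
    ("SEC-2", "Fixing", "Done", "dev", "Risk Accepted"),
    ("SEC-3", "Fixing", "Testing", "dev", None),
    ("SEC-3", "Testing", "Done", "dev", "Fixed"),
]
```

Running `audit(SAMPLE)` flags SEC-3 and counts one Fixed and one Risk Accepted outcome, which is the kind of number the macro-based metrics from a Jira export would report.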

