[Owasp-leaders] SecDevOps Risk Workflow Book (please help with your feedback)
andreg+owasp at gmail.com
Fri Oct 28 23:57:05 UTC 2016
On Fri, Oct 28, 2016 at 4:35 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:
>> Really enjoy the parts on JIRA -- I liked the parts about making Risk a
>> separate project but what if appsec requirements/documentation are listed
>> in its own Epic instead?
> That can work; the problem is that it is easy for those Epics to fall into
> the 'backlog pit of despair'
> and start to be ignored (i.e. unless you have that 'Risk Accepted' button,
> it is 'cheap and easy' to just keep prioritising other 'really important'
> features required by the business/users). Another issue is that I like to
> use the JIRA Risk project to describe 'reality' (i.e. the
> Risks/Issues/features that exist or will exist soon) and then let the
> devs use their JIRA project (or whatever bug tracking system they use) to
> describe what needs to be done (i.e. how they would address those RISK
> issues). For example, a RISK issue (in the separate RISK or APPSEC Jira
> project) would be *"Xyz app - There is no Authentication on exposed Web
> Service's methods"*, which would (when in the 'Allocated for Fix' stage)
> be linked to another ticket (or multiple tickets) in the application's
> JIRA project that would be called *"Use Spring Security to authenticate
> users of service"*.
This is great and adds context for me. I'll let you know how this
conversation goes with the powers that be.
> Btw, do you open JIRA tickets for the issues/risks/threats raised by
> Threat Models?
Yes, and I very much also enjoyed the notion of Chained Threat Models. I
think I used those exact same words the same day that you did to describe
the very same thing. Uncanny.