Enterprise Edition Update: Probely Integration with Jira
June 11, 2019 · 7 min read
Our web application scanning software’s latest update enables you to integrate Jira with Probely. Atlassian’s Jira is one of the most widely adopted issue and project tracking software systems available and has been named the number one software development tool for agile teams.
This blog post explains how you can now integrate Jira with Probely and synchronize our scanner’s findings with your existing issue tracker and workflow.
How Do You Manage Vulnerabilities In Jira Using Probely?
Software development and security teams work in a sophisticated environment, consisting of complex issues tackled by multiple tools, frameworks, and people, including Jira. It can be overwhelming to track and deal with all this information across varying – and sometimes disconnected – platforms.
At Probely, we want to make web application security easy and accessible for software developers or teams that already use Jira to manage development sprints, tasks, issues, and fixes – without adding yet another login to your roster. This is why we believe integrating Probely with other tools is as crucial for you as it is for us, overcoming this common hurdle of too many logins! Once you configure integration between Jira and Probely, you can manage the results of Probely’s security findings without leaving your existing workflows or digital workplaces (or having to log in to Probely again at all).
Probely supports both Jira Cloud and Jira Server (on premises).
What Can Jira and Probely Do Together?
Integration between Jira and a web vulnerability scanner should be as agile and quick as possible, right? In order to achieve this, we knew we’d need to design and produce something more than a simple integration. So, we’ve included some smart features to make the integration smooth. Each is explained below.
Two-way Sync
Once you integrate Jira with Probely, the following synchronization occurs:
- Every time Probely detects and reports a vulnerability in its list of Findings, it will also be created as a new issue in Jira.
- Once that Jira issue is fixed and marked as ‘Done’, Jira will communicate that back to Probely, which will automatically trigger a retest on that vulnerability.
- If the vulnerability is determined by Probely to be resolved, then it is marked there as ‘Fixed’.
- If not, then the vulnerability’s status remains in Probely as ‘Not Fixed’; and in Jira, the issue’s status reverts from ‘Done’ to its previous status.
Image: Probely <-> Jira integration diagram
Issue Status Mapping Between Probely and Jira
Probely allows you to map the State values of Probely’s findings to the existing Status types in your Jira workflow:
- Mapping the ‘Fixed’ and ‘Not Fixed’ State values is required for the integration to work.
- You can also map Probely’s ‘Accepted Risk’ state value for vulnerabilities that you don’t want to fix to their respective Jira status type (e.g. ‘Doesn’t need fixing’). In this way, you personalize the integration and set the terms between the two platforms.
Vulnerability Severity Mapping
Another feature, similar to Status mapping, is Severity mapping. Configuring the Severity mapping in Probely means you can match the severity (risk) of vulnerabilities detected in Probely scans with their respective importance level in Jira (e.g. Highest). For example, you may want to connect vulnerabilities classified as ‘High’ severity by Probely with the Jira issue severity levels that represent critical importance in your workflow.
Choice Between Automatically Syncing all Findings or Manually Syncing Selected Vulnerabilities
The default – and recommended – configuration is to automatically sync all Probely findings with Jira. This means all previous and future Probely findings will be recreated as ‘Open’ issues in Jira.
However, we wanted to make integrating Jira with Probely useful for as many use cases as possible. So, if the automated route is not for you, or if you want a more customized experience, you can select to manually sync selected vulnerabilities only.
Image: Manually syncing a finding with Jira Cloud
‘How to Fix’ Instructions, Evidence, and Vulnerability Descriptions in Jira
When a Probely scan finding is recreated as a new issue in Jira, Probely also sends across the following information:
- A ‘Description’ of the vulnerability, including instructions on what to do and some additional information
- Evidence that it is real
- Instructions on how to fix it
- A link back to Probely
This allows development teams to learn about the type of security issue and fix it without ever leaving Jira.
Image: Description and ‘How to Fix’ information for an SQL injection finding in Jira
Sample Use Case: Syncing Probely with an Existing Jira Server
This section explains a simple workflow, showing how Probely could be used and integrated with an existing Jira Server. This is only one sample use case. We recommend that you customize your experience so that it works best for you.
- Let’s say you add your target – the website you want to scan – and configure Probely to run scheduled scans (see How to Schedule a Scan).
- At this point, you may want to integrate Probely with Jira (see How to Integrate Probely with JIRA Server). You install the Probely app from the Atlassian Marketplace, set the required Status and Severity mapping configurations, sync your findings, and you are ready to go.
- Now that you have your setup completed and your scans running, each finding detected by Probely will be also published to Jira (with the appropriate Status and Severity values).
- Developers would then receive the Jira tasks (security findings), and under ‘Description’ they would have instructions on how to fix those vulnerabilities along with some additional information.
- Once they have used that information, and the vulnerability is fixed, the task is marked as ‘Done’ (closed).
- This information is synced with Probely, which triggers a retest of the finding to make sure that the vulnerability is fixed properly:
  - If Probely determines that it is not fixed properly, this updated information is synced with Jira, the Jira issue is automatically reopened, and the developer tries fixing it again.
  - If the issue is properly fixed, the finding is marked as ‘Fixed’ in Probely and the Jira issue remains closed.
Alternatively, if you have configured scheduled scans, they can detect if a finding is fixed, and they will automatically close the ticket for that finding (updating the corresponding Jira issue to the state you mapped to Fixed when configuring the integration).
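To make the sync logic concrete, here is a small Python model of the workflow described above: mapping validation (‘Fixed’ and ‘Not Fixed’ are required, ‘Accepted Risk’ is optional), severity-to-priority mapping, the retest triggered by a ‘Done’ transition, the revert to the issue’s previous status when the retest fails, and the scheduled-scan path that closes the ticket. It is an added example written for this post, not Probely’s or Atlassian’s code: the classes SyncConfig, Finding, JiraIssue and SyncBridge, the sample status and priority names, and the SEC-n issue keys are constructed assumptions; the real integration runs inside Probely and the Jira app.

```python
"""Constructed model of the Probely <-> Jira two-way sync (not the real API)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Probely finding states named in the post
FIXED, NOT_FIXED, ACCEPTED_RISK = "Fixed", "Not Fixed", "Accepted Risk"


@dataclass
class SyncConfig:
    status_map: Dict[str, str]    # Probely state -> Jira status (assumed names)
    severity_map: Dict[str, str]  # Probely severity -> Jira priority (assumed names)

    def validate(self) -> None:
        # The post states that Fixed and Not Fixed must be mapped; Accepted Risk is optional.
        missing = [s for s in (FIXED, NOT_FIXED) if s not in self.status_map]
        if missing:
            raise ValueError(f"status mapping must include {missing}")


@dataclass
class Finding:
    id: str
    title: str
    severity: str
    state: str = NOT_FIXED


@dataclass
class JiraIssue:
    key: str
    status: str
    priority: str
    previous_status: Optional[str] = None  # remembered so a failed retest can revert


@dataclass
class SyncBridge:
    config: SyncConfig
    issues: Dict[str, JiraIssue] = field(default_factory=dict)  # finding id -> issue
    retests_requested: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.config.validate()

    def sync_finding(self, finding: Finding) -> JiraIssue:
        """Probely -> Jira: a new finding becomes a new issue with mapped status/priority."""
        issue = JiraIssue(
            key=f"SEC-{len(self.issues) + 1}",  # constructed key format
            status=self.config.status_map[finding.state],
            priority=self.config.severity_map.get(finding.severity, "Medium"),
        )
        self.issues[finding.id] = issue
        return issue

    def on_jira_transition(self, finding_id: str, new_status: str) -> None:
        """Jira -> Probely: moving the issue to the 'Fixed' status requests a retest."""
        issue = self.issues[finding_id]
        issue.previous_status = issue.status
        issue.status = new_status
        if new_status == self.config.status_map[FIXED]:
            self.retests_requested.append(finding_id)

    def on_retest_result(self, finding: Finding, still_vulnerable: bool) -> Tuple[str, str]:
        """Probely retest outcome: confirm Fixed, or revert the issue to its previous status."""
        issue = self.issues[finding.id]
        if still_vulnerable:
            finding.state = NOT_FIXED
            issue.status = issue.previous_status or self.config.status_map[NOT_FIXED]
        else:
            finding.state = FIXED
        return finding.state, issue.status

    def on_scheduled_scan(self, finding: Finding, still_vulnerable: bool) -> Tuple[str, str]:
        """Scheduled scan no longer sees the finding: close the ticket via the Fixed mapping."""
        issue = self.issues[finding.id]
        if not still_vulnerable:
            finding.state = FIXED
            issue.status = self.config.status_map[FIXED]
        return finding.state, issue.status


if __name__ == "__main__":
    cfg = SyncConfig(status_map={NOT_FIXED: "To Do", FIXED: "Done", ACCEPTED_RISK: "Won't Do"},
                     severity_map={"High": "Highest", "Medium": "Medium", "Low": "Low"})
    bridge = SyncBridge(cfg)
    sqli = Finding("f1", "SQL injection in login form (constructed sample)", "High")
    print(bridge.sync_finding(sqli))            # To Do / Highest
    bridge.on_jira_transition("f1", "Done")     # developer closes the task -> retest
    print(bridge.on_retest_result(sqli, still_vulnerable=True))   # reopened: ('Not Fixed', 'To Do')
    bridge.on_jira_transition("f1", "Done")
    print(bridge.on_retest_result(sqli, still_vulnerable=False))  # ('Fixed', 'Done')
```

The one detail worth keeping from this model is `previous_status`: because the post says a failed retest reverts the issue to its previous status rather than to a fixed “Open”, the bridge has to record the status it saw before the ‘Done’ transition.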
Why You Should Integrate Jira with Probely
Being able to maintain your existing workflow avoids frustration and saves time. This is why we worked hard on this integration. Using Probely makes your Software Development Life Cycle (SDLC) more secure, and with this integration you have a security tool that slots into your existing SDLC workflow without adding more time and effort to the process.
Security becomes straightforward to integrate properly into your SDLC without adding resources. Finally, by following the Jira boards that incorporate Probely issues, management teams get an overview of the security status of every website in their company portfolio.
For further information, see How to Integrate Probely with JIRA Server.