Bug tracking tools like JIRA are used by development and QA engineering teams as a part of the development cycle to track the functional defects across releases in addition to requirements, enhancements and user stories as this provides a holistic view of their software development requests and its status. But these bug tracking tools are almost never used by testing and security teams to track vulnerabilities found in an application during and after it’s development.
One of the major challenges faced in AppSec is managing the fixing of scanned vulnerabilities provided by security scanning platforms. The effort and time spent on tracking and fixing vulnerabilities is much more than that of scanning and uncovering them. Using defect tracking tools like Jira, does let security teams log vulnerabilities as bug tickets, but it is still difficult to manage and track these bug tickets as at the end of it all, these tools are still just systems that raise tickets. In addition to this, multiple scan reports across tools frequently give duplicate vulnerabilities with little to no information about the vulnerabilities and how to remediate them.
How does Orchestron help?
As a vulnerability management and correlation platform, Orchestron integrates with commonly used defect tracking tools such as JIRA and Github, thereby helping security vulnerabilities reach developers faster and, presenting them in a format that helps them fix issues better and faster.
Orchestron’s ability to correlate scanned vulnerabilities from multiple SAST, SCA and DAST tools prevents the deduplication of vulnerabilities. This ensures that the issues raised as tickets in the bug tracking tools are not repeated, thereby giving the development teams a consolidated view of the vulnerabilities. Orchestron’s integration with bug tracking tools also allows security teams to ‘tag’ vulnerabilities as false positives. Once a particular vulnerability is tagged as a false positive, Orchestron continues to tag similar vulnerabilities as false positives automatically.
Detailed Vulnerability Information
Orchestron’s Risk Language (ORL) database removes the constraint of relying on purely tool delivered information. The ORL provides enhanced information in the form of impact analysis, time of introduction, affected instances, and vulnerable lines of code across any security tool. Orchestron also grades the scanned vulnerabilities based on the Common Vulnerability Scoring System (CVSS) in addition to the CWE.
Remediation advisory with code snippets representing good/bad code examples and actionable recommendations on fixes are outlined to ensure faster closure of vulnerabilities by the development team. In addition to this, security testers can manually add additional remediations to aid developers in fixing the issues.
Security teams can manually amend the scores given by SAST and DAST scanners within Orchestron, thereby helping developers prioritise the fixes according to the severity of the vulnerabilities.
How does the Bug tracker Integration work?
Orchestron integrates with commonly used defect tracking tools through their published APIs. This integration pushes the correlated scan results directly to defect tracking platforms, as bug tickets - which is the primary channel of managing product defects. This ensures thats security vulnerabilities are transformed as “non-functional defects"
As and when the bug tickets are remediated, and the status of the fixed issues is updated in the bug tracking tool, the updated status also reflects in the Orchestron Console (AVC) and vice versa, thereby giving a consolidated view of the bug tickets to the security team. This 2 way sync is achieved via the Orchestron’s webhooks with the defect tracking tools.