Protecting organizations assets from malicious attackers is critical in today’s highly threatened environment. The threats landscape is continuously changing. Unfortunately, many organizations still lack an overview regarding what there developers and the rest of the stakeholders are doing to protect their assets. Issue Tracking Systems such as Jira provides platform to manage a project’s assets and communications around these assets from inception to delivery and subsequent maintenance of the delivered product.
The Issue Tracking Systems typically consist of fields to describe reported issue such as the description of the issue, summary of issue, severity of issue, date issue reported, priority, etc. Our observation of the issue tracking systems of many organisations reveal the lack of any decision variable that could influence the prioritization of security related issues in the systems. We respond to this need by introducing a Jira add-on named “JiraSecPlugin” for automatic classification of Jira issues/stories/features/task as security related. This plugin is built on artificial intelligence algorithms and evaluated using sound empirical approach.
There are four motivations for building JiraSecPlugin. (1) To reduce the Window of Exposure of security related issues (2) as a means to measure the security posture of a project/product both in-house and during acquisition of new systems (3) to support small/medium scale organizations, and (4) for learning & awareness. We argue that the decision regarding what issue to fix now or later may be influenced if there is awareness about the security importance and implications of such issue. As a result, introducing an additional decision variable that could trigger prioritization of security related issue may help with this decision. In addition, such decision variable could move us closer to understanding the security posture of a project or product.
What it does
JiraSecPlugin is a simple-to-use plugin for classifying recorded issues in Jira as security related or not. It also indicate the importance of the classification and provide a custom message about the terms used for that decision
How I built it
JiraSecPlugin is an add-on built using the Atlassian SDK. It uses 3 custom fields that have to be created in JIRA and associated to the project
Challenges I ran into
Integrating a generic machine learning model and empirical validation of the model are the most challenging while building the add-on
Accomplishments that I'm proud of
Integrating a useful machine learning model that effectively reduce false positives.
What I learned
Application of machine learning algorithms in real-world systems
What's next for JiraSecPlugin
Explore different use-cases for JiraSecPlugin. An example is risk estimation during "buy" and "acquire" decision by stakeholders