This article is more than 1 year old

Atlassian pipes software flaw reports into Jira, so the boss can see them too

This could be a useful way to show what you’re up against, or give the clueless a stick to beat you with

Atlassian has decided that its Jira issue-tracker needs one more category of issue to track: security flaws.

Suzie Prince, Atlassian's head of product for DevOps, told The Register developers use multiple tools during their days, which makes communicating security issues hard. It can also mean fixing them doesn't make it into workflows that touch all stakeholders in a software project, she added. Wider visibility matters, Prince argues, because when security issues fester in ops or infosec silos, it's hard to know what fixes to prioritize, and why.

Atlassian's answer is to tap info feeds from Snyk, Mend, Lacework, StackHawk, and JFrog, load them into a new "Security" tab in Jira, where security-related issues can be viewed by all stakeholders and automated workflows route work to the right people. Atlassian parses severity scores to help users prioritize.

Prince said Atlassian saw customers try to build this sort of thing themselves, so the company productized it.

The Register asked Prince if there's a downside to wide visibility of flaws. We offered a scenario in which a product manager who works with developers reads news of a colossal flaw – something along the order of importance of the Log4Shell vulnerability in the ubiquitous Apache Log4j logging library – and uses their ability to see that in a Jira queue to order a fix without understanding that other matters could be more important.

"Being knee jerk is what product managers do," she admitted, before going on to argue that having a single place to manage the flaw-fixing workflow means you get a chance to have a conversation about what fixes are at the top of a to-do list, and why, perhaps leading a nervous non-techie to back down gracefully.

The new security functionality is baked into Jira Software Cloud, accessible to all users today and is covered by existing licenses. Atlassian will add integrations to more security vendors but could not name names or offer a timeline for their inclusion. ®

More about


Send us news

Other stories you might like