Users of Atlassian Jira Software Cloud have a free DevSecOps workflow option at their disposal with this week's release of Security in Jira, which offers a glimpse into possibilities for future expansion in software security for the vendor.
The optional tab in the Jira Software Cloud interface ties in security vulnerability management tools from five partners in its first release: Snyk code scanning; Mend.io application security testing; Lacework's cloud-native application protection platform; StackHawk application and API security; and JFrog, which markets multiple software composition analysis scanning and DevSecOps pipeline tools. Atlassian said it plans to develop additional partnerships for future releases.
Data from partner tools fed into Security in Jira will enable DevSecOps teams to filter and triage security vulnerabilities in their software through existing developer workflows. The integrations, via the Atlassian Open DevOps API, will automatically link Jira issues to vulnerabilities and populate those issues with security details or assign team members to respond.
Atlassian Jira users can already tie in third-party tools using Open DevOps through deployments and releases tabs. Now, Security in Jira partners have their data pre-integrated into the separate security tab without requiring users to do custom work, said Suzie Prince, head of product for DevOps at Atlassian.
"This is expanding the scope of Jira Software to bring security into that native experience, to make it a native part of Agile planning for software development teams," Prince said. "If they're using one or more [partner tools], it will merge those vulnerabilities to provide a holistic view of all of the vulnerabilities that impact a particular project … either at the code level or [in] issues that might appear at runtime as well."
This update from Atlassian reflects a wider trend in enterprise DevSecOps practices that increasingly ties security concerns into the software planning and design process, said Katie Norton, an analyst at IDC.
"In our DevSecOps survey this year, there was a huge shift in the number of organizations that indicated they are moving security into the planning and design phases of the lifecycle," she said. "Jira is obviously a tool that is used in those phases of software development -- in our market share [analysis] Atlassian is second only behind Microsoft, and the majority of that comes from Jira -- so having that security information there is valuable."
In the 2023 IDC DevSecOps Adoption, Tools and Techniques survey, 28.3% of respondents said they first incorporate application security at the planning phase of software development, an increase from 16.3% in the 2022 survey; and 41.2% said they first incorporate it at the design phase, up from 15.6% in 2022.
Laying groundwork for potential DevSecOps expansion
Software supply chain security has also been a hot topic for DevSecOps vendors in the last year, including GitHub and GitLab. Generating software bills of material or software provenance information isn't a part of Security in Jira, but Atlassian is considering it, Prince said, along with potential tie-ins to further stages of the software deployment process through other Atlassian tools such as Bitbucket. Bitbucket already integrates with Snyk through an existing partnership between the two vendors.
Atlassian Jira Software Cloud provides a feedback tab so that customers can request additional integrations with third-party security vulnerability management tools, Prince said.
Security in Jira comes amid a broader security push by Atlassian, which also includes a new threat detection tool in beta, a new policy toward upstream open source vulnerability fixes and a changing of the guard in the chief trust officer role.
To strengthen Security in Jira's value, future releases could also include some of Atlassian's own prioritization of vulnerabilities surfaced from partner tools based on business context, Norton said.
"One of the biggest things organizations struggle with is prioritizing [work]," she said. "Atlassian has a really unique opportunity to add some business context into that data they're pulling in. Better than anyone in the DevOps and DevSecOps space, they have a deep connection with the work that's happening more broadly at an organization."
There are some areas Atlassian could consider expanding its DevSecOps features outside of Jira Software as well, Norton said. Security in Jira overlaps with some third-party application security orchestration and coordination tools that also typically feed application security information into Jira -- but increasingly, they also tie into developer workflows via pull requests, an option Atlassian might want to expand in future DevSecOps integrations. Its Bitbucket integration with Snyk already includes this feature.
"Sometimes stuff can get pushed into Jira and then it can sit in a backlog for a while before it gets dealt with," she said. "With pull requests, especially the tools that are generating a fix -- a human just has to accept it … it's the quicker way to deal with these things."
The downside of the pull request route is that it doesn't have the same auditability as pushing data into Jira workflows, Norton added.
"When you're talking about larger security issues that need much more organizational coordination across units and groups of people and personas, some of that going into Jira seems like it would make more sense," she said.
Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.