Using jira to manage risks v1.0 - owasp app sec eu - june 2016
Uploaded by: dinis-cruz
Transcript of Using jira to manage risks v1.0 - owasp app sec eu - june 2016
![Page 1: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/1.jpg)
Using JIRA to manage Risks and Security Champions activities
OWASP AppSecEU, Rome, 2016
![Page 2: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/2.jpg)
Me
• Developer for 25 years
• AppSec for 13 years
• Day jobs:
  • Leader of the OWASP O2 Platform project
  • Application Security Training for JBI Training
  • Part of the AppSec team of:
    • The Hut Group
    • BBC
  • AppSec Consultant and Mentor
![Page 3: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/3.jpg)
• @Leanpub (buy for $0)
• http://leanpub.com/u/DinisCruz
Books Published
![Page 4: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/4.jpg)
Books under development
Major revision with lots of new content (based on Maturity Models app)
Ideas shown in this presentation and a lot more
![Page 5: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/5.jpg)
![Page 6: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/6.jpg)
See also:
http://blog.diniscruz.com/2016/03/new-era-of-software-with-modern.html
![Page 7: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/7.jpg)
![Page 8: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/8.jpg)
APPSEC AND DEVELOPERS
![Page 9: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/9.jpg)
• (Unit) Test - For me a test is anything that can be executed with one of these unit test frameworks: https://en.wikipedia.org/wiki/List_of_unit_testing_frameworks
• RISK - Abusing the concept: I found RISK to be the best term for the wide range of issues covered by AppSec, while still being understood by all players
• 100% Code Coverage - not the summit but base camp (i.e. not the destination). And 100% code coverage is not enough; we really need 500% or more code coverage
• AppSec ~= Non-functional requirements - AppSec is about understanding and controlling an app's unintended behaviours
Disclaimers
![Page 10: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/10.jpg)
• This presentation is about AppSec
• AppSec is about:
  – code, apps, CI, secure coding standards, threat models, frameworks, code dependencies, QA, testing, fuzzing, dev environments, DevOps, ….
• InfoSec is about:
  – networks, firewalls, server security, anti-virus, IDS, logging, NOC, policies, end-user security, mobile devices, AD/LDAP management, user provisioning, DevOps, ….
• If your 'InfoSec' team/person cannot code (and would not be hired by the Dev team), then that is NOT AppSec.
• InfoSec is also very important (the workflow described here can also be used by them)
AppSec vs InfoSec
![Page 11: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/11.jpg)
• You will become a better developer
• You will be paid better
Developers we need you to join AppSec
![Page 12: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/12.jpg)
MATURITY MODELS APP
![Page 13: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/13.jpg)
• App used in the JIRA ticket examples
• Open Source (https://github.com/DinisCruz/Maturity-Models)
• Based on a real-world mapping of BSIMM in a large organisation
• Starting to be compatible with OWASP OpenSAMM (help needed)
• Coded in NodeJS and AngularJS (v1) with 90%+ code coverage and fully automated CI
Maturity Models
![Page 14: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/14.jpg)
Visualise Maturity Models
![Page 15: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/15.jpg)
Edit Maturity Model
![Page 16: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/16.jpg)
View Maturity Model Radar chart
![Page 17: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/17.jpg)
View projects and schema
![Page 18: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/18.jpg)
All data stored in JSON (git repo)
![Page 19: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/19.jpg)
Mapped Attack Surface
![Page 20: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/20.jpg)
1. Dev pushes code to GitHub
2. GitHub (main code repo)
   • sends web hook to Travis
3. Travis
   • clones repo, runs tests (API and UI)
   • builds Docker image (if all tests pass)
   • pushes Docker image to Docker Hub
   • clones QA repo fork, syncs it with QA repo, adds extra commit to QA repo fork, pushes to QA repo fork
4. Docker Hub
   • sends web hook to Docker Cloud
5. Docker Cloud
   • contacts mapped Node (Digital Ocean VM with Docker installed)
   • docker host pulls image from Docker Cloud
   • docker container starts
6. GitHub (QA fork repo)
   • sends web hook to Travis
7. Travis
   • clones repo, runs tests (QA against deployed docker image on Digital Ocean)
   • (in the future) will send web hook to deploy to production (if all tests pass)
Continuous Integration (CI)
![Page 21: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/21.jpg)
Technologies used (40x)
See the book for details on each of these technologies
![Page 22: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/22.jpg)
SECURITY CHAMPIONS
![Page 23: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/23.jpg)
Security Champions (SC)
http://blog.diniscruz.com/2015/10/what-are-security-champions-and-what-do.html
![Page 24: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/24.jpg)
If you don’t have an SC, get a Mug
![Page 25: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/25.jpg)
JIRA WORKFLOW
![Page 26: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/26.jpg)
1. Open JIRA issues for all AppSec issues
2. Write passing tests for issues reported
3. Manage using AppSec RISK workflow
   1. Fix Path: Open, Allocated for Fix, Fix, Test Fix, Close
   2. Accept Risk Path: Open, Accept Risk, Approve Risk, (Expire Risk)
4. Automatically report RISK's status
Proposed JIRA workflow
![Page 27: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/27.jpg)
RISK Workflow (using JIRA in Cloud)
![Page 28: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/28.jpg)
PATH #1 - Fix issue
![Page 29: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/29.jpg)
PATH #2 - Accept and Approve RISK
![Page 30: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/30.jpg)
PATH #2 - Variation when risk not approved
![Page 31: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/31.jpg)
‘FIX’ PATH
![Page 32: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/32.jpg)
Issue: Data_Files.set_File_Data - Path Traversal
![Page 33: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/33.jpg)
Status: OPEN
![Page 34: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/34.jpg)
Status: IN PROGRESS
![Page 35: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/35.jpg)
Status: ALLOCATED FOR FIX
![Page 36: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/36.jpg)
Status: FIXING
![Page 37: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/37.jpg)
Status: TEST FIX
![Page 38: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/38.jpg)
Status: FIXED
![Page 39: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/39.jpg)
PATH ‘RISK ACCEPT/APPROVE’
![Page 40: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/40.jpg)
RISK: Support for coffee allows RCE
![Page 41: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/41.jpg)
Status: OPEN
![Page 42: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/42.jpg)
Status: IN PROGRESS
![Page 43: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/43.jpg)
Status: AWAITING RISK ACCEPTANCE
![Page 44: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/44.jpg)
Status: RISK ACCEPTED
![Page 45: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/45.jpg)
Status: RISK APPROVED
![Page 46: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/46.jpg)
Status: RISK APPROVED EXPIRED
![Page 47: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/47.jpg)
All status changes are tracked
![Page 48: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/48.jpg)
CASE STUDY: WHEN I CREATED A VULNERABILITY
![Page 49: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/49.jpg)
• Here is the code I wrote (at the Data Layer)
• This method is designed to be called by the controller (i.e. the REST API endpoint):
Feature request: Allow data editing on UI
![Page 50: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/50.jpg)
Feature request: Allow data editing on UI
![Page 51: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/51.jpg)
Regression test that passes on issue
![Page 52: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/52.jpg)
![Page 53: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/53.jpg)
![Page 54: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/54.jpg)
![Page 55: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/55.jpg)
![Page 56: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/56.jpg)
Fix for Path Traversal
![Page 57: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/57.jpg)
Regression test
![Page 58: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/58.jpg)
LET’S SEE HOW IT LOOKED IN THE CODE
![Page 59: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/59.jpg)
…before the vuln is created
![Page 60: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/60.jpg)
…when the vuln is created
![Page 61: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/61.jpg)
… adding comments
![Page 62: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/62.jpg)
…after issues are created
![Page 63: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/63.jpg)
…improving comments
![Page 64: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/64.jpg)
…updating issues after 1st fix
![Page 65: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/65.jpg)
… after final fix
![Page 66: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/66.jpg)
KEY CONCEPTS FOR JIRA RISK WORKFLOW
![Page 67: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/67.jpg)
Key for AppSec JIRA workflow is this button
![Page 68: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/68.jpg)
• This is a separate JIRA project from the one used by devs - I like to call that project 'RISK'
  – This avoids project 'issue creation' politics and is a 'safe harbour' for:
    • known issues
    • 'shadow of a vulnerability' issues
    • 'this could be a problem…' issues
    • 'app is still in development' issues
  – When deciding to fix an issue:
    • that is the moment to create an issue in the target project's JIRA (or whatever bug tracking system they use)
  – When the issue is fixed (and closed in the target project's JIRA):
    • AppSec confirms the fix and closes the RISK
Separate JIRA project
![Page 69: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/69.jpg)
• Key is to understand that issues need to be moving on one of two paths:
  – Fix
  – Risk Accepted (and approved)
• Risks (i.e. issues) are never in 'Backlog'
• If an issue is stuck in 'Allocated for Fix', then it is moved into the 'Awaiting Risk Acceptance' stage
Always moving until fix or acceptance
![Page 70: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/70.jpg)
• If you don't have 350+ issues in your JIRA RISK project, you are not playing (and don't have enough visibility into what is really going on)
• Allow team A to see what team B had (and scale due to issue description reuse)
• The problem is not the team with 50 issues, the problem is the team with 5 issues
• This is perfect for gamification and to provide visibility into who to reward (and promote)
You need volume
![Page 71: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/71.jpg)
• All issues identified in Threat Models are added to the JIRA RISK project
• Create Threat Models by
  – layer
  – feature
  – bug
• … that is a topic for another talk
Threat model
![Page 72: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/72.jpg)
Mapping to InfoSec risks
![Page 73: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/73.jpg)
Mapping JIRA Tickets to Tests
![Page 74: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/74.jpg)
JIRA AppSec Dashboards
![Page 75: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/75.jpg)
Weekly emails with Risk status
![Page 76: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/76.jpg)
• Components (one per team or project)
• Labels (to add metadata to issues, e.g. the OWASP Top 10 category)
• Links
  – connect with internal/external issues
  – connect with external resources
• Auto emails
• Copy and paste of images into the description
• Markdown
• Security restrictions (use with care)
• Security-lock certain actions
• Extra workflow actions (for example when moving state)
• Create an APPSEC JIRA project for AppSec related tasks (like 'Create Threat Model for app XYZ')
Other powerful JIRA features
![Page 77: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/77.jpg)
GITHUB RISK WORKFLOW
![Page 78: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/78.jpg)
Using GitHub (instead of JIRA)
![Page 79: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/79.jpg)
![Page 80: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/80.jpg)
![Page 81: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/81.jpg)
Example with DoS issue
![Page 82: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/82.jpg)
TDD
![Page 83: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/83.jpg)
• For TDD to be productive you need
  – real-time unit test execution (when hands lift from the keyboard)
  – real-time code coverage
• TDD focus needs to be on
  – making developers more productive
  – preventing developers from switching context
• If 99% code coverage doesn't happen 'by default', the TDD workflow is not working
TDD
![Page 84: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/84.jpg)
TDD in WebStorm with WallabyJS
![Page 85: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/85.jpg)
What happens when you increase attack surface
![Page 86: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/86.jpg)
You want a test to fail
![Page 87: Using jira to manage risks v1.0 - owasp app sec eu - june 2016](https://reader034.fdocuments.us/reader034/viewer/2022051502/58f9b330760da3da068bd35f/html5/thumbnails/87.jpg)
TDD in WebStorm with WallabyJS
• … but that is a topic for another talk :)