Arnica has just released the world's best AppSec integration with issue management tools, Jira and Azure DevOps Boards, and developers are going to love it. Why? Because Arnica automates huge portions of the manual work to create, manage, understand, and close security tickets in Jira and ADO Boards.
Security issue management and ticket backlogs have long been a thorn in the side of both developers and security teams. Security teams are required to manage and attempt to prioritize tickets for issues that go unaddressed as the security ticket backlog grows ever larger. Developers must context switch to address outstanding security issues that they may not be best suited to fix.
When security tool workflows are bad, everything becomes a ticket in the backlog. When everything becomes a ticket, security issues pile up and go unaddressed. JupiterOne’s 2022 State of Cyber Assets Report suggests that the average security backlog contains over 120,000 findings.
When all or most security issues end up in the backlog, any effort by development teams to address them inherently requires some amount of context switching. Developers need to shift from their core product and feature work to investigating long-standing security issues that may have been introduced months or years ago by someone other than them.
When developers pick up a security ticket, too often the ticket does not contain the critical information to effectively and efficiently address the security issue at hand.
Arnica is thrilled to announce the release of two major issue management integrations – Jira and Azure DevOps Boards – with more on the way!
Arnica scans 100% of your code. So, when risks are found, tickets get opened, and when risks are mitigated in the right git branches, the tickets are automatically closed. Simple as that! This new approach relieves security from needing to create and manage tickets manually, and it reduces the number of tickets that need to be prioritized in planning meetings because they have been auto-closed with the full context of the fix logged in the ticket.
One way to keep the security ticket backlog down is to minimize the number of issues that require tickets in the first place. Arnica’s pipelineless security approach ensures that code is scanned on every code push. This helps developers and their security partners reduce the number of tickets created by giving developers every opportunity and resource – from code risk mitigation recommendation snippets to fixing secrets for you – to easily fix risks early.
Across Arnica customers, 91% of all risks detected are addressed in feature branches. No risk introduced. No ticket needed.
Sometimes risks do get introduced… that’s reality. Maybe the developer had to push a hotfix for a customer issue, or maybe they needed to get a feature across the line in time for the big launch. When the time comes to fix the risk, Arnica makes it as easy as possible by providing the severity, risk type, CVE, depth, recommended fix versions, and who is best suited to help fix the issue, all in the ticket.
Left: A timeline of an SCA risk that was detected in a feature branch; an issue was then created in Jira when the pull request was opened. When the code was fixed and merged into the default branch, Arnica automatically detected the fix and closed the issue in Jira.
Right: The Jira ticket with the context of the SCA risk. The ticket is in the “DONE” state because Arnica automatically closed it when the fix was merged into the default branch.
Developers should be focused on shipping features and improving the product, not digging through stale tickets and other developers’ code to figure out where an outdated third-party dependency and its corresponding vulnerability exist and how to fix them. Security teams should be armed with tools that prevent risks from reaching production in the first place, and with thoughtful automations that help reduce existing risks easily.
Now they can!
Check out Arnica’s issue management integrations and give it a try for yourself!
Enterprises today are faced with the need to harden their DevOps ecosystem to combat the proliferation of Software Supply Chain Attacks. These organizations are faced with the growing challenge of balancing development velocity, cost efficiency, and security.
Managing excessive developer permissions and identifying the corresponding anomalous behavior are two obstacles in the way of establishing this equilibrium. Arnica was established to overcome these obstacles by providing a seamless and frictionless active mitigation platform for exactly these issues and more. Arnica is the easy button for DevOps security.
Arnica analyzes excessive permissions, code risks and misconfigurations across the developer toolset and mitigates them.
press@arnica.io