Atlassian announced today it has allied with Snyk, Mend, Lacework, Stackhawk and JFrog to make it simpler to aggregate vulnerability data within the Jira project management software that many organizations rely on to manage application development and deployment efforts.
Andrew Pankevicius, a senior product manager for Atlassian, said the collaborations will make it easier to prioritize a list of vulnerabilities that need to be addressed and for DevOps teams to automatically assign that work to a continuous integration/continuous delivery (CI/CD) pipeline. Atlassian provides those third-party integrations via an Open DevOps initiative.
These capabilities, accessible via the Security Tab in Jira, will make it simpler for DevOps teams to manage output from the multiple application security tools that have become part of a larger DevSecOps workflow, noted Pankevicius.
These additions to the Atlassian portfolio arrive at a time of heightened focus on securing software supply chains in the wake of a series of high-profile breaches. Those breaches have prompted a wave of legislative proposals in the U.S. and Europe that will soon require organizations to adopt DevOps best practices to address the increased liability that could stem from an application breach.
For example, a proposed Cyber Resilience Act being negotiated by the member states of the European Union seeks to require organizations that sell internet-connected hardware platforms to ensure that their devices—and the software that runs on them—comply with cybersecurity best practices.
In the U.S., meanwhile, a National Cybersecurity Strategy proposal put forward by the Biden administration seeks to hold organizations that collect data or build software more accountable for breaches.
While neither proposal is close to becoming the law of the land, both are indicative of changing attitudes. Governments around the world are concluding that the only way to ensure better cybersecurity is to require it, and the recommendations that government agencies have issued so far are soon going to give way to actual mandates. As such, DevOps teams would be well-advised to get ahead of this sea change by implementing the tools and processes that will inevitably be required. As a result, many organizations are now embracing DevSecOps best practices that shift more responsibility for application security further left toward developers.
The challenge is finding the right set of cybersecurity tools that surface vulnerabilities as code is being developed to make sure context isn’t lost, said Pankevicius. Historically, cybersecurity teams have discovered vulnerabilities long after an application has been deployed in a production environment. By then, however, most developers have moved on to other projects, so remembering how a specific piece of code was developed and by whom can be a significant challenge, he noted.
There’s no doubt that when it comes to application security, a lot of progress has been made, but there is still much work to be done. The issue now is finding the best way to organize those efforts at a time when more applications are being simultaneously developed within organizations than ever.