
The OWASP Risk Rating Methodology is a commonly used approach for estimating the severity of security risks. In this model, security risks are assigned ratings (ranging from 0 to 9) for 16 individual risk factors. Calculations are then made to determine the relative Likelihood and Impact of threats to a business. 

We recently helped a client implement this model in Jira with the help of Abacus—the Jira Calculator. Here's how it worked:

Working in Jira

The first step in the process was to create 16 Custom Fields in Jira corresponding to the 16 Risk Factors used in the OWASP methodology. The Risk Factors are divided into subgroups, including:

  • Factors for Estimating Likelihood:
    • 4 Threat Agent Factors
    • 4 Vulnerability Factors
  • Factors for Estimating Impact:
    • 4 Technical Impact Factors
    • 4 Business Impact Factors

For our client's Risk Issue Type in Jira, we configured 4 tabs on the Create Issue Screen to correspond to each of the four subgroups (Threat Agent, Vulnerability, Threat Impact, and Business Impact). On each of these tabs, the related factors were listed with dropdown menus ranging from 0 to 9 for assigning the relative risk rating of each factor.

A fifth tab was created to display the average Risk Ratings (0 to 9) and corresponding Impact Levels (Low, Medium, High) for the subgroups. 


Working in Abacus

In order to create the calculations for average Risk Ratings for the subgroups and assign the corresponding Impact Levels, we used Abacus, an app specifically designed to create calculations in Jira. 

Using Abacus, we applied the Average function to create formulas for the following subgroups:

  • Overall Likelihood formula averages the 4 Threat Agent Factors and the 4 Vulnerability Factors
  • Overall Technical Impact formula averages the 4 Technical Impact Factors
  • Overall Business Impact formula averages the 4 Business Impact Factors

Next, an Execution Plan named "Severity" was created to determine when and how the formulas would run. The Issue Events "Issue Created" and "Issue Updated" were selected to trigger the formulas; now whenever an issue is created or updated, the formulas will run automatically. 

Then, Execution Groups were used to display the Impact Levels for each of the average Risk Ratings. Using IF and ELSE IF statements along with JQL, we were able to Edit Issue Fields with the corresponding Impact Level. 
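To make the averaging and level-assignment logic concrete, here is an added Python example that is not the client's Jira configuration or Abacus code. It reproduces the three averages described above (Likelihood over the 8 Threat Agent and Vulnerability factors, Technical Impact over 4, Business Impact over 4), applies the IF / ELSE IF mapping to Low, Medium and High, and goes one step beyond the page by combining Likelihood and Business Impact into an overall severity using the OWASP Risk Rating Methodology's published matrix. The dictionary keys are assumed field names, the Low/Medium/High thresholds are the OWASP methodology's (under 3 Low, 3 to under 6 Medium, 6 and above High), and the sample ratings are constructed for illustration.

```python
"""Added example (not from the page or the client's Jira/Abacus setup):
OWASP Risk Rating averages and Low/Medium/High mapping."""

# The 16 OWASP risk factors in the four subgroups the page lists.
# Factor names follow the OWASP Risk Rating Methodology; the snake_case keys
# are assumed field names, not the client's actual Jira custom field names.
THREAT_AGENT = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit",
                 "awareness", "intrusion_detection")
TECHNICAL_IMPACT = ("loss_of_confidentiality", "loss_of_integrity",
                    "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT = ("financial_damage", "reputation_damage",
                   "non_compliance", "privacy_violation")
ALL_FACTORS = THREAT_AGENT + VULNERABILITY + TECHNICAL_IMPACT + BUSINESS_IMPACT

# OWASP's overall severity matrix, indexed [impact_level][likelihood_level].
# This is the methodology's matrix; the page itself stops at the three averages.
SEVERITY_MATRIX = {
    "High":   {"Low": "Medium", "Medium": "High",   "High": "Critical"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "Low":    {"Low": "Note",   "Medium": "Low",    "High": "Medium"},
}


def validate(ratings):
    """Reject a record that is missing a factor or carries a rating outside 0..9.

    In Jira the dropdowns enforce this; a script consuming exported issues should
    re-check rather than silently average a blank field as zero."""
    missing = [name for name in ALL_FACTORS if name not in ratings]
    if missing:
        raise ValueError(f"missing risk factors: {missing}")
    for name in ALL_FACTORS:
        value = ratings[name]
        if not isinstance(value, int) or isinstance(value, bool) or not 0 <= value <= 9:
            raise ValueError(f"{name}: rating must be an integer 0..9, got {value!r}")


def average(ratings, names):
    """Plain arithmetic mean of the named factors (Abacus's Average function)."""
    return sum(ratings[name] for name in names) / len(names)


def level(score):
    """IF / ELSE IF mapping of a 0..9 average to an OWASP level."""
    if score < 3:
        return "Low"
    elif score < 6:
        return "Medium"
    return "High"


def rate(ratings):
    """Compute the three subgroup averages, their levels, and overall severity.

    OWASP uses Business Impact in preference to Technical Impact for the overall
    severity when business impact has been estimated, which is what is done here."""
    validate(ratings)
    likelihood = average(ratings, THREAT_AGENT + VULNERABILITY)
    technical = average(ratings, TECHNICAL_IMPACT)
    business = average(ratings, BUSINESS_IMPACT)
    likelihood_level = level(likelihood)
    business_level = level(business)
    return {
        "likelihood": likelihood,
        "likelihood_level": likelihood_level,
        "technical_impact": technical,
        "technical_impact_level": level(technical),
        "business_impact": business,
        "business_impact_level": business_level,
        "overall_severity": SEVERITY_MATRIX[business_level][likelihood_level],
    }


# Constructed sample issue: a moderately likely finding with low business impact.
SAMPLE_ISSUE = {
    "skill_level": 6, "motive": 4, "opportunity": 7, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 6, "intrusion_detection": 3,
    "loss_of_confidentiality": 6, "loss_of_integrity": 7,
    "loss_of_availability": 5, "loss_of_accountability": 2,
    "financial_damage": 1, "reputation_damage": 2, "non_compliance": 2, "privacy_violation": 3,
}

if __name__ == "__main__":
    for key, value in rate(SAMPLE_ISSUE).items():
        print(f"{key:24} {value}")
```

The `validate` step is the part a Jira export script most often skips: an empty custom field exported as blank must not be averaged as 0, because that quietly lowers a Likelihood or Impact score and can move an issue from High to Medium.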

Conclusion

Using Abacus and Jira together helped our client monitor the Likelihood, Technical Impact, and Business Impact of issues facing their company. Is it time to solve your Jira?
