The workflow I use is very simple, actually, because it needs to be adapted to different teams with different SDLC models in different countries; it’s more generic, I would say.
Fixing: The issue is assigned to someone working on fixing it (link to the issue in their own Agile board). If they challenge the issue and the risk is accepted, the issue is sent to Done using Risk Accepted or Not an issue as the resolution.
Testing: When security tests the issue as part of the QA process.
Deploying: Security accepts or rejects the fix, sending it back to Fixing or providing approval and moving it to the Deploying queue.
Acceptance: The dev team moves the issue to Acceptance when it’s ready on UAT for final tests.
Done: Security will send the issue back to Fixing if something went wrong; otherwise they will provide sign-off by moving it to Done using the resolution Fixed.
I use Jira dashboards, but also some custom macro-based metrics based on Jira exports.
I do really like your workflow; however, in my experience dev teams start getting hesitant to follow your process when more clicks from their end are needed.
By the way, false positives are not included in my workflow because we should never have an FP included in a list of issues; everything should be validated before including it as an issue. If I have to add it, I think that will be as a resolution type.
From @mario-robles’ thread on the owasp-leaders thread
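As an added example (not part of the thread, and not code from @mario-robles or OWASP), here is a small Python check that replays transition records from a Jira-style export against the stages described above: it flags moves made by the wrong party or a Done without an allowed resolution, and computes hours spent per stage, the kind of macro-based metric the thread mentions. The column layout, the actor labels "dev" and "security", and the sample rows are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Stage transitions from the thread, keyed by who is allowed to perform them.
# Dev teams move issues forward or accept risk; Security gates Deploying and Done.
ALLOWED = {
    ("Fixing", "Testing"): "dev",
    ("Fixing", "Done"): "dev",             # only with Risk Accepted / Not an issue
    ("Testing", "Fixing"): "security",     # fix rejected
    ("Testing", "Deploying"): "security",  # fix approved
    ("Deploying", "Acceptance"): "dev",    # ready on UAT
    ("Acceptance", "Fixing"): "security",  # something went wrong on UAT
    ("Acceptance", "Done"): "security",    # sign-off
}
# Which resolutions are valid on Done depends on the stage it came from.
DONE_RESOLUTIONS = {"Fixing": {"Risk Accepted", "Not an issue"}, "Acceptance": {"Fixed"}}

def check_export(rows):
    """rows: (issue, actor, from_state, to_state, resolution_or_None, ISO timestamp),
    an assumed export layout. Returns (violations, hours_in_state, done_by_resolution).
    Time in a state is counted from the first recorded transition into it."""
    violations, hours, done, entered = [], defaultdict(lambda: defaultdict(float)), defaultdict(int), {}
    for issue, actor, src, dst, res, ts in rows:
        t = datetime.fromisoformat(ts)
        if ALLOWED.get((src, dst)) != actor:
            violations.append(f"{issue}: {actor} may not move {src} -> {dst}")
        if dst == "Done":
            allowed_res = DONE_RESOLUTIONS.get(src, set())
            if res in allowed_res:
                done[res] += 1
            else:
                violations.append(f"{issue}: {src} -> Done needs one of {sorted(allowed_res)}, got {res}")
        elif res is not None:
            violations.append(f"{issue}: resolution {res!r} set outside Done")
        if issue in entered:  # close out the previous state for this issue
            prev_state, prev_t = entered[issue]
            hours[issue][prev_state] += (t - prev_t).total_seconds() / 3600
        entered[issue] = (dst, t)
    return violations, hours, done

SAMPLE = [  # constructed rows, not real export data
    ("SEC-1", "dev", "Fixing", "Testing", None, "2024-03-01T09:00"),
    ("SEC-1", "security", "Testing", "Deploying", None, "2024-03-02T09:00"),
    ("SEC-1", "dev", "Deploying", "Acceptance", None, "2024-03-03T09:00"),
    ("SEC-1", "security", "Acceptance", "Done", "Fixed", "2024-03-03T15:00"),
    ("SEC-2", "dev", "Fixing", "Done", "Risk Accepted", "2024-03-01T10:00"),
    ("SEC-3", "dev", "Testing", "Deploying", None, "2024-03-01T11:00"),          # dev bypassing Security
    ("SEC-4", "security", "Acceptance", "Done", "Not an issue", "2024-03-01T12:00"),  # wrong resolution
]

if __name__ == "__main__":
    v, h, d = check_export(SAMPLE)
    print("\n".join(v)); print(dict(h["SEC-1"])); print(dict(d))
```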