Triage Issues
Triaging issues is a day-to-day routine. You know the drill: you get notified of an incoming issue, you take a look at it, understand what it's about and decide how to handle it.
You might assign it to the relevant person, ignore it because it's intentional, create a ticket in your favorite ticket management system (Jira, Monday, etc.) or, best of all, simply resolve it 👍
Another scenario is scanning a new asset and sifting through multiple findings.
SpectralOps strives to provide you with the best experience handling both of these scenarios. We make it easy to overview all your assets while focusing on the most important things. Let's take a look at how to work this out in SpectralOps:
Assets
The Assets page provides a way to overview, filter and sort your assets. You'll find some high-level info about what's important in each asset. Drill down into an asset to review its issues.
Asset page
The Asset page provides details about a single asset. You'll find the asset's issues grouped into relevant tabs.
The Sprawl tab allows you to explore secrets that appear in multiple locations across your assets and infrastructure.
A closer look at issues
Detectors & Playbooks
An issue's detector represents a concrete problem in your asset. For example, CLD001 (this is the detector ID; hover over the description to see it) is a detector from the cloud detector category and means that you have a Visible AWS Key.
Most of the detectors have a playbook to give you more details and help you remediate. Clicking on the detector name will take you to its playbook.
We also include links to the relevant CWE entries and other articles so that your developers are well educated and have a good understanding of the issue and how to resolve it.
For quick info you can check out the "show more info" section.
Severity
Prioritizing application security issues is one of the most challenging tasks. We try to simplify it by providing a few different severities to help you prioritize issues.
- Critical: An asset is compromised. An action is required immediately.
- High: May lead to a potential risk. An action is required immediately.
- Medium: A potential security risk exists. An action is required within a reasonable time period.
- Low: There is no security or infrastructure risk. It is advised to take an action, as per best practices.
- Informational: There is no security or infrastructure risk. Administrator awareness is advised.
You can change any detector's severity. This will affect all the issues with the same detector type across all assets.
Content
Spectral automatically classifies issues based on their context so you can be more productive and focus on the issues that create the most significant risk.
SpectralOps will classify each of the findings as one of: code/infra, examples, docs or tests.
Code/infra is the most common kind of asset engineers produce and has the highest probability of becoming a significant threat.
Tests are part of the project and may contain real keys, but in our experience they should have lower priority.
While examples/docs/tests have lower priority, we have seen human mistakes put real secrets into those assets too, so you should validate them before ignoring them.
Validity
For secrets issues, SpectralOps can test the validity of the keys that were found. A live key or token is labeled as valid, and should be prioritized.
NOTE: validation is also performed on ignored keys.
Jump into action
OK, so what can we do with issues? Several courses of action:
Ignore
An Ignored Issue is an issue you and your team decided not to invest efforts in fixing. Spectral provides three options for ignoring an issue:
Won’t fix - this is a type of issue you and your team decided isn’t critical enough or something you don't mind leaking.
False positive - Spectral discovered an issue, but it's not a secret. Be sure to attach a comment explaining why it's a false positive; it helps us get better!
Snooze - put it on hold for a period of time.
In all the above cases, once an issue is ignored, you won’t get any notifications about it, and SpectralOps will filter those issues from view, unless you explicitly change the filtering to show ignored issues.
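To make the prioritization rules from the Severity, Content, Validity and Ignore sections concrete, here is an added example (not SpectralOps code) that orders a set of findings the way a triage queue would: live (valid) secrets first, then by severity, then by content class, with ignored issues filtered out unless explicitly requested. It also surfaces ignored findings whose key still validates, which matters because validation keeps running on ignored keys. The findings, the ranking among examples/docs/tests, and the detector IDs other than CLD001 are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Severity levels in the order the page lists them (Critical handled first).
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Informational"]
SEVERITY_RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}

# Content classes from the page. code/infra carries the highest risk; tests,
# examples and docs are lower priority. The exact ranking among the lower
# three is an assumption made for this example.
CONTENT_RANK = {"code/infra": 0, "tests": 1, "examples": 2, "docs": 2}


@dataclass
class Finding:
    detector: str          # detector ID, e.g. CLD001 (Visible AWS Key)
    description: str
    severity: str          # one of SEVERITY_ORDER
    content: str           # one of CONTENT_RANK
    valid: Optional[bool]  # True = live key, False = dead, None = not validated
    ignored: bool          # Won't fix / False positive / Snoozed
    path: str


def triage_key(f: Finding):
    """Sort key: live secrets first, then by severity, then by content class."""
    return (0 if f.valid else 1, SEVERITY_RANK[f.severity], CONTENT_RANK[f.content])


def triage_queue(findings: List[Finding], show_ignored: bool = False) -> List[Finding]:
    """Ignored issues are filtered out unless explicitly requested, as in the UI."""
    visible = [f for f in findings if show_ignored or not f.ignored]
    return sorted(visible, key=triage_key)


def ignored_but_live(findings: List[Finding]) -> List[Finding]:
    """Ignored findings whose secret still validates: worth a second look,
    since validation keeps running on ignored keys."""
    return [f for f in findings if f.ignored and f.valid is True]


def needs_validation_before_ignore(f: Finding) -> bool:
    """Lower-priority content (examples/docs/tests) should not be ignored
    until validity has been checked and the key is known to be dead."""
    return f.content != "code/infra" and f.valid is not False


# Constructed sample findings (not real scan output); EXAMPLE-* detector IDs are placeholders.
SAMPLE = [
    Finding("CLD001", "Visible AWS Key", "Critical", "code/infra", True, False, "src/config.py"),
    Finding("CLD001", "Visible AWS Key", "Critical", "tests", False, False, "tests/fixtures/creds.py"),
    Finding("EXAMPLE-001", "Hypothetical detector", "High", "docs", None, False, "docs/setup.md"),
    Finding("CLD001", "Visible AWS Key", "Critical", "code/infra", True, True, "legacy/app.cfg"),
    Finding("EXAMPLE-002", "Hypothetical detector", "Medium", "code/infra", None, False, "app/settings.yaml"),
]

if __name__ == "__main__":
    for f in triage_queue(SAMPLE):
        print(f.severity, f.content, "live" if f.valid else "dead/unvalidated", f.path)
    for f in ignored_but_live(SAMPLE):
        print("ignored but still live:", f.path)
```

Running the block prints the live Critical code/infra key first and the dead test-fixture key after it, and flags `legacy/app.cfg` as a snoozed issue whose key is still live. The `needs_validation_before_ignore` check encodes the page's advice that examples/docs/tests should be validated before they are ignored.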
Resolve
If an issue has been handled in the code and you want to mark it as done - you can resolve it. If the same issue is found again - it will be marked as a regression.
Note that if you rescan the asset and an existing active issue isn't found there - it will be auto-resolved by Spectral.
Assign
You can assign an issue to a teammate. They will be notified that they have an issue to handle. You can filter issues to see the issues assigned to any teammate.
External change management
You can create a ticket for any issue that was discovered by SpectralOps in Jira or Monday.
After setting up your integration, select the issue and click the "Assign" button.
Select the Jira project in which you would like to open an issue, add a summary of the problem and edit the description.
Once you create a Jira issue, a "Jira" label will be assigned to the Spectral issue so you can track the progress in Jira.
Export
Export the issue so you can share it with other people or create reports. You have two options for exporting the data: PDF or CSV.
Exported report fields:
- Assets: asset details/location
- Team: the team that owns the asset
- Branch: the branch in which the item was discovered
- Asset type/Path: asset type and its location (mainly for code)
- Detector: the detector ID of the issue
- Description: the detector description
- Content: classification of the asset
- Is Ignored: whether the item is ignored
- Severity: the severity of the issue