After getting an overview of your security posture, let's start creating tickets for your team to fix vulnerabilities.
Now that you've identified vulnerabilities through Autobahn Fit scans, by importing issues from third-party tools, or a combination of both, it's time to tackle them and improve your security posture! Here's how:
- Organize with tags: Use tags to categorize your assets and, if needed, issues. This simplifies managing your Workouts by allowing you to filter and prioritize tasks based on tags. It will also make it easier to create custom dashboards and analyze your data.
- Send Workouts to Jira: If you have tagged your assets and issues properly, sending them to Jira will be a breeze - you will be able to select which assets to send, and to whom.
This guide assumes that you will drive remediation through Jira. If you would rather use the platform directly, please refer to this guide for advice instead.
1. Integrate with Jira
Integrate Autobahn Fit with Jira to automatically create tickets and tasks directly from Autobahn Fit. This will help you efficiently manage and address vulnerabilities identified during scans.
To learn how to do it, refer to this article.
2. Manage your assets
Tagging your assets helps you manage them more efficiently. Once your assets are tagged, you will be able to filter your Workouts more easily, create custom dashboards, and select which assets to send to Jira. There are different tags you can use, for example:
- Location
- Team
- OS
- Network
What matters is that you use a tag (or multiple tags) that helps you in the long run. You can also start with one type of tag and expand it afterwards.
You can tag your assets from the Asset detail page or in bulk from the Assets page.
If you are using integrations from third-party tools, your tags will be carried over.
3. Review your issues
If you don't typically have asset owners in your organization - although we recommend having owners for assets because what gets owned, gets done - you can also tag and assign issues.
When you assign an issue instead of an asset, the user is assigned only to that specific issue on that specific asset, and can see the Workout only for them.
Refer to this article to learn how to assign and tag issues.
What we often see is people assigning issues of a specific type (for example, all issues related to web browsers) to a specific team. In this case, we would recommend assigning but also tagging them - since that will make it easier to filter your Workouts.
4. Remediate with Workouts
Cyber Fitness Workouts are step-by-step guides which remediate the root cause of vulnerabilities, thereby closing multiple issues in one go. You can either access them from your Dashboard, or from the Workouts page.
In both the Dashboard and Workouts page, Workouts are sorted by the impact they have on your security posture (as measured by the Hackability reduction). They will also be labelled by the Effort it takes to do them.
You can read more about the Workouts page in this article.
Clicking on a Workout opens a page with:
- a short description of the Workout (Warmup)
- a list of the assets this Workout targets (Setup)
- step-by-step instructions (Workout)
Tagging your issues and assets comes in handy when managing Workouts: you can filter your Workouts page based on tags, as well as the Setup tab, and it will allow you to select which assets to send to Jira.
You can send a Workout to Jira from the Workout list or the Workout detail page, by clicking on Send to Jira. You will be able to send either all assets, or only a selection of them. The fields displayed when creating a ticket follow the fields selected in your Jira projects.
The Workout PDF will be attached to the ticket. If you’ve customized the asset selection, only the selected assets will be included in the PDF file.
Since you are sending this Workout to Jira, go into Jira once you have sent it and assign the relevant personnel to work on this Cyber Fitness Workout.
After finishing a Workout, there are two ways to label an issue as remediated:
- By labeling the issue from the Individual issues page
- By running a re-scan. If the asset and port are still reachable but the issue isn't found, it will automatically be labelled as Remediated by the platform.
5. Next steps
By now you should have:
✔️ Run at least one scan
✔️ Reviewed the results in your dashboard
✔️ Created a custom dashboard
✔️ Set up the integration with Jira
✔️ Sent a Workout to Jira to be picked up by the team
So what comes next? Repeating the steps again. It's important to run scans regularly to a) make sure that your issues are being properly remediated, and b) keep an eye out for new issues.
Some tips and tricks
- Create custom dashboards for the different teams - this way you can track remediation for each of them and see which one might need extra support
- Make use of the Risk accepted button. Not all issues are fixable, at least not without an unreasonable investment. If you can't fix something but are aware that it's there, make sure to quarantine your asset, report it, and then label the finding as Risk Accepted (learn how to apply our Double Control Principle to make sure someone always needs to accept risks).