In this guide, you will learn how to use the Action Plan function in Kiuwan Code Security.
If you want to learn about Action Plans with Code Analysis, please visit the following page: Action Plans in Code Analysis
What is an Action Plan?
Once you have analyzed an application with Kiuwan, you will have a bunch of results.
Most likely, you will not decide to fix all the defects found, but a subset of them.
That subset of defects to be fixed will be decided based on very different considerations, from technical to economic reasons.
The most common reasons have to do with the technical impact of the defects and available effort to fix them.
Those defects, together with target dates and a responsible person, constitute an Action Plan.
Kiuwan helps you during this process:
- To decide which defects should be fixed based on your goals, and state a concrete plan
- To monitor the progress of the plan
Let’s go through those steps together.
Create an Action Plan
As said above, the Action Plan can be decided based on several factors, such as technical considerations and/or economic reasons.
To decide which defects to fix, Kiuwan lets you:
- Do it on your own (by manually selecting the defects to be fixed based on an inspection of defects found), or
- Build an action plan based on your goals and a simulation (What If) of different scenarios
Let’s suppose we have an application with the following results:
Just by seeing these results, it might be hard to decide where to start fixing vulnerabilities. Even if Kiuwan tells me how much effort I need to invest to reach a certain number of stars, how do I know what the biggest priority is? The answers to these questions depend on your business and technical needs.
Kiuwan creates an Action Plan with you, fully suited to your needs.
Select Action Plans from the menu.
Click the hamburger menu to see your options:
- New action plan = create a new action plan manually.
- What if = open a simulation tool and let Kiuwan help you detect those defects that will most contribute to fulfilling your goal
Manual creation of an Action Plan
From the hamburger menu, click New action plan to create a plan manually.
Here you can select the defects you are most interested in fixing, based on your business' needs.
For example, let’s suppose that you are very concerned about security and you want to make sure that OWASP-related defects are fixed. That’s your plan.
To do it, filter the defects list for the appropriate criteria (or any subset you consider).
Then,
- Select the defects you want to fix
- Click on Save This Action Plan.
A new window will appear.
You will see the number of defects contained in this action plan, the estimated effort required to fix them as well as the metrics before and after the fulfillment of the action plan.
It is mandatory to enter a name in the Name field in order to save the action plan.
Kiuwan-aided creation of an Action Plan (What If)
What if you want to improve your code but you don’t know where to start?
Well, the What if feature helps you generate an automatic action plan with a given quantity of available hours or a quality goal you want to achieve.
Rather than manually selecting the specific defects, Kiuwan finds those defects that should be fixed according to your needs.
The What if tool allows you to simulate as many scenarios as you want, letting you build an action plan based on two different strategies:
- Effort-based
- Rating-based
Effort-based
- Select Effort (hours)
- Enter how many hours you would like to invest
- Click Simulate
Your action plan will appear at the bottom of the page.
Click Save this action plan to save it.
Rating-based
In this approach, you can decide which rating you would like to achieve and Kiuwan will create an Action Plan based on this.
- Select Rating
- Select which rating you would like to achieve (in this example, 4-star)
- Click Simulate
Your action plan will again appear at the bottom of the page.
Click Save this action plan to save it.
Monitoring the execution progress of an Action Plan
Once you have saved the plan, you can view it at any time in the Action Plan dashboard.
For every Action Plan, Kiuwan provides the following information:
- Name of the plan
- Creation and Expiration Dates
- Starting analysis (where the Action Plan comes from)
- Number of defects (to fix to fulfill the plan)
- Estimate (effort needed to fix all the defects of the plan)
- Assignee (person responsible for fulfilling the plan)
- Progress (%)
- Pending Effort
Action Plan Progress (%) is calculated as the percentage of defects fixed in the last application analysis as compared to the defects when the action plan was created. Click Progress to see a detailed progress page.
Pending Effort is calculated as the effort to fix the remaining defects.
As the application is further analyzed, Kiuwan will update progress indicators for every plan.
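The definitions in this section (Progress (%) and Pending Effort), together with the manual selection by criterion and the effort-based What If strategy described earlier, as an added illustration in Python. This is constructed example code, not Kiuwan's implementation: the defect list is invented, and the selection order used when spending the hour budget (highest priority first, then least effort) is an assumption, since the page does not state how Kiuwan chooses defects in a simulation.

```python
"""Illustrative model of the Action Plan concepts on this page.

Constructed example, not Kiuwan code. The defects below are invented, and the
effort-based selection order (highest priority first, then cheapest to fix) is
an assumption; the page does not describe Kiuwan's What If selection logic.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Defect:
    defect_id: str
    priority: int            # 1 = highest priority
    effort_hours: float      # estimated effort to fix this defect
    tags: frozenset = field(default_factory=frozenset)


# Constructed sample results of a first analysis (IDs and values are made up).
ANALYSIS_1 = [
    Defect("D1", 1, 2.0, frozenset({"OWASP"})),
    Defect("D2", 2, 4.0, frozenset({"OWASP"})),
    Defect("D3", 1, 8.0, frozenset({"CWE"})),
    Defect("D4", 3, 1.0, frozenset({"OWASP"})),
    Defect("D5", 2, 3.0, frozenset()),
]


def manual_plan(defects, tag):
    """Manual creation: filter the defect list on a criterion (here a tag)
    and select every defect that matches, as in the OWASP example above."""
    return [d for d in defects if tag in d.tags]


def effort_based_plan(defects, hours):
    """What If, effort-based: fill the given hour budget with defects.
    ASSUMED strategy: highest priority first, then least effort; a defect
    that does not fit the remaining budget is skipped."""
    plan, remaining = [], hours
    for d in sorted(defects, key=lambda d: (d.priority, d.effort_hours)):
        if d.effort_hours <= remaining:
            plan.append(d)
            remaining -= d.effort_hours
    return plan


def plan_effort(plan):
    """Estimate shown for a plan: total effort of its defects."""
    return sum(d.effort_hours for d in plan)


def plan_progress(plan, latest_defect_ids):
    """Progress (%): share of the plan's defects that are no longer reported
    in the latest analysis, relative to the defects the plan had at creation.
    Pending Effort: effort of the plan's defects that are still reported."""
    pending = [d for d in plan if d.defect_id in latest_defect_ids]
    fixed = len(plan) - len(pending)
    progress = 100.0 * fixed / len(plan) if plan else 100.0
    return progress, plan_effort(pending)


if __name__ == "__main__":
    owasp = manual_plan(ANALYSIS_1, "OWASP")
    print("Manual OWASP plan:", [d.defect_id for d in owasp], plan_effort(owasp), "h")
    budget = effort_based_plan(ANALYSIS_1, 6.0)
    print("6h What If plan:", [d.defect_id for d in budget], plan_effort(budget), "h")
    # Constructed second analysis: D1 and D4 fixed, D2 still present.
    print("Progress / pending effort:", plan_progress(owasp, {"D2", "D3", "D5"}))
```

The `latest_defect_ids` argument stands for the set of defects reported by the most recent analysis, which is what the dashboard compares against the plan's original defect set each time the application is analyzed again.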
Detailed Progress of an Action Plan
Click Progress to see a detailed progress page.
Here, you will be able to see the Remediation Timeline, i.e. a temporal view of the execution progress of the plan.
By hovering the mouse over any point you will see details such as analysis date and fixed vs total defects.
Progression information will be presented for any analysis you choose (selecting the analysis in the selection list).
Scroll down to see the information presented in the form of pie charts:
The pie charts display information on Progress as well as Pending Defects (classified by Priority and Software characteristic).
Also, you will be presented with three tabs with a breakdown of the action plan’s defects:
- Pending defects
- Removed defects in the selected analysis
- Defects in the action plan
Export information from an Action Plan
For further information, please visit the following guide: Export an Action Plan