Integrating JIRA to the Qualys Cloud Platform

This is the second in a blog series on integrations to the Qualys Cloud Platform. This post looks at the requirements for building a successful integration and at workarounds when some of the pieces are missing functionality. We then specifically consider the question of integrating Qualys with Jira.

ETL is the design pattern that is utilized for most software vendor integrations. ETL stands for Extract, where we retrieve the data from the data store, in this case the Qualys Cloud Platform; Transform, where we change it in some way, usually to make API calls against another system with Qualys data; and Load, where we load it into the target system, again with API calls. In the pre-internet days, the 1990s and before, there were many different ways to accomplish this, one of the better known being Electronic Data Interchange (EDI).

More information on ETL

Integration Model 1 – App to App ETL

The first kind of integration model that works is the application-to-application model. We utilize this method in many of our Qualys-built integrations today, including but not limited to Splunk, ServiceNow, QRadar, Jenkins, and others. The major requirements for this type of integration are connectivity between the two endpoints and compute resources to handle the transform.

Integration Model 2 – Midpoint ETL 

The second integration model is with a midpoint / integration server acting as a central repository for all stages of the ETL process. This is useful when the endpoints do not provide the needed compute resources.

This model is used for many integrations where Integration Model 1 is not usable, or where you want to integrate many systems. The integration server here can be whatever your engineering team decides. For example, the server could be Windows running PowerShell or, much more commonly, Linux running just about any language. It could also run in a cloud provider. This server provides the necessary compute resources when they are not available on the endpoints.

We at Qualys are often asked to consider building an integration for a specific customer’s use case. When considering the request, we ask a number of questions:

  • Does the software to be integrated provide us with an integration point and compute resources to use? Examples of those that do are ServiceNow and Splunk.
  • Can the software reach the internet, and by extension, the Qualys Cloud Platform? Examples are other internet SaaS products like ServiceNow.
  • Does the software give us the ability to manipulate the data (the Transform stage of ETL)?
  • Can we build an integration that’s scalable and supportable?

If the answer to any of these questions is “no”, then it’s more difficult for us to build an integration.

JIRA Integration with Qualys VMDR

One integration that has been requested by customers for quite some time is to integrate Qualys VMDR with JIRA, a common tool that engineering teams use to build and modify software. JIRA is not really designed to be a large-scale trouble ticketing system, but many organizations use it for this purpose anyway. There is a JIRA Service Management tool available that is an extension to the JIRA application and issue tracking used by most organizations. As of this writing, this blog post applies to both use cases. In any case, Jira Service Management would be the better tool to integrate with.

The answers to the questions posed above in JIRA’s case are No, Yes, No, and No – at least at this time. Jira does not provide an integration point, compute resources, or data manipulation. So, the only way to build the integration would be using the integration server model, and currently Qualys doesn’t have a method to do so that is scalable and supportable.

However, many customers have successfully built this solution in-house. Here’s a white paper to help you get started. 
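As an added illustration of the integration server model (this is not Qualys code and is not taken from the white paper), the Python example below runs the Extract and Transform stages on a midpoint server: it flattens detection records and builds Jira issue-creation bodies, tagging each with a stable label so a repeated run can find the existing ticket instead of filing a duplicate. The XML element names, the sample data, the severity-to-priority mapping, the project key `VULN` and the `qualys-` label scheme are assumptions; the Load stage (sending each body to Jira's REST API) is left out so the block runs offline.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample data. Element names are assumed, loosely modelled on a
# host detection export; QIDs and hosts are made up.
SAMPLE_XML = """<HOST_LIST><HOST>
  <ID>101</ID><IP>10.0.0.5</IP><DNS>web01.example.test</DNS>
  <DETECTION_LIST>
    <DETECTION><QID>100001</QID><SEVERITY>4</SEVERITY><STATUS>Active</STATUS></DETECTION>
    <DETECTION><QID>100002</QID><SEVERITY>2</SEVERITY><STATUS>Active</STATUS></DETECTION>
    <DETECTION><QID>100003</QID><SEVERITY>5</SEVERITY><STATUS>Fixed</STATUS></DETECTION>
  </DETECTION_LIST>
</HOST></HOST_LIST>"""

# Assumed mapping from severity 1-5 to Jira's default priority names.
PRIORITY = {5: "Highest", 4: "High", 3: "Medium", 2: "Low", 1: "Lowest"}

def extract(xml_text):
    """Extract: yield one flat record per host/detection pair."""
    for host in ET.fromstring(xml_text).iter("HOST"):
        for det in host.iter("DETECTION"):
            yield {"host_id": host.findtext("ID"), "ip": host.findtext("IP"),
                   "dns": host.findtext("DNS") or "", "qid": det.findtext("QID"),
                   "severity": int(det.findtext("SEVERITY")),
                   "status": det.findtext("STATUS")}

def dedup_label(rec):
    """Stable per host+QID label so a re-run can find the existing ticket."""
    key = f"{rec['host_id']}:{rec['qid']}".encode()
    return "qualys-" + hashlib.sha256(key).hexdigest()[:16]

def transform(records, project_key, min_severity=3):
    """Transform: open detections at or above min_severity become issue bodies."""
    issues = []
    for rec in records:
        if rec["status"] == "Fixed" or rec["severity"] < min_severity:
            continue
        target = rec["dns"] or rec["ip"]
        issues.append({"fields": {
            "project": {"key": project_key},
            "issuetype": {"name": "Bug"},
            "summary": f"QID {rec['qid']} on {target} (severity {rec['severity']})",
            "description": f"Host ID {rec['host_id']}, IP {rec['ip']}, status {rec['status']}.",
            "priority": {"name": PRIORITY[rec["severity"]]},
            "labels": [dedup_label(rec)],
        }})
    return issues

if __name__ == "__main__":
    print(transform(extract(SAMPLE_XML), "VULN"))
```

Before the Load stage creates a ticket, it would search Jira for the label and update the matching issue if one exists.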

We also have a large network of partners who can build custom integrations. Visit our website to find a partner that will fit your needs.


This post was first published on the Qualys Security Blog website by Jeff Leggett.