Group-level Security Dashboard
Problem to solve
We have the Security Dashboard MVC (#6709) for a single project, but security teams normally want a wider view of security across multiple projects at the same time, for example all the projects in a specific group.
Implement the Security Dashboard as a group-level feature. It should present an overview of the security of the group as a sorted list of vulnerabilities. The list should have vulnerabilities as the primary entity, ordered by impact, not by project.
- the dashboard shows a list of vulnerabilities (not occurrences of vulnerabilities), grouping all the occurrences of the same vulnerability in all the projects of the group
- the list is sorted by impact; for now impact can simply be the severity of the vulnerability (in the future it could also take into account the number of projects affected, etc.)
- each entry shows the vulnerability's impact, its name, the total number of projects affected and the total number of occurrences
- each entry can be "expanded" (in-line, popup, etc) to show the list of all the occurrences for that specific vuln (project, file, line)
- each occurrence can be selected, opening the same popup window we already have in group-level reports (details, dismiss, create issue)
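The aggregation the list above describes, as an added illustration that is not GitLab's code: one row per occurrence (project, file, line) goes in, one entry per vulnerability comes out, sorted by impact, with the occurrence list kept for the "expanded" view. The sample occurrences, project names and the severity ranking are constructed for the example; keeping the impact ordering in a single function is what lets the view stay unchanged when the criteria are later extended, which the example shows by already using projects affected and occurrence count as tie-breakers after severity.

```ruby
# Added example, not GitLab's code: build the group-level vulnerability list
# from per-project scan occurrences.

# Lower rank means higher impact. The ranking is an assumption for this example.
SEVERITY_RANK = {
  'critical' => 0, 'high' => 1, 'medium' => 2, 'low' => 3, 'info' => 4, 'unknown' => 5
}.freeze

# Constructed sample data: one row per occurrence of a finding in a project.
SAMPLE_OCCURRENCES = [
  { project: 'group/api', name: 'SQL injection', severity: 'critical', file: 'app/models/user.rb', line: 12 },
  { project: 'group/web', name: 'SQL injection', severity: 'critical', file: 'app/controllers/search_controller.rb', line: 40 },
  { project: 'group/web', name: 'Cross-site scripting', severity: 'high', file: 'app/views/search/_results.html.erb', line: 7 },
  { project: 'group/api', name: 'Cross-site scripting', severity: 'medium', file: 'lib/render.rb', line: 3 },
  { project: 'group/cli', name: 'Hard-coded secret', severity: 'high', file: 'config/secrets.rb', line: 1 },
  { project: 'group/cli', name: 'Hard-coded secret', severity: 'high', file: 'lib/client.rb', line: 58 },
  { project: 'group/web', name: 'Insecure random generator', severity: 'low', file: 'lib/token.rb', line: 9 }
].freeze

def severity_rank(severity)
  SEVERITY_RANK.fetch(severity, SEVERITY_RANK['unknown'])
end

# Impact ordering lives in one place: severity first, then number of projects
# affected, then occurrence count, then name for a stable order. Changing the
# criteria here reorders the dashboard without touching aggregation or view.
def impact_key(entry)
  [severity_rank(entry[:severity]), -entry[:projects_affected], -entry[:occurrences], entry[:name]]
end

# Collapse occurrences into one entry per vulnerability. The example keys on
# the finding name; a real implementation would key on a stable identifier.
def aggregate_vulnerabilities(occurrences)
  occurrences.group_by { |o| o[:name] }.map do |name, occs|
    {
      name: name,
      # An entry carries the worst severity seen across all projects.
      severity: occs.map { |o| o[:severity] }.min_by { |s| severity_rank(s) },
      projects_affected: occs.map { |o| o[:project] }.uniq.size,
      occurrences: occs.size,
      # The "expanded" view: every occurrence with its project, file and line.
      details: occs.map { |o| o.slice(:project, :file, :line) }
    }
  end.sort_by { |entry| impact_key(entry) }
end

if __FILE__ == $PROGRAM_NAME
  aggregate_vulnerabilities(SAMPLE_OCCURRENCES).each do |e|
    puts format('%-8s %-26s projects=%d occurrences=%d',
                e[:severity], e[:name], e[:projects_affected], e[:occurrences])
    e[:details].each { |d| puts "    #{d[:project]} #{d[:file]}:#{d[:line]}" }
  end
end
```

Running the file prints the four entries in impact order (SQL injection, then cross-site scripting ahead of the hard-coded secret because it spans two projects rather than one, then the low-severity finding), each followed by its expanded occurrence list.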
With this dashboard, you get a summary of the security status of your entire group, but you can also easily drill down into the resolution of specific issues. When we later improve how impact is calculated, this view does not need to change: the list will be reordered by the new criteria automatically. Security people should be able to act on the report from the group-level view, in the same way they already do at project level.
What does success look like, and how can we measure that?
- Number of groups where the Security Dashboard is used
- Number of issues dismissed/addressed because of the actions in the dashboard