This guide will walk through some additional details of our Linear integration.
What are the benefits of the Linear integration?
Our updated Linear integration automates compliance checks and evidence collection for five requirement categories (which are presented as tests in Secureframe).
-
Vulnerability Tracking: Security vulnerabilities are tracked to resolution, as per applicable SLAs
- Example vulnerability sources: internal vulnerability scans, external vulnerability scans, ASV scans, penetration tests, bug bounty programs, inbound reporting, and vendor announcements
- Security Incident Tracking: Security incidents are tracked to resolution, as per applicable SLAs
-
System Change Tracking: Significant system changes are tracked to deployment, as per applicable SLAs
- Note: This is not required for HIPAA compliance
- Example system changes: general infrastructure changes, network & router changes, firewall changes
-
Access Tracking: System access changes are tracked to resolution, as per applicable SLAs
- Example access changes: access onboarding, access offboarding, permission modifications, and transfers
-
Nonconformity and Corrective Action Tracking: Nonconformities are tracked and resolved via corrective actions, as per applicable SLAs
- Note: Requirement is specific to ISO 27001
- Example access changes: access onboarding, access offboarding, permission modifications, and transfers
Feature 1: Issue Tracking
By defining your Linear issue label(s) within Secureframe on a per requirement basis, our integration pulls in all of your issues with matching label(s). This shows auditors that you properly track issues pertaining to these requirement categories.
Feature 2: Timely Issue Close Out
Additionally, for each label defined within Secureframe, you can specify an SLA (# in days) for that label. Secureframe flags issues that remain open longer than the specific SLA for that label. This shows auditors that you close out issues in a timely manner.
- Note: Most compliance frameworks require an SLA to be in place for medium, high, and critical vulnerabilities and for all security incident priorities. Nonconformities are specific to ISO 27001 and SLAs are required.
By taking advantage of these two features, you can avoid taking many screenshots that are traditionally required for audits. Our integration can prove that issues are tracked (labels) and closed out in a timely manner (SLAs).
What are Linear labels?
Within Linear, you can assign labels to issues. This is useful for categorizing issues. You can specify labels in use within Secureframe to pull in issues with the respective labels.
How do I enable the Linear functionality?
- Within "Monitoring," navigate to "Integrations" > "Linear - Settings"
- Edit or acknowledge the "Testing Start Date." This date defaults to the date that you connected Linear in Secureframe. It can be used to prevent issues prior to a certain date from being pulled into Secureframe.
- For each requirement category you wish to automate, specify one or more labels.
- For each label, you can specify data for additional fields - these fields are defined in Secureframe and do NOT pull from Linear.
-
SLA in days: You can assign an SLA to take advantage of Feature 2 mentioned above
- Note: Secureframe will display failing issues underneath tests when those issues exceed specified label-SLA pairs. Even when theses issues are closed, if it breached an SLA, the test will remain failing for your audit as it would count as an exception for sampling evidence. Reverting the ticket to passing after correcting it after it breached SLA would give false confidence going into audit. Please be mindful of this as an auditor could bring this up during your audit and ask for justification. If this particular ticket that has fallen out of SLA is a non-compliance item, you may choose to ignore the result.
- Priority: You can specify the priority of the label.
- Source/description: You can specify other details about the label. This field can be useful for giving auditors context on the label's purpose.
-
SLA in days: You can assign an SLA to take advantage of Feature 2 mentioned above
- If you do not specify a label for a requirement category, the equivalent test called out underneath the requirement category will remain an upload.
- For each label, you can specify data for additional fields - these fields are defined in Secureframe and do NOT pull from Linear.
- Example label setups/strategies for Vulnerability Tracking
Example 1: Tracking all medium+ vulnerabilities to resolution under a single label
Label name | SLA in days | Priority | Source/Description |
Vulnerability | 30 | Medium/ CVSS 4.0+, High, Critical |
Label for all medium+ vulnerability sources (internal, external, and ASV scans, penetration tests, bug bounty program) |
Example 2: Tracking all vulnerabilities to resolution under multiple labels, segmented by priority
Label name | SLA in days | Priority | Source/Description |
Vulnerability-low | 90 | Low | Label for all low severity vulnerabilities & sources |
Vulnerability-medium | 60 | Medium | Label for all medium severity vulnerabilities & sources |
Vulnerability-high | 45 | High | Label for all high severity vulnerabilities & sources |
Vulnerability-critical | 30 | Critical | Label for all critical severity vulnerabilities & sources |
Example 3: Tracking all vulnerabilities to resolution under multiple labels, segmented by source
Label name | SLA in days | Priority | Source/Description |
ASV Scan Results | 30 | Medium/ CVSS 4.0+, High, Critical |
Label for vulnerabilities pertaining to PCI DSS-mandated ASV scans |
Penetration Test Results | 30 | Medium/ CVSS 4.0+, High, Critical |
Label for vulnerabilities pertaining to penetration tests |
Internal Vulnerability Scan Results | 30 | Medium/ CVSS 4.0+, High, Critical |
Label for vulnerabilities pertaining to internal vulnerability scans |
External Vulnerability Scan Results | 30 | Medium/ CVSS 4.0+, High, Critical |
Label for vulnerabilities pertaining to external vulnerability scans |
Bug Bounty Program | 30 | Medium/ CVSS 4.0+, High, Critical |
Label for vulnerabilities pertaining to bug bounty programs |
What API permissions does this integration request?
We request the following permissions when you connect to Linear. No additional permissions are needed to opt into issue tracking.
Permissions, Fields Pulled, Controls, and Automated Tests
- Click the provided link or navigate to the “Integration” page.
- Select the “Available” tab.
- Search for the integration.
- Click “View Details”.
Comments
0 comments
Please sign in to leave a comment.