- Overview
- Navigating to Azure Boards Integration
- Authorizing Crowdcontrol to Access Azure Boards
- Configuring Azure Boards Work Item
- Mapping Fields Between Crowdcontrol and Azure Boards
- Mapping Crowdcontrol Submission fields to Azure Boards work item fields
- Removing Field Mapping
- Enabling Integration
- Pushing Crowdcontrol Submissions to Azure Boards
- Manually Pushing Crowdcontrol Submission Upstream to Azure Boards
- Automatically Pushing Crowdcontrol Submission to Azure Boards
- Configuring Bi-directional Azure Boards Integration
Overview
Bugcrowd integration with Azure Boards provides the ability to easily and efficiently integrate vulnerabilities found within your security program in Crowdcontrol into Azure Boards.
Bugcrowd’s bi-directional Azure Boards integration provides the following functionalities:
- When the submission status changes from Triaged to Unresolved state, the Azure Boards work item is automatically generated and all the vulnerability details are synchronized from Crowdcontrol to Azure Work item.
- When a vulnerability is fixed and the developer moves the Azure Boards work item to a Done state, the associated submission is automatically closed (moved to a Resolved state) in Crowdcontrol.
- All activities (comments, priority changes, and other activities) on a single submission in Crowdcontrol are automatically updated in the associated Azure Boards work item.
- Azure Boards work item fields can be mapped to Crowdcontrol submission fields using the custom field mapping settings.
- When you set up the integration between Crowdcontrol and Azure Boards, you can choose the security programs that you want to integrate with Azure Boards.
To set up Azure Boards integration with Crowdcontrol, you must have the Program Admin or Org Owner role in Bugcrowd and administrator access to Azure Boards.
Navigating to Azure Boards Integration
- Go to Settings and click the Integrations tab.
- In Azure Boards, click Add integration. The Azure Boards integrations page is displayed.
- Click on Add Azure Boards instance. The Configuration page is displayed.
Crowdcontrol supports integrating multiple Azure Boards project instances. Each integration instance is linked to a different Azure Boards project.
Authorizing Crowdcontrol to Access Azure Boards
To manage issues within Azure Boards, Crowdcontrol must have access to your Azure Boards instance. Currently, Bugcrowd provides Personal Access Token (PAT) based authentication for Azure Boards. Authentication will be extended to support an additional type, Microsoft Entra ID OAuth, in the future.
To authorize Crowdcontrol to access your Azure Boards instance, specify the following information on the Configuration page:
- Display name: Name for the integration.
- Organization: Name of your Azure DevOps Organization. From your project URL https://dev.azure.com/org-name/project-name, enter ‘org-name’.
Azure DevOps uses either of the following URLs to access organizational resources:
- https://dev.azure.com/{organization} (new)
- https://{organization}.visualstudio.com (legacy)
The ‘org-name’ is the {organization} in the above URLs. For more information, please refer to Azure DevOps documentation.
- Personal Access Token (PAT): To create a Personal Access Token (PAT), follow the Azure DevOps instructions.
- Enter the PAT and click Authorize.
- Crowdcontrol will try to authorize and, if successful, will show Authorized.
- A typical reason for authorization failure is that the PAT was not generated for the organization specified in the Organization field above.
- Project configuration: Once authorized, it will show a list of projects the user has access to. Select the project that you want to use for this integration.
- Click on “Save & go to Work Items settings”
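Before pasting a PAT into the Configuration page, you can confirm that it authenticates against the intended organization and see which projects it exposes. The following is an added example, not Bugcrowd's code: it calls the Azure DevOps REST projects endpoint with the PAT as a Basic credential, and the function names are hypothetical.

```python
import base64
import json
import urllib.error
import urllib.request
from urllib.parse import quote, urlparse


def org_from_url(url):
    """Return the {organization} part of either Azure DevOps URL form."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if host == "dev.azure.com":              # new form: org is the first path segment
        segments = [s for s in parts.path.split("/") if s]
        if not segments:
            raise ValueError("no organization in URL path")
        return segments[0]
    if host.endswith(".visualstudio.com"):   # legacy form: org is the subdomain
        return host[: -len(".visualstudio.com")]
    raise ValueError(f"not an Azure DevOps URL: {url}")


def pat_header(pat):
    """Basic auth header for a PAT: empty user name, PAT as the password."""
    token = base64.b64encode(f":{pat}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def list_projects(org, pat, timeout=10):
    """Return project names visible to the PAT in org, or raise PermissionError."""
    url = f"https://dev.azure.com/{quote(org, safe='')}/_apis/projects?api-version=7.0"
    req = urllib.request.Request(url, headers=pat_header(pat))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body, status = resp.read(), resp.status
            ctype = resp.headers.get("Content-Type", "")
    except urllib.error.HTTPError as exc:
        raise PermissionError(f"PAT rejected for {org}: HTTP {exc.code}") from exc
    # A non-200 answer or a non-JSON body (such as a sign-in page) means the
    # PAT did not authenticate for this organization.
    if status != 200 or "json" not in ctype:
        raise PermissionError(f"PAT not accepted for {org}: HTTP {status}")
    return [p["name"] for p in json.loads(body)["value"]]


if __name__ == "__main__":
    import getpass
    import sys
    org = org_from_url(sys.argv[1])          # pass your project URL as the argument
    print(list_projects(org, getpass.getpass("PAT: ")))
```

The PAT is read with getpass so that it does not end up in shell history or process listings.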
Configuring Azure Boards Work Item
The next step in the configuration is to specify the parameters used when a work item is created.
- Work item type: Specify the type for newly created work items, such as Issue, Task, or any other custom type for the project.
- Include Public or Private comments: Specify if the work item should include any new comments made on the submission. Any new comments added in the submission will be updated in the corresponding work item.
- Include Attachments: Specify if all the attachments from the submission details and comments should be sent to the work item. Any new attachments added later are sent to the work item as well.
- Automatically create work item on specific submission state: Specify if a new work item should be created automatically when a submission changes to a specific state. For example, whenever a submission transitions from the Triaged state to the Unresolved state, a new work item can be created automatically. The state can be specified by selecting a value from the drop-down menu Submission state auto push.
If this checkbox is unchecked, the user must manually click the button in the submission each time a work item needs to be created.
Please note that, for automatic work item creation to function, a Saved Search that includes the submission must exist and must be mapped to the integration.
Mapping Fields Between Crowdcontrol and Azure Boards
You must map the fields between Crowdcontrol and Azure Boards so that when a submission is pushed from Crowdcontrol, the submission information is properly updated in Azure Boards. By default, the Title and Details fields in Crowdcontrol submission are mapped to Title and Description fields in the Azure Boards work item, respectively.
Azure Boards Markdown support: When Markdown fields from Crowdcontrol are pushed to Azure Boards, they are converted to the respective Markdown flavor so that they render appropriately.
You can map the following submission details to Azure Boards:
- Priority
- Reward Amount
- Reference Number
- ID
- Description
- Chosen VRT Category
- Bug URL
- Submission Target
- Submission Url
Crowdcontrol provides the following mapping types for mapping Crowdcontrol submission fields to your Azure Boards ticket fields:
- Apply a Bugcrowd submission attribute to a text field in Azure Boards
- Apply a Bugcrowd submission custom field to a text field in Azure Boards
- Apply a static string to a text field in Azure Boards
A field marked with an asterisk indicates it is a mandatory field that is required for creating work items in Azure Boards.
Mapping Crowdcontrol Submission fields to Azure Boards work item fields
To map the Crowdcontrol submission fields to Azure Boards work item fields, follow these steps:
- On the Azure Boards integrations page, click Field mapping on the left side.
- By default, the Title and Details fields in Crowdcontrol submission are mapped to Title and Description fields in the Azure Boards work item, respectively.
- To add additional mapping, click Add mapping. In the Add new field mapping modal, select the Crowdcontrol field that needs to be mapped. You can choose from the following Crowdcontrol fields:
- Amount
- Bug URL
- Priority
- Reference Number
- Researcher Username
- Substate
- Title
- Id
- CVSS String
- CVSS Score
- VRT Classification
- Description
- Extra Info
- Remediation Advice
- Vulnerability References
- Details
- Submission Url
- Crowdcontrol allows administrators to define custom submission fields at the program level. This means that you can add information specific to your organization on a per-submission basis. Custom fields are displayed as [Custom Field] (custom_field_name) in the field selection drop-down menu.
- In the Azure Boards field, select the Azure Boards field that you want to map. Bugcrowd uses Azure Boards API to fetch all the fields from the specified project.
- Specify an optional Default value to use if there is no value in the Crowdcontrol field during the sync. The default value for the field will be used to update the value in the Azure Boards field.
- In the Set field column, select any of the following options for configuring how often Crowdcontrol field must synchronize with Azure Boards field:
- On Every Update: Each time a submission field is updated in Bugcrowd, the updated information is pushed to Azure Boards. The corresponding Azure Boards field is overwritten and displays the changes.
- Once: The Bugcrowd submission field’s data is synchronized with the Azure Boards field when an Azure Boards ticket is created and remains fixed regardless of the updates made within that field in Crowdcontrol.
- Click Save to save the field mapping.
Removing Field Mapping
To remove a field mapping, click on the Delete icon right next to the mapping.
The Field mapping removed message is displayed and the mapped field is removed from the table.
Enabling Integration
After configuring the Azure Boards project and issue type, you must enable integration so that you can push the submission from Crowdcontrol to Azure Boards. By default, this option is disabled.
To enable this option, use the slider Enable Instance.
The Enable Instance option is available only after you have selected the Azure Boards project and completed the Work items configuration.
You can now push Bugcrowd submissions.
Pushing Crowdcontrol Submissions to Azure Boards
Bugcrowd Azure Boards integration supports creating an Azure Boards work item automatically when the submission state changes to Unresolved. This suits the majority of workflows because it is often undesirable for a submission to be pushed into Azure Boards unless it is a confirmed vulnerability.
In case you use a different vulnerability triage, software development, and issue resolution workflow, you can use the Push to Azure Boards functionality and manually push the submission into Azure Boards at any point in the workflow.
Manually Pushing Crowdcontrol Submission Upstream to Azure Boards
When you enable the Integration, the Push to Azure Boards link is available for each submission.
To manually push the submission to Azure Boards, click Push to Azure Boards. A new Work item is created in Azure Boards based on the configured Work item type.
If the submission was already pushed to Azure Boards, any data updated in the Crowdcontrol submission can be updated in the Azure Boards work item by clicking Update Azure Work Item.
Automatically Pushing Crowdcontrol Submission to Azure Boards
You can automatically push the submission from Crowdcontrol to Azure Boards when the submission’s state changes to Unresolved or Triaged in Crowdcontrol.
To enable this, on the Work item Configuration page, perform the following:
- Check the box Automatically create work item on specific submission state.
- In Submission State, select Unresolved, Resolved, Triaged, or Informational.
The Integration updated message is displayed and the setting is saved. Now whenever a submission changes state and reaches the state specified in the above check box, a work item is automatically created and the fields are synced, and the work item is linked to the submission.
Please note that for the Automatic creation of work items, a Saved search should be created in the Submissions page. The Saved searches can be viewed under the Program Settings, Saved Search menu on the left navigation screen.
Please make sure to link the Saved search to the correct integration, so that the submissions upon reaching a certain state are pushed to the correct Azure Boards project. For further information, please refer to documentation on linking Saved searches to integrations.
Configuring Bi-directional Azure Boards Integration
Bi-directional Azure Boards integration between Azure Boards and Crowdcontrol enables you to automatically track vulnerabilities from validation to remediation. It allows the following:
- When a submission is marked as Resolved in Crowdcontrol, the corresponding work item in Azure Boards is automatically updated to a pre-defined state.
- When a work item is marked as Done in Azure Boards, the submission is automatically marked as Resolved in Crowdcontrol.
Only valid substates will trigger the submission closure. For information about valid substates, see understanding substates.
To set up bi-directional Azure Boards integration:
On the Azure Work item configuration page, under the Closure section, perform the following steps:
- Define the status in Azure Boards that signifies a Work item as Closed.
- To update the linked Work item to the closed state when a submission is marked as Resolved, check the box Sync closure from Crowdcontrol into Azure Boards.
- To mark the linked Submission as Resolved when a work item is moved to the Closed state, click the slider Two way Azure Boards integration and check the box Sync Closure from Azure Boards into Crowdcontrol.
- Click Save.
- A Webhook URL is shown. Copy the Webhook URL and follow the directions specified in the Azure DevOps Webhook documentation.
Now a two-way integration is configured for automatically updating the states between the Crowdcontrol submission and Azure Boards work item.