Putting system owners in Security Bug Jail

Some organization have this interesting concept of a bug jail to prevent new feature development when there are too many existing flaws in the system.

For instance, if an engineer has 5 or more bugs assigned they aren’t allowed to work on anything else but fixing their bugs.

What is the Security Bug Jail?

A security bug jail goes along the same lines. The owner of a system can never have more than a certain upper limit of active security bugs.

Let’s say your organization agrees on setting the security bug jail at 3. This means that no new features will be worked on until the count of security vulnerabilities for the system is below 3.

Bug jail

Introducing a security bug jail can help to ensure that there is no run-away aggregation of security debt over time.

As always, feel free to follow or DM me on Twitter: @wunderwuzzi23

Reference