Bring Wiz Issues directly into Backstage, so developers can act on security issues in the tools they use everyday
# Best Practices: Integrating Security Findings into Developer Workflows (Wiz + Backstage)
## Overview
These practices focus on bridging the gap between security findings (vulnerabilities and issues generated by a cloud security platform like Wiz) and the daily workflow of application developers by leveraging a centralized developer portal like Spotify Backstage. The goal is to assign clear ownership, increase developer engagement with security remediation, and accelerate the time-to-fix.
## Key Recommendations
### Immediate Actions
1. **Enable Core Integration:** Install and configure the Wiz plugin within the Spotify Backstage portal to enable the display of security issues.
2. **Map Resources to Components:** Immediately begin mapping Wiz Projects (which define governance boundaries like business units or teams) to corresponding Backstage Components (services, applications, microservices) to establish clear security ownership.
3. **Display Severity at a Glance:** Ensure that the integration immediately surfaces vulnerability counts and severity levels directly alongside each Backstage component listing for rapid triage.
### Short-term Improvements (1-3 months)
1. **Implement Search Functionality:** Enable developers to search and filter reported security findings (Wiz Issues and Vulnerabilities) within Backstage by rule, resource ID, or CVE identifier for focused remediation efforts.
2. **Establish Contextual Linking:** Test and verify the "one-click-to-Wiz" functionality, ensuring that clicking a finding takes the developer directly into the Wiz platform with full context regarding the specific resource and remediation guidance.
3. **Surface Key Metadata:** Configure the plugin to display critical metadata such as the Issue/Vulnerability status and the date/time of first and last detection, to aid in prioritization (e.g., ignoring transient findings).
### Long-term Strategy (3+ months)
1. **Formalize Ownership Model:** Fully adopt the Wiz Service Catalog model, leveraging Wiz Projects and Services to create a consistent, horizontal/vertical view of asset ownership that aligns precisely with the structure defined in Backstage.
2. **Integrate Remediation Guidance:** Embed remediation status tracking directly into the developer workflow via Backstage, making security findings actionable steps within the standard development process, rather than external ticket dependencies.
3. **Measure Developer Security Engagement:** Track metrics such as the average time taken to investigate and address findings originating from Backstage versus those delivered through traditional channels (e.g., ticketing systems) to validate the effectiveness of the integration.
## Implementation Guidance
### For Small Organizations
- **Focus on Direct Ownership:** Prioritize mapping your core, high-risk applications in Backstage to the corresponding Wiz Projects immediately, as ownership is often flatter and easier to define initially.
- **Manual Verification:** Since resources may be limited, rely heavily on the direct inspection of vulnerability counts and severity within Backstage before escalating to the full Wiz platform for deeper analysis.
### For Medium Organizations
- **Standardize Naming/Tagging:** Use the integration as an opportunity to enforce standardized tagging or naming conventions in both Wiz Projects and Backstage Components to ensure reliable, automated mapping across broader asset inventories.
- **Team-Level Dashboards:** Encourage team leads to use the Backstage component view as their primary dashboard for weekly security prioritization meetings, leveraging the aggregated risk view.
### For Large Enterprises
- **Scale Mapping Automation:** Develop scalable, automated processes to define and maintain the complex relationships between organizational structure (Business Units, geographic teams) reflected in Wiz Projects and the corresponding service definitions in Backstage.
- **Federated Access Control:** Ensure that access control within Backstage correctly reflects the context needed to view sensitive Wiz findings, utilizing the integration to democratize *visibility* without compromising necessary security controls around remediation access in the Wiz platform itself.
## Configuration Examples
*The provided text describes the functionality of the integration but does not include specific technical configuration syntax (e.g., YAML files, API calls). The following is based on the described interaction:*
Configuration relies on defining the relationship between:
1. **Wiz Project/Service:** The security boundary defining scope and governance.
2. **Backstage Component:** The service definition used by developers (often tied to a repository or CI/CD pipeline).
When configuring the plugin, the primary step is ensuring the internal identifiers used in Backstage for a `Component` successfully link to the corresponding assets categorized under a `Wiz Project`.
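As an added illustration of that Project-to-Component relationship (example code, not from Wiz, Backstage or the plugin), the following Python joins constructed Backstage catalog entities to constructed Wiz-style issues, producing the per-component severity counts, the search by rule/resource/CVE, and a check for findings that no component owns. The annotation key `wiz.example/project` and the CVE value are placeholders, since the text gives neither.

```python
from collections import Counter, defaultdict

# Hypothetical annotation key linking a Backstage Component to a Wiz Project; the
# real plugin's key is not given in the text above, so this is a placeholder.
WIZ_PROJECT_ANNOTATION = "wiz.example/project"

# Constructed Backstage catalog entities (shape follows catalog-info.yaml).
COMPONENTS = [
    {"metadata": {"name": "payments-api", "annotations": {WIZ_PROJECT_ANNOTATION: "proj-payments"}},
     "spec": {"owner": "team-pay"}},
    {"metadata": {"name": "legacy-batch", "annotations": {}}, "spec": {"owner": "team-ops"}},
]

# Constructed Wiz-style issues with the fields the text says the plugin surfaces; the CVE is a placeholder.
ISSUES = [
    {"id": "i1", "project": "proj-payments", "severity": "CRITICAL", "rule": "Public storage bucket",
     "resource": "bucket/pay-exports", "cve": None, "status": "OPEN"},
    {"id": "i2", "project": "proj-payments", "severity": "HIGH", "rule": "Vulnerable package",
     "resource": "vm/pay-worker-1", "cve": "CVE-0000-0000", "status": "OPEN"},
    {"id": "i3", "project": "proj-orphan", "severity": "HIGH", "rule": "Vulnerable package",
     "resource": "vm/unknown-1", "cve": "CVE-0000-0000", "status": "OPEN"},
]

def project_to_component(components):
    """Wiz Project -> Backstage Component name, read from the catalog annotations."""
    return {c["metadata"]["annotations"][WIZ_PROJECT_ANNOTATION]: c["metadata"]["name"]
            for c in components if WIZ_PROJECT_ANNOTATION in c["metadata"]["annotations"]}

def unmapped_components(components):
    """Components with no Wiz Project link: their findings can never reach an owner."""
    return [c["metadata"]["name"] for c in components
            if WIZ_PROJECT_ANNOTATION not in c["metadata"]["annotations"]]

def severity_by_component(components, issues):
    """Per-component severity counts for the catalog view, plus issue ids nobody owns."""
    lookup, counts, unowned = project_to_component(components), defaultdict(Counter), []
    for issue in issues:
        name = lookup.get(issue["project"])
        if name is None:
            unowned.append(issue["id"])
        else:
            counts[name][issue["severity"]] += 1
    return dict(counts), unowned

def search(issues, rule=None, resource=None, cve=None):
    """Filter findings by rule, resource ID or CVE identifier, as the text describes."""
    return [i["id"] for i in issues if (rule is None or i["rule"] == rule)
            and (resource is None or i["resource"] == resource) and (cve is None or i["cve"] == cve)]
```

Both `unmapped_components` and the `unowned` list are the checks worth running before rollout: each non-empty result is a gap in the ownership mapping the text warns about.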
## Compliance Alignment
*While the article doesn't name specific compliance standards, integrating security findings directly into developer tools supports the general principles of:*
- **NIST CSF (Identify & Respond):** By clearly defining ownership and rapidly surfacing risks related to identified assets.
- **ISO/IEC 27001 (A.14/A.18):** Supporting vulnerability management and supplier/service agreement controls through clear accountability.
- **CIS Critical Security Controls (Control 1 - Inventory and Control of Enterprise Assets):** By linking software-defined service definitions (Backstage) with runtime risk posture (Wiz).
## Common Pitfalls to Avoid
1. **Ignoring Ownership Mapping:** Failing to accurately align Wiz Projects or Services with Backstage Components results in security findings being seen by the wrong teams, negating the benefit of context.
2. **"Dashboard Fatigue" Duplication:** Only using the integration to duplicate existing external ticketing systems. The value lies in the *immediate actionability* and *context* provided within the developer's existing UI, not just reproducing dashboards.
3. **Overwhelming Developers:** Displaying every single, low-severity finding immediately without proper filtering or bundling by rule can cause developers to ignore the entire security feed. Utilize the search/filter capabilities to guide focus.
4. **Untested Deep Links:** Assuming the one-click jump to Wiz works correctly without testing the full resolution path from Backstage to the vulnerability context within Wiz.
## Resources
- **Security Platform:** Wiz (for cloud security posture management and findings generation)
- **Developer Portal:** Spotify Backstage (for service catalog and workflow integration)
- **Detailed Setup Guide:** Refer to the official **Wiz Docs** for the specific setup guide for the Backstage Integration (login required for joint customers).