Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up
for free
"Software development lifecycle: final security review and automatization", Taras Ivashchenko
OWASP Moscow
December 04, 2017
Technology
0
89
"Software development lifecycle: final security review and automatization", Taras Ivashchenko
OWASP Russia Meetup #5
OWASP Moscow
December 04, 2017
Tweet
Share
More Decks by OWASP Moscow
See All by OWASP Moscow
owaspmoscow
0
73
owaspmoscow
0
200
owaspmoscow
0
400
owaspmoscow
0
180
owaspmoscow
0
150
owaspmoscow
0
170
owaspmoscow
0
140
owaspmoscow
0
130
owaspmoscow
1
120
Other Decks in Technology
See All in Technology
tuhin1729
0
160
yujimiyashita
0
500
trickart
3
340
hisaotsu
2
270
darquro
2
290
ikeda7010
0
620
aviciida
1
310
mu2in
0
240
moriyuya
2
160
kazumanagano
0
100
kikuzo
2
360
giginet
3
1.1k
Featured
See All Featured
nonsquared
84
3.6k
jrom
119
7.4k
jonyablonski
37
1.7k
jacobian
260
20k
sferik
612
56k
tenderlove
58
3.8k
holman
464
280k
shpigford
167
19k
schacon
152
6.8k
stephaniewalter
263
11k
chriscoyier
147
20k
shlominoach
177
8.1k
Transcript
None
Security Software development lifecycle: final security review and automatization Taras
Ivashchenko
Software Development Lifecycle https://msdn.microsoft.com/library/cc307406 3
Final Security Review › OWASP Security Testing Guide › Managers
apply for FSR through the form › Supposed to be done 1-2 weeks before the release › But this is not true in real world ;-( Taras Ivashchenko 4
Pain › We still find XSSes on the FSR :(
› Release is planned for tomorrow but we still have security issues to fix › FSR is a bottleneck in SDL › Not enough time for FSR Taras Ivashchenko 5
None
None
Plan › We need to implement security controls at the
early stages of SDL Taras Ivashchenko 8
It’s obvious!
Plan › We need to implement security controls at the
early stages of SDL › As more automation as possible! We love it! :-) › We need super form and robots! Taras Ivashchenko 10
None
None
Tasks’ distribution › Task is automaticaly assigned to available security
specialist › Skills and abilities are taken into consideration during ticket assigning process Taras Ivashchenko 13
Answer questions and get recommendations 14
Automatically creates tasks for security controls 15
Runs security tools in time › Web application security scanner
› Static code analysis › Mobile applications additional security checks Taras Ivashchenko 16
Predicts security risks 17
Risk metrics for the service/release › Status of security controls
› Last results of tools scanning › Results of previous FSR › Karma of the service › Questionnaire answers Taras Ivashchenko 18
None
Win › Not completely yet but we believe it will
be soon... › Now we get well written tasks for FSR with security risks assessment › Managers and developers get recommendations while filling the form › Typical FSR takes less time Taras Ivashchenko 20
Automate as much things as possible to get more free
time for complex and interesting tasks ;-)
Questions?
Contacts Taras Ivashchenko Product Security Team Lead oxdef@yandex-team.ru 23
owaspmoscow
tuhin1729
yujimiyashita
trickart
hisaotsu
darquro
ikeda7010
aviciida
mu2in
moriyuya
kazumanagano
kikuzo
giginet
nonsquared
jrom
jonyablonski
jacobian
sferik
tenderlove
holman
shpigford
schacon
stephaniewalter
chriscoyier
shlominoach
