"Software development lifecycle: final security review and automatization", Taras Ivashchenko
OWASP Russia Meetup #5, OWASP Moscow
December 04, 2017
Category: Technology
Transcript
Security
Software development lifecycle: final security review and automatization
Taras Ivashchenko

Software Development Lifecycle
https://msdn.microsoft.com/library/cc307406

Final Security Review
› OWASP Security Testing Guide
› Managers apply for FSR through the form
› Supposed to be done 1-2 weeks before the release
› But this is not true in the real world ;-(

Pain
› We still find XSSes during the FSR :(
› Release is planned for tomorrow but we still have security issues to fix
› FSR is a bottleneck in SDL
› Not enough time for FSR

Plan
› We need to implement security controls at the early stages of SDL

It's obvious!

Plan
› We need to implement security controls at the early stages of SDL
› As much automation as possible! We love it! :-)
› We need a super form and robots!

Tasks' distribution
› A task is automatically assigned to an available security specialist
› Skills and abilities are taken into consideration during the ticket assignment process

Answer questions and get recommendations

Automatically creates tasks for security controls

Runs security tools in time
› Web application security scanner
› Static code analysis
› Mobile applications additional security checks

Predicts security risks

Risk metrics for the service/release
› Status of security controls
› Last results of tools scanning
› Results of previous FSR
› Karma of the service
› Questionnaire answers
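The slides above describe the robot's pipeline in outline only: it turns the form answers, control status and scan results into a risk estimate and then routes the FSR ticket to a specialist by skills and availability. The following is an added example, not code from the talk or from the speaker's team, showing one way such a triage step can be implemented. The weights, the severity scale, the risky-answer table, the dataclass fields and the sample release and team are all assumptions made for illustration; a real programme would calibrate the weights against its own FSR history.

```python
"""Toy FSR triage robot (added example, not the talk's code).

Scores a release from the risk inputs the slides list (status of security
controls, last tool-scan results, previous FSR findings, service "karma",
questionnaire answers) and assigns the FSR ticket to an available
specialist with the best skill match.  All weights, field names and sample
data below are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Assumed weights per risk factor (sum to 1.0); calibrate against real FSR history.
WEIGHTS = {
    "controls": 0.30,       # share of required security controls NOT done
    "scan": 0.25,           # worst severity in the latest scanner/SAST results
    "previous_fsr": 0.15,   # findings in the previous FSR
    "karma": 0.15,          # service history of security issues, 0.0 .. 1.0
    "questionnaire": 0.15,  # share of risky answers on the form
}
SEVERITY_SCORE = {"critical": 1.0, "high": 0.7, "medium": 0.4, "low": 0.1}
# Assumed: which questionnaire answers count as risk-raising.
RISKY_ANSWERS = {"handles_pii": True, "internet_facing": True, "new_auth_flow": True}


@dataclass
class Release:
    service: str
    controls_done: dict            # control name -> True if completed
    scan_findings: list            # severities from the latest tool runs
    previous_fsr_findings: int
    karma: float                   # 0.0 (clean history) .. 1.0 (troubled)
    questionnaire: dict            # question -> answer
    required_skills: set = field(default_factory=set)


@dataclass
class Specialist:
    name: str
    skills: set
    open_tickets: int
    capacity: int


def _clamp(x: float) -> float:
    return max(0.0, min(1.0, x))


def control_gap(r: Release) -> float:
    """Fraction of required controls that are not done (1.0 if none are tracked)."""
    if not r.controls_done:
        return 1.0
    return sum(1 for done in r.controls_done.values() if not done) / len(r.controls_done)


def scan_score(r: Release) -> float:
    """Worst severity seen in the latest scans, mapped onto 0.0 .. 1.0."""
    return max((SEVERITY_SCORE.get(s.lower(), 0.0) for s in r.scan_findings), default=0.0)


def questionnaire_score(r: Release) -> float:
    risky = sum(1 for q, v in RISKY_ANSWERS.items() if r.questionnaire.get(q) == v)
    return risky / len(RISKY_ANSWERS)


def risk_score(r: Release) -> float:
    """Weighted sum of the normalised risk factors, rounded to 3 decimals."""
    factors = {
        "controls": control_gap(r),
        "scan": scan_score(r),
        "previous_fsr": _clamp(r.previous_fsr_findings / 5),  # assumed: 5+ findings saturates
        "karma": _clamp(r.karma),
        "questionnaire": questionnaire_score(r),
    }
    return round(sum(WEIGHTS[k] * v for k, v in factors.items()), 3)


def risk_level(score: float) -> str:
    return "high" if score >= 0.6 else "medium" if score >= 0.3 else "low"


def assign(release: Release, specialists: list):
    """Pick a specialist with free capacity; best skill overlap wins, ties go to the least loaded."""
    candidates = [s for s in specialists if s.open_tickets < s.capacity]
    if not candidates:
        return None  # nobody available: the ticket stays in the queue
    best = max(candidates, key=lambda s: (len(s.skills & release.required_skills), -s.open_tickets))
    return best.name


def triage(release: Release, specialists: list) -> dict:
    score = risk_score(release)
    return {"service": release.service, "risk": score,
            "level": risk_level(score), "assignee": assign(release, specialists)}


# Constructed sample data (not real services or people).
SAMPLE_RELEASE = Release(
    service="checkout-api",
    controls_done={"threat_model": True, "sast": True, "dast": False, "dependency_check": False},
    scan_findings=["medium", "high"],
    previous_fsr_findings=2,
    karma=0.5,
    questionnaire={"handles_pii": True, "internet_facing": True, "new_auth_flow": False},
    required_skills={"web", "api"},
)
SAMPLE_TEAM = [
    Specialist("alice", {"web", "api"}, open_tickets=3, capacity=3),           # fully booked
    Specialist("bob", {"mobile"}, open_tickets=1, capacity=3),
    Specialist("carol", {"web", "api", "crypto"}, open_tickets=2, capacity=3),
]

if __name__ == "__main__":
    print(triage(SAMPLE_RELEASE, SAMPLE_TEAM))
```

For the constructed sample the release scores 0.56 (medium) and is routed to carol: alice has the same skill match but no free capacity, and bob has capacity but no matching skills. Returning None when nobody is available, rather than forcing an assignment, keeps the queue visible, which is the bottleneck the slides complain about.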
Win
› Not completely yet, but we believe it will be soon...
› Now we get well-written tasks for FSR with a security risk assessment
› Managers and developers get recommendations while filling in the form
› A typical FSR takes less time

Automate as many things as possible to get more free time for complex and interesting tasks ;-)

Questions?

Contacts
Taras Ivashchenko, Product Security Team Lead
[email protected]