Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
"Software development lifecycle: final security...
Search
OWASP Moscow
December 04, 2017
Technology
310
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
"Software development lifecycle: final security review and automatization", Taras Ivashchenko
OWASP Russia Meetup #5
OWASP Moscow
December 04, 2017
More Decks by OWASP Moscow
See All by OWASP Moscow
"Evolution of Application Security Programs through OWASP SAMM 2.0", Yan Kravchenko
owaspmoscow
0
630
«Проекты OWASP: SAMM выпуск 2», Тарас Иващенко, OZON
owaspmoscow
0
740
«Типичные ошибки реализации SMS-аутентификации», Ramazan (r0hack), DETEACT
owaspmoscow
0
1k
«Dev, Sec, Oops: How Agile Security increases Attack Surface», Денис Макрушин
owaspmoscow
0
730
«From captcha to RCE. Сложности реализации механизма CAPTCHA в изолированных системах», Виталий Малкин
owaspmoscow
0
600
«OWASP Сheat Sheet Series. Microservices-based security architecture documentation», Александр Барабанов
owaspmoscow
0
650
«Проекты OWASP: следим за безопасностью 3rd-party-компонент с помощью Dependency Track», Тарас Иващенко, OZON.
owaspmoscow
0
660
«Будущее без паролей: про FIDO2/WebAuthN и не только», Сергей Белов, Mail.Ru Group.
owaspmoscow
0
610
«CTFZone, или как перестать ресёрчить и полюбить CTF», Никита Вдовушкин, BI.ZONE.
owaspmoscow
1
590
Other Decks in Technology
See All in Technology
時期が悪い!それでもRaspberry Piを買って遊んで活用するには / 20260627-osc26do-rpi-jikigawarui
akkiesoft
0
720
SONiCのLinuxベースを活かしたZabbix監視
sonic
0
280
PostgreSQL 19 新機能概要 OSC Hokkaido 2026
nori_shinoda
0
230
SONiC実機とGNS3 SONiC VSによる事前コンフィグ検証 ― 生成AIエージェントを環境構築・検証支援に使ってみた ―
sonic
0
110
起点・思考・出力で分解する 〜PM業務の自動化設計〜
kazu_kichi_67
1
880
【2026年版】 ベクトル検索とEmbedding最前線
mocobeta
23
7.3k
Kiro Ambassador を目指す話
k_adachi_01
0
120
ロボティクスの技術 / Robotics Technology
ks91
PRO
0
130
AIAU_UMEMOGU_ninomiya_slide
ninomiya_ii
0
260
AI時代のコスト管理を考えよう〜明日から使える実践AWSノウハウ~
yoshimi0227
0
830
“詰む”前に仕組みを作れ 〜技術の波に溺れないためのキャッチアップ術〜
takasyou
7
3.5k
複数のSONiCディストリビューションを触りながら比較してみた
sonic
0
110
Featured
See All Featured
Rails Girls Zürich Keynote
gr2m
96
14k
Breaking role norms: Why Content Design is so much more than writing copy - Taylor Woolridge
uxyall
0
320
Introduction to Domain-Driven Design and Collaborative software design
baasie
1
860
DBのスキルで生き残る技術 - AI時代におけるテーブル設計の勘所
soudai
PRO
66
55k
Tips & Tricks on How to Get Your First Job In Tech
honzajavorek
1
540
From π to Pie charts
rasagy
0
220
4 Signs Your Business is Dying
shpigford
187
22k
Done Done
chrislema
186
16k
Test your architecture with Archunit
thirion
1
2.3k
The AI Revolution Will Not Be Monopolized: How open-source beats economies of scale, even for LLMs
inesmontani
PRO
3
3.5k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
The Power of CSS Pseudo Elements
geoffreycrofte
82
6.3k
Transcript
None
Security Software development lifecycle: final security review and automatization Taras
Ivashchenko
Software Development Lifecycle https://msdn.microsoft.com/library/cc307406 3
Final Security Review › OWASP Security Testing Guide › Managers
apply for FSR through the form › Supposed to be done 1-2 weeks before the release › But this is not true in real world ;-( Taras Ivashchenko 4
Pain › We still find XSSes on the FSR :(
› Release is planned for tomorrow but we still have security issues to fix › FSR is a bottleneck in SDL › Not enough time for FSR Taras Ivashchenko 5
None
None
Plan › We need to implement security controls at the
early stages of SDL Taras Ivashchenko 8
It’s obvious!
Plan › We need to implement security controls at the
early stages of SDL › As more automation as possible! We love it! :-) › We need super form and robots! Taras Ivashchenko 10
None
None
Tasks’ distribution › Task is automaticaly assigned to available security
specialist › Skills and abilities are taken into consideration during ticket assigning process Taras Ivashchenko 13
Answer questions and get recommendations 14
Automatically creates tasks for security controls 15
Runs security tools in time › Web application security scanner
› Static code analysis › Mobile applications additional security checks Taras Ivashchenko 16
Predicts security risks 17
Risk metrics for the service/release › Status of security controls
› Last results of tools scanning › Results of previous FSR › Karma of the service › Questionnaire answers Taras Ivashchenko 18
None
Win › Not completely yet but we believe it will
be soon... › Now we get well written tasks for FSR with security risks assessment › Managers and developers get recommendations while filling the form › Typical FSR takes less time Taras Ivashchenko 20
Automate as much things as possible to get more free
time for complex and interesting tasks ;-)
Questions?
Contacts Taras Ivashchenko Product Security Team Lead
[email protected]
23
owaspmoscow
akkiesoft
sonic
nori_shinoda
kazu_kichi_67
mocobeta
k_adachi_01
ks91
ninomiya_ii
yoshimi0227
takasyou
gr2m
uxyall
baasie
soudai
honzajavorek
rasagy
shpigford
chrislema
thirion
inesmontani
chriscoyier
geoffreycrofte
![Contacts Taras Ivashchenko Product Security Team Lead [email protected] 23](https://files.speakerdeck.com/presentations/5c6e41a22ba94c999db4c66a0032d383/slide_22.jpg){kind=link}