

OWASP Moscow
December 04, 2017

"Software development lifecycle: final security review and automatization", Taras Ivashchenko

OWASP Russia Meetup #5



Transcript

  1. Final Security Review
     › OWASP Security Testing Guide
     › Managers apply for FSR through the form
     › Supposed to be done 1-2 weeks before the release
     › But this is not true in the real world ;-(
  2. Pain
     › We still find XSSes on the FSR :(
     › Release is planned for tomorrow but we still have security issues to fix
     › FSR is a bottleneck in SDL
     › Not enough time for FSR
  3. Plan
     › We need to implement security controls at the early stages of SDL
  4. Plan
     › We need to implement security controls at the early stages of SDL
     › As much automation as possible! We love it! :-)
     › We need super form and robots!
  5. Tasks’ distribution
     › Task is automatically assigned to an available security specialist
     › Skills and abilities are taken into consideration during the ticket assigning process
  6. Runs security tools in time
     › Web application security scanner
     › Static code analysis
     › Mobile applications additional security checks
  7. Risk metrics for the service/release
     › Status of security controls
     › Last results of tools scanning
     › Results of previous FSR
     › Karma of the service
     › Questionnaire answers
  8. Win
     › Not completely yet but we believe it will be soon...
     › Now we get well-written tasks for FSR with security risk assessment
     › Managers and developers get recommendations while filling the form
     › Typical FSR takes less time
  9. Automate as many things as possible to get more free time for complex and interesting tasks ;-)