Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up
for free
"Software development lifecycle: final security review and automatization", Taras Ivashchenko
OWASP Moscow
December 04, 2017
Technology
0
84
"Software development lifecycle: final security review and automatization", Taras Ivashchenko
OWASP Russia Meetup #5
OWASP Moscow
December 04, 2017
Tweet
Share
More Decks by OWASP Moscow
See All by OWASP Moscow
owaspmoscow
0
32
owaspmoscow
0
150
owaspmoscow
0
310
owaspmoscow
0
140
owaspmoscow
0
120
owaspmoscow
0
140
owaspmoscow
0
120
owaspmoscow
0
99
owaspmoscow
0
90
Other Decks in Technology
See All in Technology
widstkyi
0
270
443n0511
0
110
widstkyi
0
270
ryoheig0405
0
610
you
0
140
monochromegane
0
130
con_mame
5
3.7k
kenjiasaba
0
540
drumath2237
0
300
amarelo_n24
0
120
tarugoconf
0
360
kakehashi
1
380
Featured
See All Featured
scottboms
252
11k
rmw
13
950
pauljervisheath
194
15k
cassininazir
347
20k
deanohume
293
28k
jonrohan
1020
390k
jlugia
217
16k
keithpitt
401
20k
sugarenia
233
910k
roundedbygravity
243
21k
davidbonilla
72
3.7k
bryan
33
3.6k
Transcript
None
Security Software development lifecycle: final security review and automatization Taras
Ivashchenko
Software Development Lifecycle https://msdn.microsoft.com/library/cc307406 3
Final Security Review › OWASP Security Testing Guide › Managers
apply for FSR through the form › Supposed to be done 1-2 weeks before the release › But this is not true in real world ;-( Taras Ivashchenko 4
Pain › We still find XSSes on the FSR :(
› Release is planned for tomorrow but we still have security issues to fix › FSR is a bottleneck in SDL › Not enough time for FSR Taras Ivashchenko 5
None
None
Plan › We need to implement security controls at the
early stages of SDL Taras Ivashchenko 8
It’s obvious!
Plan › We need to implement security controls at the
early stages of SDL › As more automation as possible! We love it! :-) › We need super form and robots! Taras Ivashchenko 10
None
None
Tasks’ distribution › Task is automaticaly assigned to available security
specialist › Skills and abilities are taken into consideration during ticket assigning process Taras Ivashchenko 13
Answer questions and get recommendations 14
Automatically creates tasks for security controls 15
Runs security tools in time › Web application security scanner
› Static code analysis › Mobile applications additional security checks Taras Ivashchenko 16
Predicts security risks 17
Risk metrics for the service/release › Status of security controls
› Last results of tools scanning › Results of previous FSR › Karma of the service › Questionnaire answers Taras Ivashchenko 18
None
Win › Not completely yet but we believe it will
be soon... › Now we get well written tasks for FSR with security risks assessment › Managers and developers get recommendations while filling the form › Typical FSR takes less time Taras Ivashchenko 20
Automate as much things as possible to get more free
time for complex and interesting tasks ;-)
Questions?
Contacts Taras Ivashchenko Product Security Team Lead oxdef@yandex-team.ru 23
owaspmoscow
widstkyi
443n0511
ryoheig0405
you
monochromegane
con_mame
kenjiasaba
drumath2237
amarelo_n24
tarugoconf
kakehashi
scottboms
rmw
pauljervisheath
cassininazir
deanohume
jonrohan
jlugia
keithpitt
sugarenia
roundedbygravity
davidbonilla
bryan
