Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
"Software development lifecycle: final security...
Search
OWASP Moscow
December 04, 2017
Technology
0
260
"Software development lifecycle: final security review and automatization", Taras Ivashchenko
OWASP Russia Meetup #5
OWASP Moscow
December 04, 2017
Tweet
Share
More Decks by OWASP Moscow
See All by OWASP Moscow
"Evolution of Application Security Programs through OWASP SAMM 2.0", Yan Kravchenko
owaspmoscow
0
460
«Проекты OWASP: SAMM выпуск 2», Тарас Иващенко, OZON
owaspmoscow
0
630
«Типичные ошибки реализации SMS-аутентификации», Ramazan (r0hack), DETEACT
owaspmoscow
0
880
«Dev, Sec, Oops: How Agile Security increases Attack Surface», Денис Макрушин
owaspmoscow
0
600
«From captcha to RCE. Сложности реализации механизма CAPTCHA в изолированных системах», Виталий Малкин
owaspmoscow
0
510
«OWASP Сheat Sheet Series. Microservices-based security architecture documentation», Александр Барабанов
owaspmoscow
0
570
«Проекты OWASP: следим за безопасностью 3rd-party-компонент с помощью Dependency Track», Тарас Иващенко, OZON.
owaspmoscow
0
550
«Будущее без паролей: про FIDO2/WebAuthN и не только», Сергей Белов, Mail.Ru Group.
owaspmoscow
0
510
«CTFZone, или как перестать ресёрчить и полюбить CTF», Никита Вдовушкин, BI.ZONE.
owaspmoscow
1
500
Other Decks in Technology
See All in Technology
株式会社EventHub・エンジニア採用資料
eventhub
0
4.3k
Platform Engineeringは自由のめまい
nwiizo
4
2.1k
TAMとre:Capセキュリティ編 〜拡張脅威検出デモを添えて〜
fujiihda
2
240
レビューを増やしつつ 高評価維持するテクニック
tsuzuki817
1
710
自動テストの世界に、この5年間で起きたこと
autifyhq
10
8.5k
一度 Expo の採用を断念したけど、 再度 Expo の導入を検討している話
ichiki1023
1
170
個人開発から公式機能へ: PlaywrightとRailsをつなげた3年の軌跡
yusukeiwaki
11
3k
トラシューアニマルになろう ~開発者だからこそできる、安定したサービス作りの秘訣~
jacopen
2
2k
君も受託系GISエンジニアにならないか
sudataka
2
430
抽象化をするということ - 具体と抽象の往復を身につける / Abstraction and concretization
soudai
16
4.3k
データの品質が低いと何が困るのか
kzykmyzw
6
1.1k
インフラをつくるとはどういうことなのか、 あるいはPlatform Engineeringについて
nwiizo
5
2.6k
Featured
See All Featured
Building Adaptive Systems
keathley
40
2.4k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
248
1.3M
Optimizing for Happiness
mojombo
376
70k
Designing Experiences People Love
moore
140
23k
Rails Girls Zürich Keynote
gr2m
94
13k
How to Think Like a Performance Engineer
csswizardry
22
1.3k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
4
410
Producing Creativity
orderedlist
PRO
344
39k
Code Review Best Practice
trishagee
67
18k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.1k
Java REST API Framework Comparison - PWX 2021
mraible
28
8.4k
Adopting Sorbet at Scale
ufuk
74
9.2k
Transcript
None
Security Software development lifecycle: final security review and automatization Taras
Ivashchenko
Software Development Lifecycle https://msdn.microsoft.com/library/cc307406 3
Final Security Review › OWASP Security Testing Guide › Managers
apply for FSR through the form › Supposed to be done 1-2 weeks before the release › But this is not true in real world ;-( Taras Ivashchenko 4
Pain › We still find XSSes on the FSR :(
› Release is planned for tomorrow but we still have security issues to fix › FSR is a bottleneck in SDL › Not enough time for FSR Taras Ivashchenko 5
None
None
Plan › We need to implement security controls at the
early stages of SDL Taras Ivashchenko 8
It’s obvious!
Plan › We need to implement security controls at the
early stages of SDL › As more automation as possible! We love it! :-) › We need super form and robots! Taras Ivashchenko 10
None
None
Tasks’ distribution › Task is automaticaly assigned to available security
specialist › Skills and abilities are taken into consideration during ticket assigning process Taras Ivashchenko 13
Answer questions and get recommendations 14
Automatically creates tasks for security controls 15
Runs security tools in time › Web application security scanner
› Static code analysis › Mobile applications additional security checks Taras Ivashchenko 16
Predicts security risks 17
Risk metrics for the service/release › Status of security controls
› Last results of tools scanning › Results of previous FSR › Karma of the service › Questionnaire answers Taras Ivashchenko 18
None
Win › Not completely yet but we believe it will
be soon... › Now we get well written tasks for FSR with security risks assessment › Managers and developers get recommendations while filling the form › Typical FSR takes less time Taras Ivashchenko 20
Automate as much things as possible to get more free
time for complex and interesting tasks ;-)
Questions?
Contacts Taras Ivashchenko Product Security Team Lead
[email protected]
23
owaspmoscow
eventhub
nwiizo
fujiihda
tsuzuki817
autifyhq
ichiki1023
yusukeiwaki
jacopen
sudataka
soudai
kzykmyzw
keathley
sugarenia
mojombo
moore
gr2m
csswizardry
tammyeverts
orderedlist
trishagee
thoeni
mraible
ufuk
![Contacts Taras Ivashchenko Product Security Team Lead [email protected] 23](https://files.speakerdeck.com/presentations/5c6e41a22ba94c999db4c66a0032d383/slide_22.jpg){kind=link}