Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
"Software development lifecycle: final security...
Search
OWASP Moscow
December 04, 2017
Technology
0
280
"Software development lifecycle: final security review and automatization", Taras Ivashchenko
OWASP Russia Meetup #5
OWASP Moscow
December 04, 2017
Tweet
Share
More Decks by OWASP Moscow
See All by OWASP Moscow
"Evolution of Application Security Programs through OWASP SAMM 2.0", Yan Kravchenko
owaspmoscow
0
530
«Проекты OWASP: SAMM выпуск 2», Тарас Иващенко, OZON
owaspmoscow
0
670
«Типичные ошибки реализации SMS-аутентификации», Ramazan (r0hack), DETEACT
owaspmoscow
0
930
«Dev, Sec, Oops: How Agile Security increases Attack Surface», Денис Макрушин
owaspmoscow
0
640
«From captcha to RCE. Сложности реализации механизма CAPTCHA в изолированных системах», Виталий Малкин
owaspmoscow
0
540
«OWASP Сheat Sheet Series. Microservices-based security architecture documentation», Александр Барабанов
owaspmoscow
0
600
«Проекты OWASP: следим за безопасностью 3rd-party-компонент с помощью Dependency Track», Тарас Иващенко, OZON.
owaspmoscow
0
590
«Будущее без паролей: про FIDO2/WebAuthN и не только», Сергей Белов, Mail.Ru Group.
owaspmoscow
0
540
«CTFZone, или как перестать ресёрчить и полюбить CTF», Никита Вдовушкин, BI.ZONE.
owaspmoscow
1
530
Other Decks in Technology
See All in Technology
Reach American Airlines®️ Instantly: 19 Calling Methods for Fast Support in the USA
flyamerican
1
160
Sansanのデータプロダクトマネジメントのアプローチ
sansantech
PRO
0
150
OSSのSNSツール「Misskey」をさわってみよう(右下ワイプで私のOSCの20年を振り返ります) / 20250705-osc2025-do
akkiesoft
0
160
CDKTFについてざっくり理解する!!~CloudFormationからCDKTFへ変換するツールも作ってみた~
masakiokuda
1
130
What’s new in Android development tools
yanzm
0
310
AI専用のリンターを作る #yumemi_patch
bengo4com
5
4.3k
SmartNewsにおける 1000+ノード規模 K8s基盤 でのコスト最適化 – Spot・Gravitonの大規模導入への挑戦
vsanna2
0
130
DBのスキルで生き残る技術 - AI時代におけるテーブル設計の勘所
soudai
PRO
47
19k
Tokyo_reInforce_2025_recap_iam_access_analyzer
hiashisan
0
180
Core Audio tapを使ったリアルタイム音声処理のお話
yuta0306
0
190
Beyond Kaniko: Navigating Unprivileged Container Image Creation
f30
0
130
NewSQLや分散データベースを支えるRaftの仕組み - 仕組みを理解して知る得意不得意
hacomono
PRO
2
130
Featured
See All Featured
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
How to Think Like a Performance Engineer
csswizardry
25
1.7k
How to train your dragon (web standard)
notwaldorf
95
6.1k
How to Ace a Technical Interview
jacobian
278
23k
Intergalactic Javascript Robots from Outer Space
tanoku
271
27k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
161
15k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
34
5.9k
Code Reviewing Like a Champion
maltzj
524
40k
Java REST API Framework Comparison - PWX 2021
mraible
31
8.7k
Raft: Consensus for Rubyists
vanstee
140
7k
Designing Experiences People Love
moore
142
24k
Writing Fast Ruby
sferik
628
62k
Transcript
None
Security Software development lifecycle: final security review and automatization Taras
Ivashchenko
Software Development Lifecycle https://msdn.microsoft.com/library/cc307406 3
Final Security Review › OWASP Security Testing Guide › Managers
apply for FSR through the form › Supposed to be done 1-2 weeks before the release › But this is not true in real world ;-( Taras Ivashchenko 4
Pain › We still find XSSes on the FSR :(
› Release is planned for tomorrow but we still have security issues to fix › FSR is a bottleneck in SDL › Not enough time for FSR Taras Ivashchenko 5
None
None
Plan › We need to implement security controls at the
early stages of SDL Taras Ivashchenko 8
It’s obvious!
Plan › We need to implement security controls at the
early stages of SDL › As more automation as possible! We love it! :-) › We need super form and robots! Taras Ivashchenko 10
None
None
Tasks’ distribution › Task is automaticaly assigned to available security
specialist › Skills and abilities are taken into consideration during ticket assigning process Taras Ivashchenko 13
Answer questions and get recommendations 14
Automatically creates tasks for security controls 15
Runs security tools in time › Web application security scanner
› Static code analysis › Mobile applications additional security checks Taras Ivashchenko 16
Predicts security risks 17
Risk metrics for the service/release › Status of security controls
› Last results of tools scanning › Results of previous FSR › Karma of the service › Questionnaire answers Taras Ivashchenko 18
None
Win › Not completely yet but we believe it will
be soon... › Now we get well written tasks for FSR with security risks assessment › Managers and developers get recommendations while filling the form › Typical FSR takes less time Taras Ivashchenko 20
Automate as much things as possible to get more free
time for complex and interesting tasks ;-)
Questions?
Contacts Taras Ivashchenko Product Security Team Lead
[email protected]
23
owaspmoscow
flyamerican
sansantech
akkiesoft
masakiokuda
yanzm
bengo4com
vsanna2
soudai
hiashisan
yuta0306
f30
hacomono
keithpitt
csswizardry
notwaldorf
jacobian
tanoku
sstephenson
kevinliebholz
maltzj
mraible
vanstee
moore
sferik
![Contacts Taras Ivashchenko Product Security Team Lead [email protected] 23](https://files.speakerdeck.com/presentations/5c6e41a22ba94c999db4c66a0032d383/slide_22.jpg){kind=link}