"Software development lifecycle: final security review and automatization", Taras Ivashchenko
OWASP Russia Meetup #5
OWASP Moscow
December 04, 2017
Transcript
Security Software development lifecycle: final security review and automatization
Taras Ivashchenko

Software Development Lifecycle
https://msdn.microsoft.com/library/cc307406

Final Security Review
› OWASP Security Testing Guide
› Managers apply for FSR through the form
› Supposed to be done 1-2 weeks before the release
› But this is not true in the real world ;-(
Taras Ivashchenko 4

Pain
› We still find XSSes on the FSR :(
› Release is planned for tomorrow but we still have security issues to fix
› FSR is a bottleneck in SDL
› Not enough time for FSR
Plan
› We need to implement security controls at the early stages of SDL

It's obvious!

Plan
› We need to implement security controls at the early stages of SDL
› As much automation as possible! We love it! :-)
› We need a super form and robots!
Tasks' distribution
› Task is automatically assigned to an available security specialist
› Skills and abilities are taken into consideration during the ticket assignment process

Answer questions and get recommendations

Automatically creates tasks for security controls

Runs security tools in time
› Web application security scanner
› Static code analysis
› Mobile applications additional security checks

Predicts security risks

Risk metrics for the service/release
› Status of security controls
› Last results of tools scanning
› Results of previous FSR
› Karma of the service
› Questionnaire answers
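The two automation pieces the slides describe, a risk metric built from the listed signals and skill-aware assignment of FSR tasks, as an added example that is not code from the talk or from the speaker's team. The signal weights, the level thresholds, the specialist records and the sample release are constructed assumptions; the talk does not state how its own bot weights these inputs.

```python
"""Toy model of the FSR bot described in the slides (constructed example)."""
from dataclasses import dataclass


@dataclass
class ReleaseSignals:
    """The inputs the slides list for the risk metric. All values are constructed."""
    controls_done: int          # security controls completed for this release
    controls_total: int         # security controls planned for this release
    scanner_findings: int       # findings from the last tool run (web scanner / SAST / mobile)
    previous_fsr_findings: int  # findings from the previous FSR of this service
    karma: float                # service history, 0.0 (bad track record) .. 1.0 (good)
    questionnaire_flags: int    # risky questionnaire answers (e.g. handles auth or PII)


def risk_score(s: ReleaseSignals) -> float:
    """Combine the signals into a 0..100 score. Weights are assumptions:
    missing controls dominate, then fresh scanner findings, then history."""
    if s.controls_total <= 0:
        raise ValueError("controls_total must be positive")
    missing_controls = 1.0 - s.controls_done / s.controls_total
    score = (
        40 * missing_controls
        + 20 * min(s.scanner_findings, 10) / 10       # cap so one noisy scan cannot dominate
        + 15 * min(s.previous_fsr_findings, 5) / 5
        + 15 * (1.0 - s.karma)
        + 10 * min(s.questionnaire_flags, 4) / 4
    )
    return round(score, 1)


def risk_level(score: float) -> str:
    """Map the score to the label a manager sees on the ticket (thresholds assumed)."""
    if score >= 70:
        return "high"
    if score >= 40:
        return "medium"
    return "low"


@dataclass
class Specialist:
    name: str
    skills: set
    open_tasks: int = 0
    available: bool = True


def assign_fsr_task(required_skills: set, team: list) -> Specialist:
    """Pick the available specialist who covers the most required skills;
    ties go to the lightest current workload. Falls back to the least loaded
    available person when nobody has a matching skill."""
    candidates = [sp for sp in team if sp.available]
    if not candidates:
        raise LookupError("no available security specialist")
    best = max(candidates,
               key=lambda sp: (len(required_skills & sp.skills), -sp.open_tasks))
    best.open_tasks += 1  # the bot records the new assignment
    return best


def build_fsr_ticket(service: str, s: ReleaseSignals, required_skills: set,
                     team: list) -> dict:
    """Produce the 'well written task for FSR with risk assessment' from the slides."""
    score = risk_score(s)
    assignee = assign_fsr_task(required_skills, team)
    return {
        "service": service,
        "risk_score": score,
        "risk_level": risk_level(score),
        "assignee": assignee.name,
        "scope": sorted(required_skills),
    }


if __name__ == "__main__":
    # Constructed sample: a release with two of five controls missing and a few findings.
    sample = ReleaseSignals(controls_done=3, controls_total=5, scanner_findings=4,
                            previous_fsr_findings=2, karma=0.6, questionnaire_flags=2)
    team = [Specialist("alice", {"web", "sast"}, open_tasks=2),
            Specialist("bob", {"mobile"}, open_tasks=0),
            Specialist("carol", {"web", "mobile"}, open_tasks=1, available=False)]
    print(build_fsr_ticket("checkout-api", sample, {"web", "mobile"}, team))
```

The caps on scanner and FSR findings are the part worth keeping in a real implementation: without them a single noisy scan drowns out the control-status signal that the slides put first.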
Win
› Not completely yet but we believe it will be soon...
› Now we get well-written tasks for FSR with security risk assessment
› Managers and developers get recommendations while filling in the form
› Typical FSR takes less time

Automate as many things as possible to get more free time for complex and interesting tasks ;-)

Questions?

Contacts
Taras Ivashchenko, Product Security Team Lead
[email protected]