"Software development lifecycle: final security review and automatization", Taras Ivashchenko

OWASP Russia Meetup #5


OWASP Moscow

December 04, 2017


  2. Security Software development lifecycle: final security review and automatization

  3. Software Development Lifecycle https://msdn.microsoft.com/library/cc307406

  4. Final Security Review
    › OWASP Security Testing Guide
    › Managers apply for FSR through the form
    › Supposed to be done 1-2 weeks before the release
    › But this is not true in the real world ;-(
  5. Pain
    › We still find XSSes on the FSR :(
    › Release is planned for tomorrow but we still have security issues to fix
    › FSR is a bottleneck in SDL
    › Not enough time for FSR
  8. Plan
    › We need to implement security controls at the early stages of SDL
  9. It’s obvious!

  10. Plan
    › We need to implement security controls at the early stages of SDL
    › As much automation as possible! We love it! :-)
    › We need a super form and robots!
  13. Tasks' distribution
    › A task is automatically assigned to an available security specialist
    › Skills and abilities are taken into consideration during the ticket assignment process
  14. Answer questions and get recommendations

  15. Automatically creates tasks for security controls

  16. Runs security tools in time
    › Web application security scanner
    › Static code analysis
    › Additional security checks for mobile applications
  17. Predicts security risks

  18. Risk metrics for the service/release
    › Status of security controls
    › Last results of tool scanning
    › Results of the previous FSR
    › Karma of the service
    › Questionnaire answers
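A constructed illustration of how the task-distribution rule (slide 13) and the five risk inputs (slide 18) could feed one scheduling robot. This is added example code, not the tooling described in the talk; the weights, thresholds, skill names and specialist list are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ReleaseSignals:
    """Inputs named on the 'Risk metrics' slide (all values below are constructed)."""
    service: str
    controls_done: int          # status of security controls: how many are complete
    controls_total: int
    scan_findings: dict         # last tool-scan results, severity -> count
    previous_fsr_findings: int  # issues found at the previous FSR
    karma: float                # service history, 0.0 (bad) .. 1.0 (clean)
    risky_answers: int          # questionnaire answers that raised a flag

# Assumed weights and thresholds: chosen for illustration, not taken from the talk.
SEVERITY_WEIGHT = {"high": 3.0, "medium": 1.0, "low": 0.25}

def risk_score(s: ReleaseSignals) -> float:
    """Aggregate the five inputs into one number; higher means riskier."""
    missing = 1.0 - s.controls_done / s.controls_total if s.controls_total else 1.0
    scan = sum(SEVERITY_WEIGHT.get(sev, 0.0) * n for sev, n in s.scan_findings.items())
    return round(10 * missing + scan + 0.5 * s.previous_fsr_findings
                 + 5 * (1.0 - s.karma) + s.risky_answers, 2)

def fsr_decision(score: float) -> str:
    """Turn the score into the kind of FSR task the robot should create."""
    if score >= 10:
        return "full FSR"
    if score >= 4:
        return "light FSR"
    return "scan gate only"

@dataclass
class Specialist:
    name: str
    skills: frozenset
    open_tasks: int

def assign(required: frozenset, team: list) -> Optional[str]:
    """Slide-13 rule: a specialist with every required skill, least loaded first."""
    able = [p for p in team if required <= p.skills]
    return min(able, key=lambda p: p.open_tasks).name if able else None

if __name__ == "__main__":
    release = ReleaseSignals("payments", 3, 5, {"high": 1, "medium": 2}, 4, 0.6, 2)
    team = [Specialist("alice", frozenset({"web", "xss"}), 2),
            Specialist("bob", frozenset({"web", "mobile"}), 1)]
    score = risk_score(release)
    print(score, fsr_decision(score), assign(frozenset({"web", "xss"}), team))
```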
  20. Win
    › Not completely yet, but we believe it will be soon...
    › Now we get well-written tasks for FSR with a security risk assessment
    › Managers and developers get recommendations while filling in the form
    › A typical FSR takes less time
  21. Automate as many things as possible to get more free time for complex and interesting tasks ;-)
  22. Questions?

  23. Contacts
    › Taras Ivashchenko, Product Security Team Lead, oxdef@yandex-team.ru