$30 off During Our Annual Pro Sale. View Details »
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
"Software development lifecycle: final security...
Search
OWASP Moscow
December 04, 2017
Technology
0
290
"Software development lifecycle: final security review and automatization", Taras Ivashchenko
OWASP Russia Meetup #5
OWASP Moscow
December 04, 2017
Tweet
Share
More Decks by OWASP Moscow
See All by OWASP Moscow
"Evolution of Application Security Programs through OWASP SAMM 2.0", Yan Kravchenko
owaspmoscow
0
580
«Проекты OWASP: SAMM выпуск 2», Тарас Иващенко, OZON
owaspmoscow
0
700
«Типичные ошибки реализации SMS-аутентификации», Ramazan (r0hack), DETEACT
owaspmoscow
0
970
«Dev, Sec, Oops: How Agile Security increases Attack Surface», Денис Макрушин
owaspmoscow
0
700
«From captcha to RCE. Сложности реализации механизма CAPTCHA в изолированных системах», Виталий Малкин
owaspmoscow
0
570
«OWASP Сheat Sheet Series. Microservices-based security architecture documentation», Александр Барабанов
owaspmoscow
0
630
«Проекты OWASP: следим за безопасностью 3rd-party-компонент с помощью Dependency Track», Тарас Иващенко, OZON.
owaspmoscow
0
630
«Будущее без паролей: про FIDO2/WebAuthN и не только», Сергей Белов, Mail.Ru Group.
owaspmoscow
0
570
«CTFZone, или как перестать ресёрчить и полюбить CTF», Никита Вдовушкин, BI.ZONE.
owaspmoscow
1
560
Other Decks in Technology
See All in Technology
さくらのクラウド開発ふりかえり2025
kazeburo
2
660
100以上の新規コネクタ提供を可能にしたアーキテクチャ
ooyukioo
0
240
Building Serverless AI Memory with Mastra × AWS
vvatanabe
0
370
AIエージェント開発と活用を加速するワークフロー自動生成への挑戦
shibuiwilliam
4
810
[2025-12-12]あの日僕が見た胡蝶の夢 〜人の夢は終わらねェ AIによるパフォーマンスチューニングのすゝめ〜
tosite
0
160
モダンデータスタックの理想と現実の間で~1.3億人Vポイントデータ基盤の現在地とこれから~
taromatsui_cccmkhd
2
260
ExpoのインダストリーブースでみたAWSが見せる製造業の未来
hamadakoji
0
190
普段使ってるClaude Skillsの紹介(by Notebooklm)
zerebom
8
2k
re:Invent2025 3つの Frontier Agents を紹介 / introducing-3-frontier-agents
tomoki10
0
400
2025年 開発生産「可能」性向上報告 サイロ解消からチームが能動性を獲得するまで/ 20251216 Naoki Takahashi
shift_evolve
PRO
2
220
Lookerで実現するセキュアな外部データ提供
zozotech
PRO
0
200
松尾研LLM講座2025 応用編Day3「軽量化」 講義資料
aratako
1
1.2k
Featured
See All Featured
First, design no harm
axbom
PRO
1
1.1k
The agentic SEO stack - context over prompts
schlessera
0
560
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
508
140k
The Straight Up "How To Draw Better" Workshop
denniskardys
239
140k
We Analyzed 250 Million AI Search Results: Here's What I Found
joshbly
0
250
Abbi's Birthday
coloredviolet
0
3.6k
Navigating Weather and Climate Data
rabernat
0
49
職位にかかわらず全員がリーダーシップを発揮するチーム作り / Building a team where everyone can demonstrate leadership regardless of position
madoxten
49
39k
Noah Learner - AI + Me: how we built a GSC Bulk Export data pipeline
techseoconnect
PRO
0
73
A Tale of Four Properties
chriscoyier
162
23k
Agile Actions for Facilitating Distributed Teams - ADO2019
mkilby
0
93
New Earth Scene 8
popppiees
0
1.2k
Transcript
None
Security Software development lifecycle: final security review and automatization Taras
Ivashchenko
Software Development Lifecycle https://msdn.microsoft.com/library/cc307406 3
Final Security Review › OWASP Security Testing Guide › Managers
apply for FSR through the form › Supposed to be done 1-2 weeks before the release › But this is not true in real world ;-( Taras Ivashchenko 4
Pain › We still find XSSes on the FSR :(
› Release is planned for tomorrow but we still have security issues to fix › FSR is a bottleneck in SDL › Not enough time for FSR Taras Ivashchenko 5
None
None
Plan › We need to implement security controls at the
early stages of SDL Taras Ivashchenko 8
It’s obvious!
Plan › We need to implement security controls at the
early stages of SDL › As more automation as possible! We love it! :-) › We need super form and robots! Taras Ivashchenko 10
None
None
Tasks’ distribution › Task is automaticaly assigned to available security
specialist › Skills and abilities are taken into consideration during ticket assigning process Taras Ivashchenko 13
Answer questions and get recommendations 14
Automatically creates tasks for security controls 15
Runs security tools in time › Web application security scanner
› Static code analysis › Mobile applications additional security checks Taras Ivashchenko 16
Predicts security risks 17
Risk metrics for the service/release › Status of security controls
› Last results of tools scanning › Results of previous FSR › Karma of the service › Questionnaire answers Taras Ivashchenko 18
None
Win › Not completely yet but we believe it will
be soon... › Now we get well written tasks for FSR with security risks assessment › Managers and developers get recommendations while filling the form › Typical FSR takes less time Taras Ivashchenko 20
Automate as much things as possible to get more free
time for complex and interesting tasks ;-)
Questions?
Contacts Taras Ivashchenko Product Security Team Lead
[email protected]
23
owaspmoscow
kazeburo
ooyukioo
vvatanabe
shibuiwilliam
tosite
taromatsui_cccmkhd
hamadakoji
zerebom
tomoki10
shift_evolve
zozotech
.jpg){kind=avatar}
aratako
axbom
schlessera
chriscoyier
denniskardys
joshbly
coloredviolet
rabernat
madoxten
techseoconnect
mkilby
popppiees
![Contacts Taras Ivashchenko Product Security Team Lead [email protected] 23](https://files.speakerdeck.com/presentations/5c6e41a22ba94c999db4c66a0032d383/slide_22.jpg){kind=link}