Upgrade to Pro — share decks privately, control downloads, hide ads and more …

"Software development lifecycle: final security...

Avatar for OWASP Moscow OWASP Moscow
December 04, 2017
Technology
0
290

"Software development lifecycle: final security review and automatization", Taras Ivashchenko

OWASP Russia Meetup #5

Avatar for OWASP Moscow

OWASP Moscow

December 04, 2017
Tweet

More Decks by OWASP Moscow

See All by OWASP Moscow
"Evolution of Application Security Programs through OWASP SAMM 2.0", Yan Kravchenko
Avatar for OWASP Moscow owaspmoscow
0
570
«Проекты OWASP: SAMM выпуск 2», Тарас Иващенко, OZON
Avatar for OWASP Moscow owaspmoscow
0
690
«Типичные ошибки реализации SMS-аутентификации», Ramazan (r0hack), DETEACT
Avatar for OWASP Moscow owaspmoscow
0
960
«Dev, Sec, Oops: How Agile Security increases Attack Surface», Денис Макрушин
Avatar for OWASP Moscow owaspmoscow
0
680
«From captcha to RCE. Сложности реализации механизма CAPTCHA в изолированных системах», Виталий Малкин
Avatar for OWASP Moscow owaspmoscow
0
560
«OWASP Сheat Sheet Series. Microservices-based security architecture documentation», Александр Барабанов
Avatar for OWASP Moscow owaspmoscow
0
620
«Проекты OWASP: следим за безопасностью 3rd-party-компонент с помощью Dependency Track», Тарас Иващенко, OZON.
Avatar for OWASP Moscow owaspmoscow
0
610
«Будущее без паролей: про FIDO2/WebAuthN и не только», Сергей Белов, Mail.Ru Group.
Avatar for OWASP Moscow owaspmoscow
0
560
«CTFZone, или как перестать ресёрчить и полюбить CTF», Никита Вдовушкин, BI.ZONE.
Avatar for OWASP Moscow owaspmoscow
1
550

Other Decks in Technology

See All in Technology
ソフトウェア品質を支える テストとレビュー再考 / 吉澤 智美さん
Avatar for ファインディ株式会社(イベント資料アップ用) findy_eventslides
0
100
今のコンピュータ、AI にも Web にも 向いていないので 作り直そう!!
Avatar for piacerex piacerex
0
630
CLIPでマルチモーダル画像検索 →とても良い
Avatar for Motoi Washida wm3
2
800
進化する大規模言語モデル評価: Swallowプロジェクトにおける実践と知見
Avatar for Naoaki Okazaki chokkan
PRO
3
460
組織全員で向き合うAI Readyなデータ利活用
Avatar for harry gappy50
5
2.1k
20251029_Cursor Meetup Tokyo #02_MK_「あなたのAI、私のシェル」 - プロンプトインジェクションによるエージェントのハイジャック
Avatar for Masayuki Kawakita mk0721
PRO
6
2.4k
設計に疎いエンジニアでも始めやすいアーキテクチャドキュメント
Avatar for Tomonori Hayashi / ぴーはや phaya72
27
18k
How Fast Is Fast Enough? [PerfNow 2025]
Avatar for Tammy Everts tammyeverts
2
260
20251102 WordCamp Kansai 2025
Avatar for Chiaki Okamoto chiilog
1
540
MCP サーバーの基礎から実践レベルの知識まで
Avatar for azukiazusa azukiazusa1
14
7.2k
AWSが好きすぎて、41歳でエンジニアになり、AAIを経由してAWSパートナー企業に入った話
Avatar for Yuuki Yamashita yama3133
2
230
[AWS 秋のオブザーバビリティ祭り 2025 〜最新アップデートと生成 AI × オブザーバビリティ〜] Amazon Bedrock AgentCore で実現!お手軽 AI エージェントオブザーバビリティ
Avatar for Hajime Onishi 0nihajim
1
350

Featured

See All Featured
Sharpening the Axe: The Primacy of Toolmaking
Avatar for Bryan Cantrill bcantrill
46
2.5k
How Fast Is Fast Enough? [PerfNow 2025]
Avatar for Tammy Everts tammyeverts
2
260
How to train your dragon (web standard)
Avatar for Monica Dinculescu notwaldorf
97
6.3k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
Avatar for Addy Osmani addyosmani
9
950
Navigating Team Friction
Avatar for Lara Hogan lara
190
15k
Gamification - CAS2011
Avatar for David Bonilla davidbonilla
81
5.5k
How GitHub (no longer) Works
Avatar for Zach Holman holman
315
140k
Being A Developer After 40
Avatar for Adrian Kosmaczewski akosma
91
590k
Fight the Zombie Pattern Library - RWD Summit 2016
Avatar for Marcelo Somers marcelosomers
234
17k
The Straight Up "How To Draw Better" Workshop
Avatar for Dennis Kardys denniskardys
239
140k
Distributed Sagas: A Protocol for Coordinating Microservices
Avatar for Caitie McCaffrey caitiem20
333
22k
The Web Performance Landscape in 2024 [PerfNow 2024]
Avatar for Tammy Everts tammyeverts
10
910

Transcript

  1. None

  2. Security Software development lifecycle: final security review and automatization Taras

    Ivashchenko

  3. Software Development Lifecycle https://msdn.microsoft.com/library/cc307406 3

  4. Final Security Review › OWASP Security Testing Guide › Managers

    apply for FSR through the form › Supposed to be done 1-2 weeks before the release › But this is not true in real world ;-( Taras Ivashchenko 4

  5. Pain › We still find XSSes on the FSR :(

    › Release is planned for tomorrow but we still have security issues to fix › FSR is a bottleneck in SDL › Not enough time for FSR Taras Ivashchenko 5
  6. None
  7. None

  8. Plan › We need to implement security controls at the

    early stages of SDL Taras Ivashchenko 8

  9. It’s obvious!

  10. Plan › We need to implement security controls at the

    early stages of SDL › As more automation as possible! We love it! :-) › We need super form and robots! Taras Ivashchenko 10
  11. None
  12. None

  13. Tasks’ distribution › Task is automaticaly assigned to available security

    specialist › Skills and abilities are taken into consideration during ticket assigning process Taras Ivashchenko 13

  14. Answer questions and get recommendations 14

  15. Automatically creates tasks for security controls 15

  16. Runs security tools in time › Web application security scanner

    › Static code analysis › Mobile applications additional security checks Taras Ivashchenko 16

  17. Predicts security risks 17

  18. Risk metrics for the service/release › Status of security controls

    › Last results of tools scanning › Results of previous FSR › Karma of the service › Questionnaire answers Taras Ivashchenko 18
  19. None

  20. Win › Not completely yet but we believe it will

    be soon... › Now we get well written tasks for FSR with security risks assessment › Managers and developers get recommendations while filling the form › Typical FSR takes less time Taras Ivashchenko 20

  21. Automate as much things as possible to get more free

    time for complex and interesting tasks ;-)

  22. Questions?

  23. Contacts Taras Ivashchenko Product Security Team Lead [email protected] 23