Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
"Software development lifecycle: final security...
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
OWASP Moscow
December 04, 2017
Technology
0
290
"Software development lifecycle: final security review and automatization", Taras Ivashchenko
OWASP Russia Meetup #5
OWASP Moscow
December 04, 2017
Tweet
Share
More Decks by OWASP Moscow
See All by OWASP Moscow
"Evolution of Application Security Programs through OWASP SAMM 2.0", Yan Kravchenko
owaspmoscow
0
590
«Проекты OWASP: SAMM выпуск 2», Тарас Иващенко, OZON
owaspmoscow
0
710
«Типичные ошибки реализации SMS-аутентификации», Ramazan (r0hack), DETEACT
owaspmoscow
0
970
«Dev, Sec, Oops: How Agile Security increases Attack Surface», Денис Макрушин
owaspmoscow
0
710
«From captcha to RCE. Сложности реализации механизма CAPTCHA в изолированных системах», Виталий Малкин
owaspmoscow
0
580
«OWASP Сheat Sheet Series. Microservices-based security architecture documentation», Александр Барабанов
owaspmoscow
0
630
«Проекты OWASP: следим за безопасностью 3rd-party-компонент с помощью Dependency Track», Тарас Иващенко, OZON.
owaspmoscow
0
630
«Будущее без паролей: про FIDO2/WebAuthN и не только», Сергей Белов, Mail.Ru Group.
owaspmoscow
0
580
«CTFZone, или как перестать ресёрчить и полюбить CTF», Никита Вдовушкин, BI.ZONE.
owaspmoscow
1
570
Other Decks in Technology
See All in Technology
【Ubie】AIを活用した広告アセット「爆速」生成事例 | AI_Ops_Community_Vol.2
yoshiki_0316
1
110
ブロックテーマでサイトをリニューアルした話 / 2026-01-31 Kansai WordPress Meetup
torounit
0
480
日本の85%が使う公共SaaSは、どう育ったのか
taketakekaho
1
240
小さく始めるBCP ― 多プロダクト環境で始める最初の一歩
kekke_n
1
510
OCI Database Management サービス詳細
oracle4engineer
PRO
1
7.4k
データの整合性を保ちたいだけなんだ
shoheimitani
8
3.2k
Embedded SREの終わりを設計する 「なんとなく」から計画的な自立支援へ
sansantech
PRO
3
2.6k
配列に見る bash と zsh の違い
kazzpapa3
3
160
22nd ACRi Webinar - NTT Kawahara-san's slide
nao_sumikawa
0
100
usermode linux without MMU - fosdem2026 kernel devroom
thehajime
0
240
M&A 後の統合をどう進めるか ─ ナレッジワーク × Poetics が実践した組織とシステムの融合
kworkdev
PRO
1
490
Webhook best practices for rock solid and resilient deployments
glaforge
2
300
Featured
See All Featured
Are puppies a ranking factor?
jonoalderson
1
2.7k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
35
3.4k
How To Speak Unicorn (iThemes Webinar)
marktimemedia
1
380
Max Prin - Stacking Signals: How International SEO Comes Together (And Falls Apart)
techseoconnect
PRO
0
86
Google's AI Overviews - The New Search
badams
0
910
AI in Enterprises - Java and Open Source to the Rescue
ivargrimstad
0
1.1k
Fantastic passwords and where to find them - at NoRuKo
philnash
52
3.6k
sira's awesome portfolio website redesign presentation
elsirapls
0
150
Documentation Writing (for coders)
carmenintech
77
5.3k
Conquering PDFs: document understanding beyond plain text
inesmontani
PRO
4
2.3k
Technical Leadership for Architectural Decision Making
baasie
2
250
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
32
2.1k
Transcript
None
Security Software development lifecycle: final security review and automatization Taras
Ivashchenko
Software Development Lifecycle https://msdn.microsoft.com/library/cc307406 3
Final Security Review › OWASP Security Testing Guide › Managers
apply for FSR through the form › Supposed to be done 1-2 weeks before the release › But this is not true in real world ;-( Taras Ivashchenko 4
Pain › We still find XSSes on the FSR :(
› Release is planned for tomorrow but we still have security issues to fix › FSR is a bottleneck in SDL › Not enough time for FSR Taras Ivashchenko 5
None
None
Plan › We need to implement security controls at the
early stages of SDL Taras Ivashchenko 8
It’s obvious!
Plan › We need to implement security controls at the
early stages of SDL › As more automation as possible! We love it! :-) › We need super form and robots! Taras Ivashchenko 10
None
None
Tasks’ distribution › Task is automaticaly assigned to available security
specialist › Skills and abilities are taken into consideration during ticket assigning process Taras Ivashchenko 13
Answer questions and get recommendations 14
Automatically creates tasks for security controls 15
Runs security tools in time › Web application security scanner
› Static code analysis › Mobile applications additional security checks Taras Ivashchenko 16
Predicts security risks 17
Risk metrics for the service/release › Status of security controls
› Last results of tools scanning › Results of previous FSR › Karma of the service › Questionnaire answers Taras Ivashchenko 18
None
Win › Not completely yet but we believe it will
be soon... › Now we get well written tasks for FSR with security risks assessment › Managers and developers get recommendations while filling the form › Typical FSR takes less time Taras Ivashchenko 20
Automate as much things as possible to get more free
time for complex and interesting tasks ;-)
Questions?
Contacts Taras Ivashchenko Product Security Team Lead
[email protected]
23
SiteGround - Reliable hosting with speed, security, and support you can count on.
owaspmoscow
yoshiki_0316
torounit
taketakekaho
kekke_n
oracle4engineer
shoheimitani
sansantech
kazzpapa3
nao_sumikawa
thehajime
kworkdev
glaforge
jonoalderson
rmw
marktimemedia
techseoconnect
badams
ivargrimstad
philnash
elsirapls
carmenintech
inesmontani
baasie
garrettdimon
![Contacts Taras Ivashchenko Product Security Team Lead [email protected] 23](https://files.speakerdeck.com/presentations/5c6e41a22ba94c999db4c66a0032d383/slide_22.jpg){kind=link}