Lock in $30 Savings on PRO—Offer Ends Soon! ⏳
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
"Software development lifecycle: final security...
Search
OWASP Moscow
December 04, 2017
Technology
0
290
"Software development lifecycle: final security review and automatization", Taras Ivashchenko
OWASP Russia Meetup #5
OWASP Moscow
December 04, 2017
Tweet
Share
More Decks by OWASP Moscow
See All by OWASP Moscow
"Evolution of Application Security Programs through OWASP SAMM 2.0", Yan Kravchenko
owaspmoscow
0
580
«Проекты OWASP: SAMM выпуск 2», Тарас Иващенко, OZON
owaspmoscow
0
700
«Типичные ошибки реализации SMS-аутентификации», Ramazan (r0hack), DETEACT
owaspmoscow
0
960
«Dev, Sec, Oops: How Agile Security increases Attack Surface», Денис Макрушин
owaspmoscow
0
690
«From captcha to RCE. Сложности реализации механизма CAPTCHA в изолированных системах», Виталий Малкин
owaspmoscow
0
570
«OWASP Сheat Sheet Series. Microservices-based security architecture documentation», Александр Барабанов
owaspmoscow
0
620
«Проекты OWASP: следим за безопасностью 3rd-party-компонент с помощью Dependency Track», Тарас Иващенко, OZON.
owaspmoscow
0
620
«Будущее без паролей: про FIDO2/WebAuthN и не только», Сергей Белов, Mail.Ru Group.
owaspmoscow
0
570
«CTFZone, или как перестать ресёрчить и полюбить CTF», Никита Вдовушкин, BI.ZONE.
owaspmoscow
1
560
Other Decks in Technology
See All in Technology
Fashion×AI「似合う」を届けるためのWEARのAI戦略
zozotech
PRO
2
990
会社紹介資料 / Sansan Company Profile
sansan33
PRO
11
390k
チーリンについて
hirotomotaguchi
6
2.1k
AI との良い付き合い方を僕らは誰も知らない
asei
0
170
1人1サービス開発しているチームでのClaudeCodeの使い方
noayaoshiro
2
500
MariaDB Connector/C のcaching_sha2_passwordプラグインの仕様について
boro1234
0
950
Bedrock AgentCore Memoryの新機能 (Episode) を試してみた / try Bedrock AgentCore Memory Episodic functionarity
hoshi7_n
2
960
AlmaLinux + KVM + Cockpit で始めるお手軽仮想化基盤 ~ 開発環境などでの利用を想定して ~
koedoyoshida
0
120
ペアーズにおけるAIエージェント 基盤とText to SQLツールの紹介
hisamouna
2
880
AWSに革命を起こすかもしれない新サービス・アップデートについてのお話
yama3133
0
150
20251219 OpenIDファウンデーション・ジャパン紹介 / OpenID Foundation Japan Intro
oidfj
0
290
大企業でもできる!ボトムアップで拡大させるプラットフォームの作り方
findy_eventslides
1
860
Featured
See All Featured
The untapped power of vector embeddings
frankvandijk
1
1.5k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
26
3.3k
Mozcon NYC 2025: Stop Losing SEO Traffic
samtorres
0
75
Bioeconomy Workshop: Dr. Julius Ecuru, Opportunities for a Bioeconomy in West Africa
akademiya2063
PRO
0
26
Agile that works and the tools we love
rasmusluckow
331
21k
What's in a price? How to price your products and services
michaelherold
246
13k
Writing Fast Ruby
sferik
630
62k
SEOcharity - Dark patterns in SEO and UX: How to avoid them and build a more ethical web
sarafernandezseo
0
83
Faster Mobile Websites
deanohume
310
31k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
31
9.8k
Lightning Talk: Beautiful Slides for Beginners
inesmontani
PRO
1
400
How STYLIGHT went responsive
nonsquared
100
6k
Transcript
None
Security Software development lifecycle: final security review and automatization Taras
Ivashchenko
Software Development Lifecycle https://msdn.microsoft.com/library/cc307406 3
Final Security Review › OWASP Security Testing Guide › Managers
apply for FSR through the form › Supposed to be done 1-2 weeks before the release › But this is not true in real world ;-( Taras Ivashchenko 4
Pain › We still find XSSes on the FSR :(
› Release is planned for tomorrow but we still have security issues to fix › FSR is a bottleneck in SDL › Not enough time for FSR Taras Ivashchenko 5
None
None
Plan › We need to implement security controls at the
early stages of SDL Taras Ivashchenko 8
It’s obvious!
Plan › We need to implement security controls at the
early stages of SDL › As more automation as possible! We love it! :-) › We need super form and robots! Taras Ivashchenko 10
None
None
Tasks’ distribution › Task is automaticaly assigned to available security
specialist › Skills and abilities are taken into consideration during ticket assigning process Taras Ivashchenko 13
Answer questions and get recommendations 14
Automatically creates tasks for security controls 15
Runs security tools in time › Web application security scanner
› Static code analysis › Mobile applications additional security checks Taras Ivashchenko 16
Predicts security risks 17
Risk metrics for the service/release › Status of security controls
› Last results of tools scanning › Results of previous FSR › Karma of the service › Questionnaire answers Taras Ivashchenko 18
None
Win › Not completely yet but we believe it will
be soon... › Now we get well written tasks for FSR with security risks assessment › Managers and developers get recommendations while filling the form › Typical FSR takes less time Taras Ivashchenko 20
Automate as much things as possible to get more free
time for complex and interesting tasks ;-)
Questions?
Contacts Taras Ivashchenko Product Security Team Lead
[email protected]
23
owaspmoscow
zozotech
sansan33
hirotomotaguchi
asei
noayaoshiro
boro1234
hoshi7_n
koedoyoshida
hisamouna
yama3133
oidfj
findy_eventslides
frankvandijk
eileencodes
samtorres
akademiya2063
rasmusluckow
michaelherold
sferik
sarafernandezseo
deanohume
inesmontani
nonsquared
![Contacts Taras Ivashchenko Product Security Team Lead [email protected] 23](https://files.speakerdeck.com/presentations/5c6e41a22ba94c999db4c66a0032d383/slide_22.jpg){kind=link}