"Software development lifecycle: final security review and automatization", Taras Ivashchenko
OWASP Russia Meetup #5
OWASP Moscow
December 04, 2017
Transcript
Security Software development lifecycle: final security review and automatization
Taras Ivashchenko
Software Development Lifecycle
https://msdn.microsoft.com/library/cc307406
Final Security Review
› OWASP Security Testing Guide
› Managers apply for FSR through the form
› Supposed to be done 1-2 weeks before the release
› But this is not true in the real world ;-(
Pain
› We still find XSSes on the FSR :(
› Release is planned for tomorrow but we still have security issues to fix
› FSR is a bottleneck in SDL
› Not enough time for FSR
Plan
› We need to implement security controls at the early stages of SDL
It’s obvious!
Plan
› We need to implement security controls at the early stages of SDL
› As much automation as possible! We love it! :-)
› We need a super form and robots!
Tasks' distribution
› A task is automatically assigned to an available security specialist
› Skills and abilities are taken into consideration during the ticket assignment process
Answer questions and get recommendations
Automatically creates tasks for security controls
Runs security tools in time
› Web application security scanner
› Static code analysis
› Mobile applications additional security checks
Predicts security risks
Risk metrics for the service/release
› Status of security controls
› Latest results of tool scans
› Results of previous FSR
› Karma of the service
› Questionnaire answers
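The five inputs on this slide feed the risk metric. The Python below is an added example, not the talk's own tooling: it combines those inputs into one score and turns the score into an FSR recommendation. The weights, thresholds, field names and the two sample releases are assumptions.

```python
from dataclasses import dataclass

# Constructed weights for the risk metric; the talk lists the inputs, the numbers are assumptions.
CONTROL_PENDING_WEIGHT = 3
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}
RISKY_ANSWER_WEIGHT = {"handles_pii": 5, "auth_changes": 4, "new_external_input": 3}
PREVIOUS_FSR_WEIGHT = 2
MAX_KARMA = 10  # assumption: karma is 0..10, higher means a better security history


@dataclass
class ReleaseRecord:
    service: str
    controls: dict            # security control -> "done" | "pending" | "skipped"
    scan_findings: dict       # severity -> count from the latest automated scans
    previous_fsr_findings: int
    karma: int
    questionnaire: dict       # question id -> bool answer from the form


def risk_score(rec: ReleaseRecord) -> int:
    """Combine the slide's five inputs into one integer risk score (higher = riskier)."""
    score = CONTROL_PENDING_WEIGHT * sum(1 for s in rec.controls.values() if s != "done")
    score += sum(SEVERITY_WEIGHT.get(sev, 0) * n for sev, n in rec.scan_findings.items())
    score += PREVIOUS_FSR_WEIGHT * rec.previous_fsr_findings
    score += max(0, MAX_KARMA - rec.karma)
    score += sum(w for q, w in RISKY_ANSWER_WEIGHT.items() if rec.questionnaire.get(q))
    return score


def fsr_recommendation(rec: ReleaseRecord) -> str:
    """Map the score to the FSR effort the robot would schedule for this release."""
    score = risk_score(rec)
    if score >= 25:
        return "full manual FSR"
    if score >= 10:
        return "targeted FSR on open findings"
    return "automated checks only"


# Constructed sample releases (not real services).
HIGH_RISK = ReleaseRecord(
    service="checkout-api",
    controls={"threat_model": "done", "sast": "done", "dast": "pending"},
    scan_findings={"high": 1, "medium": 2},
    previous_fsr_findings=3,
    karma=7,
    questionnaire={"handles_pii": True, "auth_changes": False, "new_external_input": True},
)
LOW_RISK = ReleaseRecord("static-docs", {"sast": "done"}, {}, 0, 10, {})
```

Calling `fsr_recommendation(HIGH_RISK)` yields "full manual FSR" (score 29) while `LOW_RISK` scores 0 and gets automated checks only.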
Win
› Not completely yet, but we believe it will be soon...
› Now we get well-written tasks for FSR with a security risk assessment
› Managers and developers get recommendations while filling in the form
› A typical FSR takes less time
Automate as many things as possible to get more free time for complex and interesting tasks ;-)
Questions?
Contacts
Taras Ivashchenko, Product Security Team Lead
oxdef@yandex-team.ru