Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
"Software development lifecycle: final security...
Search
OWASP Moscow
December 04, 2017
Technology
300
0
Share
"Software development lifecycle: final security review and automatization", Taras Ivashchenko
OWASP Russia Meetup #5
OWASP Moscow
December 04, 2017
More Decks by OWASP Moscow
See All by OWASP Moscow
"Evolution of Application Security Programs through OWASP SAMM 2.0", Yan Kravchenko
owaspmoscow
0
610
«Проекты OWASP: SAMM выпуск 2», Тарас Иващенко, OZON
owaspmoscow
0
720
«Типичные ошибки реализации SMS-аутентификации», Ramazan (r0hack), DETEACT
owaspmoscow
0
980
«Dev, Sec, Oops: How Agile Security increases Attack Surface», Денис Макрушин
owaspmoscow
0
720
«From captcha to RCE. Сложности реализации механизма CAPTCHA в изолированных системах», Виталий Малкин
owaspmoscow
0
590
«OWASP Сheat Sheet Series. Microservices-based security architecture documentation», Александр Барабанов
owaspmoscow
0
640
«Проекты OWASP: следим за безопасностью 3rd-party-компонент с помощью Dependency Track», Тарас Иващенко, OZON.
owaspmoscow
0
650
«Будущее без паролей: про FIDO2/WebAuthN и не только», Сергей Белов, Mail.Ru Group.
owaspmoscow
0
590
«CTFZone, или как перестать ресёрчить и полюбить CTF», Никита Вдовушкин, BI.ZONE.
owaspmoscow
1
580
Other Decks in Technology
See All in Technology
SaaSの操作主体は人間からAIへ - 経理AIエージェントが目指す深い自動化
nishihira
0
130
ハーネスエンジニアリング×AI適応開発
aictokamiya
1
910
来期の評価で変えようと思っていること 〜AI時代に変わること・変わらないこと〜
estie
0
130
Amazon Qはアマコネで頑張っています〜 Amazon Q in Connectについて〜
yama3133
1
170
Why we keep our community?
kawaguti
PRO
0
350
Oracle AI Database@Google Cloud:サービス概要のご紹介
oracle4engineer
PRO
5
1.3k
AIエージェント勉強会第3回 エージェンティックAIの時代がやってきた
ymiya55
0
180
【社内勉強会】新年度からコーディングエージェントを使いこなす - 構造と制約で引き出すClaude Codeの実践知
nwiizo
34
16k
SaaSに宿る21g
kanyamaguc
2
180
Kiro Meetup #7 Kiro アップデート (2025/12/15〜2026/3/20)
katzueno
2
270
20260326_AIDD事例紹介_ULSC.pdf
findy_eventslides
0
270
AWS DevOps Agent or Kiro の使いどころを考える_20260402
masakiokuda
0
120
Featured
See All Featured
How to Grow Your eCommerce with AI & Automation
katarinadahlin
PRO
1
160
Gemini Prompt Engineering: Practical Techniques for Tangible AI Outcomes
mfonobong
2
340
We Are The Robots
honzajavorek
0
210
Why Your Marketing Sucks and What You Can Do About It - Sophie Logan
marketingsoph
0
120
Building Flexible Design Systems
yeseniaperezcruz
330
40k
The Illustrated Guide to Node.js - THAT Conference 2024
reverentgeek
1
320
The Spectacular Lies of Maps
axbom
PRO
1
660
Automating Front-end Workflow
addyosmani
1370
200k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
659
61k
Collaborative Software Design: How to facilitate domain modelling decisions
baasie
0
180
DBのスキルで生き残る技術 - AI時代におけるテーブル設計の勘所
soudai
PRO
64
53k
The Cult of Friendly URLs
andyhume
79
6.8k
Transcript
None
Security Software development lifecycle: final security review and automatization Taras
Ivashchenko
Software Development Lifecycle https://msdn.microsoft.com/library/cc307406 3
Final Security Review › OWASP Security Testing Guide › Managers
apply for FSR through the form › Supposed to be done 1-2 weeks before the release › But this is not true in real world ;-( Taras Ivashchenko 4
Pain › We still find XSSes on the FSR :(
› Release is planned for tomorrow but we still have security issues to fix › FSR is a bottleneck in SDL › Not enough time for FSR Taras Ivashchenko 5
None
None
Plan › We need to implement security controls at the
early stages of SDL Taras Ivashchenko 8
It’s obvious!
Plan › We need to implement security controls at the
early stages of SDL › As more automation as possible! We love it! :-) › We need super form and robots! Taras Ivashchenko 10
None
None
Tasks’ distribution › Task is automaticaly assigned to available security
specialist › Skills and abilities are taken into consideration during ticket assigning process Taras Ivashchenko 13
Answer questions and get recommendations 14
Automatically creates tasks for security controls 15
Runs security tools in time › Web application security scanner
› Static code analysis › Mobile applications additional security checks Taras Ivashchenko 16
Predicts security risks 17
Risk metrics for the service/release › Status of security controls
› Last results of tools scanning › Results of previous FSR › Karma of the service › Questionnaire answers Taras Ivashchenko 18
None
Win › Not completely yet but we believe it will
be soon... › Now we get well written tasks for FSR with security risks assessment › Managers and developers get recommendations while filling the form › Typical FSR takes less time Taras Ivashchenko 20
Automate as much things as possible to get more free
time for complex and interesting tasks ;-)
Questions?
Contacts Taras Ivashchenko Product Security Team Lead
[email protected]
23
owaspmoscow
nishihira
aictokamiya
estie
yama3133
kawaguti
oracle4engineer
ymiya55
nwiizo
kanyamaguc
katzueno
findy_eventslides
masakiokuda
katarinadahlin
mfonobong
honzajavorek
marketingsoph
yeseniaperezcruz
reverentgeek
axbom
addyosmani
lemiorhan
baasie
soudai
andyhume
![Contacts Taras Ivashchenko Product Security Team Lead [email protected] 23](https://files.speakerdeck.com/presentations/5c6e41a22ba94c999db4c66a0032d383/slide_22.jpg){kind=link}