"Software development lifecycle: final security review and automatization", Taras Ivashchenko
OWASP Russia Meetup #5
OWASP Moscow
December 04, 2017
Transcript
Security Software development lifecycle: final security review and automatization
Taras Ivashchenko

Software Development Lifecycle (https://msdn.microsoft.com/library/cc307406)

Final Security Review
› OWASP Security Testing Guide
› Managers apply for FSR through the form
› Supposed to be done 1-2 weeks before the release
› But this is not true in the real world ;-(
Taras Ivashchenko 4

Pain
› We still find XSSes on the FSR :(
› Release is planned for tomorrow but we still have security issues to fix
› FSR is a bottleneck in SDL
› Not enough time for FSR
Plan
› We need to implement security controls at the early stages of SDL

It’s obvious!

Plan
› We need to implement security controls at the early stages of SDL
› As much automation as possible! We love it! :-)
› We need a super form and robots!
Tasks’ distribution
› Task is automatically assigned to an available security specialist
› Skills and abilities are taken into consideration during the ticket assignment process
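The slide describes skill-aware routing of FSR tickets. The following is an added illustration of one way such a router can work; it is not the speaker's tooling, and the team, skill tags, tickets and the "pick the qualified specialist with the lightest load" rule are constructed assumptions.

```python
"""Skill-aware assignment of security review tickets.

Added illustration for the "Tasks' distribution" slide; not the speaker's
tooling. All names, skill tags and tickets below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Specialist:
    name: str
    skills: set                      # constructed skill tags, e.g. {"web", "mobile"}
    available: bool = True           # vacation / sick leave -> not a candidate
    open_tickets: list = field(default_factory=list)


@dataclass
class Ticket:
    ticket_id: str
    required_skills: set             # every tag here must be covered by the assignee


def choose_assignee(ticket, specialists):
    """Return the available specialist who covers all required skills and
    currently has the lightest load; None when nobody qualifies.
    Ties are broken by name so the choice is deterministic."""
    candidates = [
        s for s in specialists
        if s.available and ticket.required_skills <= s.skills
    ]
    if not candidates:
        return None
    return min(candidates, key=lambda s: (len(s.open_tickets), s.name))


def assign(tickets, specialists):
    """Assign tickets in order, updating each specialist's load as we go.
    Returns a mapping ticket_id -> specialist name (None = manual triage)."""
    result = {}
    for ticket in tickets:
        assignee = choose_assignee(ticket, specialists)
        if assignee is not None:
            assignee.open_tickets.append(ticket.ticket_id)
            result[ticket.ticket_id] = assignee.name
        else:
            result[ticket.ticket_id] = None   # nobody qualified: escalate by hand
    return result


def demo():
    """Constructed team and queue; returns the resulting assignment."""
    team = [
        Specialist("alice", {"web", "static-analysis"}),
        Specialist("bob", {"web", "mobile"}),
        Specialist("carol", {"mobile"}, available=False),   # on vacation
    ]
    queue = [
        Ticket("FSR-1", {"web"}),
        Ticket("FSR-2", {"mobile"}),
        Ticket("FSR-3", {"web"}),
        Ticket("FSR-4", {"mobile", "static-analysis"}),    # nobody covers both
    ]
    return assign(queue, team)


if __name__ == "__main__":
    for ticket_id, who in demo().items():
        print(ticket_id, "->", who or "unassigned")
```

The unassignable ticket (FSR-4) is the case worth watching in practice: a router that silently drops or mis-routes a ticket nobody is qualified for is exactly how a review gets lost before a release, so the result keeps it visible as None for manual triage.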
Answer questions and get recommendations

Automatically creates tasks for security controls

Runs security tools in time
› Web application security scanner
› Static code analysis
› Mobile applications additional security checks

Predicts security risks

Risk metrics for the service/release
› Status of security controls
› Last results of tools scanning
› Results of previous FSR
› Karma of the service
› Questionnaire answers
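The slide lists the five signals that feed the risk prediction but not how they are combined. As an added example (not the speaker's system), the script below folds those five signals into a single 0..100 score and maps it to how much FSR time to book. The weights, the severity points, the triage thresholds, the idea that "karma" is a 0..100 history score with higher meaning worse, and the sample release are all constructed assumptions.

```python
"""Release risk score from the five signals on the "Risk metrics" slide.

Added illustration, not the speaker's system. Weights, scales, thresholds
and the sample release are constructed assumptions. Integer percentages
are used throughout so the result is exact and reproducible.
"""

# Assumed weights (sum to 100): each signal's share of the final score.
WEIGHTS = {
    "controls": 30,       # required security controls still not done
    "scan": 25,           # findings from the last tool scan, by severity
    "previous_fsr": 20,   # findings from the previous FSR
    "karma": 15,          # service history (assumed 0..100, higher = worse)
    "questionnaire": 10,  # share of risky answers in the intake questionnaire
}

# Assumed severity points; the per-signal factor saturates at 100 so a single
# noisy scanner cannot dominate the whole score.
SEVERITY_POINTS = {"critical": 100, "high": 50, "medium": 20, "low": 5}


def clamp_pct(x):
    return max(0, min(100, int(x)))


def findings_pct(findings):
    """Map a list of severity labels to a saturating 0..100 factor."""
    return clamp_pct(sum(SEVERITY_POINTS.get(sev, 0) for sev in findings))


def controls_pct(controls):
    """Percentage of required controls that are NOT completed.
    A release with no tracked controls at all is treated as worst case."""
    if not controls:
        return 100
    done = sum(1 for status in controls.values() if status == "done")
    return clamp_pct(100 * (len(controls) - done) / len(controls))


def risk_score(release):
    """Weighted 0..100 score; higher means the FSR needs more attention."""
    factors = {
        "controls": controls_pct(release["controls"]),
        "scan": findings_pct(release["last_scan"]),
        "previous_fsr": findings_pct(release["previous_fsr"]),
        "karma": clamp_pct(release["karma_pct"]),
        "questionnaire": clamp_pct(
            100 * release["risky_answers"] / max(1, release["questions"])),
    }
    total = sum(WEIGHTS[k] * factors[k] for k in WEIGHTS)   # 0..10000
    return round(total / 100)


def triage(score):
    """Assumed buckets used to decide how much FSR time to book."""
    if score >= 60:
        return "full review"
    if score >= 30:
        return "targeted review"
    return "lightweight review"


SAMPLE_RELEASE = {   # constructed example release
    "controls": {"threat-model": "done", "sast": "done",
                 "dast": "pending", "deps-check": "pending"},
    "last_scan": ["high", "medium", "medium", "low"],
    "previous_fsr": ["medium"],
    "karma_pct": 40,
    "risky_answers": 3,
    "questions": 10,
}

if __name__ == "__main__":
    score = risk_score(SAMPLE_RELEASE)
    print("risk score:", score, "->", triage(score))
```

Two design points matter more than the exact weights: the per-signal saturation keeps one source from drowning out the others, and the "no tracked controls" case scores as worst rather than best, so a team that skipped the intake form does not look safer than one that filled it in honestly.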
Win
› Not completely yet, but we believe it will be soon...
› Now we get well-written tasks for FSR with security risk assessment
› Managers and developers get recommendations while filling in the form
› A typical FSR takes less time

Automate as many things as possible to get more free time for complex and interesting tasks ;-)

Questions?

Contacts: Taras Ivashchenko, Product Security Team Lead, oxdef@yandex-team.ru