Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
"Software development lifecycle: final security...
Search
OWASP Moscow
December 04, 2017
Technology
0
290
"Software development lifecycle: final security review and automatization", Taras Ivashchenko
OWASP Russia Meetup #5
OWASP Moscow
December 04, 2017
Tweet
Share
More Decks by OWASP Moscow
See All by OWASP Moscow
"Evolution of Application Security Programs through OWASP SAMM 2.0", Yan Kravchenko
owaspmoscow
0
590
«Проекты OWASP: SAMM выпуск 2», Тарас Иващенко, OZON
owaspmoscow
0
700
«Типичные ошибки реализации SMS-аутентификации», Ramazan (r0hack), DETEACT
owaspmoscow
0
970
«Dev, Sec, Oops: How Agile Security increases Attack Surface», Денис Макрушин
owaspmoscow
0
700
«From captcha to RCE. Сложности реализации механизма CAPTCHA в изолированных системах», Виталий Малкин
owaspmoscow
0
570
«OWASP Сheat Sheet Series. Microservices-based security architecture documentation», Александр Барабанов
owaspmoscow
0
630
«Проекты OWASP: следим за безопасностью 3rd-party-компонент с помощью Dependency Track», Тарас Иващенко, OZON.
owaspmoscow
0
630
«Будущее без паролей: про FIDO2/WebAuthN и не только», Сергей Белов, Mail.Ru Group.
owaspmoscow
0
570
«CTFZone, или как перестать ресёрчить и полюбить CTF», Никита Вдовушкин, BI.ZONE.
owaspmoscow
1
560
Other Decks in Technology
See All in Technology
Redshift認可、アップデートでどう変わった?
handy
1
120
AIBuildersDay_track_A_iidaxs
iidaxs
4
1.6k
ハッカソンから社内プロダクトへ AIエージェント「ko☆shi」開発で学んだ4つの重要要素
sonoda_mj
6
1.9k
『君の名は』と聞く君の名は。 / Your name, you who asks for mine.
nttcom
1
140
AgentCoreとStrandsで社内d払いナレッジボットを作った話
motojimayu
1
1.2k
Strands AgentsのEvaluatorをLangfuseにぶち込んでみた
andoooooo_bb
0
110
AWS re:Inventre:cap ~AmazonNova 2 Omniのワークショップを体験してきた~
nrinetcom
PRO
0
120
Directions Asia 2025 _ Let’s build my own secretary (AI Agent) Part 1 & 2
ryoheig0405
0
110
The State of AI Agent Security:2025年の総括と2026年の宿題
pict3
0
110
AI with TiDD
shiraji
1
330
ハッカソンから社内プロダクトへ AIエージェント ko☆shi 開発で学んだ4つの重要要素
leveragestech
0
460
Bedrock AgentCore Evaluationsで学ぶLLM as a judge入門
shichijoyuhi
2
300
Featured
See All Featured
Efficient Content Optimization with Google Search Console & Apps Script
katarinadahlin
PRO
0
260
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
162
16k
Paper Plane
katiecoart
PRO
0
44k
Building Experiences: Design Systems, User Experience, and Full Site Editing
marktimemedia
0
350
Testing 201, or: Great Expectations
jmmastey
46
7.8k
Digital Ethics as a Driver of Design Innovation
axbom
PRO
0
130
Building a Scalable Design System with Sketch
lauravandoore
463
34k
Site-Speed That Sticks
csswizardry
13
1k
Intergalactic Javascript Robots from Outer Space
tanoku
273
27k
Discover your Explorer Soul
emna__ayadi
2
1k
Why Our Code Smells
bkeepers
PRO
340
58k
GraphQLの誤解/rethinking-graphql
sonatard
74
11k
Transcript
None
Security Software development lifecycle: final security review and automatization Taras
Ivashchenko
Software Development Lifecycle https://msdn.microsoft.com/library/cc307406 3
Final Security Review › OWASP Security Testing Guide › Managers
apply for FSR through the form › Supposed to be done 1-2 weeks before the release › But this is not true in real world ;-( Taras Ivashchenko 4
Pain › We still find XSSes on the FSR :(
› Release is planned for tomorrow but we still have security issues to fix › FSR is a bottleneck in SDL › Not enough time for FSR Taras Ivashchenko 5
None
None
Plan › We need to implement security controls at the
early stages of SDL Taras Ivashchenko 8
It’s obvious!
Plan › We need to implement security controls at the
early stages of SDL › As more automation as possible! We love it! :-) › We need super form and robots! Taras Ivashchenko 10
None
None
Tasks’ distribution › Task is automaticaly assigned to available security
specialist › Skills and abilities are taken into consideration during ticket assigning process Taras Ivashchenko 13
Answer questions and get recommendations 14
Automatically creates tasks for security controls 15
Runs security tools in time › Web application security scanner
› Static code analysis › Mobile applications additional security checks Taras Ivashchenko 16
Predicts security risks 17
Risk metrics for the service/release › Status of security controls
› Last results of tools scanning › Results of previous FSR › Karma of the service › Questionnaire answers Taras Ivashchenko 18
None
Win › Not completely yet but we believe it will
be soon... › Now we get well written tasks for FSR with security risks assessment › Managers and developers get recommendations while filling the form › Typical FSR takes less time Taras Ivashchenko 20
Automate as much things as possible to get more free
time for complex and interesting tasks ;-)
Questions?
Contacts Taras Ivashchenko Product Security Team Lead
[email protected]
23
owaspmoscow
handy
iidaxs
sonoda_mj
nttcom
motojimayu
andoooooo_bb
nrinetcom
ryoheig0405
pict3
shiraji
leveragestech
shichijoyuhi
katarinadahlin
sstephenson
katiecoart
marktimemedia
jmmastey
axbom
lauravandoore
csswizardry
tanoku
emna__ayadi
bkeepers
sonatard
![Contacts Taras Ivashchenko Product Security Team Lead [email protected] 23](https://files.speakerdeck.com/presentations/5c6e41a22ba94c999db4c66a0032d383/slide_22.jpg){kind=link}