Upgrade to Pro — share decks privately, control downloads, hide ads and more …

"Software development lifecycle: final security...

Avatar for OWASP Moscow OWASP Moscow
December 04, 2017
Technology
0
280

"Software development lifecycle: final security review and automatization", Taras Ivashchenko

OWASP Russia Meetup #5
Avatar for OWASP Moscow

OWASP Moscow

December 04, 2017
Tweet

More Decks by OWASP Moscow

See All by OWASP Moscow
"Evolution of Application Security Programs through OWASP SAMM 2.0", Yan Kravchenko
Avatar for OWASP Moscow owaspmoscow
0
530
«Проекты OWASP: SAMM выпуск 2», Тарас Иващенко, OZON
Avatar for OWASP Moscow owaspmoscow
0
660
«Типичные ошибки реализации SMS-аутентификации», Ramazan (r0hack), DETEACT
Avatar for OWASP Moscow owaspmoscow
0
920
«Dev, Sec, Oops: How Agile Security increases Attack Surface», Денис Макрушин
Avatar for OWASP Moscow owaspmoscow
0
640
«From captcha to RCE. Сложности реализации механизма CAPTCHA в изолированных системах», Виталий Малкин
Avatar for OWASP Moscow owaspmoscow
0
540
«OWASP Сheat Sheet Series. Microservices-based security architecture documentation», Александр Барабанов
Avatar for OWASP Moscow owaspmoscow
0
590
«Проекты OWASP: следим за безопасностью 3rd-party-компонент с помощью Dependency Track», Тарас Иващенко, OZON.
Avatar for OWASP Moscow owaspmoscow
0
590
«Будущее без паролей: про FIDO2/WebAuthN и не только», Сергей Белов, Mail.Ru Group.
Avatar for OWASP Moscow owaspmoscow
0
540
«CTFZone, или как перестать ресёрчить и полюбить CTF», Никита Вдовушкин, BI.ZONE.
Avatar for OWASP Moscow owaspmoscow
1
530

Other Decks in Technology

See All in Technology
25分で解説する「最小権限の原則」を実現するための AWS「ポリシー」大全 / 20250625-aws-summit-aws-policy
Avatar for opelab opelab
6
680
ユーザーのプロフィールデータを活用した推薦精度向上の取り組み
Avatar for Yudai Hayashi yudai00
0
470
Snowflake Summit 2025 データエンジニアリング関連新機能紹介 / Snowflake Summit 2025 What's New about Data Engineering
Avatar for t-hiroto tiltmax3
0
220
IAMのマニアックな話 2025を執筆して、​ 見えてきたAWSアカウント管理の現在
Avatar for NRI Netcom nrinetcom
PRO
4
650
CSS、JSをHTMLテンプレートにまとめるフロントエンド戦略
Avatar for Saito Ayumu d120145
0
200
Кто отправит outbox? Валентин Удальцов, автор канала Пых
Avatar for Lamoda Tech lamodatech
0
260
ローカルLLMでファインチューニング
Avatar for 西岡 賢一郎 (Kenichiro Nishioka) knishioka
0
120
TechLION vol.41~MySQLユーザ会のほうから来ました / techlion41_mysql
Avatar for sakaik sakaik
0
140
AI技術トレンド勉強会 #1 MCPの基礎と実務での応用
Avatar for Nisei Kimura nisei_k
1
240
Azure AI Foundryでマルチエージェントワークフロー
Avatar for 瀬尾佳隆 seosoft
0
140
Uniadex__公開版_20250617-AIxIoTビジネス共創ラボ_ツナガルチカラ_.pdf
Avatar for AIxIoTビジネス共創ラボ iotcomjpadmin
0
140
菸酒生在 LINE Taiwan 的後端雙刀流
Avatar for LINE Developers Taiwan line_developers_tw
PRO
0
1.1k

Featured

See All Featured
For a Future-Friendly Web
Avatar for Brad Frost brad_frost
179
9.8k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
Avatar for Chris Coyier chriscoyier
507
140k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
Avatar for Dan Newman danielanewman
228
22k
Building a Modern Day 
E-commerce SEO Strategy
Avatar for Aleyda Solis aleyda
41
7.3k
The Power of CSS Pseudo Elements
Avatar for Geoffrey Crofte geoffreycrofte
77
5.8k
ReactJS: Keep Simple. Everything can be a component!
Avatar for Pedro Nauck pedronauck
667
120k
Building an army of robots
Avatar for Kyle Neath kneath
306
45k
The World Runs on Bad Software
Avatar for Brandon Keepers bkeepers
PRO
68
11k
Building Adaptive Systems
Avatar for Chris Keathley keathley
43
2.6k
Fireside Chat
Avatar for paigeccino paigeccino
37
3.5k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
Avatar for Rebecca Miller-Webster rmw
34
3k
Practical Orchestrator
Avatar for Shlomi Noach shlominoach
188
11k

Transcript

  1. None

  2. Security Software development lifecycle: final security review and automatization Taras

    Ivashchenko

  3. Software Development Lifecycle https://msdn.microsoft.com/library/cc307406 3

  4. Final Security Review › OWASP Security Testing Guide › Managers

    apply for FSR through the form › Supposed to be done 1-2 weeks before the release › But this is not true in real world ;-( Taras Ivashchenko 4

  5. Pain › We still find XSSes on the FSR :(

    › Release is planned for tomorrow but we still have security issues to fix › FSR is a bottleneck in SDL › Not enough time for FSR Taras Ivashchenko 5
  6. None
  7. None

  8. Plan › We need to implement security controls at the

    early stages of SDL Taras Ivashchenko 8

  9. It’s obvious!

  10. Plan › We need to implement security controls at the

    early stages of SDL › As more automation as possible! We love it! :-) › We need super form and robots! Taras Ivashchenko 10
  11. None
  12. None

  13. Tasks’ distribution › Task is automaticaly assigned to available security

    specialist › Skills and abilities are taken into consideration during ticket assigning process Taras Ivashchenko 13

  14. Answer questions and get recommendations 14

  15. Automatically creates tasks for security controls 15

  16. Runs security tools in time › Web application security scanner

    › Static code analysis › Mobile applications additional security checks Taras Ivashchenko 16

  17. Predicts security risks 17

  18. Risk metrics for the service/release › Status of security controls

    › Last results of tools scanning › Results of previous FSR › Karma of the service › Questionnaire answers Taras Ivashchenko 18
  19. None

  20. Win › Not completely yet but we believe it will

    be soon... › Now we get well written tasks for FSR with security risks assessment › Managers and developers get recommendations while filling the form › Typical FSR takes less time Taras Ivashchenko 20

  21. Automate as much things as possible to get more free

    time for complex and interesting tasks ;-)

  22. Questions?

  23. Contacts Taras Ivashchenko Product Security Team Lead [email protected] 23