Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
"Software development lifecycle: final security...
Search
OWASP Moscow
December 04, 2017
Technology
0
260
"Software development lifecycle: final security review and automatization", Taras Ivashchenko
OWASP Russia Meetup #5
OWASP Moscow
December 04, 2017
Tweet
Share
More Decks by OWASP Moscow
See All by OWASP Moscow
"Evolution of Application Security Programs through OWASP SAMM 2.0", Yan Kravchenko
owaspmoscow
0
450
«Проекты OWASP: SAMM выпуск 2», Тарас Иващенко, OZON
owaspmoscow
0
620
«Типичные ошибки реализации SMS-аутентификации», Ramazan (r0hack), DETEACT
owaspmoscow
0
870
«Dev, Sec, Oops: How Agile Security increases Attack Surface», Денис Макрушин
owaspmoscow
0
580
«From captcha to RCE. Сложности реализации механизма CAPTCHA в изолированных системах», Виталий Малкин
owaspmoscow
0
500
«OWASP Сheat Sheet Series. Microservices-based security architecture documentation», Александр Барабанов
owaspmoscow
0
560
«Проекты OWASP: следим за безопасностью 3rd-party-компонент с помощью Dependency Track», Тарас Иващенко, OZON.
owaspmoscow
0
550
«Будущее без паролей: про FIDO2/WebAuthN и не только», Сергей Белов, Mail.Ru Group.
owaspmoscow
0
500
«CTFZone, или как перестать ресёрчить и полюбить CTF», Никита Вдовушкин, BI.ZONE.
owaspmoscow
1
480
Other Decks in Technology
See All in Technology
トラブルシュートを楽しもう (wakamonog meeting 15)
recuraki
0
130
2025年に挑戦したいこと
molmolken
0
170
生成AI × 旅行 LLMを活用した旅行プラン生成・チャットボット
kominet_ava
0
160
タイミーのデータ活用を支えるdbt Cloud導入とこれから
ttccddtoki
1
270
Oracle Base Database Service 技術詳細
oracle4engineer
PRO
6
55k
深層学習と3Dキャプチャ・3Dモデル生成(土木学会応用力学委員会 応用数理・AIセミナー)
pfn
PRO
0
460
東京Ruby会議12 Ruby と Rust と私 / Tokyo RubyKaigi 12 Ruby, Rust and me
eagletmt
3
890
Amazon Route 53, 待ちに待った TLSAレコードのサポート開始
kenichinakamura
0
180
メンバーがオーナーシップを発揮しやすいチームづくり
ham0215
2
180
Godot Engineについて調べてみた
unsoluble_sugar
0
430
あなたの知らないクラフトビールの世界
miura55
0
140
re:Invent2024 KeynoteのAmazon Q Developer考察
yusukeshimizu
1
150
Featured
See All Featured
Why Our Code Smells
bkeepers
PRO
335
57k
Building Better People: How to give real-time feedback that sticks.
wjessup
366
19k
A better future with KSS
kneath
238
17k
Building Adaptive Systems
keathley
38
2.4k
Raft: Consensus for Rubyists
vanstee
137
6.7k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5.1k
Reflections from 52 weeks, 52 projects
jeffersonlam
348
20k
Typedesign – Prime Four
hannesfritz
40
2.5k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
RailsConf 2023
tenderlove
29
970
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Navigating Team Friction
lara
183
15k
Transcript
None
Security Software development lifecycle: final security review and automatization Taras
Ivashchenko
Software Development Lifecycle https://msdn.microsoft.com/library/cc307406 3
Final Security Review › OWASP Security Testing Guide › Managers
apply for FSR through the form › Supposed to be done 1-2 weeks before the release › But this is not true in real world ;-( Taras Ivashchenko 4
Pain › We still find XSSes on the FSR :(
› Release is planned for tomorrow but we still have security issues to fix › FSR is a bottleneck in SDL › Not enough time for FSR Taras Ivashchenko 5
None
None
Plan › We need to implement security controls at the
early stages of SDL Taras Ivashchenko 8
It’s obvious!
Plan › We need to implement security controls at the
early stages of SDL › As more automation as possible! We love it! :-) › We need super form and robots! Taras Ivashchenko 10
None
None
Tasks’ distribution › Task is automaticaly assigned to available security
specialist › Skills and abilities are taken into consideration during ticket assigning process Taras Ivashchenko 13
Answer questions and get recommendations 14
Automatically creates tasks for security controls 15
Runs security tools in time › Web application security scanner
› Static code analysis › Mobile applications additional security checks Taras Ivashchenko 16
Predicts security risks 17
Risk metrics for the service/release › Status of security controls
› Last results of tools scanning › Results of previous FSR › Karma of the service › Questionnaire answers Taras Ivashchenko 18
None
Win › Not completely yet but we believe it will
be soon... › Now we get well written tasks for FSR with security risks assessment › Managers and developers get recommendations while filling the form › Typical FSR takes less time Taras Ivashchenko 20
Automate as much things as possible to get more free
time for complex and interesting tasks ;-)
Questions?
Contacts Taras Ivashchenko Product Security Team Lead
[email protected]
23
owaspmoscow
recuraki
molmolken
kominet_ava
ttccddtoki
oracle4engineer
pfn
eagletmt
kenichinakamura
ham0215
unsoluble_sugar
miura55
yusukeshimizu
bkeepers
wjessup
kneath
keathley
vanstee
reverentgeek
jeffersonlam
hannesfritz
keavy
tenderlove
jlugia
lara
![Contacts Taras Ivashchenko Product Security Team Lead [email protected] 23](https://files.speakerdeck.com/presentations/5c6e41a22ba94c999db4c66a0032d383/slide_22.jpg){kind=link}