Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
"Software development lifecycle: final security review and automatization", Taras Ivashchenko
Search
OWASP Moscow
December 04, 2017
Technology
0
200
"Software development lifecycle: final security review and automatization", Taras Ivashchenko
OWASP Russia Meetup #5
OWASP Moscow
December 04, 2017
Tweet
Share
More Decks by OWASP Moscow
See All by OWASP Moscow
"Evolution of Application Security Programs through OWASP SAMM 2.0", Yan Kravchenko
owaspmoscow
0
330
«Проекты OWASP: SAMM выпуск 2», Тарас Иващенко, OZON
owaspmoscow
0
520
«Типичные ошибки реализации SMS-аутентификации», Ramazan (r0hack), DETEACT
owaspmoscow
0
760
«Dev, Sec, Oops: How Agile Security increases Attack Surface», Денис Макрушин
owaspmoscow
0
450
«From captcha to RCE. Сложности реализации механизма CAPTCHA в изолированных системах», Виталий Малкин
owaspmoscow
0
400
«OWASP Сheat Sheet Series. Microservices-based security architecture documentation», Александр Барабанов
owaspmoscow
0
460
«Проекты OWASP: следим за безопасностью 3rd-party-компонент с помощью Dependency Track», Тарас Иващенко, OZON.
owaspmoscow
0
450
«Будущее без паролей: про FIDO2/WebAuthN и не только», Сергей Белов, Mail.Ru Group.
owaspmoscow
0
390
«CTFZone, или как перестать ресёрчить и полюбить CTF», Никита Вдовушкин, BI.ZONE.
owaspmoscow
1
380
Other Decks in Technology
See All in Technology
SPI原点回帰論:事業課題とFour Keysの結節点を見出す実践的ソフトウェアプロセス改善 / DevOpsDays Tokyo 2024
visional_engineering_and_design
4
1.1k
検証を通して見えてきたTiDBの性能特性
lycorptech_jp
PRO
3
1.4k
Why we expect the Microservices
shkitayama
2
320
Let's get started with Ruby && Rails Tips
sinsoku
0
190
4年前、あるじゃん老害エンジニアLT合戦に登壇、米国西海岸コンピュータ歴史博物館体験記の続編
toshi_atsumi
0
180
カオナビの利用実績をアウトカムへつなげる旅 / example-of-data-management-startup-in-kaonavi
kaonavi
0
110
Databricks:『生成AI World Cup』のご案内
databricksjapan
1
110
Algyan イベント振り返り
linyixian
0
170
LLM とプロンプトエンジニアリング/チューターをビルドする / LLM and Prompt Engineering and Building Tutors
ks91
PRO
0
200
The AI Revolution Will Not Be Monopolized: How open-source beats economies of scale, even for LLMs
inesmontani
PRO
1
630
【SORACOM UG】(2024年度版) SIMってなんだ? ~セルラー通信がつながる仕組み、解説します~
soracom
PRO
0
170
オブザーバビリティの Primary Signals
onk
PRO
0
530
Featured
See All Featured
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
225
51k
Large-scale JavaScript Application Architecture
addyosmani
502
110k
Optimising Largest Contentful Paint
csswizardry
7
2.3k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
15
1.4k
Writing Fast Ruby
sferik
619
60k
Art, The Web, and Tiny UX
lynnandtonic
288
19k
Clear Off the Table
cherdarchuk
82
310k
The Invisible Side of Design
smashingmag
293
49k
In The Pink: A Labor of Love
frogandcode
137
21k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
272
12k
Rebuilding a faster, lazier Slack
samanthasiow
72
8.2k
Transcript
None
Security Software development lifecycle: final security review and automatization Taras
Ivashchenko
Software Development Lifecycle https://msdn.microsoft.com/library/cc307406 3
Final Security Review › OWASP Security Testing Guide › Managers
apply for FSR through the form › Supposed to be done 1-2 weeks before the release › But this is not true in real world ;-( Taras Ivashchenko 4
Pain › We still find XSSes on the FSR :(
› Release is planned for tomorrow but we still have security issues to fix › FSR is a bottleneck in SDL › Not enough time for FSR Taras Ivashchenko 5
None
None
Plan › We need to implement security controls at the
early stages of SDL Taras Ivashchenko 8
It’s obvious!
Plan › We need to implement security controls at the
early stages of SDL › As more automation as possible! We love it! :-) › We need super form and robots! Taras Ivashchenko 10
None
None
Tasks’ distribution › Task is automaticaly assigned to available security
specialist › Skills and abilities are taken into consideration during ticket assigning process Taras Ivashchenko 13
Answer questions and get recommendations 14
Automatically creates tasks for security controls 15
Runs security tools in time › Web application security scanner
› Static code analysis › Mobile applications additional security checks Taras Ivashchenko 16
Predicts security risks 17
Risk metrics for the service/release › Status of security controls
› Last results of tools scanning › Results of previous FSR › Karma of the service › Questionnaire answers Taras Ivashchenko 18
None
Win › Not completely yet but we believe it will
be soon... › Now we get well written tasks for FSR with security risks assessment › Managers and developers get recommendations while filling the form › Typical FSR takes less time Taras Ivashchenko 20
Automate as much things as possible to get more free
time for complex and interesting tasks ;-)
Questions?
Contacts Taras Ivashchenko Product Security Team Lead
[email protected]
23
owaspmoscow
visional_engineering_and_design
lycorptech_jp
shkitayama
sinsoku
toshi_atsumi
kaonavi
databricksjapan
linyixian
ks91
inesmontani
soracom
onk
kastner
destraynor
addyosmani
csswizardry
bcantrill
sferik
lynnandtonic
cherdarchuk
smashingmag
frogandcode
stephaniewalter
samanthasiow
![Contacts Taras Ivashchenko Product Security Team Lead [email protected] 23](https://files.speakerdeck.com/presentations/5c6e41a22ba94c999db4c66a0032d383/slide_22.jpg){kind=link}