Upgrade to Pro — share decks privately, control downloads, hide ads and more …

"Software development lifecycle: final security review and automatization", Taras Ivashchenko

47a3212bc9721c62f1135ead56569f17?s=47 OWASP Moscow
December 04, 2017
Technology
0
130

"Software development lifecycle: final security review and automatization", Taras Ivashchenko

OWASP Russia Meetup #5

47a3212bc9721c62f1135ead56569f17?s=128

OWASP Moscow

December 04, 2017
Tweet

More Decks by OWASP Moscow

See All by OWASP Moscow
"Evolution of Application Security Programs through OWASP SAMM 2.0", Yan Kravchenko
47a3212bc9721c62f1135ead56569f17?s=48 owaspmoscow
0
150
«Проекты OWASP: SAMM выпуск 2», Тарас Иващенко, OZON
47a3212bc9721c62f1135ead56569f17?s=48 owaspmoscow
0
290
«Типичные ошибки реализации SMS-аутентификации», Ramazan (r0hack), DETEACT
47a3212bc9721c62f1135ead56569f17?s=48 owaspmoscow
0
520
«Dev, Sec, Oops: How Agile Security increases Attack Surface», Денис Макрушин
47a3212bc9721c62f1135ead56569f17?s=48 owaspmoscow
0
260
«From captcha to RCE. Сложности реализации механизма CAPTCHA в изолированных системах», Виталий Малкин
47a3212bc9721c62f1135ead56569f17?s=48 owaspmoscow
0
230
«OWASP Сheat Sheet Series. Microservices-based security architecture documentation», Александр Барабанов
47a3212bc9721c62f1135ead56569f17?s=48 owaspmoscow
0
260
«Проекты OWASP: следим за безопасностью 3rd-party-компонент с помощью Dependency Track», Тарас Иващенко, OZON.
47a3212bc9721c62f1135ead56569f17?s=48 owaspmoscow
0
220
«Будущее без паролей: про FIDO2/WebAuthN и не только», Сергей Белов, Mail.Ru Group.
47a3212bc9721c62f1135ead56569f17?s=48 owaspmoscow
0
210
«CTFZone, или как перестать ресёрчить и полюбить CTF», Никита Вдовушкин, BI.ZONE.
47a3212bc9721c62f1135ead56569f17?s=48 owaspmoscow
1
190

Other Decks in Technology

See All in Technology
[SRE NEXT 2022]ヤプリのSREにおけるセキュリティ強化の取り組みを公開する
Ee9f5f5b17a075129d7c48ad157a9ab3?s=48 mmochi23
1
420
SRE_チーム立ち上げから1年_気づいたら_SRE_っぽくない仕事まで貢献しちゃってる説
B35fa97f982d550e358a8c689c3f0fef?s=48 bitkey
PRO
0
2.1k
Devに力を授けたいSREのあゆみ / SRE that wants to empower developers
E12b5afe5b4e6552019c09d6ac4128c3?s=48 tocyuki
3
480
LINEのData Platform室が実践する大規模分散環境のCapacity Planning
A3966f193f4bef226a0d3e3c1f728d7f?s=48 line_developers
PRO
0
380
Data-Driven Healthcare - Techplay
Bc9f06dc792f2ab663c7bf10326e649e?s=48 kotaroito
0
110
Embedded SRE at Mercari
Ecb3acc2d246962361a4f8b3f7a6dd12?s=48 tcnksm
0
830
[SRE NEXT 2022]メルカリグループにおけるSREs
667ad57b416187cb22589158805603b4?s=48 srenext
0
100
ITエンジニアを取り巻く環境とキャリアパス / A career path for Japanese IT engineers
D2322aa2c45d0190205b3ed8bfdd6717?s=48 takatama
0
590
プルリク作ったらデプロイされる仕組み on ECS / SRE NEXT 2022
2537ce662eb08182e617ec7944981437?s=48 carta_engineering
1
190
TypeScript 4.7と型レベルプログラミング
993ef638264def4334358f986fb4a91d?s=48 uhyo
6
3.4k
Kubernetesの上に作る、統一されたマイクロサービス運用体験
5292dd0924f5e440a4b7ff40b165a0b4?s=48 tkuchiki
1
880
YAMLを書くだけで構築できる分散ストレージ
842515eaf8fbb2dfcc75197e7797dc15?s=48 sat
PRO
0
180

Featured

See All Featured
Producing Creativity
Ae14cc4491ac334f9cd23f9f93b4305e?s=48 orderedlist
PRO
333
37k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
651dcfe41723207fbb0aa044a4f7c07f?s=48 dotmariusz
100
5.9k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
88f4e84b94fe07cddbd9e6479d689192?s=48 soudai
38
12k
Documentation Writing (for coders)
61857dafbd287b3027c4dcea9008ad3c?s=48 carmenhchung
48
2.5k
What's in a price? How to price your products and services
Dad095ea7038f89f760419ce475d5d14?s=48 michaelherold
229
9.3k
Fireside Chat
864a009ac73600c7c02e1f26629dd989?s=48 paigeccino
11
1.3k
Streamline your AJAX requests with AmplifyJS and jQuery
9cde37f47e4a800ea081ea42de8d749a?s=48 dougneiner
125
8.5k
How to name files
0a4f62e90c976eeb44d33add75cca5af?s=48 jennybc
39
58k
We Have a Design System, Now What?
95d9f37115fbb0d13135d0f77132f856?s=48 morganepeng
35
2.9k
StorybookのUI Testing Handbookを読んだ
50fc0fdc2327ecbe7350645812de52e3?s=48 zakiyama
4
2k
Put a Button on it: Removing Barriers to Going Fast.
Bfd6b681ec6e8c9bef82ff0521c364f7?s=48 kastner
56
2.3k
BBQ
761be20b5ebd271008bcee1244fc5b52?s=48 matthewcrist
74
7.9k

Transcript

  1. None

  2. Security Software development lifecycle: final security review and automatization Taras

    Ivashchenko

  3. Software Development Lifecycle https://msdn.microsoft.com/library/cc307406 3

  4. Final Security Review › OWASP Security Testing Guide › Managers

    apply for FSR through the form › Supposed to be done 1-2 weeks before the release › But this is not true in real world ;-( Taras Ivashchenko 4

  5. Pain › We still find XSSes on the FSR :(

    › Release is planned for tomorrow but we still have security issues to fix › FSR is a bottleneck in SDL › Not enough time for FSR Taras Ivashchenko 5
  6. None
  7. None

  8. Plan › We need to implement security controls at the

    early stages of SDL Taras Ivashchenko 8

  9. It’s obvious!

  10. Plan › We need to implement security controls at the

    early stages of SDL › As more automation as possible! We love it! :-) › We need super form and robots! Taras Ivashchenko 10
  11. None
  12. None

  13. Tasks’ distribution › Task is automaticaly assigned to available security

    specialist › Skills and abilities are taken into consideration during ticket assigning process Taras Ivashchenko 13

  14. Answer questions and get recommendations 14

  15. Automatically creates tasks for security controls 15

  16. Runs security tools in time › Web application security scanner

    › Static code analysis › Mobile applications additional security checks Taras Ivashchenko 16

  17. Predicts security risks 17

  18. Risk metrics for the service/release › Status of security controls

    › Last results of tools scanning › Results of previous FSR › Karma of the service › Questionnaire answers Taras Ivashchenko 18
  19. None

  20. Win › Not completely yet but we believe it will

    be soon... › Now we get well written tasks for FSR with security risks assessment › Managers and developers get recommendations while filling the form › Typical FSR takes less time Taras Ivashchenko 20

  21. Automate as much things as possible to get more free

    time for complex and interesting tasks ;-)

  22. Questions?

  23. Contacts Taras Ivashchenko Product Security Team Lead oxdef@yandex-team.ru 23