Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
"Software development lifecycle: final security...
Search
OWASP Moscow
December 04, 2017
Technology
0
290
"Software development lifecycle: final security review and automatization", Taras Ivashchenko
OWASP Russia Meetup #5
OWASP Moscow
December 04, 2017
Tweet
Share
More Decks by OWASP Moscow
See All by OWASP Moscow
"Evolution of Application Security Programs through OWASP SAMM 2.0", Yan Kravchenko
owaspmoscow
0
580
«Проекты OWASP: SAMM выпуск 2», Тарас Иващенко, OZON
owaspmoscow
0
700
«Типичные ошибки реализации SMS-аутентификации», Ramazan (r0hack), DETEACT
owaspmoscow
0
960
«Dev, Sec, Oops: How Agile Security increases Attack Surface», Денис Макрушин
owaspmoscow
0
690
«From captcha to RCE. Сложности реализации механизма CAPTCHA в изолированных системах», Виталий Малкин
owaspmoscow
0
570
«OWASP Сheat Sheet Series. Microservices-based security architecture documentation», Александр Барабанов
owaspmoscow
0
620
«Проекты OWASP: следим за безопасностью 3rd-party-компонент с помощью Dependency Track», Тарас Иващенко, OZON.
owaspmoscow
0
620
«Будущее без паролей: про FIDO2/WebAuthN и не только», Сергей Белов, Mail.Ru Group.
owaspmoscow
0
570
«CTFZone, или как перестать ресёрчить и полюбить CTF», Никита Вдовушкин, BI.ZONE.
owaspmoscow
1
560
Other Decks in Technology
See All in Technology
命名から始めるSpec Driven
kuruwic
1
570
Bill One 開発エンジニア 紹介資料
sansan33
PRO
4
15k
【ASW21-02】STAMP/CAST分析における生成AIの支援 ~羽田空港航空機衝突事故を題材として (Support of Generative AI in STAMP/CAST Analysis - A Case Study Based on the Haneda Airport Aircraft Accident -)
hianraku9498
1
260
ローカルVLM OCRモデル + Gemini 3.0 Proで日本語性能を試す
gotalab555
1
210
IPv6-mostly field report from RubyKaigi 2026
sorah
0
220
段階的に進める、 挫折しない自宅サーバ入門
yu_kod
3
460
今すぐGoogle Antigravityを触りましょう
rfdnxbro
0
230
マルチドライブアーキテクチャ: 複数の駆動力でプロダクトを前進させる
knih
0
12k
Introduction to Sansan, inc / Sansan Global Development Center, Inc.
sansan33
PRO
0
2.9k
一億総業務改善を支える社内AIエージェント基盤の要諦
yukukotani
4
1.6k
Claude Code はじめてガイド -1時間で学べるAI駆動開発の基本と実践-
oikon48
9
4.7k
Data Hubグループ 紹介資料
sansan33
PRO
0
2.3k
Featured
See All Featured
The Cost Of JavaScript in 2023
addyosmani
55
9.3k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
22k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
359
30k
Rebuilding a faster, lazier Slack
samanthasiow
84
9.3k
Writing Fast Ruby
sferik
630
62k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
659
61k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
31
2.7k
The Cult of Friendly URLs
andyhume
79
6.7k
The Straight Up "How To Draw Better" Workshop
denniskardys
239
140k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
37
2.6k
What’s in a name? Adding method to the madness
productmarketing
PRO
24
3.8k
Fireside Chat
paigeccino
41
3.7k
Transcript
None
Security Software development lifecycle: final security review and automatization Taras
Ivashchenko
Software Development Lifecycle https://msdn.microsoft.com/library/cc307406 3
Final Security Review › OWASP Security Testing Guide › Managers
apply for FSR through the form › Supposed to be done 1-2 weeks before the release › But this is not true in real world ;-( Taras Ivashchenko 4
Pain › We still find XSSes on the FSR :(
› Release is planned for tomorrow but we still have security issues to fix › FSR is a bottleneck in SDL › Not enough time for FSR Taras Ivashchenko 5
None
None
Plan › We need to implement security controls at the
early stages of SDL Taras Ivashchenko 8
It’s obvious!
Plan › We need to implement security controls at the
early stages of SDL › As more automation as possible! We love it! :-) › We need super form and robots! Taras Ivashchenko 10
None
None
Tasks’ distribution › Task is automaticaly assigned to available security
specialist › Skills and abilities are taken into consideration during ticket assigning process Taras Ivashchenko 13
Answer questions and get recommendations 14
Automatically creates tasks for security controls 15
Runs security tools in time › Web application security scanner
› Static code analysis › Mobile applications additional security checks Taras Ivashchenko 16
Predicts security risks 17
Risk metrics for the service/release › Status of security controls
› Last results of tools scanning › Results of previous FSR › Karma of the service › Questionnaire answers Taras Ivashchenko 18
None
Win › Not completely yet but we believe it will
be soon... › Now we get well written tasks for FSR with security risks assessment › Managers and developers get recommendations while filling the form › Typical FSR takes less time Taras Ivashchenko 20
Automate as much things as possible to get more free
time for complex and interesting tasks ;-)
Questions?
Contacts Taras Ivashchenko Product Security Team Lead
[email protected]
23
owaspmoscow
kuruwic
sansan33
hianraku9498
gotalab555
sorah
yu_kod
rfdnxbro
knih
yukukotani
oikon48
addyosmani
caitiem20
bermonpainter
samanthasiow
sferik
lemiorhan
bluesmoon
andyhume
denniskardys
eileencodes
productmarketing
paigeccino
![Contacts Taras Ivashchenko Product Security Team Lead [email protected] 23](https://files.speakerdeck.com/presentations/5c6e41a22ba94c999db4c66a0032d383/slide_22.jpg){kind=link}