Slide 1

No content

Slide 2

Security software development lifecycle: final security review and automation
Taras Ivashchenko

Slide 3

Software Development Lifecycle
https://msdn.microsoft.com/library/cc307406

Slide 4

Final Security Review
› OWASP Security Testing Guide
› Managers apply for FSR through the form
› Supposed to be done 1-2 weeks before the release
› But this is not true in the real world ;-(

Slide 5

Pain
› We still find XSSes during the FSR :(
› Release is planned for tomorrow, but we still have security issues to fix
› FSR is a bottleneck in the SDL
› Not enough time for FSR

Slide 6

No content

Slide 7

No content

Slide 8

Plan
› We need to implement security controls at the early stages of the SDL

Slide 9

It’s obvious!

Slide 10

Plan
› We need to implement security controls at the early stages of the SDL
› As much automation as possible! We love it! :-)
› We need a super form and robots!

Slide 11

No content

Slide 12

No content

Slide 13

Task distribution
› Tasks are automatically assigned to an available security specialist
› Skills and abilities are taken into account when the ticket is assigned

Slide 14

Answer questions and get recommendations

Slide 15

Automatically creates tasks for security controls

Slide 16

Runs security tools in time
› Web application security scanner
› Static code analysis
› Additional security checks for mobile applications

Slide 17

Predicts security risks

Slide 18

Risk metrics for the service/release
› Status of security controls
› Latest results of tool scans
› Results of previous FSRs
› Karma of the service
› Questionnaire answers
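As an added illustration (not code from the talk, which gives no formula), here is one way to fold the five inputs listed above into a single release risk score that decides how much FSR effort to plan. The weights, the thresholds, the 0.0..1.0 "karma" scale and the questionnaire keys are assumptions.

```python
from dataclasses import dataclass

@dataclass
class ReleaseFacts:
    controls: dict               # control name -> "done" | "pending" | "skipped"
    scan_findings: dict          # severity -> count from the latest tool scan
    previous_fsr_findings: dict  # severity -> count found during the previous FSR
    karma: float                 # assumed scale: 0.0 (bad track record) .. 1.0 (clean)
    questionnaire: dict          # assumed question id -> bool answer from the form

# Assumed weights; tune them against your own FSR history.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}
CONTROL_PENALTY = {"done": 0, "pending": 3, "skipped": 6}
QUESTION_PENALTY = {"handles_pii": 4, "internet_facing": 3, "new_auth_code": 3,
                    "third_party_libs_updated": -1}

def weighted_findings(counts):
    """Collapse a severity histogram into one number; unknown severities count 0."""
    return sum(SEVERITY_WEIGHT.get(sev, 0) * n for sev, n in counts.items())

def risk_score(facts):
    score = 0.0
    # Pending or skipped controls are the earliest signal that the FSR will hurt;
    # an unknown status is treated like "skipped".
    score += sum(CONTROL_PENALTY.get(s, 6) for s in facts.controls.values())
    score += weighted_findings(facts.scan_findings)
    # History matters, but less than evidence about the current release.
    score += 0.5 * weighted_findings(facts.previous_fsr_findings)
    score += sum(QUESTION_PENALTY[q] for q, yes in facts.questionnaire.items()
                 if yes and q in QUESTION_PENALTY)
    # Karma 1.0 leaves the score unchanged; karma 0.0 inflates it by 50%.
    score *= 1.5 - 0.5 * facts.karma
    return round(score, 1)

def fsr_priority(score):
    """Map the score to the FSR effort to plan (thresholds are assumptions)."""
    if score >= 25:
        return "blocking"          # must be fixed before the release ships
    if score >= 10:
        return "full FSR"
    return "lightweight review"

# Constructed sample release: one control skipped, one pending, fresh scan findings.
SAMPLE = ReleaseFacts(
    controls={"threat_model": "done", "sast": "pending", "dast": "skipped"},
    scan_findings={"high": 1, "medium": 2},
    previous_fsr_findings={"medium": 1, "low": 3},
    karma=0.6,
    questionnaire={"handles_pii": True, "internet_facing": True,
                   "new_auth_code": False, "third_party_libs_updated": True},
)
# risk_score(SAMPLE) -> 31.8, fsr_priority(31.8) -> "blocking"
```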

Slide 19

No content

Slide 20

Win
› Not completely yet, but we believe it will be soon...
› Now we get well-written tasks for FSR with a security risk assessment
› Managers and developers get recommendations while filling in the form
› A typical FSR takes less time

Slide 21

Automate as many things as possible to get more free time for complex and interesting tasks ;-)

Slide 22

Questions?

Slide 23

Contacts
Taras Ivashchenko
Product Security Team Lead
[email protected]