Software Development Lifecycle: Final Security Review and Automatization, Taras Ivashchenko

Post on 12-Apr-2017


Security

Software development lifecycle: final security review and automatization. Taras Ivashchenko

Software Development Lifecycle

https://msdn.microsoft.com/library/cc307406

Final Security Review

› OWASP Security Testing Guide

› Managers apply for FSR through the form

› Supposed to be done 1-2 weeks before the release

› But this is not true in real world ;-(

Taras Ivashchenko 4

Pain

› We still find XSSes on the FSR :(

› Release is planned for tomorrow but we still have security issues to fix

› FSR is a bottleneck in SDL

› Not enough time for FSR


Plan

› We need to implement security controls at the early stages of SDL


It’s obvious!

Plan

› We need to implement security controls at the early stages of SDL

› As much automation as possible! We love it! :-)

› We need super form and robots!


Tasks’ distribution

› Task is automatically assigned to an available security specialist

› Skills and abilities are taken into consideration during the ticket assignment process
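The two rules on this slide (a ticket goes to a specialist who is available, and skills decide who) are enough to write the assignment step down. The following is an added example, not code from the talk or from the author's internal tooling: the team, the skill tags, the "fewer than three open tickets" availability cap and the ranking are all constructed assumptions.

```python
"""Skill-aware assignment of Final Security Review (FSR) tickets.

Added example, not code from the talk. Specialist names, skill tags,
the availability cap and the ranking rule are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Specialist:
    name: str
    skills: set            # e.g. {"web", "mobile", "static-analysis"}
    open_tickets: int = 0  # current load, used as a tie-breaker


@dataclass
class Ticket:
    service: str
    required_skills: set


def assign(ticket, specialists, max_open=3):
    """Return the best available specialist for the ticket, or None.

    Availability: fewer than ``max_open`` tickets in progress (assumed cap).
    Ranking: most matching skills first, then least loaded.  A candidate
    with no matching skill is never chosen, so the ticket stays unassigned
    (visible in the queue) instead of landing with someone who cannot
    review it.
    """
    best, best_key = None, None
    for s in specialists:
        if s.open_tickets >= max_open:
            continue                     # not available
        matched = len(ticket.required_skills & s.skills)
        if matched == 0:
            continue                     # cannot review this ticket
        key = (matched, -s.open_tickets)
        if best_key is None or key > best_key:
            best, best_key = s, key
    if best is not None:
        best.open_tickets += 1           # record the new load
    return best


def demo():
    """Assign a constructed queue to a constructed team; returns pairs."""
    team = [
        Specialist("alice", {"web", "static-analysis"}),
        Specialist("bob", {"mobile"}),
        Specialist("carol", {"web", "mobile"}, open_tickets=3),  # fully loaded
    ]
    queue = [
        Ticket("search-frontend", {"web"}),
        Ticket("mail-android", {"mobile"}),
        Ticket("payments-ios", {"mobile", "web"}),
        Ticket("firmware-build", {"embedded"}),  # nobody on the team has it
    ]
    result = []
    for t in queue:
        owner = assign(t, team)
        result.append((t.service, owner.name if owner else None))
    return result


if __name__ == "__main__":
    for service, owner in demo():
        print(f"{service}: {owner or 'UNASSIGNED'}")
```

The unassigned outcome is deliberate: a ticket nobody can take should surface as a gap in the team's coverage rather than be silently parked on the least busy person.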


Answer questions and get recommendations


Automatically creates tasks for security controls


Runs security tools in time

› Web application security scanner

› Static code analysis

› Additional security checks for mobile applications


Predicts security risks


Risk metrics for the service/release

› Status of security controls

› Last results of tools scanning

› Results of previous FSR

› Karma of the service

› Questionnaire answers
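The form-driven part of the deck (answer questions, get control tasks created automatically) and this slide's list of risk inputs fit together in one small model: the questionnaire decides which controls a release needs, and the five inputs listed here are folded into a single number that orders the FSR queue. The code below is an added example, not the talk's own implementation; the question keys, the answer-to-control mapping, the severity weights, the karma factor and the two sample service records are constructed assumptions.

```python
"""Questionnaire -> control tasks -> release risk score.

Added example, not code from the talk.  Question keys, the mapping from
answers to controls, all weights and the sample records are constructed.
"""


def tasks_from_questionnaire(answers):
    """Turn form answers into the security-control tasks a release needs.

    The rules are constructed examples of the kind of mapping the form
    drives; a real questionnaire would carry many more of them.
    """
    tasks = set()
    if answers.get("handles_user_input"):
        tasks.add("dast")              # web application security scanner
    if answers.get("third_party_deps"):
        tasks.add("dependency_check")
    if answers.get("processes_personal_data"):
        tasks.add("threat_model")
    if answers.get("has_mobile_client"):
        tasks.add("mobile_checks")
    return tasks


SEVERITY_WEIGHT = {"high": 3.0, "medium": 1.0, "low": 0.25}  # assumed


def risk_score(service):
    """Combine the five inputs from the slide into one non-negative score."""
    score = 0.0
    # 1. status of security controls: every required-but-missing control
    required = tasks_from_questionnaire(service["answers"])
    missing = required - set(service["controls_done"])
    score += 2.0 * len(missing)
    # 2. last results of tool scanning: open findings weighted by severity
    score += sum(SEVERITY_WEIGHT[sev] * n
                 for sev, n in service["open_findings"].items())
    # 3. results of the previous FSR: issues found last time
    score += 1.0 * service["previous_fsr_issues"]
    # 4. karma of the service: a good track record lowers the score
    score -= 0.5 * service["karma"]
    # 5. questionnaire answers as exposure: internet-facing raises everything
    if service["answers"].get("internet_facing"):
        score *= 1.5
    return round(max(score, 0.0), 2)


def prioritize(services):
    """Order the FSR queue: highest risk first."""
    return sorted(((s["name"], risk_score(s)) for s in services),
                  key=lambda pair: pair[1], reverse=True)


# Constructed sample records (not real services or findings).
SAMPLE_SERVICES = [
    {
        "name": "search-frontend",
        "answers": {"handles_user_input": True, "processes_personal_data": True,
                    "third_party_deps": True, "internet_facing": True},
        "controls_done": ["dast"],
        "open_findings": {"high": 1, "medium": 2},
        "previous_fsr_issues": 3,
        "karma": -2,
    },
    {
        "name": "mail-android",
        "answers": {"has_mobile_client": True, "third_party_deps": True,
                    "internet_facing": False},
        "controls_done": ["mobile_checks", "dependency_check"],
        "open_findings": {"low": 4},
        "previous_fsr_issues": 0,
        "karma": 5,
    },
]


if __name__ == "__main__":
    for name, score in prioritize(SAMPLE_SERVICES):
        print(f"{name}: {score}")
```

Two design choices matter more than the exact weights. Missing controls are scored against what the questionnaire says the release needs, not against a fixed checklist, so a backend-only service is not penalised for skipping mobile checks. And the score is clamped at zero: good karma can offset noise from low-severity findings, but it cannot turn a release with an open high-severity finding into a "no review needed" case, because that finding alone contributes more than any realistic karma discount.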


Win

› Not completely yet but we believe it will be soon...

› Now we get well-written tasks for FSR with a security risk assessment

› Managers and developers get recommendations while filling the form

› Typical FSR takes less time


Automate as many things as possible to get more free time for complex and interesting tasks ;-)

Questions?

Contacts: Taras Ivashchenko, Product Security Team Lead

oxdef@yandex-team.ru
