Date: 12-Apr-2017 | Category: Internet | Uploaded by: owasp-russia
Security
Software development lifecycle: final security review and automatization
Taras Ivashchenko
Software Development Lifecycle
https://msdn.microsoft.com/library/cc307406
Final Security Review
› OWASP Security Testing Guide
› Managers apply for FSR through the form
› Supposed to be done 1-2 weeks before the release
› But this is not true in the real world ;-(
Taras Ivashchenko 4
Pain
› We still find XSSes on the FSR :(
› Release is planned for tomorrow but we still have security issues to fix
› FSR is a bottleneck in SDL
› Not enough time for FSR
Plan
› We need to implement security controls at the early stages of SDL
It’s obvious!
Plan
› We need to implement security controls at the early stages of SDL
› As much automation as possible! We love it! :-)
› We need super form and robots!
Task distribution
› A task is automatically assigned to an available security specialist
› Skills and abilities are taken into consideration during the ticket assignment process
Answer questions and get recommendations
Automatically creates tasks for security controls
Runs security tools in time
› Web application security scanner
› Static code analysis
› Additional security checks for mobile applications
Predicts security risks
Risk metrics for the service/release
› Status of security controls
› Latest results of tool scans
› Results of previous FSR
› Karma of the service
› Questionnaire answers
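One way to combine these five signals into a single release risk score that decides how deep the FSR has to go, as an added example that is not part of the talk or the speaker's tooling; the weights, caps and priority thresholds are assumptions, chosen so that the maximum score is 100.

```python
from dataclasses import dataclass

# Assumed severity weights for open scanner / static-analysis findings.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}


@dataclass
class ReleaseSignals:
    controls_done: int            # security controls completed in this SDL cycle
    controls_total: int           # security controls planned for the release
    scan_findings: dict           # open findings from the last tool run, by severity
    previous_fsr_findings: int    # issues found during the previous FSR
    karma: int                    # service "karma", 0..100, higher means a cleaner history
    questionnaire_flags: list     # risky answers from the release questionnaire


def risk_score(s: ReleaseSignals) -> float:
    """Return a 0..100 risk score; all weights and caps are assumptions."""
    # Unfinished security controls: up to 30 points.
    if s.controls_total > 0:
        controls_gap = 1 - s.controls_done / s.controls_total
    else:
        controls_gap = 1.0  # nothing planned at all is treated as the worst case
    score = 30 * controls_gap
    # Open findings weighted by severity, capped at 30 points.
    findings = sum(SEVERITY_WEIGHT.get(sev, 0) * n for sev, n in s.scan_findings.items())
    score += min(30, findings)
    # History: 3 points per previous FSR finding (cap 20), low karma adds up to 10.
    score += min(20, 3 * s.previous_fsr_findings)
    score += 10 * (1 - max(0, min(100, s.karma)) / 100)
    # Questionnaire: 5 points per risky answer, capped at 10.
    score += min(10, 5 * len(s.questionnaire_flags))
    return round(score, 1)


def fsr_priority(score: float) -> str:
    """Map the score to how much FSR effort to schedule (assumed thresholds)."""
    if score >= 60:
        return "full review, release blocked until done"
    if score >= 30:
        return "targeted review of flagged areas"
    return "lightweight review, tool results only"


if __name__ == "__main__":
    # Constructed sample release: 3 of 4 controls done, a few open findings.
    sample = ReleaseSignals(3, 4, {"high": 2, "medium": 3}, 2, 80, ["handles user data"])
    print(risk_score(sample), fsr_priority(risk_score(sample)))  # 36.5 targeted review ...
```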
Win
› Not completely yet but we believe it will be soon...
› Now we get well written tasks for FSR with security risks assessment
› Managers and developers get recommendations while filling the form
› Typical FSR takes less time
Automate as many things as possible to get more free time for complex and interesting tasks ;-)
Questions?