Security

Software developmentlifecycle: final security reviewand automatizationTaras Ivashchenko

Software Development Lifecycle

https://msdn.microsoft.com/library/cc307406 3

Final Security Review

› OWASP Security Testing Guide

› Managers apply for FSR through the form

› Supposed to be done 1-2 weeks before the release

› But this is not true in real world ;-(

Taras Ivashchenko 4

Pain

› We still find XSSes on the FSR :(

› Release is planned for tomorrow but we still have security issues to fix

› FSR is a bottleneck in SDL

› Not enough time for FSR

Taras Ivashchenko 5

Plan

› We need to implement security controls at the early stages of SDL

Taras Ivashchenko 8

It’s obvious!

Plan

› We need to implement security controls at the early stages of SDL

› As more automation as possible! We love it! :-)

› We need super form and robots!

Taras Ivashchenko 10

Tasks’ distribution

› Task is automaticaly assigned to available security specialist

› Skills and abilities are taken into consideration during ticket assigning process

Taras Ivashchenko 13

Answer questions and get recommendations

14

Automatically creates tasks for security controls

15

Runs security tools in time

› Web application security scanner

› Static code analysis

› Mobile applications additional security checks

Taras Ivashchenko 16

Predicts security risks

17

Risk metrics for the service/release

› Status of security controls

› Last results of tools scanning

› Results of previous FSR

› Karma of the service

› Questionnaire answers

Taras Ivashchenko 18

Win

› Not completely yet but we believe it will be soon...

› Now we get well written tasks for FSR with security risks assessment

› Managers and developers get recommendations while filling the form

› Typical FSR takes less time

Taras Ivashchenko 20

Automate as much things aspossible to get more free timefor complex and interestingtasks ;-)

Questions?

ContactsTaras IvashchenkoProduct Security Team Lead

oxdef@yandex-team.ru

23