2. /me
• Product security team lead at Yandex
• OWASP Russia chapter board member
• «Some thoughts on web security»: https://oxdef.info
3. The problem
The faster you release new features for users, the better service you have.
Product Security: how to be a bottle opener, not a bottleneck
(Image: Mortal Kombat, Warner Bros. Interactive Entertainment)
12. Molly
• Web application security scanning solution
• REST API and web interface
• Integrated with internal tools: the QA framework Aqua, CI, the bug tracker
• Python, Celery and Django inside
• w3af as the scanner engine
• Used by the QA and security teams
13. Crasher
• Younger brother of Molly
• Tests the production environment
• Finds all our web services and scans them for security issues
• Optimized for scanning a large number of targets
• Mostly for system administrators
14. CAT
• Static Application Security Testing (SAST)
• Checkmarx and Coverity
• Integrated into CI
• API
• Mostly for developers
15. Vulnman
• Notification robot
• Python (yes, we like it :)
• Reports unresolved critical issues
• Daily digest
• Monitors third-party CVEs
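What a digest robot of this kind does day to day, as an added illustration (this is not Vulnman's code and the issues, inventory, CVE entries and SLA are all constructed for the example): pull issues from the tracker, keep the critical ones that are still open, flag those past an SLA, compare the installed versions of third-party components against a CVE feed, and render one plain-text digest.

```python
"""Illustrative Vulnman-style daily digest. All data below is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

RESOLVED_STATES = {"resolved", "closed", "wontfix"}   # assumed tracker workflow


@dataclass
class Issue:
    key: str
    summary: str
    severity: str
    status: str
    owner: str
    created: date


@dataclass
class Cve:
    id: str            # placeholder identifiers, not real CVEs
    package: str
    fixed_in: str      # first version that is no longer affected (assumed feed format)
    cvss: float


def parse_version(version: str) -> tuple:
    """Dotted numeric versions only; pre-release tags and distro backports
    (e.g. '1.2.3-2ubuntu1' carrying a fix) are NOT handled here."""
    return tuple(int(part) for part in version.split("."))


def is_affected(installed: str, fixed_in: str) -> bool:
    # Tuple comparison also orders different lengths: (2, 2) < (2, 2, 1).
    return parse_version(installed) < parse_version(fixed_in)


def unresolved_critical(issues, today: date, min_age_days: int = 0):
    """Critical issues that are still open, oldest first."""
    open_crit = [
        i for i in issues
        if i.severity == "critical"
        and i.status not in RESOLVED_STATES
        and (today - i.created).days >= min_age_days
    ]
    return sorted(open_crit, key=lambda i: i.created)


def match_cves(inventory: dict, feed):
    """Pairs (cve, installed_version) for components below the fixed version."""
    hits = []
    for cve in feed:
        installed = inventory.get(cve.package)
        if installed is not None and is_affected(installed, cve.fixed_in):
            hits.append((cve, installed))
    return hits


def build_digest(issues, inventory, feed, today: date, sla_days: int = 7) -> str:
    lines = [f"Security digest for {today.isoformat()}"]
    crit = unresolved_critical(issues, today)
    lines.append(f"Unresolved critical issues: {len(crit)}")
    for i in crit:
        age = (today - i.created).days
        overdue = " OVERDUE" if age > sla_days else ""
        lines.append(f"  {i.key} [{i.status}] {i.summary}; owner {i.owner}, "
                     f"open {age} days{overdue}")
    hits = match_cves(inventory, feed)
    lines.append(f"Vulnerable third-party components: {len(hits)}")
    for cve, installed in hits:
        lines.append(f"  {cve.id}: {cve.package} {installed} < {cve.fixed_in} "
                     f"(CVSS {cve.cvss})")
    return "\n".join(lines)


# Constructed sample data, as if pulled from the bug tracker and a CVE feed.
TODAY = date(2015, 6, 1)
ISSUES = [
    Issue("SEC-101", "SQL injection in search", "critical", "open", "alice",
          TODAY - timedelta(days=5)),
    Issue("SEC-102", "Stored XSS in profile", "critical", "resolved", "bob",
          TODAY - timedelta(days=20)),
    Issue("SEC-103", "Open redirect on login", "medium", "open", "carol",
          TODAY - timedelta(days=3)),
    Issue("SEC-104", "RCE via file upload", "critical", "in progress", "bob",
          TODAY - timedelta(days=12)),
]
INVENTORY = {"django": "2.2.1", "celery": "4.4.7", "requests": "2.25.1"}
CVE_FEED = [
    Cve("CVE-EXAMPLE-1", "django", "2.2.3", 7.5),
    Cve("CVE-EXAMPLE-2", "requests", "2.20.0", 5.3),
    Cve("CVE-EXAMPLE-3", "flask", "1.0", 6.1),
    Cve("CVE-EXAMPLE-4", "celery", "4.5.0", 9.8),
]

if __name__ == "__main__":
    print(build_digest(ISSUES, INVENTORY, CVE_FEED, TODAY))
```

The naive version comparison is the part that bites in practice: vendor-patched packages keep the old version string, so a real robot needs the distribution's security tracker or the package's own patch list, not just the upstream "fixed in" number.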
17. Ampelmann
• Helps keep an eye on things
• Helps improve security processes
• Gets security-related information from multiple sources via their APIs
• Shows various lists, graphs and diagrams
• Python, Flask, Mongo
18. Summary
• Automate as much as possible
• Measure and improve security processes
• This is not about removing manual work! It frees up time for the more complex things (which we really like to do).