Integrating Security to Agile Development Process
$ whoami
● Edwin Tunggawan (@sdsdkkk)
● Currently Security Engineer at Bukalapak (Formerly Software Engineer)
● Mainly focusing on Bukalapak’s server-side and application security
● Basically I’m still a software engineer, just with a focus on security for now
How software development used to be in Bukalapak
Idea → Initial Design → Development → Testing → Deployment → Monitoring
How software development currently is in Bukalapak
Then vs Now
Then: Not much parallelism, small team.
Now: Huge team broken down into small teams for parallel development.
Then: One engineer can keep track of changes and ongoing projects in the company.
Now: One engineer is unlikely to be aware of whatever changes are made by other teams.
Then: Monolithic.
Now: In progress on moving to microservices.
Then: Not much external security threat; any vulnerability is unlikely to be a big problem as long as it’s solved ASAP.
Now: How many invalid bug bounty and breach reports are we getting on our security mailing list every day again? How about that media coverage regarding our ImageTragick vulnerability?
We need more effort regarding security
● The system’s becoming so complex that it’s easy to miss what’s going on in other
teams’ development activities
● The company’s getting so well-known that any small security incident could
have a huge brand impact
● Any design/implementation problem becomes much harder to fix as time goes
on in a system this big
So, basically we’re moving towards a secure SDLC
Image from https://www.owasp.org
Bukalapak’s development values
● Execution speed matters
● Ship it ASAP
● Data-driven
What we value in Bukalapak’s security team
● Work without compromising the development values
● Preventing development mistakes instead of fixing them
So...
● We need to ensure the security of the software without adding unnecessary
slowdown in the development process
● Too much slowdown is bad
Integrating security into the development process
● The security engineers need to be actively involved in development
● We only have two security engineers and one security analyst, and around
200 people on product + engineering for development
● We need to work in a way that scales well
How we’re doing it
● Conducting security code reviews and blackbox tests on the whole application
● Conducting reviews on libraries and services
● Acting as advisors in the development stage
● Automating security tests
Security code reviews + blackbox tests on apps
● Monthly code audits
● Reviews & blackbox tests by request
● We’re keeping notes of the mistakes we find and summarizing them in a
series of internal secure development guide articles
● Raising awareness in the internal product + engineering tech talks based on
the common high-value mistakes we found
Reviews on libraries and services
● Sometimes the source of the problem is not the apps
● Some of the libraries and services are developed internally, so the
responsibility is the company’s whenever there’s a vulnerability there
Advising development
● Some features need more attention regarding security
● We’re reviewing the requirements and advising revisions if there are any security
issues in them
● We’re advising how the features need to be implemented in order to be secure
● Features that are considered safe don’t need special advisories, as long as
they comply with the secure development guide
Automating security tests
● We already have automated tests in the form of unit tests and integration tests
● Why not add security tests to them?
● Currently being implemented
● Expected to detect vulnerabilities early and to enforce secure development
practices more strictly
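As an added illustration (not code from the slides or from Bukalapak) of what a security test inside an ordinary unit-test suite can look like: a hypothetical upload validator that checks the file header against the declared type before the bytes reach any image-processing tool, plus the tests that fail the build if that check regresses. The function names and the allow-list are assumptions made for this example.

```python
# Added example, not code from the slides or from Bukalapak: a security
# regression test that sits beside ordinary unit tests, so CI fails when an
# upload handler stops validating what it hands to an image-processing tool.
# validate_upload / sniff_image_type are hypothetical names for this example.

# Header signatures for the image formats the hypothetical endpoint accepts.
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

def sniff_image_type(data: bytes):
    """Return the MIME type implied by the file header, or None if unknown."""
    for mime, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None

def validate_upload(data: bytes, declared_type: str, max_bytes: int = 5_000_000) -> bool:
    """Accept the upload only if the declared type is on the allow-list, the
    payload is within the size limit, and the header actually matches the
    declared type. Everything else is rejected before any external tool
    (resizer, converter, ...) sees the bytes."""
    if declared_type not in MAGIC:
        return False          # not an allowed format at all
    if len(data) > max_bytes:
        return False          # oversized payloads never reach the tool
    return sniff_image_type(data) == declared_type

# Security tests in the same style as the unit tests they sit next to.
# All inputs below are constructed for this example.
def test_accepts_png_with_matching_header():
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    assert validate_upload(png, "image/png")

def test_rejects_header_that_contradicts_declared_type():
    # A GIF header arriving with a PNG content type: the mismatch is refused.
    assert not validate_upload(b"GIF89a" + b"\x00" * 8, "image/png")

def test_rejects_non_image_payload():
    # Plain text claiming to be a JPEG never reaches the image tool.
    assert not validate_upload(b"this is not an image\n", "image/jpeg")

def test_rejects_type_outside_allow_list():
    assert not validate_upload(b"%!PS-Adobe-3.0\n", "application/postscript")

def test_rejects_oversized_upload():
    jpeg = b"\xff\xd8\xff" + b"\x00" * 100
    assert not validate_upload(jpeg, "image/jpeg", max_bytes=50)
```

Run these with the rest of the suite (for example under pytest) so that removing or loosening the validation breaks the build rather than reaching production.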
Our ideal secure SDLC
● Security team can be involved in any stage of development as needed
● Optimized for development speed
● Using automation whenever possible
What we expect in the future
● Fewer security vulnerabilities caused by the lack of a security perspective in the
design and implementation stages
● Fewer security vulnerabilities caused by a lack of awareness on the engineers’
side, especially after automated security testing is enforced
Thank you
