4. Final Security Review
› OWASP Security Testing Guide
› Managers apply for FSR through the form
› Supposed to be done 1-2 weeks before the release
› But this is not true in the real world ;-(
Taras Ivashchenko 4
5. Pain
› We still find XSSes on the FSR :(
› Release is planned for tomorrow but we still have security issues to fix
› FSR is a bottleneck in SDL
› Not enough time for FSR
8. Plan
› We need to implement security controls at the early stages of SDL
10. Plan
› We need to implement security controls at the early stages of SDL
› As much automation as possible! We love it! :-)
› We need super form and robots!
13. Task distribution
› Tasks are automatically assigned to an available security specialist
› Skills and abilities are taken into account when assigning the ticket
18. Risk metrics for the service/release
› Status of security controls
› Last results of tools scanning
› Results of previous FSR
› Karma of the service
› Questionnaire answers
20. Win
› Not completely yet but we believe it will be soon...
› Now we get well-written FSR tasks with a security risk assessment
› Managers and developers get recommendations while filling the form
› Typical FSR takes less time
21. Automate as many things as possible to get more free time for complex and interesting tasks ;-)