[Russia] Building better product security
Transcript of [Russia] Building better product security
Taras Ivashchenko
Building better product security: an engineering approach
/me
● Product security team lead at Yandex
● OWASP Russia chapter board member
● «Some thoughts on web security»
https://oxdef.info
The problem
The faster you release new features to users, the better your service is
Product Security: how to be a bottle opener, not a bottleneck
Mortal Kombat, Warner Bros. Interactive Entertainment
The Security Development Lifecycle
https://msdn.microsoft.com/library/cc307406
DevOoops
DevOps
Technology Operations
https://commons.wikimedia.org/wiki/File:Devops.png
Product security team duties
● Trainings
● Architecture consultations
● Security audits
● Bug bounty management & response
● Develop and deploy security tools & controls
● Checklists, policies and security knowledge base
● R&D
● Other projects
Faster!
Whiplash, 2014, Damien Chazelle, Sony Pictures Classics
Molly
● Web application security scanning solution
● REST API & web interface
● Integrated with internal tools: QA framework Aqua, CI, bug tracker
● Python, Celery and Django inside
● w3af as scanner
● Used by QA and security team
Crasher
● Younger brother of Molly
● Testing of the production environment
● Finds all our web services and scans them for security issues
● Optimized to scan a large number of targets
● Mostly for system administrators
CAT
● Static Application Security Testing (SAST)
● Checkmarx and Coverity
● Integrated into CI
● API
● Mostly for developers
Vulnman
● Notification robot
● Python (yes, we like it :)
● Unresolved critical issues
● Daily digest
● Monitor 3rd party CVEs
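To make the Vulnman slide concrete, here is an added example (my own illustration, not Yandex's Vulnman code) of the two checks such a robot runs before posting its daily digest: unresolved critical issues from the tracker, and third-party CVEs matched against an inventory of installed package versions. All issue records, package versions and the CVE-PLACEHOLDER-* advisory ids are constructed for the example.

```python
# Added example, not Yandex's Vulnman code: a daily digest for a notification robot of the
# kind the Vulnman slide describes. All issues, versions and CVE-PLACEHOLDER-* ids are constructed.
from dataclasses import dataclass
from datetime import date

@dataclass
class Issue:
    key: str
    title: str
    severity: str  # "critical", "high", "medium", "low"
    status: str    # "open", "in progress", "resolved"
    opened: date
    owner: str

def parse_version(v):
    """'1.8.4' -> (1, 8, 4): compare versions numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def unresolved_critical(issues):
    """Critical issues that are not resolved yet, oldest first."""
    stale = [i for i in issues if i.severity == "critical" and i.status != "resolved"]
    return sorted(stale, key=lambda i: i.opened)

def affected_components(inventory, advisories):
    """Advisory = (cve, package, first fixed version); installed older than the fix => affected."""
    return [(cve, pkg, inventory[pkg]) for cve, pkg, fixed in advisories
            if pkg in inventory and parse_version(inventory[pkg]) < parse_version(fixed)]

def daily_digest(issues, inventory, advisories, today):
    """Render the text the robot would mail or post once a day."""
    crit = unresolved_critical(issues)
    hits = affected_components(inventory, advisories)
    lines = [f"Security digest for {today.isoformat()}",
             f"Unresolved critical issues: {len(crit)}"]
    lines += [f"  {i.key} open {(today - i.opened).days}d, owner {i.owner}: {i.title}"
              for i in crit]
    lines.append(f"Third-party CVEs affecting our inventory: {len(hits)}")
    lines += [f"  {cve}: {pkg} {ver} installed, upgrade required" for cve, pkg, ver in hits]
    return "\n".join(lines)

TODAY = date(2016, 3, 1)  # constructed sample data from here on
ISSUES = [
    Issue("SEC-101", "Injection in search form", "critical", "open", date(2016, 2, 20), "team-a"),
    Issue("SEC-102", "XSS in profile page", "high", "open", date(2016, 2, 25), "team-b"),
    Issue("SEC-103", "Auth bypass in admin API", "critical", "in progress", date(2016, 2, 10), "team-c"),
    Issue("SEC-104", "Open redirect", "critical", "resolved", date(2016, 1, 5), "team-a"),
]
INVENTORY = {"django": "1.8.4", "celery": "3.1.20"}
ADVISORIES = [("CVE-PLACEHOLDER-1", "django", "1.8.10"),
              ("CVE-PLACEHOLDER-2", "celery", "3.1.18")]
```

Calling `daily_digest(ISSUES, INVENTORY, ADVISORIES, TODAY)` lists the two still-open critical issues with their age in days and flags only the django entry, because the installed celery version is already newer than the fix.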
Ampelmann
● Help to keep an eye on things
● Help to improve security processes
● Get security-related information from multiple sources via APIs
● Show various lists, graphics and diagrams
● Python, Flask, Mongo
Summary
● Automate everything as much as possible
● Measure and improve security processes
● It is not for removing manual activities! It frees up time for more complex things (which we really like to do).
Thank you!