[Russia] Building better product security

Taras Ivashchenko Building better product security: an engineering approach

Transcript of [Russia] Building better product security

Page 1: [Russia] Building better product security

Taras Ivashchenko

Building better product security: an engineering approach

Page 2

/me

● Product security team lead at Yandex
● OWASP Russia chapter board member
● «Some thoughts on web security»

https://oxdef.info

Page 3

The problem

The faster you release new features to users, the better your service is.

Product Security: how to be a bottle opener, not a bottleneck

Mortal Kombat, Warner Bros. Interactive Entertainment

Page 4

The Security Development Lifecycle

https://msdn.microsoft.com/library/cc307406

Page 5
Page 6
Page 7

DevOoops

DevOps

Technology Operations

https://commons.wikimedia.org/wiki/File:Devops.png

Page 8

Product security team duties

● Trainings
● Architecture consultations
● Security audits
● Bug bounty management & response
● Develop and deploy security tools & controls
● Checklists, policies and security knowledge base
● R&D
● Other projects

Page 9

Faster!

Whiplash, 2014, Damien Chazelle, Sony Pictures Classics

Page 10
Page 11

Molly

Page 12

Molly

● Web application security scanning solution
● REST API & web interface
● Integrated with internal tools: QA framework Aqua, CI, bug tracker
● Python, Celery and Django inside
● w3af as scanner
● Used by QA and security team

Page 13

Crasher

● Younger brother of Molly
● Testing of the production environment
● Finds all our web services and scans them for security issues
● Optimized to scan a large number of targets
● Mostly for system administrators

Page 14

CAT

● Static Application Security Testing (SAST)
● Checkmarx and Coverity
● Integrated into CI
● API
● Mostly for developers

Page 15

Vulnman

● Notification robot
● Python (yes, we like it :)
● Unresolved critical issues
● Daily digest
● Monitors third-party CVEs

Page 16

Ampelmann

Page 17

Ampelmann

● Helps keep an eye on things
● Helps improve security processes
● Gets security-related information from multiple sources via APIs
● Shows various lists, graphics and diagrams
● Python, Flask, Mongo

Page 18

Summary

● Automate everything as much as possible
● Measure and improve security processes
● It is not about removing manual activities! It frees up time for more complex things (which we really like to do).

Page 19

Thank you!