D0207 15:15 - 00
Companies struggle to make their products secure. It is a challenge even for the world’s largest companies: Microsoft, for example, took almost 10 years to fully integrate the Microsoft SDL into its Windows and Office products. It is a challenge when developing with the waterfall approach, and an even bigger challenge with an agile approach. Facebook’s research team recently described the challenges and opportunities they identified when deploying static and dynamic analysis tools at Facebook. It is not obvious how to design and implement a process that ensures that newly released features are secure.

In the first part of this talk, Y Soft’s secure software development lifecycle (SSDL), which includes, but is not limited to, threat modeling, questionnaires and static code analysis, will be presented. Y Soft’s SSDL was established with the education of engineers, consistency and efficiency in mind; each of these aspects will be discussed during the talk. The second part of the talk focuses on tools such as OWASP Dependency Check, SonarQube, FindBugs, FindSecurityBugs (to which Y Soft contributed a new and more reliable detection mechanism) and ODC analyzer (our extension to OWASP Dependency Check). The integration of these tools into the development lifecycle so that developers receive automatic feedback in a timely and contextual manner will also be discussed. This automatic feedback contains information about potential security issues such as SQL injection, cross-site scripting and much more.