2. /me
● Product security team lead at Yandex
● OWASP Russia chapter board member
● «Some thoughts on web security» https://oxdef.info
3. The problem
The faster you release new features for users, the better service you have.
Product Security: how to be a bottle opener, not a bottleneck
Mortal Kombat, Warner Bros. Interactive Entertainment
12. Molly
● Web application security scanning solution
● Rest API & web interface
● Integrated with internal tools: QA framework Aqua, CI, bug tracker
● Python, Celery and Django inside
● w3af as scanner
● Used by QA and security team
13. Crasher
● Younger brother of Molly
● Testing of production environment
● Find all our web services and scan them for security issues
● Optimized to scan a large number of targets
● Mostly for system administrators
14. CAT
● Static Application Security Testing (SAST)
● Checkmarx and Coverity
● Integrated into CI
● API
● Mostly for developers
15. Vulnman
● Notification robot
● Python (yes, we like it :)
● Unresolved critical issues
● Daily digest
● Monitor 3rd party CVEs
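The two Vulnman tasks listed above, a daily digest of unresolved critical issues and a check of tracked third-party components against CVE advisories, can be sketched in plain Python like this. This is an added example, not Yandex's code: the `Issue`, `Component` and `Advisory` record layouts, the sample data and the placeholder CVE ids are all constructed for illustration.

```python
"""Daily digest of unresolved critical issues plus CVE matching for tracked
third-party components (added example in the spirit of the "Vulnman" slide;
record layouts and data are invented, not Yandex's)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Issue:
    key: str
    severity: str        # "critical", "high", ...
    status: str          # "open", "in_progress", "resolved"
    owner: str
    opened: date


@dataclass(frozen=True)
class Component:
    name: str
    version: tuple       # e.g. (1, 4, 2); tuples compare lexicographically


@dataclass(frozen=True)
class Advisory:
    cve: str
    component: str
    fixed_in: tuple      # first version that is not affected


def unresolved_critical(issues, today):
    """Return (owner, key, age_in_days) for every critical issue that is not
    resolved, oldest first, so the digest leads with what has waited longest."""
    rows = [(i.owner, i.key, (today - i.opened).days)
            for i in issues if i.severity == "critical" and i.status != "resolved"]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


def affected_components(components, advisories):
    """A component is affected when its deployed version is below the first
    fixed version of an advisory for that component. Returns sorted
    (component, version, cve) triples."""
    hits = []
    for c in components:
        for a in advisories:
            if a.component == c.name and c.version < a.fixed_in:
                hits.append((c.name, ".".join(map(str, c.version)), a.cve))
    return sorted(hits)


def render_digest(issues, components, advisories, today):
    """Plain-text digest body, the kind a notification robot would mail daily."""
    lines = [f"Security digest for {today.isoformat()}"]
    crit = unresolved_critical(issues, today)
    lines.append(f"Unresolved critical issues: {len(crit)}")
    for owner, key, age in crit:
        lines.append(f"  {key} ({owner}) open for {age} days")
    hits = affected_components(components, advisories)
    lines.append(f"Components with known CVEs: {len(hits)}")
    for name, version, cve in hits:
        lines.append(f"  {name} {version} affected by {cve}")
    return "\n".join(lines)


# Constructed sample data: issue keys, components and CVE ids are placeholders.
DIGEST_DATE = date(2014, 3, 10)
SAMPLE_ISSUES = [
    Issue("SEC-101", "critical", "open", "alice", date(2014, 3, 1)),
    Issue("SEC-102", "high", "open", "bob", date(2014, 3, 5)),
    Issue("SEC-103", "critical", "resolved", "alice", date(2014, 2, 20)),
    Issue("SEC-104", "critical", "in_progress", "carol", date(2014, 3, 8)),
]
SAMPLE_COMPONENTS = [Component("libfoo", (1, 4, 2)), Component("barjs", (2, 0, 0))]
SAMPLE_ADVISORIES = [
    Advisory("CVE-0000-0001", "libfoo", (1, 4, 3)),   # placeholder id: libfoo 1.4.2 is affected
    Advisory("CVE-0000-0002", "barjs", (1, 9, 0)),    # placeholder id: barjs 2.0.0 already fixed
]

if __name__ == "__main__":
    print(render_digest(SAMPLE_ISSUES, SAMPLE_COMPONENTS, SAMPLE_ADVISORIES, DIGEST_DATE))
```

In a real deployment the issue list would come from the bug tracker API and the component inventory from the deployment system; the version comparison above is deliberately simple (tuples of integers) and would need a proper version parser for schemes with pre-release tags.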
17. Ampelmann
● Help to keep an eye on things
● Help to improve security processes
● Get security related information from multiple sources via APIs
● Show various lists, graphics and diagrams
● Python, Flask, Mongo
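A small illustration of what a dashboard like Ampelmann has to do before it can draw anything: pull records from several sources with different field names, map them onto one shape, compute per-team metrics, and reduce them to a traffic-light status. This is an added example, not Yandex's code: the two source layouts (a tracker export and a scanner report), the team names and the red/yellow/green thresholds are all assumed.

```python
"""Per-team security metrics and traffic-light status from two differently
shaped sources (added example in the spirit of the "Ampelmann" slide; source
layouts, data and thresholds are invented, not Yandex's)."""
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed source 1: records as a bug tracker API might return them.
TRACKER_EXPORT = [
    {"key": "SEC-201", "team": "search", "severity": "critical",
     "opened": "2014-02-20", "resolved": "2014-02-25"},
    {"key": "SEC-202", "team": "search", "severity": "high",
     "opened": "2014-03-01", "resolved": None},
    {"key": "SEC-203", "team": "mail", "severity": "critical",
     "opened": "2014-02-01", "resolved": None},
    {"key": "SEC-204", "team": "mail", "severity": "low",
     "opened": "2014-03-05", "resolved": "2014-03-06"},
]
# Constructed source 2: findings as a scanner API might return them
# (note the different field names and capitalised risk levels).
SCANNER_REPORT = [
    {"id": 7, "service_owner": "maps", "risk": "High",
     "found": "2014-03-07", "fixed": None},
    {"id": 8, "service_owner": "maps", "risk": "Medium",
     "found": "2014-02-10", "fixed": "2014-02-28"},
]


def normalize(tracker_rows, scanner_rows):
    """Map both sources onto one record shape: (team, severity, opened, resolved)."""
    def d(s):
        return date.fromisoformat(s) if s else None
    out = [(r["team"], r["severity"], d(r["opened"]), d(r["resolved"]))
           for r in tracker_rows]
    out += [(r["service_owner"], r["risk"].lower(), d(r["found"]), d(r["fixed"]))
            for r in scanner_rows]
    return out


def team_metrics(records):
    """Per team: open issues, open critical issues, mean days-to-fix of resolved ones."""
    stats = defaultdict(lambda: {"open": 0, "open_critical": 0, "fix_days": []})
    for team, sev, opened, resolved in records:
        s = stats[team]
        if resolved is None:
            s["open"] += 1
            if sev == "critical":
                s["open_critical"] += 1
        else:
            s["fix_days"].append((resolved - opened).days)
    return {t: {"open": s["open"], "open_critical": s["open_critical"],
                "mean_fix_days": mean(s["fix_days"]) if s["fix_days"] else None}
            for t, s in stats.items()}


def traffic_light(m, max_open=3, max_fix_days=14):
    """Red: any open critical issue. Yellow: too many open issues or slow fixes.
    Green otherwise. Thresholds are assumed values for the example."""
    if m["open_critical"] > 0:
        return "red"
    if m["open"] > max_open or (m["mean_fix_days"] is not None
                                and m["mean_fix_days"] > max_fix_days):
        return "yellow"
    return "green"


def dashboard():
    """team -> (light, metrics), sorted by team name; this is what a view would render."""
    metrics = team_metrics(normalize(TRACKER_EXPORT, SCANNER_REPORT))
    return {team: (traffic_light(m), m) for team, m in sorted(metrics.items())}


if __name__ == "__main__":
    for team, (light, m) in dashboard().items():
        print(f"{team:8} {light:6} open={m['open']} critical={m['open_critical']} "
              f"mean_fix_days={m['mean_fix_days']}")
```

The normalisation step is the part that grows with every new source, which is why keeping it separate from the metric and status logic pays off; the thresholds that turn a metric into a colour should be agreed with the teams being measured rather than hard-coded as here.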
18. Summary
● Automate everything as much as possible
● Measure and improve security processes
● It is not for removing manual activities! It frees up time for more complex things (which we really like to do).