Ilya Govorkov

Application Security Expert, QIWI

About speaker

• Application Security Expert in QIWI JSC • member • Bushwhackers CTF team member
November 16
16:00 — 16:30
Fast Track
Imagine you have SSDLC up and running, all the processes are set up and the released stuff is all secure, but the products start falling into microservices.
It’s getting hard to use this whole lot of different tools, doesn’t it? Tens of scanners, WAF, CI, bug bounty, various trackers; dozens of programmers and admins — what is deployed, where is it deployed and who is responsible?
All this information can be properly connected into a whole by creating an adequate data model and filling it up from various sources. We will tell you about a tool that helped us to systematize the applications and create a playbook out of separate SDL scenarios:
    — scheduled scans;
      — DAST + SAST + OSA scans for a single application;
        — ‘HackMe-mode’: scan all the applications for all the subdomains present in the network given a single domain name.
        The module system allows one to create new checks to be sure not a single application is omitted.
        Profit: the system kernel and several PoC modules will be published on GitHub.