
Report from the RISSPA workshop April 20


In April, the Mail.Ru Group office hosted a RISSPA association seminar on information security. Below are the video recordings and slides of the talks given at the seminar.

“Product Security Incident Response Team (PSIRT) - From within Cisco PSIRT,” Alexey Lukatsky, Business Security Consultant, Cisco Systems

Alexey talked about Cisco PSIRT, the vulnerability management life cycle, and how Cisco PSIRT interacts with users. The speaker also analyzed two cases: "Heartbleed" and "Software implant in Cisco IOS".

Video of the speech: it.mail.ru/video/567

“Practice of Software Security in Sbertech”, Dmitry Yanchenko and Yuri Shabalin, experts of the department of application information security testing, Sberbank-Technology JSC

The report covered the strategy, goals, main objectives, priorities and methods used in the Software Security practice of Sberbank-Technologies JSC.


Video of the speech: it.mail.ru/video/569

“Static analysis: pride and prejudice”, Alexey Kuzmenko, analyst at IB Digital Security

Code analysis is one of the effective approaches to detecting defects at the software development stage. It helps avoid both trivial and not-so-trivial mistakes that can lead to vulnerabilities. Analyzers rely on a number of approaches to perform the analysis, and these help reduce risk. However, a number of prejudices arise, because an analyzer warning is not always a real defect, and not every defect is a vulnerability.


Video of the speech: it.mail.ru/video/570

“Identification, authentication, authorization - built-in functions of applications or tasks of a specialized service of an organization?”, Mikhail Vanin, General Director, REAK SOFT LLC

The report examined possible approaches to solving problems of identification, authentication and authorization at the infrastructure level of the organization.

Protecting an application requires built-in user identification / authentication / authorization functions. However, it becomes difficult to rely on built-in functions when users need access to a variety of applications deployed both inside the organization and in the cloud, from a variety of devices (PCs, mobile devices), and from both the organization's network and outside its perimeter. In such cases, identification / authentication / authorization should be provided at the infrastructure level of the organization.


Video of the speech: it.mail.ru/video/568

Source: https://habr.com/ru/post/300926/

