Upgrade to Pro — share decks privately, control downloads, hide ads and more …

応募課題(’25広島)

Avatar for BocchiMan BocchiMan
March 22, 2026
Education
1.6k
0

 応募課題(’25広島)

Avatar for BocchiMan

BocchiMan

March 22, 2026

More Decks by BocchiMan

See All by BocchiMan
セキュリティ・キャンプミニ@26in東京 Aトラック応募課題
Avatar for BocchiMan forget1900
0
8
セキュリティ・キャンプミニ@26in東京 Bトラック応募課題
Avatar for BocchiMan forget1900
0
7

Other Decks in Education

See All in Education
Data Management and Analytics Specialisation
Avatar for Beat Signer signer
PRO
0
1.8k
Modern Data Fetching Techniques in Angular
Avatar for Dhananjay Kumar debug_mode
0
210
Design Guidelines and Principles - Lecture 7 - Information Visualisation (4019538FNR)
Avatar for Beat Signer signer
PRO
0
3k
From Days to Minutes: How We Taught an AI to Onboard 50+ Tenants on our AI Features
Avatar for Miguel Cabrera mfcabrera
0
160
「機械学習と因果推論」入門 ⑤ 因果効果推定の一般化
Avatar for MasaKat0 masakat0
0
100
Visualisation Techniques - Lecture 8 - Information Visualisation (4019538FNR)
Avatar for Beat Signer signer
PRO
1
3.1k
Case Studies and Future Research - Lecture 12 - Next Generation User Interfaces (4018166FNR)
Avatar for Beat Signer signer
PRO
0
160
Alumnote inc. Company Deck
Avatar for Alumnote yukinumata
1
19k
コミュニティを通じた_キャリア設計のススメ_20260424.pdf
Avatar for モブエンジニア(Masaki Okuda) masakiokuda
0
290
AI進化史:LLMからAIエージェントへ
Avatar for MIKIO KUBO mickey_kubo
0
180
Protecting Patrons with Digital Vendors
Avatar for Dorothea Salo dsalo
0
180
The Lotus and the Frog
Avatar for Vikash Yadav vyadav
0
100

Featured

See All Featured
Building a A Zero-Code AI SEO Workflow
Avatar for Ian Lurie portentint
PRO
0
550
Pawsitive SEO: Lessons from My Dog (and Many Mistakes) on Thriving as a Consultant in the Age of AI
Avatar for David Carrasco davidcarrasco
0
160
SERP Conf. Vienna - Web Accessibility: Optimizing for Inclusivity and SEO
Avatar for Sara Fernández Carmona sarafernandez
2
1.5k
Building a Modern Day 
E-commerce SEO Strategy
Avatar for Aleyda Solis aleyda
45
9.1k
Discover your Explorer Soul
Avatar for Emna emna__ayadi
2
1.1k
Game over? The fight for quality and originality in the time of robots
Avatar for Wayne Barker wayneb77
1
190
Let's Do A Bunch of Simple Stuff to Make Websites Faster
Avatar for Chris Coyier chriscoyier
508
140k
How to Talk to Developers About Accessibility
Avatar for Jason CranfordTeague jct
2
220
Heart Work Chapter 1 - Part 1
Avatar for Lake Fama lfama
PRO
7
36k
Redefining SEO in the New Era of Traffic Generation
Avatar for Szymon Słowik szymonslowik
1
320
What the history of the web can teach us about the future of AI
Avatar for Ines Montani inesmontani
PRO
1
600
From Legacy to Launchpad: Building Startup-Ready Communities
Avatar for Dug Song dugsong
0
220

Transcript

  1. ηΩϡϦςΟɾΩϟϯϓϛχ'25 ޿ౡ։࠵ Ԡื՝୊ࡽ͠ ΅ͬͪ·Μ/ @forget1900

  2. ʲ໰̍ʳ Ԡืಈػʹ͍ͭͯ

  3. ճ౴ ɹࢲ͸౷ܭղੳݚڀࣨʹॴଐ͠ɺ౷ܭֶͷ஌ࣝ΍PythonɾRΛ༻͍ ͨσʔλ෼ੳΛֶश͍ͯ͠·͢ɻ΋ͱ΋ͱ୅਺ֶʹؔ৺͕͋Γࣗओ ֶशΛਐΊ͓ͯΓ·͕ͨ͠ɺେֶͷߨٛͰɺ୅਺ֶ΍੔਺࿦͕҉߸ ཧ࿦΍ූ߸ཧ࿦Λհͯ͠৘ใཧ࿦ͱີ઀ʹ݁ͼ͍͍ͭͯΔ͜ͱΛ஌ Γ·ͨ͠ɻಛʹɺ਺ֶతͳཧ࿦͕͍͔ʹͯ͠৘ใͷ҆ఆ͔ͭਖ਼֬ͳ ఻ୡΛ࣮ݱ͍ͯ͠Δͷ͔ͱ͍͏࢓૊Έʹڧ͍޷ح৺Λ๊͍͍ͯ· ͢ɻɹຊϛχΩϟϯϓ΁ͷࢀՃΛ௨͡ɺ͜Ε·ͰֶΜͰ͖ͨཧ࿦͕ ࣮ࣾձʹ͸ٕज़ͱͯ͠ͲͷΑ͏ʹ׆༻͞Ε͍ͯΔͷ͔Λਂֶ͘ͼͨ ͍ͱߟ͑ɺԠื͍ͨ͠·ͨ͠ɻ

  4. ʲ໰͖̍ͭͮʳ ͜ͷߨٛͰֶΜͩ͜ͱΛԿʹ໾ཱ͍͔ͯͨ

  5. ճ౴ ɹຊߨٛΛ௨ͯ͡ɺ৘ใཧ࿦ͷந৅తͳ֓೦͕ɺ࣮ࡍͷ௨৴΍σʔ λॲཧͷݱ৔Ͱ۩ମతʹͲͷΑ͏ʹ׆༻͞Ε͍ͯΔͷ͔Λֶͼ͍ͨ ͱߟ͍͑ͯ·͢ɻ·ͨɺཧ࿦Λ࣮૷ʹམͱ͠ࠐΉࡍͷٕज़తͳ޻෉ ΍ɺݱࡏ௚໘͍ͯ͠Δ՝୊ͱͦͷରॲ๏ΛֶͿ͜ͱͰɺଟ֯తͳࢹ ఺Λཆ͍͍ͨͰ͢ɻকདྷ͸ɺ͜͜Ͱಘͨ஌ݟΛࣗ਎ͷݚڀʹ׆͔͢ ͱͱ΋ʹɺΑΓݎ࿚ͳ҉߸ٕज़ͷൃల౳ʹߩݙͰ͖ΔਓࡐΛ໨ࢦ͠ ͍ͨͱߟ͍͑ͯ·͢ɻ

  6. ʲ໰2ʳ TLS௨৴ʹ͓͍ͯɺΫϥΠΞϯτ͸αʔόʔ͔Βૹ৴͞Ε Δূ໌ॻͷݕূΛߦ͍·͢ɻ ͜ͷূ໌ॻݕূͷ࢓૊Έʹ͍ͭͯௐ΂ɺαʔόʔͷਖ਼౰ੑΛͲͷΑ ͏ͳखॱͰ֬ೝ͍ͯ͠Δͷ͔ɺॱংཱͯͯઆ໌͍ͯͩ͘͠͞ɻ

  7. ճ౴(1/3) ɹTLS௨৴ʹ͓͍ͯɺΫϥΠΞϯτʢWebϒϥ΢β౳ʣ͸઀ଓઌͷ αʔόʔ͕ਅਖ਼ͳ΋ͷͰ͋Δ͔Λ֬ೝ͢ΔͨΊɺʮެ։伴ূ໌ॻʯ Λ༻͍ͨݕূΛߦ͍·͢ɻݕূͷྲྀΕʹ͍ͭͯҎԼͰઆ໌͢Δɻ 1. ূ໌ॻͷडྖͱ༗ޮੑͷ֬ೝ αʔόʔ͔Βૹ৴͞Εͨʮαʔόʔূ໌ॻʯΛड͚औΓɺ·ͣ༗ ޮظݶ಺ʢNot Before ʙ

    Not AfterʣͰ͋Δ͜ͱΛ֬ೝ͠·͢ɻ ͋Θͤͯɺূ໌ॻ͕ࣦޮϦετʢCRL΍OCSPʣʹؚ·Ε͍ͯͳ͍ ͔΋νΣοΫ͠·͢ɻ

  8. (2/3) 2. ॺ໊ͷݕূͱ৴པͷ࿈࠯ͷ֬ೝ ূ໌ॻʹ෇༩͞Εͨσδλϧॺ໊ΛɺൃߦݩͰ͋ΔೝূہʢCAʣ ͷެ։伴Λ༻͍ͯݕূ͠·͢ɻ͜ͷࡍɺதؒೝূہ͔ΒɺOS΍ϒ ϥ΢βʹϓϦΠϯετʔϧ͞Ε͍ͯΔʮϧʔτCAূ໌ॻʯ·Ͱḷ Γɺ৴པͷ࿈࠯͕੒ཱ͍ͯ͠Δ͔Λ֬ೝ͠·͢ɻ 3. υϝΠϯͷ੔߹ੑ֬ೝ ઀ଓ͠Α͏ͱ͍ͯ͠ΔURLͷϗετ໊͕ɺূ໌ॻ಺ͷʮSubject

    Alternative Name (SAN)ʯ·ͨ͸ʮCommon Name (CN)ʯʹه ࡌ͞Ε͍ͯΔ໊લͱҰக͢Δ͔Λর߹͠·͢ɻ

  9. (3/3) 4. ݕূ׬ྃͱ҉߸Խ௨৴ͷ։࢝ ্هͷݕূ͕͢΂ͯ੒ޭͨ͠৔߹ɺΫϥΠΞϯτ͸αʔόʔΛਖ਼ ౰ͳ΋ͷͱ൑அ͠·͢ɻͦͷޙɺڞ௨伴ͷڞ༗ʢTLSϋϯυγΣ ΠΫʣΛܧଓ͠ɺ҆શͳ҉߸Խ௨৴Λཱ֬͠·͢ɻ

  10. ʲ໰3ʳ OWASP ASVSͱ͸ɺιϑτ΢ΣΞ΍WebϓϩμΫτʹ͓͍ ͯɺͲͷΑ͏ͳ໾ׂΛ͸ͨ͢ϦετͰ͠ΐ͏͔ʁ LLMͳͲΛ༻͍ͳ͕Βௐ΂ɺࣗ෼ͷݴ༿Ͱ500จࣈҎ্Ͱ౴͑ͯ͘ ͍ͩ͞ɻ

  11. ճ౴(1/4) OWASP ASVSʢApplication Security Verification Standardʣ͸ɺ ೔ຊޠͰʮΞϓϦέʔγϣϯηΩϡϦςΟݕূඪ४ʯͱ༁͞Εɺ WebΞϓϦέʔγϣϯͷ҆શੑΛ٬؍తʹධՁɾ୲อ͢ΔͨΊͷ ʮڞ௨ͷ΋ͷ͞͠ʯͱͯ͠ͷ໾ׂΛՌͨ͠·͢ɻੈքతͳηΩϡϦ ςΟίϛϡχςΟͰ͋ΔOWASP͕ࡦఆ͓ͯ͠Γɺ։ൃऀ΍ηΩϡϦ

    ςΟΤϯδχΞ͕ࢀর͢΂͖۩ମతͳཁ͕݅ମܥతʹ·ͱΊΒΕͯ ͍·͢ɻͦͷओͳ໾ׂ͸ҎԼͷ3఺ʹू໿͞Ε·͢ɻ

  12. (2/4) ୈҰʹɺʮηΩϡϦςΟཁ݅ͷ໢ཏతͳΨΠυϥΠϯʯ ͱͯ͠ͷ໾ ׂͰ͢ɻASVS͸୯ͳΔ੬ऑੑ਍அͷνΣοΫϦετʹཹ·Γ·ͤ ΜɻೝূɺΞΫηε੍ޚɺσʔλͷ҉߸ԽɺΤϥʔॲཧͳͲଟذʹ ΘͨΔ߲໨ʢϨϕϧ1Ͱ131߲໨ɺϨϕϧ3Ͱ͸286߲໨ʹٴͼ·͢ʣ Λ໢ཏ͓ͯ͠Γɺ͜ΕΒΛ։ൃͷઃܭஈ֊͔Βࢀর͢Δ͜ͱͰɺη ΩϡϦςΟΛޙ෇͚Ͱ͸ͳ͘ʮઃܭஈ֊͔Β૊ΈࠐΉʢSecurity by Designʣʯ͜ͱ͕ՄೳʹͳΓ·͢ɻ

  13. (3/4) ୈೋʹɺʮϦεΫʹԠͨ͡ஈ֊తͳηΩϡϦςΟࢦඪʯ ͷఏڙͰ ͢ɻASVSͰ͸ɺΞϓϦέʔγϣϯͷॏཁ౓ʹԠͯ͡3ͭͷϨϕϧΛ ఆ͍ٛͯ͠·͢ɻશͯͷΞϓϦ͕࠷௿ݶຬͨ͢΂͖ʮϨϕϧ1ʯɺػ ີσʔλΛѻ͏ҰൠతͳϏδωεΞϓϦʹదͨ͠ʮϨϕϧ2ʯɺͦ͠ ͯॏཁΠϯϑϥ΍܉ࣄϨϕϧͷߴ౓ͳ৴པੑ͕ٻΊΒΕΔʮϨϕϧ 3ʯͰ͢ɻϨϕϧ্͕͕ΔʹͭΕɺݕূ߲໨਺͕૿͑Δ͚ͩͰͳ͘ɺ ݕূख๏΋มԽ͠·͢ɻྫ͑͹Ϩϕϧ1Ͱ͸ϒϥοΫϘοΫεܗࣜͷ DASTʢಈతղੳʣ͕த৺Ͱ͕͢ɺϨϕϧ2Ҏ্Ͱ͸ϗϫΠτϘοΫ

    εܗࣜͷSASTʢ੩తղੳʣ΍ίʔυϨϏϡʔΛ૊Έ߹ΘͤͨɺΑΓ ଟ૚తͳݕূ͕ٻΊΒΕ·͢ɻ

  14. (4/4) ୈࡾʹɺʮ૊৫಺֎ʹ͓͚Δίϛϡχέʔγϣϯͷඪ४Խʯ Ͱ͢ɻ ։ൃνʔϜͱ਍அϕϯμʔɺ͋Δ͍͸ൃ஫ݩͱड஫ऀͷؒͰʮͲ͜ ·Ͱରࡦ͢΂͖͔ʯͱ͍͏߹ҙܗ੒͸ࠔ೉ΛۃΊ·͢ɻ͔͠͠ɺ ASVSΛڞ௨ݴޠͱͯ͠ಋೖ͢Δ͜ͱͰɺʮࠓճ͸ASVS Ϩϕϧ1ʹ ४ڌ͢Δʯͱ͍ͬͨ໌֬ͳ໨ඪઃఆ͕ՄೳʹͳΓɺ૊৫શମͷη ΩϡϦςΟϓϩηεͷಁ໌ੑͱ඼࣭Λ޲্ͤ͞Δ໾ׂΛ୲͍·͢ɻ ͜ͷΑ͏ʹASVS͸ɺٕज़తͳνΣοΫϦετͰ͋Δͱಉ࣌ʹɺ։

    ൃɾӡ༻ɾධՁͷϥΠϑαΠΫϧશମΛ௨ͯ͡ιϑτ΢ΣΞͷ৴པ ੑΛࢧ͑ΔɺۃΊͯॏཁͳϑϨʔϜϫʔΫͰ͋Δͱݴ͑·͢ɻ