Upgrade to Pro — share decks privately, control downloads, hide ads and more …

応募課題(’25広島)

Avatar for BocchiMan BocchiMan
March 22, 2026
Education
1.3k
0

 応募課題(’25広島)

Avatar for BocchiMan

BocchiMan

March 22, 2026

More Decks by BocchiMan

See All by BocchiMan
セキュリティ・キャンプミニ@26in東京 Aトラック応募課題
Avatar for BocchiMan forget1900
0
7
セキュリティ・キャンプミニ@26in東京 Bトラック応募課題
Avatar for BocchiMan forget1900
0
6

Other Decks in Education

See All in Education
Lectura 1 (PIT : Python Basico)
Avatar for Abraham Zamudio robintux
0
200
Design Guidelines and Principles - Lecture 7 - Information Visualisation (4019538FNR)
Avatar for Beat Signer signer
PRO
0
3k
吉祥寺.pmは1つじゃない
— 複数イベント並走運営の12年 —
Avatar for Magnolia.K magnolia
0
680
Interaction - Lecture 10 - Information Visualisation (4019538FNR)
Avatar for Beat Signer signer
PRO
0
2.6k
コミュニティを通じた_キャリア設計のススメ_20260424.pdf
Avatar for モブエンジニア(Masaki Okuda) masakiokuda
0
270
Catecismo 26 #1 - Aula inaugural
Avatar for Congregação Mariana da Imaculada Conceição e Santo Afonso de Ligório cm_manaus
0
130
Interactive Tabletops and Surfaces - Lecture 5 - Next Generation User Interfaces (4018166FNR)
Avatar for Beat Signer signer
PRO
1
2.2k
[2026前期火5] 論理学(京都大学文学部 前期 第5回)「 ならばの問題演習・proof net・かつの規則」
Avatar for Shunsuke Yatabe yatabe
0
150
P3NFEST 2026 Spring ハンズオン「ハッキング・ラブ!はじめてのハッキングをやってみよう」資料
Avatar for Nomizo Nomizo nomizone
0
460
Gitがない時代 インターネットがない時代の 開発話
Avatar for sapi_kawahara sapi_kawahara
0
110
Protecting Patrons with Digital Vendors
Avatar for Dorothea Salo dsalo
0
120
Fulbright DAI 2025 學人經驗分享
Avatar for Joannie Huang joannie
0
830

Featured

See All Featured
The Art of Programming - Codeland 2020
Avatar for Erika Heidi erikaheidi
57
14k
Redefining SEO in the New Era of Traffic Generation
Avatar for Szymon Słowik szymonslowik
1
300
The Straight Up "How To Draw Better" Workshop
Avatar for Dennis Kardys denniskardys
239
140k
Git: the NoSQL Database
Avatar for Brandon Keepers bkeepers
PRO
432
67k
Exploring anti-patterns in Rails
Avatar for Elle Meredith aemeredith
3
350
Docker and Python
Avatar for Tania Allard trallard
47
3.8k
[RailsConf 2023 Opening Keynote] The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
31
10k
A Soul's Torment
Avatar for Nat Ma seathinner
6
2.8k
Bash Introduction
Avatar for André Augusto Costa Santos 62gerente
615
210k
JAMstack: Web Apps at Ludicrous Speed - All Things Open 2022
Avatar for David Neal reverentgeek
1
440
Introduction to Domain-Driven Design and Collaborative software design
Avatar for Kenny Baas-Schwegler baasie
1
780
How People are Using Generative and Agentic AI to Supercharge Their Products, Projects, Services and Value Streams Today
Avatar for Helen Beal helenjbeal
1
180

Transcript

  1. ηΩϡϦςΟɾΩϟϯϓϛχ'25 ޿ౡ։࠵ Ԡื՝୊ࡽ͠ ΅ͬͪ·Μ/ @forget1900

  2. ʲ໰̍ʳ Ԡืಈػʹ͍ͭͯ

  3. ճ౴ ɹࢲ͸౷ܭղੳݚڀࣨʹॴଐ͠ɺ౷ܭֶͷ஌ࣝ΍PythonɾRΛ༻͍ ͨσʔλ෼ੳΛֶश͍ͯ͠·͢ɻ΋ͱ΋ͱ୅਺ֶʹؔ৺͕͋Γࣗओ ֶशΛਐΊ͓ͯΓ·͕ͨ͠ɺେֶͷߨٛͰɺ୅਺ֶ΍੔਺࿦͕҉߸ ཧ࿦΍ූ߸ཧ࿦Λհͯ͠৘ใཧ࿦ͱີ઀ʹ݁ͼ͍͍ͭͯΔ͜ͱΛ஌ Γ·ͨ͠ɻಛʹɺ਺ֶతͳཧ࿦͕͍͔ʹͯ͠৘ใͷ҆ఆ͔ͭਖ਼֬ͳ ఻ୡΛ࣮ݱ͍ͯ͠Δͷ͔ͱ͍͏࢓૊Έʹڧ͍޷ح৺Λ๊͍͍ͯ· ͢ɻɹຊϛχΩϟϯϓ΁ͷࢀՃΛ௨͡ɺ͜Ε·ͰֶΜͰ͖ͨཧ࿦͕ ࣮ࣾձʹ͸ٕज़ͱͯ͠ͲͷΑ͏ʹ׆༻͞Ε͍ͯΔͷ͔Λਂֶ͘ͼͨ ͍ͱߟ͑ɺԠื͍ͨ͠·ͨ͠ɻ

  4. ʲ໰͖̍ͭͮʳ ͜ͷߨٛͰֶΜͩ͜ͱΛԿʹ໾ཱ͍͔ͯͨ

  5. ճ౴ ɹຊߨٛΛ௨ͯ͡ɺ৘ใཧ࿦ͷந৅తͳ֓೦͕ɺ࣮ࡍͷ௨৴΍σʔ λॲཧͷݱ৔Ͱ۩ମతʹͲͷΑ͏ʹ׆༻͞Ε͍ͯΔͷ͔Λֶͼ͍ͨ ͱߟ͍͑ͯ·͢ɻ·ͨɺཧ࿦Λ࣮૷ʹམͱ͠ࠐΉࡍͷٕज़తͳ޻෉ ΍ɺݱࡏ௚໘͍ͯ͠Δ՝୊ͱͦͷରॲ๏ΛֶͿ͜ͱͰɺଟ֯తͳࢹ ఺Λཆ͍͍ͨͰ͢ɻকདྷ͸ɺ͜͜Ͱಘͨ஌ݟΛࣗ਎ͷݚڀʹ׆͔͢ ͱͱ΋ʹɺΑΓݎ࿚ͳ҉߸ٕज़ͷൃల౳ʹߩݙͰ͖ΔਓࡐΛ໨ࢦ͠ ͍ͨͱߟ͍͑ͯ·͢ɻ

  6. ʲ໰2ʳ TLS௨৴ʹ͓͍ͯɺΫϥΠΞϯτ͸αʔόʔ͔Βૹ৴͞Ε Δূ໌ॻͷݕূΛߦ͍·͢ɻ ͜ͷূ໌ॻݕূͷ࢓૊Έʹ͍ͭͯௐ΂ɺαʔόʔͷਖ਼౰ੑΛͲͷΑ ͏ͳखॱͰ֬ೝ͍ͯ͠Δͷ͔ɺॱংཱͯͯઆ໌͍ͯͩ͘͠͞ɻ

  7. ճ౴(1/3) ɹTLS௨৴ʹ͓͍ͯɺΫϥΠΞϯτʢWebϒϥ΢β౳ʣ͸઀ଓઌͷ αʔόʔ͕ਅਖ਼ͳ΋ͷͰ͋Δ͔Λ֬ೝ͢ΔͨΊɺʮެ։伴ূ໌ॻʯ Λ༻͍ͨݕূΛߦ͍·͢ɻݕূͷྲྀΕʹ͍ͭͯҎԼͰઆ໌͢Δɻ 1. ূ໌ॻͷडྖͱ༗ޮੑͷ֬ೝ αʔόʔ͔Βૹ৴͞Εͨʮαʔόʔূ໌ॻʯΛड͚औΓɺ·ͣ༗ ޮظݶ಺ʢNot Before ʙ

    Not AfterʣͰ͋Δ͜ͱΛ֬ೝ͠·͢ɻ ͋Θͤͯɺূ໌ॻ͕ࣦޮϦετʢCRL΍OCSPʣʹؚ·Ε͍ͯͳ͍ ͔΋νΣοΫ͠·͢ɻ

  8. (2/3) 2. ॺ໊ͷݕূͱ৴པͷ࿈࠯ͷ֬ೝ ূ໌ॻʹ෇༩͞Εͨσδλϧॺ໊ΛɺൃߦݩͰ͋ΔೝূہʢCAʣ ͷެ։伴Λ༻͍ͯݕূ͠·͢ɻ͜ͷࡍɺதؒೝূہ͔ΒɺOS΍ϒ ϥ΢βʹϓϦΠϯετʔϧ͞Ε͍ͯΔʮϧʔτCAূ໌ॻʯ·Ͱḷ Γɺ৴པͷ࿈࠯͕੒ཱ͍ͯ͠Δ͔Λ֬ೝ͠·͢ɻ 3. υϝΠϯͷ੔߹ੑ֬ೝ ઀ଓ͠Α͏ͱ͍ͯ͠ΔURLͷϗετ໊͕ɺূ໌ॻ಺ͷʮSubject

    Alternative Name (SAN)ʯ·ͨ͸ʮCommon Name (CN)ʯʹه ࡌ͞Ε͍ͯΔ໊લͱҰக͢Δ͔Λর߹͠·͢ɻ

  9. (3/3) 4. ݕূ׬ྃͱ҉߸Խ௨৴ͷ։࢝ ্هͷݕূ͕͢΂ͯ੒ޭͨ͠৔߹ɺΫϥΠΞϯτ͸αʔόʔΛਖ਼ ౰ͳ΋ͷͱ൑அ͠·͢ɻͦͷޙɺڞ௨伴ͷڞ༗ʢTLSϋϯυγΣ ΠΫʣΛܧଓ͠ɺ҆શͳ҉߸Խ௨৴Λཱ֬͠·͢ɻ

  10. ʲ໰3ʳ OWASP ASVSͱ͸ɺιϑτ΢ΣΞ΍WebϓϩμΫτʹ͓͍ ͯɺͲͷΑ͏ͳ໾ׂΛ͸ͨ͢ϦετͰ͠ΐ͏͔ʁ LLMͳͲΛ༻͍ͳ͕Βௐ΂ɺࣗ෼ͷݴ༿Ͱ500จࣈҎ্Ͱ౴͑ͯ͘ ͍ͩ͞ɻ

  11. ճ౴(1/4) OWASP ASVSʢApplication Security Verification Standardʣ͸ɺ ೔ຊޠͰʮΞϓϦέʔγϣϯηΩϡϦςΟݕূඪ४ʯͱ༁͞Εɺ WebΞϓϦέʔγϣϯͷ҆શੑΛ٬؍తʹධՁɾ୲อ͢ΔͨΊͷ ʮڞ௨ͷ΋ͷ͞͠ʯͱͯ͠ͷ໾ׂΛՌͨ͠·͢ɻੈքతͳηΩϡϦ ςΟίϛϡχςΟͰ͋ΔOWASP͕ࡦఆ͓ͯ͠Γɺ։ൃऀ΍ηΩϡϦ

    ςΟΤϯδχΞ͕ࢀর͢΂͖۩ମతͳཁ͕݅ମܥతʹ·ͱΊΒΕͯ ͍·͢ɻͦͷओͳ໾ׂ͸ҎԼͷ3఺ʹू໿͞Ε·͢ɻ

  12. (2/4) ୈҰʹɺʮηΩϡϦςΟཁ݅ͷ໢ཏతͳΨΠυϥΠϯʯ ͱͯ͠ͷ໾ ׂͰ͢ɻASVS͸୯ͳΔ੬ऑੑ਍அͷνΣοΫϦετʹཹ·Γ·ͤ ΜɻೝূɺΞΫηε੍ޚɺσʔλͷ҉߸ԽɺΤϥʔॲཧͳͲଟذʹ ΘͨΔ߲໨ʢϨϕϧ1Ͱ131߲໨ɺϨϕϧ3Ͱ͸286߲໨ʹٴͼ·͢ʣ Λ໢ཏ͓ͯ͠Γɺ͜ΕΒΛ։ൃͷઃܭஈ֊͔Βࢀর͢Δ͜ͱͰɺη ΩϡϦςΟΛޙ෇͚Ͱ͸ͳ͘ʮઃܭஈ֊͔Β૊ΈࠐΉʢSecurity by Designʣʯ͜ͱ͕ՄೳʹͳΓ·͢ɻ

  13. (3/4) ୈೋʹɺʮϦεΫʹԠͨ͡ஈ֊తͳηΩϡϦςΟࢦඪʯ ͷఏڙͰ ͢ɻASVSͰ͸ɺΞϓϦέʔγϣϯͷॏཁ౓ʹԠͯ͡3ͭͷϨϕϧΛ ఆ͍ٛͯ͠·͢ɻશͯͷΞϓϦ͕࠷௿ݶຬͨ͢΂͖ʮϨϕϧ1ʯɺػ ີσʔλΛѻ͏ҰൠతͳϏδωεΞϓϦʹదͨ͠ʮϨϕϧ2ʯɺͦ͠ ͯॏཁΠϯϑϥ΍܉ࣄϨϕϧͷߴ౓ͳ৴པੑ͕ٻΊΒΕΔʮϨϕϧ 3ʯͰ͢ɻϨϕϧ্͕͕ΔʹͭΕɺݕূ߲໨਺͕૿͑Δ͚ͩͰͳ͘ɺ ݕূख๏΋มԽ͠·͢ɻྫ͑͹Ϩϕϧ1Ͱ͸ϒϥοΫϘοΫεܗࣜͷ DASTʢಈతղੳʣ͕த৺Ͱ͕͢ɺϨϕϧ2Ҏ্Ͱ͸ϗϫΠτϘοΫ

    εܗࣜͷSASTʢ੩తղੳʣ΍ίʔυϨϏϡʔΛ૊Έ߹ΘͤͨɺΑΓ ଟ૚తͳݕূ͕ٻΊΒΕ·͢ɻ

  14. (4/4) ୈࡾʹɺʮ૊৫಺֎ʹ͓͚Δίϛϡχέʔγϣϯͷඪ४Խʯ Ͱ͢ɻ ։ൃνʔϜͱ਍அϕϯμʔɺ͋Δ͍͸ൃ஫ݩͱड஫ऀͷؒͰʮͲ͜ ·Ͱରࡦ͢΂͖͔ʯͱ͍͏߹ҙܗ੒͸ࠔ೉ΛۃΊ·͢ɻ͔͠͠ɺ ASVSΛڞ௨ݴޠͱͯ͠ಋೖ͢Δ͜ͱͰɺʮࠓճ͸ASVS Ϩϕϧ1ʹ ४ڌ͢Δʯͱ͍ͬͨ໌֬ͳ໨ඪઃఆ͕ՄೳʹͳΓɺ૊৫શମͷη ΩϡϦςΟϓϩηεͷಁ໌ੑͱ඼࣭Λ޲্ͤ͞Δ໾ׂΛ୲͍·͢ɻ ͜ͷΑ͏ʹASVS͸ɺٕज़తͳνΣοΫϦετͰ͋Δͱಉ࣌ʹɺ։

    ൃɾӡ༻ɾධՁͷϥΠϑαΠΫϧશମΛ௨ͯ͡ιϑτ΢ΣΞͷ৴པ ੑΛࢧ͑ΔɺۃΊͯॏཁͳϑϨʔϜϫʔΫͰ͋Δͱݴ͑·͢ɻ