Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
セキュリティ勉強会 / How do we confront the threat
Search
TomoyaKitaura
April 14, 2021
Technology
0
120
セキュリティ勉強会 / How do we confront the threat
TomoyaKitaura
April 14, 2021
Tweet
Share
More Decks by TomoyaKitaura
See All by TomoyaKitaura
セキュリティ活動をちょっとずつやる戦略を実行した気づき / Incremental Security Initiatives
tomoyakitaura
0
87
社内共通コンテナレジストリを設立して、開発者体験向上を狙ってみた /Establishing container registry to improve DX
tomoyakitaura
2
170
LTワークショップ3日目 / LT Workshop Day 3
tomoyakitaura
0
140
LTワークショップ2日目 / LT Workshop Day 2
tomoyakitaura
0
130
LTワークショップ(1日目) / LT workshop day 1
tomoyakitaura
1
140
これまでの監視とクラウド時代の監視 / Monitoring the Past and the Cloud
tomoyakitaura
1
220
エンタープライズにおけるSRE立ち上げとNew Relic選定に至った背景とは / SRE Startup and New Relic in the Enterprise
tomoyakitaura
2
720
AWSとNew Relicのデータ連携を超高速で実装した話 / The story of a super-fast implementation of data integration between AWS and New Relic
tomoyakitaura
0
1.4k
Resilience Hubの登場が騒がれないなんておかしい!? / Resilience Hub is the best.
tomoyakitaura
0
220
Other Decks in Technology
See All in Technology
Taming you application's environments
salaboy
0
180
B2B SaaSから見た最近のC#/.NETの進化
sansantech
PRO
0
750
[CV勉強会@関東 ECCV2024 読み会] オンラインマッピング x トラッキング MapTracker: Tracking with Strided Memory Fusion for Consistent Vector HD Mapping (Chen+, ECCV24)
abemii
0
220
100 名超が参加した日経グループ横断の競技型 AWS 学習イベント「Nikkei Group AWS GameDay」の紹介/mediajaws202411
nikkei_engineer_recruiting
1
170
[FOSS4G 2024 Japan LT] LLMを使ってGISデータ解析を自動化したい!
nssv
1
210
SREが投資するAIOps ~ペアーズにおけるLLM for Developerへの取り組み~
takumiogawa
1
190
AGIについてChatGPTに聞いてみた
blueb
0
130
TypeScript、上達の瞬間
sadnessojisan
46
13k
RubyのWebアプリケーションを50倍速くする方法 / How to Make a Ruby Web Application 50 Times Faster
hogelog
3
940
CysharpのOSS群から見るModern C#の現在地
neuecc
2
3.2k
Terraform Stacks入門 #HashiTalks
msato
0
350
リンクアンドモチベーション ソフトウェアエンジニア向け紹介資料 / Introduction to Link and Motivation for Software Engineers
lmi
4
300k
Featured
See All Featured
RailsConf 2023
tenderlove
29
900
Building Better People: How to give real-time feedback that sticks.
wjessup
364
19k
Into the Great Unknown - MozCon
thekraken
32
1.5k
The Pragmatic Product Professional
lauravandoore
31
6.3k
How to train your dragon (web standard)
notwaldorf
88
5.7k
YesSQL, Process and Tooling at Scale
rocio
169
14k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
27
840
Building a Modern Day E-commerce SEO Strategy
aleyda
38
6.9k
Build The Right Thing And Hit Your Dates
maggiecrowley
33
2.4k
We Have a Design System, Now What?
morganepeng
50
7.2k
Unsuck your backbone
ammeep
668
57k
Mobile First: as difficult as doing things right
swwweet
222
8.9k
Transcript
ηΩϡϦςΟษڧձ ~ Ͳ͏ͬͯڴҖʹ ཱ͔͍͚͍͍ͪͬͯͷ͔ฤ ~ 2021/04/12 ͖ͨ͏Β
ຊͷΰʔϧ 2 ηΩϡϦςΟରࡦɺ ࠓޙͲ͏ͬͯऔΓΜͰ͍͜͏ ↓ ʢΘ͔͔ͬͨΒʣ࣮ࡍʹऔΓΜͰΈΑ͏!
͎͘͡ 3 1.ηΩϡϦςΟ͓͍͍ͬͯ͠ͷʁ - ߈ܸ͕ޭͨ͠ΒͲΜͳඃΛड͚Δ͔ - ҰݴͰઆ໌͍ͯ͘͠10େڴҖ 2.ηΩϡϦςΟͱͷ͖߹͍ํ ▪৫ͱͯ͠ -
Ͳ͏͢Ε҆৺ͱݴ͍ΕΔͷ͔ - ͔͚Δඅ༻ͱͲͷఔ͕దͳͷ͔ ▪ΤϯδχΞͱͯ͠ - ୭͕ԿΛҙࣝ͢Ε͍͍ͷ͔ - Ͳ͏ͬͯษڧͨ͠Β͍͍ͷ͔
4 1.ηΩϡϦςΟ͓͍͍ͬͯ͠ͷʁ
߈ܸΛड͚ͨΒͲΜͳඃΛड͚Δ͔ 5 - ۚમͷଛࣦ ଛഛঈͷࢧ͍ ෮چରԠ։ൃඅ༻༷ʑͳରԠඅ༻ - ސ٬ͷଛࣦ
ࣾձతධՁԼʹΑΔސ٬ྲྀग़ औҾઌ͔Βͷडఀࢭ - ࣄۀܧଓͷ્ ਓࡐྲྀग़ - ৽ػೳ։ൃͷԆ ճ෮ରԠ༏ઌʹΑΔͷݮଛ
ҰݴͰઆ໌͢Δ10େڴҖ 6 - ΠϯδΣΫγϣϯ - ೝূͷෆඋ - ػີใͷ࿐ग़ - XML֎෦ΤϯςΟςΟࢀরʢXXEʣ
- ΞΫηε੍ޚͷෆඋ - ෆదͳηΩϡϦςΟઃఆ - ΫϩεαΠτεΫϦϓςΟϯά - ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ - طͷ੬ऑੑΛ࣋ͭίϯϙʔωϯτͷ༻ - ෆेͳϩΪϯάͱࢹ https://wiki.owasp.org/images/2/23/OWASP_Top_10-2017%28ja%29.pdf
ΠϯδΣΫγϣϯ 7 ▪༰ ੬ऑੑͷ͋ΔγεςϜʹରͯ͠ɺ։ൃऀͷఆ ֎ʹΑΔจࣈྻೖྗΛߦ͏͜ͱʹΑΓɺγες ϜΛͬऔͬͨΓվ᜵͢ΔڴҖ
ೝূͷෆඋ 8 ▪༰ ʮਖ਼͍͠ΞΫηεݖΛ࣋ͭਓ͕ਖ਼͘͠ΞΫηε ݖΛ࣋ͭʯͱ͍͏͋Δ͖ঢ়ଶ͕ෆඋʹΑͬ ͯ৵͞Εͯ͠·͏ڴҖ
ػີใͷ࿐ग़ 9 ▪༰ ҙਤͤͣॏཁσʔλ͕҉߸Խ͞Ε͍ͯͳ͍/ެ ։͞Εͯ͠·͍ͬͯΔͰୈࡾऀ͕ӾཡͰ͖ ͯ͠·͏ڴҖ
XML֎෦ΤϯςΟςΟࢀরʢXXEʣ 10 ▪༰ XMLϓϩηοαͷ༷Λٯखʹͱͬͯɺ ༷ʑͳ߈ܸΛՄೳͱͯ͠͠·͏ڴҖ
ΞΫηε੍ޚͷෆඋ 11 ▪༰ ຊདྷඞཁͱ͞ΕΔΞΫηεݖݶҎ্ͷػೳΛ ࣮ߦͰ͖ͯ͠·͏͜ͱʹΑΓɺΞΫηεݖݶ ཧશମ͕੬ऑͱͳ͍ͬͯΔ༷ͷڴҖ
ෆదͳηΩϡϦςΟઃఆ 12 ▪༰ ਓతϛεෆదͳઃఆʹΑͬͯɺ༷ʑͳ੬ ऑੑΛҾ͖ى͍ͯ͜͠Δ༷ͷڴҖ
ΫϩεαΠτεΫϦϓςΟϯά 13 ▪߈ܸ༰ ੬ऑੑͷ͋ΔඪతαΠτͷυϝΠϯݖݶʹΑͬͯѱ ҙͷ͋ΔεΫϦϓτΛ࣮ߦͤ͞Δ͜ͱ͕Ͱ͖ΔڴҖ
҆શͰͳ͍σγϦΞϥΠθʔγϣϯ 14 ▪߈ܸ༰ ੬ऑੑͷ͋ΔσʔλมΛߦ͏ॲཧʹ͓͍ͯɺ ѱҙͷ͋ΔϓϩάϥϜΛ࣮ߦͤͯ͞͠·͏ͱ͍͏ڴҖ
طͷ੬ऑੑΛ࣋ͭίϯϙʔωϯτͷ༻ 15 ▪߈ܸ༰ ೝ͞Εͨ੬ऑੑΛରࡦ͠ͳ͍··ར༻͢Δ͜ͱ ʹΑΓɺ༷ʑͳ߈ܸΛڐ༰ͱͯ͠͠·͏ڴҖ
ෆेͳϩΪϯάͱϞχλϦϯά 16 ▪߈ܸ༰ ߈ܸͷૣظൃݟ߈ܸऀʹରͯ͠ૌুΛߦ͏ͨΊ ͷূڌ͕ඞཁͱͳΔ͕ɺෆेͰ͋Δ͕ނʹͦͷ ճ෮ߦಈ͕ߦ͑ͳ͍ڴҖ
17 2.ηΩϡϦςΟͱͷ͖߹͍ํ
18 ~৫ͱͯ͠ฤ~ Ͳ͏͢Ε҆৺ͱ͍͍͖ΕΔͷ͔
Ͳ͏͢Ε҆৺ͱ͍͍͖ΕΔͷ͔ 19 - WAFΛద༻ࡁΈ - ΞΫηεݖݶ࠷దԽࡁΈ - ଟཁૉೝূඞਢԽࡁΈ - IDSಋೖࡁΈ
- σϓϩΠ࣌ͷCI/CDϓϩηεͰϖωτϨΠγϣϯςετ࣮ߦࡁΈ - …etc ͜͜·ͰΕόονϦɾɾɾ
Ͳ͏͢Ε҆৺ͱ͍͍͖ΕΔͷ͔ 20 ɾɾɾͱͳΒͳ͍ͷͳΜͰͩΖ͏͔
21 ʲ࣮2લʹߟ͑ͨೝྖҬͰͷηΩϡϦςΟରࡦʳ - WAFΛద༻ࡁΈ - ΞΫηεݖݶ࠷దԽࡁΈ - ଟཁૉೝূඞਢԽࡁΈ - IDSಋೖࡁΈ
- σϓϩΠ࣌ͷCI/CDϓϩηεͰϖωτϨΠγϣϯςετ࣮ߦࡁΈ - …etc ʲൃੜ͓͔ͯ͘͠͠ͳ͍ڴҖʳ - 1લʹೝ͞Εͨ৽ͨͳڴҖ - ೝྖҬ֎ͷڴҖ - ಋೖͨ͠ηΩϡϦςΟରࡦ͕ٕज़తʹԽͨ͜͠ͱʹΑΔڴҖ
22 ʲ࣮2લʹߟ͑ͨೝྖҬͰͷηΩϡϦςΟରࡦʳ - WAFΛద༻ࡁΈ - ΞΫηεݖݶ࠷దԽࡁΈ - ଟཁૉೝূඞਢԽࡁΈ - IDSಋೖࡁΈ
- σϓϩΠ࣌ͷCI/CDϓϩηεͰϖωτϨΠγϣϯςετ࣮ߦࡁΈ - …etc ʲൃੜ͓͔ͯ͘͠͠ͳ͍ڴҖʳ - 1લʹೝ͞Εͨ৽ͨͳڴҖ - ೝྖҬ֎ͷڴҖ - ಋೖͨ͠ηΩϡϦςΟରࡦ͕ٕज़తʹԽͨ͜͠ͱʹΑΔڴҖ ͳʹ͕͍͚ͳ͔ͬͨɾɾɾʁ
ܧଓతࢿͷେࣄ͞ 23 - ηΩϡϦςΟͷ͕ى͖ͨͱ͖ʹ ៦Δ͖ϓϩηε͕ଘࡏ͠ͳ͍͜ͱ͕ Ұ൪ͷෆ҆ཁૉ - Ծʹܧଓతͳ׆ಈΛ্ͨ͠Ͱ͕ൃੜͨ͠߹ɺ
ͦͷ׆ಈࣗମͷϓϩηεΛݟ͢͠ΕΑ͘ɺ ͦ͏ͬͯ৫ڧ͘ͳ͍ͬͯ͘ͷͩͱݸਓతʹ ࢥ͍·͢ɻ
24 ~৫ͱͯ͠ฤ~ ͔͚Δඅ༻ͱͬͯͲͷఔ͕దͳͷ
͔͚Δඅ༻ͱͬͯͲͷఔ͕దͳͷ 25 ݱࡏͷྫ ӡ༻ 40% ৽ػೳ։ൃ 60%
͔͚Δඅ༻ͱͬͯͲͷఔ͕దͳͷ 26 ྫ1 ηΩϡϦςΟ 40% ӡ༻ 40% ৽ػೳ։ൃ 20% ηΩϡϦςΟਖ਼ٛͰ͢!!
ྫ2 ηΩϡϦςΟ 5% ӡ༻ 40% ৽ػೳ։ൃ 55% ސ٬֫ಘ͕ୈҰ༏ઌͰ͢!!
͕ൃੜͨ͠ͱ͖ͷͲ͏ͳΔͷ͔ 27 ൃੜ࣌ͷྫ োରԠ 60% ӡ༻ 40% - ηΩϡϦςΟʹΑΔ͕ൃੜ ͨ͠߹ɺ৽ػೳ։ൃͷதࢭΛ
༨ّͳ͘͞ΕΔέʔε͕ଟʑ - ৽ػೳ։ൃΛࢭΊͳ͍ͨΊͱ͍ ͏ҙຯͰηΩϡϦςΟ׆ಈ ࢿͰ͋Δͱ͍͏ߟ͑ํ༗ޮ
ࢿదʹܭը͠ɺಘΒΕΔརӹ࠷େԽ͢Δ 28 - ·ͣݱঢ়ௐࠪͷλεΫ͔Βߦ͢Δ - ௐࠪ݁Ռ͔ΒҰ൪ࢿରޮՌ͕ߴͦ͏ͳࢪࡦΛܭը͠ɺ࣮ߦ͢ΔɻͦͷͨΊ ͷΛ֬อ͢Δͱ͍͏αΠΫϧΛճ͢͜ͱͰ࠷దԽ͍ͯ͘͠(มಈ͢Δ͜ͱ Λલఏͱ͢Δ) - ௐࠪλεΫܧଓతʹߦ͍ɺௐࠪ༰ɾํ๏ΕͣʹΞοϓσʔτΛ͔͚ͯ
͍͘ - ࢪࡦ༰ʹ͓͍ͯɺ͍҆ɺ͏·͍ɺૣ͍ਖ਼ٛ
29 ~ΤϯδχΞͱͯ͠ฤ~ ୭͕ԿΛҙࣝ͢ΕΑ͍ͷ͔
୭͕ҙࣝ͢Δඞཁ͕͋Δͷ͔ 30 ଟޚͱ ηΩϡϦςΟରࡦΛΈ߹Θͤͯ֊Λங͘͜ͱͰɺ Ұͭͷରࡦ͕ഁΒΕͯ࣍ͷʢͦͷ·ͨ࣍ͷʣରࡦ͕ ߈ܸΛࢭ͠ɺ߈ܸͷݕٴͼରԠͰ͖ΔΑ͏ʹ͢Δ ૯߹తͳηΩϡϦςΟΞϓϩʔνΛࢦ͢ɻ
୭͕ҙࣝ͢Δඞཁ͕͋Δͷ͔ 31 ͭ·Γɺ ϑϩϯτΤϯυ όοΫΤϯυ Πϯϑϥ ֊Λ্هʹݟཱͯͨ߹ɺͦΕͧΕ͕ηΩϡϦςΟରࡦΛ ࢪ͢͜ͱʹΑͬͯɺΑΓڧݻͳηΩϡϦςΟΛங͘͜ͱ͕Ͱ͖Δ ΑΓޮՌతͳରࡦΛݕ౼͢ΔʹɺΈΜͳͷྗ͕ෆՄܽ
୭͕ҙࣝ͢Δඞཁ͕͋Δͷ͔ -> શһ 32
33 ~ΤϯδχΞͱͯ͠ฤ~ Ͳ͏ͬͯษڧͨ͠Β͍͍ͷ͔
ηΩϡϦςΟͷษڧํ๏ʢश׳ฤʣ 34 - Qiita https://qiita.com/ - Zenn https://zenn.dev/
- Developer io https://dev.classmethod.jp/
ηΩϡϦςΟͷษڧํ๏ʢಡॻฤʣ 35
ηΩϡϦςΟͷษڧํ๏ʢWebฤʣ 36 - OWASP Top 10 ~2017~ ڴҖͷτϨϯυ͕ΕΔ -
OWASP Top 10 Proactive Controls ~2018~ શ։ൃνʔϜʹ͚ͯޮՌతͱ͞ΕΔରࡦͷհ - Google ChromeͷηΩϡϦςΟΞοϓσʔτ ΞοϓσʔτΛ͢ΔʹࢸͬͨܦҢഎܠΛ ղઆͯ͘͠ΕͯΔέʔε͕͋Δ - ҆શͳΣϒαΠτͷ࡞ΓํʢIPAʣ ۩ମతͳ߈ܸ༰ͷৄࡉͱͦͷରࡦͳͲ͕ཏతʹهࡌ͞ΕͯΔ
վΊͯຊͷΰʔϧ 37 ηΩϡϦςΟରࡦɺ ࠓޙͲ͏ͬͯऔΓΜͰ͍͜͏ ↓ ʢΘ͔͔ͬͨΒʣ࣮ࡍʹऔΓΜͰΈΑ͏!
վΊͯຊͷΰʔϧ 38 ͳʹ͔ҰͭͰ࣋ͪؼͬͯ ࣮ફʹͭͳ͛ͯΒ͑ͨΒ خ͍͠Ͱ͢
39 ͝੩ௌ͋Γ͕ͱ͏ޚ࠲͍·ͨ͠