Upgrade to Pro — share decks privately, control downloads, hide ads and more …

スクラム開発経験者のエンジニアが 1年間脆弱性診断してお伝えしたいいくつかのこと

Sponsored · Ship Features Fearlessly Turn features on and off without deploys. Used by thousands of Ruby developers.
Avatar for Misaki Makino Misaki Makino
June 30, 2020
Programming
1.2k
0

スクラム開発経験者のエンジニアが 1年間脆弱性診断してお伝えしたいいくつかのこと

2020/06/30 社内ランチウェビナー
で発表した資料です。

Avatar for Misaki Makino

Misaki Makino

June 30, 2020

More Decks by Misaki Makino

See All by Misaki Makino
社会人がProSecで学んでみて
Avatar for Misaki Makino tsukushi
0
95
脆弱性診断の内製化と外注
Avatar for Misaki Makino tsukushi
9
4.3k
プロダクトセキュリティにおける欠如モデルからの脱却
Avatar for Misaki Makino tsukushi
0
1.4k
Attractions and interests of wasm-bindgen
Avatar for Misaki Makino tsukushi
2
860
wasm-bindgen - その魅力と面白さ -
Avatar for Misaki Makino tsukushi
1
4.2k
Rust + WebAssemblyに入門した話
Avatar for Misaki Makino tsukushi
1
2.7k
未経験新卒エンジニアがRustを学び始めてよかったこと
Avatar for Misaki Makino tsukushi
2
10k

Other Decks in Programming

See All in Programming
Claude Codeをカスタムして自分だけのClaude Codeを作ろう
Avatar for Terisuke terisuke
0
160
Import assertionsが消えた日~ECMAScriptの仕様はどう決まり、なぜ覆るのか~
Avatar for おおいし bicstone
2
170
JOAI2026 1st solution - heron0519 -
Avatar for heron0519 heron0519
0
170
The Past, Present, and Future of Enterprise Java
Avatar for ivargrimstad ivargrimstad
0
360
PHPでバイナリをパースして理解するASN.1
Avatar for muno92 muno92
PRO
0
360
AI時代のPhpStorm最新事情 #phpcon_odawara
Avatar for yusuke yusuke
0
250
エラー処理の温故知新 / history of error handling technic
Avatar for nakaryo ryotanakaya
7
1.8k
10 Tips of AWS ~Gen AI on AWS~
Avatar for matsukada licux
5
520
Spec-Driven Development with AI Agents (Workshop, May 2026)
Avatar for Anton Arhipov antonarhipov
2
240
🦞OpenClaw works with AWS
Avatar for matsukada licux
1
320
WebAssembly を読み込むベストプラクティス 2026年春版 / Best Practices for Loading WebAssembly (Spring 2026)
Avatar for petamoriken / 森建 petamoriken
5
1k
How We Practice Exploratory Testing in Iterative Development( #scrumniigata ) / 反復開発の中で、探索的テストをどう実施しているか
Avatar for teyamagu teyamagu
PRO
3
520

Featured

See All Featured
Building an army of robots
Avatar for Kyle Neath kneath
306
46k
Taking LLMs out of the black box: A practical guide to human-in-the-loop distillation
Avatar for Ines Montani inesmontani
PRO
3
2.2k
Applied NLP in the Age of Generative AI
Avatar for Ines Montani inesmontani
PRO
4
2.2k
The Power of CSS Pseudo Elements
Avatar for Geoffrey Crofte geoffreycrofte
82
6.2k
DBのスキルで生き残る技術 - AI時代におけるテーブル設計の勘所
Avatar for soudai sone soudai
PRO
65
54k
How to Grow Your eCommerce with AI & Automation
Avatar for Katarina Dahlin katarinadahlin
PRO
1
180
Design and Strategy: How to Deal with People Who Don’t "Get" Design
Avatar for Morgane Peng morganepeng
133
19k
Raft: Consensus for Rubyists
Avatar for Patrick Van Stee vanstee
141
7.4k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
Avatar for Dan Newman danielanewman
231
23k
A Modern Web Designer's Workflow
Avatar for Chris Coyier chriscoyier
698
190k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
Avatar for Aki / @LoveIdahoBurger aki_iinuma
128
55k
Bridging the Design Gap: How Collaborative Modelling removes blockers to flow between stakeholders and teams @FastFlow conf
Avatar for Kenny Baas-Schwegler baasie
0
530

Transcript

  1. εΫϥϜ։ൃܦݧऀͷΤϯδχΞ͕ ೥ؒ੬ऑੑ਍அͯ͠ ͓఻͍͍͔͑ͨͭ͘͠ͷ͜ͱ ʙ ਍அσϞΛఴ͑ͯ ʙ .JTBLJ.BLJOP

  2. ຊ΢ΣϏφʔͷഎܠ

  3. ࣗݾ঺հ ˔ ΤϯδχΞͱͯ͠ ৽ଔೖࣾ ˔ ࣄۀ෦ ʹ഑ଐ͞ΕΔ ˓ چΞʔΩͰͷվमɾ৽نػೳ։ൃ ˓

    ৽ΞʔΩ΁ͷҠߦϓϩδΣΫτ ˓ εΫϥϜ։ൃ ˔ ηΩϡϦςΟࣨ ΁ҟಈ ˓ ੬ऑੑ਍அ ˓ ؂ࢹ ˓ ܒ໤׆ಈ

  4. ഑ଐ௚ޙɺ্௕ʹݴΘΕͨ͜ͱ ηΩϡϦςΟ஌ࣝʹછ·͍ͬͯͳ͍ ཰௚ͳؾ࣋ͪ΍ٙ໰Λେ੾ʹ ֶΜͩ͜ͱΛશࣾʹൃ৴ͯ͠ཉ͍͠

  5. શࣾһ޲͚ʹॳาతͳηΩϡϦςΟ஌ࣝΛ഑৴ ࠷ॳͷ࢓ࣄ4MBDL഑৴

  6. ϢʔβʔετʔϦʔʹ ߈ܸऀΛ ௥ՃͰ͖ΔΑ͏ʹͳΔ͜ͱ ຊ΢ΣϏφʔͷΰʔϧ

  7. ຊ೔ͷ͓඼ॻ͖ XFCΞϓϦ੬ऑੑ਍அͷखॱͱϙΠϯτ 08"41+VJDF4IPQΛ༻͍ͨ਍அσϞ ੬ऑੑ਍அۀ຿Λ௨ͯ͠ಘͨؾ͖ͮ ϢʔβʔετʔϦʔΛߟ͑ͯΈΔ ·ͱΊ

  8. XFCΞϓϦ੬ऑੑ਍அͷ खॱͱϙΠϯτ

  9. XFCΞϓϦ੬ऑੑ਍அͷखॱ πʔϧΛ༻͍ͨࣗಈ਍அ ϓϩΩγΛڬΜͩ໢ཏతͳΞϓϦશମͷૢ࡞ ਍அՕॴͷ༏ઌॱҐ෇͚ ਍அγφϦΦ࡞੒ खಈ਍அ ূ੻ه࿥ɺਐḿγʔτه࿥ ਍அ݁ՌϨϙʔτ࡞੒

  10. πʔϧΛ༻͍ͨࣗಈ਍அ ϓϩΩγΛڬΜͩ໢ཏతͳΞϓϦશମͷૢ࡞ ਍அՕॴͷ༏ઌॱҐ෇͚ ਍அγφϦΦ࡞੒ खಈ਍அ ূ੻ه࿥ɺਐḿγʔτه࿥ ਍அ݁ՌϨϙʔτ࡞੒ ϙΠϯτᶃ ΞλϦ Λ͚ͭΔ

  11. πʔϧΛ༻͍ͨࣗಈ਍அ ϓϩΩγΛڬΜͩ໢ཏతͳΞϓϦશମͷૢ࡞ ਍அՕॴͷ༏ઌॱҐ෇͚ ਍அγφϦΦ࡞੒ खಈ਍அ ূ੻ه࿥ɺਐḿγʔτه࿥ ਍அ݁ՌϨϙʔτ࡞੒ ϙΠϯτᶄ ߈ܸͷ ࣮ݱ༰қੑ

    ৘ใࢿ࢈ ͷՁ஋

  12. πʔϧΛ༻͍ͨࣗಈ਍அ ϓϩΩγΛڬΜͩ໢ཏతͳΞϓϦશମͷૢ࡞ ਍அՕॴͷ༏ઌॱҐ෇͚ ਍அγφϦΦ࡞੒ खಈ਍அ ূ੻ه࿥ɺਐḿγʔτه࿥ ਍அ݁ՌϨϙʔτ࡞੒ ϙΠϯτᶅ ೴಺ʹ͋Δ ߈ܸख๏Λ

    ૿΍͢

  13. ۩ମతͳख๏Λ ந৅Խ͍ͯ͘͠

  14. 42- *OHFDUJPO

  15. ೖྗ஋Λ ϓϩάϥϜͩͱ ೝࣝͤ͞Δ߈ܸ 42- *OHFDUJPO

  16. ೖྗ஋Λ ϓϩάϥϜͩͱ ೝࣝͤ͞Δ߈ܸ ໊લΛ஌Βͳͯ͘΋ ࢥ͍ͭ͘͜ͱ͕Ͱ͖Δ ೖྗ஋Λ+4ͩͱ ϒϥ΢βʹ ೝࣝͤ͞Δ߈ܸ 42- *OHFDUJPO

  17. ϙΠϯτᶆ ਍அͷ׬ྃ۩߹Λ ͻͱ໨ͰΘ͔ΔΑ͏ʹ͢Δ πʔϧΛ༻͍ͨࣗಈ਍அ ϓϩΩγΛڬΜͩ໢ཏతͳΞϓϦશମͷૢ࡞ ਍அՕॴͷ༏ઌॱҐ෇͚ ਍அγφϦΦ࡞੒ खಈ਍அ ূ੻ه࿥ɺਐḿγʔτه࿥ ਍அ݁ՌϨϙʔτ࡞੒

  18. 08"41+VJDF4IPQ Λ༻͍ͨ਍அσϞ

  19. ˔ ,BMJ-JOVY ˔ /FTTVT ˔ #VSQ4VJUF ˔ 'JSFGPY"EEPO ˓ 'PYZ1SPYZ

    ˓ 6TFS"HFOU4XJUDIFS ˓ 8SBQQBZ[FS πʔϧҰཡ

  20. ੬ऑੑ਍அۀ຿Λ௨ͯ͠ ಘͨؾ͖ͮ

  21. όά͹͔ΓϨϙʔτʹ ॻ͍ͯ͠·͍ͬͯͨ ੬ऑੑ਍அۀ຿Λ࢝Ίͨͯͷࠒ !

  22. ઌഐ͔ΒΑ࣭͘໰͞Εͨ͜ͱ ߈ܸऀʹ ͲΜͳϝϦοτ͕ ͋Γ·͔͢ʁ ຊ౰ʹ߈ܸ͸ ՄೳͰ͔͢ʁ όά୳͠Ͱ͸ͳ͘ϦεΫ୳͠ ͩͱೝࣝͰ͖ΔΑ͏ʹ 

  23. ࣄۀ෦ͰͷεΫϥϜ։ൃ ϦεΫ୳͠Ͱ͸ͳ͘ όά୳͠Λ͍ͯͨ͠

  24. ࠓͷࣗ෼ͩͬͨΒ ϦεΫ୳͠΋ߦͬͨ ઃܭɾ࣮૷ɾςετ͕Ͱ͖Δ !

  25. όά୳͠ͱϦεΫ୳͠ͷҧ͍ ˔ όά୳͠ͷؾ࣋ͪͰίτʹ޲͔͏ͱ ˓ ػೳΛਖ਼ৗʹಈ͔͢͜ͱ͚ͩʹ໨͕ߦ͘ ˓ ϢʔβʔετʔϦʔ͸ΞϓϦͱϢʔβʔͰ׬݁ ˔ ϦεΫ୳͠ͷؾ࣋ͪͰίτʹ޲͔͏ͱ ˓

    ѱ༻͞ΕΔϦεΫ΋ߟ͑ΔΑ͏ʹͳΔ ˓ ϢʔβʔετʔϦʔʹ߈ܸऀ͕Ճ͑ΒΕΔΑ͏ʹ ͳΔ

  26. ϢʔβʔετʔϦʔΛ ߟ͑ͯΈΔ ϩάΠϯը໘Ͱ͸ɺ ͲͷΑ͏ͳϢʔβʔετʔϦʔ͕ߟ͑ΒΕ·͔͢ʁ

  27. όά୳͠ͰͷϢʔβʔετʔϦʔ ˔ Ϣʔβʔ͕ਖ਼͘͠ೖྗͨ͠৔߹ ˔ Ϣʔβʔ͕ύεϫʔυΛؒҧͬͯೖྗͨ͠৔߹ ˔ Ϣʔβʔ͕ϝʔϧΞυϨεΛؒҧͬͯೖྗͨ͠৔߹ ˔ Ϣʔβʔ͕ڐ༰͞Εͳ͍จࣈΛೖྗͨ͠৔߹ ˓

    શ֯จࣈ ˓ ൒֯Χφจࣈ 

  28. ϦεΫ୳͠ͱͯ͠ଊ͑ͨ৔߹ ߈ܸͷ ࣮ݱ༰қੑ ৘ใࢿ࢈ ͷՁ஋

  29. ߈ܸऀ͔Β؍ͨϩάΠϯը໘ ˔ ߈ܸͷ࣮ݱ༰қੑʹ͍ͭͯ ˓ ୭Ͱ΋ΞΫηεՄೳͳը໘ ˓ ݕূ͢Δ΂͖஋΋ϝʔϧΞυϨεͱύεϫʔυͷ ̎छྨ͚ͩ ˔ ৘ใࢿ࢈ͷՁ஋ʹ͍ͭͯ

    ˓ Ϣʔβʔͷݸਓ৘ใ ˓ ձһొ࿥ࡁΈϢʔβʔϦετ

  30. ! ϦεΫ୳͠ͰͷϢʔβʔετʔϦʔ ˔ Ϣʔβʔ͕ਖ਼͘͠ೖྗͨ͠৔߹ ˔ Ϣʔβʔ͕ύεϫʔυΛؒҧͬͯೖྗͨ͠৔߹ ˔ Ϣʔβʔ͕ϝʔϧΞυϨεΛؒҧͬͯೖྗͨ͠৔߹ ˔ Ϣʔβʔ͕ڐ༰͞Εͳ͍จࣈΛೖྗͨ͠৔߹

    ˔ ߈ܸऀ͕ϢʔβʔͷΞΧ΢ϯτΛ৐ͬऔΖ͏ͱͨ͠৔߹ ˔ ߈ܸऀ͕ొ࿥ࡁΈϢʔβʔͷϦετΛ࡞Ζ͏ͱͨ͠৔߹

  31. Ϣʔβʔ ߈ܸऀ ͰΑΓ҆શੑ͕ߟྀ͞Εͨઃܭɾ࣮૷ɾςετʹ ύεϫʔυೖྗΛؒҧ͑ͨ৔߹ͷ࣮૷ ˔ ΤϥʔϨεϙϯεΛฦ͢ ˓ ϝʔϧΞυϨεͷొ࿥ͷ༗ແ͕Θ͔Βͳ͍Α͏ʹ͢Δ ˓ ࿈ଓͰࢼߦͰ͖Δճ਺Λ੍ݶ͢Δ

  32. ·ͱΊ

  33. ಛʹ͓఻͍͑ͨ͜͠ͱ XFCΞϓϦ੬ऑੑ਍அͷखॱͱϙΠϯτ ۩ମతͳख๏Λந৅Խ͍ͯ͘͠ 08"41+VJDF4IPQΛ༻͍ͨ਍அσϞ #VSQ4VJUFͷجຊతͳ࢖͍ํ ੬ऑੑ਍அۀ຿Λ௨ͯ͠ಘͨؾ͖ͮ ਍அ͸όά୳͠Ͱ͸ͳ͘ϦεΫ୳͠ ϢʔβʔετʔϦʔΛߟ͑ͯΈΔ Ϣʔβʔ ߈ܸऀͰΑΓ҆શʹ

  34. ϢʔβʔετʔϦʔʹ ߈ܸऀΛ ௥Ճͯ͠Έ͍ͯͩ͘͞Ͷʂ ͦΕͰ͸Έͳ͞·

  35. ͝ਗ਼ௌ ͋Γ͕ͱ͏͍͟͝·ͨ͠