Upgrade to Pro — share decks privately, control downloads, hide ads and more …

応募課題(’25広島)

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for BocchiMan BocchiMan
March 22, 2026
Education
1.6k
0

 応募課題(’25広島)

Avatar for BocchiMan

BocchiMan

March 22, 2026

More Decks by BocchiMan

See All by BocchiMan
セキュリティ・キャンプミニ@26in東京 Aトラック応募課題
Avatar for BocchiMan forget1900
0
8
セキュリティ・キャンプミニ@26in東京 Bトラック応募課題
Avatar for BocchiMan forget1900
0
7

Other Decks in Education

See All in Education
【セーフィー】テクニカルライティング&コミュニケーション実践講座(26新卒エンジニア向け研修資料)
Avatar for 山崎麻衣子 ymzaki_m4
0
190
[2026前期火5] 論理学(京都大学文学部 前期 第1回)「ハルシネーションを外部世界との対応を考えずに見分ける方法」
Avatar for Shunsuke Yatabe yatabe
0
1k
Curso de Consagração ao Sagrado Coração de Jesus - O Sagrado Coração na História (Aula 01)
Avatar for Congregação Mariana da Imaculada Conceição e Santo Afonso de Ligório cm_manaus
0
200
Science Tokyo国際卓越研究大学計画_202604
Avatar for Science Tokyo (東京科学大学) / Science Tokyo (Institute of Science Tokyo) sciencetokyo
PRO
0
3.6k
Padlet opetuksessa
Avatar for Matleena Laakso matleenalaakso
12
15k
AWS Certified Generative AI Developer - Professional Beta 不合格体験記
Avatar for amarelo_n24 amarelo_n24
1
310
事業紹介資料(トレーナー養成講座)
Avatar for 須藤賢太郎 kentaro1981
0
430
勝手にCULTIBASE で広げよう、探究の輪! - CULTIVAL 2026
Avatar for Hiroshi SAKAI hiroc_sk
1
210
Visualisation Techniques - Lecture 8 - Information Visualisation (4019538FNR)
Avatar for Beat Signer signer
PRO
1
3.1k
Course Review - Lecture 13 - Next Generation User Interfaces (4018166FNR)
Avatar for Beat Signer signer
PRO
0
2.3k
Data Processing and Visualisation Frameworks - Lecture 6 - Information Visualisation (4019538FNR)
Avatar for Beat Signer signer
PRO
1
3.1k
良い塩梅を実現する、AWSネットワーク3分クッキング
Avatar for モブエンジニア(Masaki Okuda) masakiokuda
1
260

Featured

See All Featured
The Illustrated Guide to Node.js - THAT Conference 2024
Avatar for David Neal reverentgeek
1
370
Bootstrapping a Software Product
Avatar for Garrett Dimon garrettdimon
PRO
307
120k
Money Talks: Using Revenue to Get Sh*t Done
Avatar for Nikki Halliwell nikkihalliwell
0
240
Lightning talk: Run Django tests with GitHub Actions
Avatar for Sarah Abderemane sabderemane
0
190
AI Search: Implications for SEO and How to Move Forward - #ShenzhenSEOConference
Avatar for Aleyda Solis aleyda
1
1.3k
How To Stay Up To Date on Web Technology
Avatar for Chris Coyier chriscoyier
790
250k
Jamie Indigo - Trashchat’s Guide to Black Boxes: Technical SEO Tactics for LLMs
Avatar for Tech SEO Connect techseoconnect
PRO
0
160
JAMstack: Web Apps at Ludicrous Speed - All Things Open 2022
Avatar for David Neal reverentgeek
1
460
Building Better People: How to give real-time feedback that sticks.
Avatar for Will Jessup wjessup
370
20k
Efficient Content Optimization with Google Search Console & Apps Script
Avatar for Katarina Dahlin katarinadahlin
PRO
1
590
Rebuilding a faster, lazier Slack
Avatar for samanthasiow samanthasiow
85
9.5k
Max Prin - Stacking Signals: How International SEO Comes Together (And Falls Apart)
Avatar for Tech SEO Connect techseoconnect
PRO
0
170

Transcript

  1. ηΩϡϦςΟɾΩϟϯϓϛχ'25 ޿ౡ։࠵ Ԡื՝୊ࡽ͠ ΅ͬͪ·Μ/ @forget1900

  2. ʲ໰̍ʳ Ԡืಈػʹ͍ͭͯ

  3. ճ౴ ɹࢲ͸౷ܭղੳݚڀࣨʹॴଐ͠ɺ౷ܭֶͷ஌ࣝ΍PythonɾRΛ༻͍ ͨσʔλ෼ੳΛֶश͍ͯ͠·͢ɻ΋ͱ΋ͱ୅਺ֶʹؔ৺͕͋Γࣗओ ֶशΛਐΊ͓ͯΓ·͕ͨ͠ɺେֶͷߨٛͰɺ୅਺ֶ΍੔਺࿦͕҉߸ ཧ࿦΍ූ߸ཧ࿦Λհͯ͠৘ใཧ࿦ͱີ઀ʹ݁ͼ͍͍ͭͯΔ͜ͱΛ஌ Γ·ͨ͠ɻಛʹɺ਺ֶతͳཧ࿦͕͍͔ʹͯ͠৘ใͷ҆ఆ͔ͭਖ਼֬ͳ ఻ୡΛ࣮ݱ͍ͯ͠Δͷ͔ͱ͍͏࢓૊Έʹڧ͍޷ح৺Λ๊͍͍ͯ· ͢ɻɹຊϛχΩϟϯϓ΁ͷࢀՃΛ௨͡ɺ͜Ε·ͰֶΜͰ͖ͨཧ࿦͕ ࣮ࣾձʹ͸ٕज़ͱͯ͠ͲͷΑ͏ʹ׆༻͞Ε͍ͯΔͷ͔Λਂֶ͘ͼͨ ͍ͱߟ͑ɺԠื͍ͨ͠·ͨ͠ɻ

  4. ʲ໰͖̍ͭͮʳ ͜ͷߨٛͰֶΜͩ͜ͱΛԿʹ໾ཱ͍͔ͯͨ

  5. ճ౴ ɹຊߨٛΛ௨ͯ͡ɺ৘ใཧ࿦ͷந৅తͳ֓೦͕ɺ࣮ࡍͷ௨৴΍σʔ λॲཧͷݱ৔Ͱ۩ମతʹͲͷΑ͏ʹ׆༻͞Ε͍ͯΔͷ͔Λֶͼ͍ͨ ͱߟ͍͑ͯ·͢ɻ·ͨɺཧ࿦Λ࣮૷ʹམͱ͠ࠐΉࡍͷٕज़తͳ޻෉ ΍ɺݱࡏ௚໘͍ͯ͠Δ՝୊ͱͦͷରॲ๏ΛֶͿ͜ͱͰɺଟ֯తͳࢹ ఺Λཆ͍͍ͨͰ͢ɻকདྷ͸ɺ͜͜Ͱಘͨ஌ݟΛࣗ਎ͷݚڀʹ׆͔͢ ͱͱ΋ʹɺΑΓݎ࿚ͳ҉߸ٕज़ͷൃల౳ʹߩݙͰ͖ΔਓࡐΛ໨ࢦ͠ ͍ͨͱߟ͍͑ͯ·͢ɻ

  6. ʲ໰2ʳ TLS௨৴ʹ͓͍ͯɺΫϥΠΞϯτ͸αʔόʔ͔Βૹ৴͞Ε Δূ໌ॻͷݕূΛߦ͍·͢ɻ ͜ͷূ໌ॻݕূͷ࢓૊Έʹ͍ͭͯௐ΂ɺαʔόʔͷਖ਼౰ੑΛͲͷΑ ͏ͳखॱͰ֬ೝ͍ͯ͠Δͷ͔ɺॱংཱͯͯઆ໌͍ͯͩ͘͠͞ɻ

  7. ճ౴(1/3) ɹTLS௨৴ʹ͓͍ͯɺΫϥΠΞϯτʢWebϒϥ΢β౳ʣ͸઀ଓઌͷ αʔόʔ͕ਅਖ਼ͳ΋ͷͰ͋Δ͔Λ֬ೝ͢ΔͨΊɺʮެ։伴ূ໌ॻʯ Λ༻͍ͨݕূΛߦ͍·͢ɻݕূͷྲྀΕʹ͍ͭͯҎԼͰઆ໌͢Δɻ 1. ূ໌ॻͷडྖͱ༗ޮੑͷ֬ೝ αʔόʔ͔Βૹ৴͞Εͨʮαʔόʔূ໌ॻʯΛड͚औΓɺ·ͣ༗ ޮظݶ಺ʢNot Before ʙ

    Not AfterʣͰ͋Δ͜ͱΛ֬ೝ͠·͢ɻ ͋Θͤͯɺূ໌ॻ͕ࣦޮϦετʢCRL΍OCSPʣʹؚ·Ε͍ͯͳ͍ ͔΋νΣοΫ͠·͢ɻ

  8. (2/3) 2. ॺ໊ͷݕূͱ৴པͷ࿈࠯ͷ֬ೝ ূ໌ॻʹ෇༩͞Εͨσδλϧॺ໊ΛɺൃߦݩͰ͋ΔೝূہʢCAʣ ͷެ։伴Λ༻͍ͯݕূ͠·͢ɻ͜ͷࡍɺதؒೝূہ͔ΒɺOS΍ϒ ϥ΢βʹϓϦΠϯετʔϧ͞Ε͍ͯΔʮϧʔτCAূ໌ॻʯ·Ͱḷ Γɺ৴པͷ࿈࠯͕੒ཱ͍ͯ͠Δ͔Λ֬ೝ͠·͢ɻ 3. υϝΠϯͷ੔߹ੑ֬ೝ ઀ଓ͠Α͏ͱ͍ͯ͠ΔURLͷϗετ໊͕ɺূ໌ॻ಺ͷʮSubject

    Alternative Name (SAN)ʯ·ͨ͸ʮCommon Name (CN)ʯʹه ࡌ͞Ε͍ͯΔ໊લͱҰக͢Δ͔Λর߹͠·͢ɻ

  9. (3/3) 4. ݕূ׬ྃͱ҉߸Խ௨৴ͷ։࢝ ্هͷݕূ͕͢΂ͯ੒ޭͨ͠৔߹ɺΫϥΠΞϯτ͸αʔόʔΛਖ਼ ౰ͳ΋ͷͱ൑அ͠·͢ɻͦͷޙɺڞ௨伴ͷڞ༗ʢTLSϋϯυγΣ ΠΫʣΛܧଓ͠ɺ҆શͳ҉߸Խ௨৴Λཱ֬͠·͢ɻ

  10. ʲ໰3ʳ OWASP ASVSͱ͸ɺιϑτ΢ΣΞ΍WebϓϩμΫτʹ͓͍ ͯɺͲͷΑ͏ͳ໾ׂΛ͸ͨ͢ϦετͰ͠ΐ͏͔ʁ LLMͳͲΛ༻͍ͳ͕Βௐ΂ɺࣗ෼ͷݴ༿Ͱ500จࣈҎ্Ͱ౴͑ͯ͘ ͍ͩ͞ɻ

  11. ճ౴(1/4) OWASP ASVSʢApplication Security Verification Standardʣ͸ɺ ೔ຊޠͰʮΞϓϦέʔγϣϯηΩϡϦςΟݕূඪ४ʯͱ༁͞Εɺ WebΞϓϦέʔγϣϯͷ҆શੑΛ٬؍తʹධՁɾ୲อ͢ΔͨΊͷ ʮڞ௨ͷ΋ͷ͞͠ʯͱͯ͠ͷ໾ׂΛՌͨ͠·͢ɻੈքతͳηΩϡϦ ςΟίϛϡχςΟͰ͋ΔOWASP͕ࡦఆ͓ͯ͠Γɺ։ൃऀ΍ηΩϡϦ

    ςΟΤϯδχΞ͕ࢀর͢΂͖۩ମతͳཁ͕݅ମܥతʹ·ͱΊΒΕͯ ͍·͢ɻͦͷओͳ໾ׂ͸ҎԼͷ3఺ʹू໿͞Ε·͢ɻ

  12. (2/4) ୈҰʹɺʮηΩϡϦςΟཁ݅ͷ໢ཏతͳΨΠυϥΠϯʯ ͱͯ͠ͷ໾ ׂͰ͢ɻASVS͸୯ͳΔ੬ऑੑ਍அͷνΣοΫϦετʹཹ·Γ·ͤ ΜɻೝূɺΞΫηε੍ޚɺσʔλͷ҉߸ԽɺΤϥʔॲཧͳͲଟذʹ ΘͨΔ߲໨ʢϨϕϧ1Ͱ131߲໨ɺϨϕϧ3Ͱ͸286߲໨ʹٴͼ·͢ʣ Λ໢ཏ͓ͯ͠Γɺ͜ΕΒΛ։ൃͷઃܭஈ֊͔Βࢀর͢Δ͜ͱͰɺη ΩϡϦςΟΛޙ෇͚Ͱ͸ͳ͘ʮઃܭஈ֊͔Β૊ΈࠐΉʢSecurity by Designʣʯ͜ͱ͕ՄೳʹͳΓ·͢ɻ

  13. (3/4) ୈೋʹɺʮϦεΫʹԠͨ͡ஈ֊తͳηΩϡϦςΟࢦඪʯ ͷఏڙͰ ͢ɻASVSͰ͸ɺΞϓϦέʔγϣϯͷॏཁ౓ʹԠͯ͡3ͭͷϨϕϧΛ ఆ͍ٛͯ͠·͢ɻશͯͷΞϓϦ͕࠷௿ݶຬͨ͢΂͖ʮϨϕϧ1ʯɺػ ີσʔλΛѻ͏ҰൠతͳϏδωεΞϓϦʹదͨ͠ʮϨϕϧ2ʯɺͦ͠ ͯॏཁΠϯϑϥ΍܉ࣄϨϕϧͷߴ౓ͳ৴པੑ͕ٻΊΒΕΔʮϨϕϧ 3ʯͰ͢ɻϨϕϧ্͕͕ΔʹͭΕɺݕূ߲໨਺͕૿͑Δ͚ͩͰͳ͘ɺ ݕূख๏΋มԽ͠·͢ɻྫ͑͹Ϩϕϧ1Ͱ͸ϒϥοΫϘοΫεܗࣜͷ DASTʢಈతղੳʣ͕த৺Ͱ͕͢ɺϨϕϧ2Ҏ্Ͱ͸ϗϫΠτϘοΫ

    εܗࣜͷSASTʢ੩తղੳʣ΍ίʔυϨϏϡʔΛ૊Έ߹ΘͤͨɺΑΓ ଟ૚తͳݕূ͕ٻΊΒΕ·͢ɻ

  14. (4/4) ୈࡾʹɺʮ૊৫಺֎ʹ͓͚Δίϛϡχέʔγϣϯͷඪ४Խʯ Ͱ͢ɻ ։ൃνʔϜͱ਍அϕϯμʔɺ͋Δ͍͸ൃ஫ݩͱड஫ऀͷؒͰʮͲ͜ ·Ͱରࡦ͢΂͖͔ʯͱ͍͏߹ҙܗ੒͸ࠔ೉ΛۃΊ·͢ɻ͔͠͠ɺ ASVSΛڞ௨ݴޠͱͯ͠ಋೖ͢Δ͜ͱͰɺʮࠓճ͸ASVS Ϩϕϧ1ʹ ४ڌ͢Δʯͱ͍ͬͨ໌֬ͳ໨ඪઃఆ͕ՄೳʹͳΓɺ૊৫શମͷη ΩϡϦςΟϓϩηεͷಁ໌ੑͱ඼࣭Λ޲্ͤ͞Δ໾ׂΛ୲͍·͢ɻ ͜ͷΑ͏ʹASVS͸ɺٕज़తͳνΣοΫϦετͰ͋Δͱಉ࣌ʹɺ։

    ൃɾӡ༻ɾධՁͷϥΠϑαΠΫϧશମΛ௨ͯ͡ιϑτ΢ΣΞͷ৴པ ੑΛࢧ͑ΔɺۃΊͯॏཁͳϑϨʔϜϫʔΫͰ͋Δͱݴ͑·͢ɻ