OSS で知ってほしい セキュリティのこと

Transcript

1. 044
   Ͱ஌ͬͯ΄͍͠
   ηΩϡϦςΟͷ͜ͱ
   UFDISBNFODPOG

2. SIerɺSoftware Engineerɺ֤छ੬ऑੑ਍அαʔϏεͷ্ཱͪ͛ ͔Βͷ PSIRT ͳͲɺ௕Β͘ηΩϡϦςΟΤϯδχΞɻ ਍அαʔϏεΛ্ཱͪ͛Δͱ͖͸ݽ܉ฃಆͰݽಠΛטΈకΊͯ ͍͕ͨ OSS ʹॿ͚ΒΕΔɻOWASP Lifetime

   Membership. ࠷ۙʢ2024/7ʣ͸ΞϓϦέʔγϣϯΤϯδχΞʹճؼɻ ೔ʑϚΠΫϩαʔϏεͱ৮Ε߹͍ͬͯ·͢ɻ ޷͖ͳ੬ऑੑ͸
   4FSWFS
   4JEF
   3FRVFTU
   'PSHFSZ ϓϩϑΟʔϧը૾ͷ τϦϛϯάํ๏ yu fujioka

3. 044
   ͷηΩϡϦςΟͷ͓࿩ 044
   ΛऔΓר͘ڴҖ
   ڴҖ΁ͷରࡦ
   044
   ͷา͖ํ

4. 1PMZ fi MMJPͷ͓࿩ ೥݄ɺ1PMZ fi MMJPͷυϝΠϯͱ(JU)VCΞΧ΢ϯτ͕தࠃͷاۀ 'VOOVMMʹΑͬͯങऩ
   ಛఆ৚݅ԼͰѱҙͷ͋Δ8FCαΠτʹϦμΠϨΫτ͢ΔΑ͏ίʔυ͕ ஫ೖ͞Εͨ
   యܕతͳαϓϥΠνΣʔϯ߈ܸ

5. 9;
   ͷόοΫυΞͷ͓࿩ +JB
   5BO
   ͱ͍͏։ൃऀʹΑΔ਺೥ʹٴͿʮݙ਎తͳʯ$POUSJCVUJPO
   Ξοϓσʔτ͕஗͍ͱ͍͏ۤ৘ʹΑΔίΞϝϯςφͷർฐ
   ͜͏ͨ͠Ϣʔβʔ͔Βͷۤ৘΋ɺͦͷλΠϛϯά͔Β߈ܸͷҰ؀ͩͬͨՄೳੑ͕͋Δ
   ίΞϝϯςφͷࣗવͳަ୅͔ܶΒͷαϓϥΠνΣʔϯ߈ܸ
   +JB
   5BO
   ࣗ਎͸ࠃՈతͳ߈ܸΞΫλʔʹΑͬͯ࡞ΒΕͨળྑͳ
   044
   ϝϯςφͱ͍͏ ϖϧιφʢͱݟΒΕ͍ͯΔʣͰ͋ΓɺதࠃͷΞΫλʔΛ૷ͬͨଞࠃʹΑΔ߈ܸͱௐ ͕ࠪग़͍ͯΔʢ͠ɺதࠃΛ૷ͬͨଞࠃΛ૷ͬͨୈࡾࠃͱ͔΋શવ͋Δʣ
   ͜͏ͨ͠৐ͬऔΓΛ
   044
   ։ൃऀ͕ࣗӴ͢Δͷ͸೉͍͠͠ɺ
   ɹͦ͏ͨ͠੹຿ΛϝϯςφͨͪʹෛΘͤΔ΂͖Ͱ΋ͳ͍
   

   ɹ
   
   
   ͳΜ͔
   44)
   ઀ଓඵ͘Β͍஗͍ͳʙɺͬͯؾ͍ͮͨ
   "OESFT
   'SFVOE
   ͕Ғେ͗͢Δ

6. 'BLF
   74$PEF
   &YUFOTJPO
   ͷ͓࿩ 4FDVSJUZ
   3FTFBSDIFS
   ِ͕ͷ
   WTDPEF
   FYUFOTJPO
   Λެ։͠ɺِͷϨϏϡʔΛੜ੒ ͠ɺ৭Μͳ։ൃऀʹΠϯετʔϧ͞Εɺ74$PEF
   .BSLFUQMBDFʢ݄ؒສ ϏϡʔΛ֫ಘ͢ΔϖʔδʣͰτϨϯυೖΓ͠ɺෳ਺ͷ࣌Ձ૯ֹ਺ेԯυϧن໛ͷ #JH
   5FDI
   ୡʹΠϯετʔϧ͞Εͨ
   3FTFBSDIFS
   ͸ِͷ
   1SFUUJFS
   $PEF
   GPSNBUUFS
   ͱ͍͏ѱҙͷ͋Δ
   &YUFOTJPO
   ʹΠϯεύΠΞ͞ Εͨͱͷ͜ͱ
   %SBDVMB
   0 ffi DJBM
   ͱ͍͏ਓؾͷςʔϚΛ໛฿ͨ͠
   %BSDVMB
   0

   ff i DJBM
   Λ࡞੒ɺݩͷ ίʔυΛվม͠ιʔείʔυΛ౪೉͢ΔίʔυΛ௥Ճ
   ߈ܸͷ४උʹ͔͔ͬͨ࣌ؒ͸෼ͱͷ͜ͱ
   IUUQTNFEJVNDPN!BNJUBTTBSBGUIFTUPSZPGFYUFOTJPOUPUBMIPXXFIBDLFEUIFWTDPEFNBSLFUQMBDFDFBFE
   

7. αϓϥΠνΣʔϯ߈ܸ͕લఏͷ࣌୅Λ
   ੜ͖Δ͔͠ͳͦ͞͏ %PDLFS
   )VC
   ʹެ։͞Ε͍ͯΔສҎ্ͷϦϙδτϦͷ͏ͪɺˋۙ͘ ʢ໿ສʣ͕ѱҙͷ͋ΔίϯςϯπΛϗετ͍ͯͨ͠ͱ͍͏ௐࠪใࠂ
   IUUQTKGSPHDPNCMPHBUUBDLTPOEPDLFSXJUINJMMJPOTPGNBMJDJPVTSFQPTJUPSJFTTQSFBE NBMXBSFBOEQIJTIJOHTDBNT
   
   τϩΠͷ໦അԽͨ͠K2VFSZ͕(JU)VC΍$%/ܦ༝Ͱ֦ࢄɹถηΩϡϦςΟاۀ ͕ܯࠂ
   IUUQTXXXJUNFEJBDPKQOFXTBSUJDMFTOFXTIUNM
   
   OQN
   ΍
   QJQ
   ʹຮԆΔ
   5ZQP4RVBUUJOH

   ͦͷଞ΋Ζ΋Ζ

8. IUUQTXXXHIJCMJKQXPSLTLJNJUBDIJ

9. ૣظݕ஌͢Δ࢓૊Έ (JU)VC
   ͷ
   %FQFOEBCPU
   "MFSUT
   ͱ͸Կ͔ʢաڈهࣄʣ
   %FQFOEFODZ
   (SBQI
   ͔ΒϦϙδτϦʹؚ·ΕΔ
   044
   ͷ੬ऑੑΛݕग़
   ΋͸΍ݱ୅ʹ͓͍ͯඞਢͷػೳͱݴ͑Δ

10. 4"45
    
    ੩తղੳͷ࢓૊Έ (JU)VC
    %PDT
    ίʔυ
    εΩϟϯʹ͍ͭͯ
    ࣗ෼͕ॻ͍ͨ
    044
    ͷղੳ΍ɺར༻͍ͨ͠
    044
    ͷ੬ऑੑݕग़ʹ΋ศར
    4ZOD
    ͱ
    5BJOU
    5SBDLJOH
    ͱ͍͏֓೦Ͱߴਫ਼౓ͳղੳΛߦ͏ʢ΋ͪΖΜِཅੑ͸͋Δʣ
    4FDSFU
    4DBOOJOH
    ΋ྑ͍ͧ

11. ͦͷଞ΋Ζ΋Ζ ʮؾΛ͚ͭΔʯʢࠜੑ࿦ʣ͸࢒೦ͳ͕Β·ͩඞཁ
    खଧͪ
    JOTUBMM
    ؾΛ͚ͭΔɺग़ࣗͷո͍͠΋ͷ͸࢖Θͳ͍ͱ͔͸جຊಈ࡞ʹ
    4#0.
    ʹ΋ظ଴ɻ͚Ͳ·ͩਓྨʹ͸ૣͦ͏
    /FUXPSL
    'JSFXBMM
    ΍ػඍ৘ใͷΞʔΩςΫνϟ෼཭ɺ$41
    ͳͲͷ
    4FDVSF
    IFBEFSɺ؂ࢹɺ৘ใऩूͳͲͷऔΓ૊Έ͸ґવॏཁ
    ߈ܸ͞Εͯ΋ؾ͚ͮΔɺରॲͰ͖Δ࢓૊Έͮ͘Γ
    5SJWZ
    ͱ͍ͬͨ
    044
    ʹΑΔ੬ऑੑ৘ใͷૣظݕग़΋༗ޮ ˜ʰφχϫۚ༥ʱ
    ੨໦༤ೋ

12. ࢒೦ͳ͕Βɺݱ୅ͷιϑτ΢ΣΞ։ൃ͸·ͩ৻ॏʹา͔ͳ͍ͱ͍͚ͳ͍
    ͚Ͳ৺ڧ͍෢ث΋ͨ͘͞Μ͋ΔɻͦΕΒ΋
    044
    ʹ୔ࢁ͋Δɻ׆༻͠Α͏
    044
    ʹ͓ۚ෷͏ͷ΋େࣄͩ͠ɺͦΕʹ఍߅͕͋Ε͹
    $POUSJCVUF
    ͍ͯ͜͠
    (JU)VC
    "EWBODFE
    4FDVSJUZ
    ͸͍͍ͧ ৻ॏʹา͘ೣ

13. 3FGFSFODF )PX
    8F
    )BDLFE
    .VMUJ#JMMJPO
    %PMMBS
    $PNQBOJFT
    JO
    
    .JOVUFT
    6TJOH
    B
    'BLF
    74$PEF
    &YUFOTJPO
    IUUQTNFEJVNDPN!BNJUBTTBSBGUIFTUPSZPGFYUFOTJPOUPUBMIPXXFIBDLFEUIFWTDPEFNBSLFUQMBDFDFBFE
    
    +'SPH
    4FDVSJUZ
    SFTFBSDI
    EJTDPWFST
    DPPSEJOBUFE
    BUUBDLT
    PO
    %PDLFS
    )VC
    UIBU
    QMBOUFE
    NJMMJPOT
    PG
    NBMJDJPVT
    SFQPTJUPSJFT
    IUUQTKGSPHDPNCMPHBUUBDLTPOEPDLFSXJUINJMMJPOTPGNBMJDJPVTSFQPTJUPSJFTTQSFBENBMXBSFBOEQIJTIJOHTDBNT
    
    τϩΠͷ໦അԽͨ͠K2VFSZ͕(JU)VC΍$%/ܦ༝Ͱ֦ࢄɹถηΩϡϦςΟاۀ͕ܯࠂ
    IUUQTXXXJUNFEJBDPKQOFXTBSUJDMFTOFXTIUNM
    
    ܅ͨͪ͸Ͳ͏ੜ͖Δ͔ʢʣ
    IUUQTXXXHIJCMJKQXPSLTLJNJUBDIJ
    
    

    (JU)VC
    ͷ
    %FQFOEBCPU
    "MFSUT
    ͱ͸Կ͔
    IUUQT[FOOEFWZVVIVBSUJDMFTBCPVUHJUIVCBMFSU
    (JU)VC
    %PDT
    ίʔυ
    εΩϟϯʹ͍ͭͯ
    IUUQTEPDTHJUIVCDPNKBDPEFTFDVSJUZDPEFTDBOOJOHJOUSPEVDUJPOUPDPEFTDBOOJOHBCPVUDPEFTDBOOJOH