Website Security Summary (webサイトのセキュリティまとめ)
nyoshiky
July 29, 2017
Technology
A summary of the kinds of security measures available for websites.
Transcript
Website Security Measures: The First Step

Purpose of these slides
- Get an overview of the security measures available for websites.
10 Major Information Security Threats
Source: IPA (Information-technology Promotion Agency, Japan), "10 Major Information Security Threats 2016"
https://www.ipa.go.jp/security/vuln/10threats2016.html

Examples of security incidents
Targeted attacks
・JTB (2016)
・Japan Pension Service (2015)
Information leaks caused by insiders
・Benesse Corporation (2014)
・EDION (2015)
Theft of personal information from web services
・Attacks exploiting the Apache Struts2 vulnerability (2017)
    - MLIT (国交省), MIC (総務省), GMO-PG and others
Diagram: where each security measure sits in a web application (diagram drawn with draw.io)
About IDS / IPS

What IDS / IPS are
IDS = Intrusion Detection System. Takes no defensive action after detection.
IPS = Intrusion Prevention System. Takes defensive action after detection.

What IDS / IPS can do
An IDS detects intrusions and notifies the administrator; that is its main purpose. Because the administrator who receives the notification then has to take countermeasures, response takes time.
An IPS adds a blocking capability to an IDS, for example cutting off the connection at the same moment the intrusion is detected. It can block DDoS attacks from outside and illegitimate traffic from the inside to the outside.

Types of IDS / IPS
They are classified by where they are deployed.
[Host-based] The protection is per OS, so software has to be installed individually on each target machine.
[Network-based] Deployed on the network. Because it inspects packet contents, it can respond to intrusion attempts quickly.
A network-based sensor can in turn sit in one of three places: "outside the firewall", "in the DMZ", or "on the internal network".
    - Outside the firewall: mainly for capturing and analysing attacks from the logs.
    - In the DMZ: for detecting and blocking attacks the firewall could not stop.
    - On the internal network: for monitoring illegitimate traffic originating inside.
About WAF

What a WAF (Web Application Firewall) is
A protective tool that shields a website from attacks that exploit vulnerabilities in the web application itself. A security measure at the application layer.

Types of WAF
Cloud-based / software (host-based) / gateway (network-based)

How it differs from a firewall and from IDS / IPS
FW: a network-layer measure. It only routes packets and does not look at the content of the connection, so it cannot deal with attacks carried inside otherwise legitimate traffic on ports 80/443.
IDS/IPS: a platform-layer measure (vulnerabilities in the OS or middleware, etc.). Weak at detecting sophisticated attacks such as SQL injection.

Attacks a WAF can defend against (*1)
SQL injection, buffer overflow, session hijacking, forced browsing, OS command injection, password-list (credential stuffing) attacks, XSS, CSRF, parameter tampering, path traversal, error codes
*1: in the case of NEC "InfoCage SiteShell"
About full HTTPS

What full HTTPS (always-on HTTPS) means
Serving every page of the website over HTTPS (SSL/TLS encryption).

Merits and demerits of full HTTPS
[Merits]
・Stronger security
・Preferential treatment in search ranking (Google)
・Faster communication (browsers only speak HTTP/2 over HTTPS)
・More accurate access-log analysis (referrers are passed more reliably)
・Signals the site's trustworthiness
[Demerits]
・Migration cost for an existing site
・Possible drop in AdSense revenue
・Issuance and operating cost of SSL certificates
・Share counts on SNS social buttons are reset
Security measures via a reverse proxy
Putting a reverse proxy in front of the servers can be expected to strengthen security.
Learn IT keywords in a 90-second video: Reverse Proxy - @IT
http://www.atmarkit.co.jp/ait/articles/1608/25/news034.html

Other benefits of a reverse proxy
- IP address filtering (allow / block)
- URL rewriting
- Load balancing and better memory efficiency (routing static and dynamic resources separately)
- Consolidating several services onto shared servers
- Centralised SSL management
Server monitoring (OSS tools)
Munin: monitors resource usage. Central management server plus client agents.
Nagios: monitors network services and host resources.
Zabbix: network monitoring, database monitoring, virtual machine monitoring, scenario-based web monitoring, distributed monitoring via Zabbix proxies, failure detection with alert notification, and a Zabbix API.
Pandora FMS: up/down monitoring of servers and network devices, SNMP monitoring, etc. Supports Windows Server. Available as an open-source edition and an Enterprise edition.
sensu / uchiwa: monitors servers, virtual containers, databases, network devices, remote resources, etc. uchiwa is a separate product that provides the dashboard, but it is normally used together with sensu. Created to solve Nagios's scale-out problems.
Xymon: server and network monitoring. Supports SNMP, and agentless monitoring is also possible. Monitoring data is stored and graphed with RRDTool.
[Extra] What a CSIRT is
CSIRT (Computer Security Incident Response Team): the general term for an organisation that handles computer-security incidents. It collects and analyses incident information, vulnerability information and attack-precursor information, and draws up response policies and procedures.
What the Nippon CSIRT Association is | CSIRT - Nippon CSIRT Association (http://www.nca.gr.jp/outline/index.html)

The six categories defined by the US CERT Coordination Center
Internal CSIRT: handles incidents that occur within its own organisation
National (international liaison) CSIRT: in Japan, JPCERT/CC and others
Coordination center: liaises and coordinates with other CSIRTs it cooperates with
Analysis center: analyses incidents, malware and traces, issues advisories, etc.
Vendor team: handles vulnerabilities in the company's own products
Incident response provider: security vendors, SOC (Security Operations Center) operators, etc.

Examples of large organisations with a CSIRT
Taisei Corporation, ANA Systems, Japan Net Bank, JCB, Meiji Yasuda Life, Tokyo Electric Power Company Holdings, JFE Holdings, Mizuho Financial Group, SOMPO Holdings, Olympus, Yamaha Motor, Cybozu, Chiba University, etc.
With cyber attacks becoming more diverse and more frequent and turning into a management risk, every company is racing to build a CSIRT, but the shortage of security staff and skills, cooperation with outside parties, changing the security mindset of management and the front line, and keeping the team developing remain open challenges.
[Extra] The cache trap seen in the Mercari personal-information leak
The information leak on 22 June 2017 on the web version of the flea-market app "Mercari" happened during a CDN switch-over: because of how the HTTP response "Cache-Control" header was set, content that must never be cached got cached.

◆ Cache settings before the switch
- Caching was configured on the CDN side (the response-header settings shown on the slide, under which caching might not be disabled, were not in effect).

◆ Cache settings after the switch
- Because the new CDN provider could disable caching via the Cache-Control header, caching was controlled only by the nginx settings shown on the slide, not on the CDN side.
- However, the only case in which this CDN provider did not cache was when Cache-Control was "private".
- Right after the switch, Mercari set Cache-Control to "no-cache". no-cache does not mean "do not cache"; it instructs a proxy or cache server that it must not reuse a stored copy without first asking the origin web server whether the copy is still valid. If the web server answers "304 Not Modified", the cached copy is served.
- Meanwhile, neither max-age nor s-maxage was set in Cache-Control, so the Expires header was used for freshness.
- Expires had been set to "-1", intended to mean "one second before the access" and thus disable caching, but a value in the past was treated as a lifetime of 0 seconds. ("-1" is not a valid HTTP-date at all; RFC 7234 requires a cache to treat an invalid Expires value as already expired, which amounts to the same thing: the response is stored, just stale on arrival.)
- With a 0-second lifetime, when further requests for the same URL arrived while the CDN's request to the origin was still in flight, the second and later requests for that URL were all given the same response (so content containing other users' information became visible).
- To prevent caching, specify "no-store" (in the case of Mercari's new CDN, apparently only "private" disabled caching?).
- Another measure is to limit CDN caching to images and js/css files that contain no personal information.
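The directive semantics behind the Mercari slide above are easy to get wrong, so here is a worked example added for this page (it is not code from the original deck or from Mercari). shared_cache_policy() encodes how a shared cache such as a CDN must treat Cache-Control and Expires under RFC 7234, going beyond the slide's single case to cover s-maxage, max-age and valid Expires dates as well; CollapsingCdn is a constructed toy model of the request-collapsing behaviour the slide describes, and the personalised_origin() helper, the header sets and the user names are assumptions for illustration, not any real provider's behaviour or configuration.

```python
"""Shared-cache (CDN) handling of Cache-Control / Expires, as a runnable model.

Added example for this page; not code from the original deck or from Mercari.
shared_cache_policy() follows RFC 7234 (s-maxage beats max-age beats Expires;
an invalid Expires such as "-1" counts as already expired). CollapsingCdn is a
constructed toy model of the request-collapsing behaviour the slide describes,
not the configuration of any real CDN provider.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_cache_control(value: str) -> dict:
    """'no-cache, max-age=60' -> {'no-cache': None, 'max-age': '60'} (names lowercased)."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"') if arg else None
    return directives


def shared_cache_policy(headers: dict, now: datetime) -> dict:
    """Decide what a shared cache may do with a response.

    Returns {'store': may the shared cache keep a copy at all,
             'ttl': seconds the copy is fresh (0 = stale on arrival),
             'must_revalidate': copy may only be reused after the origin confirms it}.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        # no-store: nobody stores it; private: only the end user's own browser may
        return {"store": False, "ttl": 0, "must_revalidate": False}

    ttl = None
    for name in ("s-maxage", "max-age"):          # s-maxage wins for shared caches
        if cc.get(name) is not None and cc[name].isdigit():
            ttl = int(cc[name])
            break
    if ttl is None and "expires" in h:             # Expires only counts without max-age
        try:
            expires = parsedate_to_datetime(h["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            ttl = max(0, int((expires - now).total_seconds()))
        except (TypeError, ValueError):
            ttl = 0  # "-1", "0", garbage: RFC 7234 says treat as already expired
    if ttl is None:
        ttl = 0      # no explicit freshness: treat as stale (heuristics out of scope)

    # no-cache means "store, but revalidate before every reuse", not "do not store"
    return {"store": True, "ttl": ttl, "must_revalidate": "no-cache" in cc}


def reused_after_revalidation(policy: dict, origin_status: int) -> bool:
    """With no-cache, a 304 Not Modified from the origin puts the stored body back on the wire."""
    return policy["store"] and policy["must_revalidate"] and origin_status == 304


class CollapsingCdn:
    """Toy model (constructed): concurrent requests for one URL are collapsed onto a
    single origin fetch whenever the response is storable, even with ttl 0."""

    def __init__(self, origin, now: datetime):
        self.origin = origin          # origin(url, user) -> (headers, body)
        self.now = now

    def serve_burst(self, url: str, users: list) -> list:
        """Serve simultaneous requests from `users`; returns the body each one receives."""
        headers, body = self.origin(url, users[0])  # first request goes to the origin
        policy = shared_cache_policy(headers, self.now)
        bodies = [body]
        for user in users[1:]:
            if policy["store"]:
                bodies.append(body)                 # joined onto the in-flight fetch
            else:
                bodies.append(self.origin(url, user)[1])  # every request hits the origin
        return bodies


def personalised_origin(headers: dict):
    """Constructed origin: returns a per-user page with the given response headers."""
    return lambda url, user: (headers, f"{url}: profile of {user}")


NOW = datetime(2017, 6, 22, 12, 0, 0, tzinfo=timezone.utc)   # constructed clock
LEAKY = {"Cache-Control": "no-cache", "Expires": "-1"}       # the slide's pre-fix headers
SAFE = {"Cache-Control": "no-store"}                          # what should have been sent


def demo() -> tuple:
    """Return (bodies with leaky headers, bodies with safe headers) for three concurrent users."""
    users = ["alice", "bob", "carol"]
    leaky = CollapsingCdn(personalised_origin(LEAKY), NOW).serve_burst("/mypage", users)
    safe = CollapsingCdn(personalised_origin(SAFE), NOW).serve_burst("/mypage", users)
    return leaky, safe


if __name__ == "__main__":
    leaky, safe = demo()
    print("no-cache + Expires:-1 ->", leaky)   # every user receives alice's page
    print("no-store              ->", safe)    # each user receives their own page
```

Running the block shows the two outcomes side by side: with no-cache plus an invalid Expires the response is storable with a zero lifetime, so the collapsed burst hands alice's page to bob and carol, while no-store forces a separate origin fetch per user. The same policy function also shows why no-cache is not a fix on its own: as long as the origin keeps answering 304, the stored body is what gets reused.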
References
- Everything You Need to Know About Security 2018 (すべてわかるセキュリティ大全2018), Nikkei BP mook
- 10 Major Information Security Threats 2016 (情報セキュリティ10大脅威 2016), IPA, Information-technology Promotion Agency, Japan https://www.ipa.go.jp/security/vuln/10threats2016.html
- Why full-site HTTPS ("always-on SSL") is needed and what it brings (Webサイト全体のHTTPS化「常時SSL」が必要な理由とメリットを理解しよう), ビジネスとIT活用に役立つ情報 http://www.asobou.co.jp/blog/web/ssl-2
- What is a WAF? (WAFとは？), SiteGuard, Canon IT Solutions https://www.canon-its.co.jp/products/siteguard/waf/
- IDS/IPS in 5 minutes, part 1/6 (5分で絶対に分かるIDS／IPS), @IT http://www.atmarkit.co.jp/ait/articles/0203/16/news001.html
- The difference between IDS and IPS (IDSとIPSの違い), FreeBit Cloud https://cloud.freebit.com/contents/security/161/
- On the cause of the personal-information leak on the web version of Mercari during the CDN switch-over (CDN切り替え作業における、Web版メルカリの個人情報流出の原因につきまして), Mercari Engineering Blog http://tech.mercari.com/entry/2017/06/22/204500
- The Cache-Control header as a security measure (セキュリティ対策としての Cache-Control ヘッダについて), 理系学生日記 http://kiririmode.hatenablog.jp/entry/20170625/1498389317