Summary of web site security
nyoshiky
July 29, 2017
I have put together a summary of the kinds of security measures that exist for web sites.
Transcript
Web site security measures: the first step

Purpose of this deck: to get an overview of web site security measures.

The 10 Major Information Security Threats
Source: Information-technology Promotion Agency (IPA), "10 Major Information Security Threats 2016", https://www.ipa.go.jp/security/vuln/10threats2016.html
Examples of security incidents:
- Targeted attacks: JTB (2016), Japan Pension Service (2015)
- Information leaks through insider misconduct: Benesse Corporation (2014), EDION (2015)
- Theft of personal data from web services: attacks exploiting an Apache Struts2 vulnerability (2017), affecting MLIT, MIC, GMO-PG and others

Web application security response diagram (diagram created with draw.io; the diagram itself is an image and is not part of this transcript)

About IDS / IPS
What IDS / IPS are:
- IDS = Intrusion Detection System. Takes no protective action after detection.
- IPS = Intrusion Prevention System. Takes protective action after detection.
What IDS / IPS can do:
- An IDS mainly detects intrusions and notifies the administrator. Because the notified administrator then has to take countermeasures, response takes time.
- An IPS adds a defensive function to an IDS, for example cutting off the communication at the moment the intrusion is detected. It can defend against DDoS attacks from outside and block illegitimate communication from the inside to the outside.
Types of IDS / IPS, by placement:
- Host-based: the countermeasure is per OS, so the software has to be installed individually on each target computer.
- Network-based: placed on the network. Because it inspects packet contents, it can respond quickly to intrusion attacks. There are three placement patterns: outside the firewall, in the DMZ, and on the internal network.
  - Outside the firewall: mainly for understanding and analysing attacks through log collection.
  - In the DMZ: to detect and block attacks the firewall could not stop.
  - Internal network: to monitor illegitimate communication originating inside.

About WAF
A WAF (Web Application Firewall) is a defensive tool that protects a web site from attacks exploiting vulnerabilities in the web application: a security measure at the application level.
Types of WAF: cloud-based / software-based (host-based) / gateway-based (network-based).
Differences from a firewall and from IDS / IPS:
- FW: a network-level measure. It only routes packets and does not look inside the communication, so it cannot handle attacks carried over normal traffic on ports 80/443.
- IDS / IPS: a platform-level measure (handling OS and middleware vulnerabilities, etc.). Weak at detecting sophisticated attacks such as SQL injection.
Attacks a WAF can defend against (*1): SQL injection, buffer overflow, session hijacking, forced browsing, OS command injection, password list attacks, XSS, CSRF, parameter tampering, path traversal, error codes.
*1: in the case of NEC's "InfoCage SiteShell".

About going fully HTTPS
Going fully HTTPS (always-on HTTPS) means serving every page of a web site over HTTPS (SSL / TLS encryption).
Merits:
- stronger security
- preferential treatment in search ranking (Google)
- faster communication (HTTPS is required to use HTTP/2)
- more accurate access-log analysis (better referrer passing)
- signals the site's trustworthiness
Demerits:
- migrating an existing site costs effort
- AdSense revenue may drop
- SSL certificate issuance and operation cost money
- share counts on social buttons (SNS etc.) are reset

Security measures using a reverse proxy
Moving to a reverse-proxy configuration can be expected to strengthen security.
Reference: "IT keywords learned in a 90-second video: Reverse Proxy" - @IT, http://www.atmarkit.co.jp/ait/articles/1608/25/news034.html
Other merits of a reverse proxy:
- IP address filtering (allow / block)
- URL rewriting
- load balancing and better memory usage (routing static / dynamic resources separately)
- consolidating several services onto shared servers
- centralised SSL management

Server monitoring (OSS tools)
- Munin: monitoring of resource usage; a central management server with client agents.
- Nagios: monitoring of network services and host resources.
- Zabbix: network monitoring, database monitoring, virtual machine monitoring, scenario-based web monitoring, distributed monitoring through Zabbix proxies, failure detection with alert notification, and a Zabbix API.
- Pandora FMS: liveness monitoring of servers and network devices, SNMP monitoring, etc. Supports Windows Server. Available in an open-source edition and an Enterprise edition.
- sensu / uchiwa: monitoring of servers, virtual containers, databases, network devices, remote resources, etc. uchiwa is a separate product that provides the dashboard, but it is normally used together with sensu. Created to solve Nagios's scale-out problems.
- Xymon: server and network monitoring. Supports SNMP, and agentless monitoring is also possible. Monitoring data is managed and graphed with RRDtool.

[Bonus] What is a CSIRT?
A CSIRT (Computer Security Incident Response Team) is the general term for an organisation that handles computer-security incidents. It collects and analyses incident-related information, vulnerability information and attack-precursor information, and formulates response policies and procedures.
Reference: Nippon CSIRT Association (http://www.nca.gr.jp/outline/index.html)
Six categories according to the US CERT Coordination Center:
- Internal CSIRT: responds to incidents occurring within its own organisation
- International liaison CSIRT: in Japan, JPCERT/CC and others
- Coordination center: liaison and coordination with other CSIRTs in a cooperative relationship
- Analysis center: incident analysis, malware analysis, trace analysis, issuing alerts, etc.
- Vendor team: handles vulnerabilities in the company's own products
- Incident response provider: security vendors, SOC (Security Operation Center) operators, etc.
Examples of adoption at major organisations include ANA Systems, Japan Net Bank, JCB, Meiji Yasuda Life, Tokyo Electric Power Company Holdings, JFE Holdings, Mizuho Financial Group, SOMPO Holdings, Olympus, Yamaha Motor, Cybozu, Chiba University, etc.
Today, with the diversification and growing frequency of cyber attacks becoming a management risk, every company is rushing to build a CSIRT, but shortages of security personnel and skills, cooperation with outside parties, reforming security awareness among management and front-line staff, and the continued development of the team remain challenges.

[Bonus] The cache trap seen in the Mercari personal-data leak
The information leak on the web version of the flea-market app "Mercari" on 22 June 2017 was caused, during a switch of CDN provider, by the HTTP response's Cache-Control header settings letting content that must never be cached get cached.
Cache settings before the switch:
- Caching was configured on the CDN side (the response-header settings below, which in some cases fail to disable caching, were not in effect).
Cache settings after the switch:
- Because the new CDN provider could disable caching through the Cache-Control header, only the nginx settings (shown on the slide) were used, with nothing configured on the CDN side.
- However, that CDN provider skipped caching only when the Cache-Control header was "private".
- Right after the switch, Mercari set Cache-Control to "no-cache". no-cache does not mean "do not cache"; it is an HTTP response directive telling proxy and cache servers that content recorded in the cache must not be reused without first asking the origin web server whether it is still valid. If the web server returns a "304 Not Modified" status code, the cached copy is used.
- Meanwhile, because neither max-age nor s-maxage was specified in Cache-Control, the Expires header was in effect.
- Expires was set to "-1", meaning one second before the access, to disable caching, but a value in the past was treated as 0 seconds.
- With Expires at 0 seconds, if a request for the same URL arrived while the CDN's request to the origin was in flight, the second and later requests for that URL received the same response (= content containing other people's information could be viewed).
- To prevent caching, specify "no-store" (in the case of the CDN Mercari switched to, only "private" disables caching?).
- Other possible countermeasures include restricting CDN caching to images and js / css files that contain no personal information.
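The header precedence just described, as an added example written for this page (not code from the deck or from Mercari): a small Python model of what a shared cache does with a response. All function names are hypothetical and both header sets are constructed; LEAKY is the no-cache plus Expires: -1 combination the slide describes, FIXED the private/no-store replacement.

```python
import email.utils
from dataclasses import dataclass
@dataclass
class Decision:
    store: bool        # may a shared cache (the CDN) keep a copy at all?
    revalidate: bool   # must it ask the origin before reusing that copy?
    fresh_for: int     # freshness lifetime in seconds (0 = already stale)

def parse_cache_control(value):
    """Split 'no-cache, max-age=60' into {'no-cache': None, 'max-age': '60'}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().lower().partition("=")
        if name:
            directives[name] = arg.strip('" ') or None
    return directives

def http_date_to_epoch(text):
    """Epoch seconds for an HTTP date; None for junk such as 'Expires: -1'."""
    try:
        return int(email.utils.parsedate_to_datetime(text).timestamp())
    except (TypeError, ValueError):
        return None

def shared_cache_decision(headers, now):
    """Slide's precedence: no-store/private forbid storing, s-maxage beats
    max-age, and Expires is consulted only when both are absent."""
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    if "no-store" in cc or "private" in cc:
        return Decision(store=False, revalidate=False, fresh_for=0)
    if cc.get("s-maxage") is not None:
        fresh = int(cc["s-maxage"])
    elif cc.get("max-age") is not None:
        fresh = int(cc["max-age"])
    else:  # invalid or past Expires means "already expired", not "never store"
        expires = http_date_to_epoch(headers.get("Expires", ""))
        fresh = max(0, expires - now) if expires is not None else 0
    return Decision(store=True, revalidate="no-cache" in cc, fresh_for=fresh)

def served_from_cache(decision, origin_status):
    """A fresh copy is reused directly; a stale or no-cache copy is reused
    whenever revalidation answers 304 Not Modified (the leak on the slide)."""
    if not decision.store:
        return False
    if decision.fresh_for > 0 and not decision.revalidate:
        return True
    return origin_status == 304

LEAKY = {"Cache-Control": "no-cache", "Expires": "-1"}  # constructed: weak setting
FIXED = {"Cache-Control": "private, no-store"}          # constructed: the fix
```

With LEAKY the copy is stored and handed out as soon as the origin answers 304; with FIXED it is never stored, whichever of private or no-store the CDN honours.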
References and sites
- すべてわかるセキュリティ大全2018 (Nikkei BP mook)
- 10 Major Information Security Threats 2016: IPA (Information-technology Promotion Agency, Japan), https://www.ipa.go.jp/security/vuln/10threats2016.html
- Understand why full-site HTTPS ("always-on SSL") is needed and its merits: Information useful for business and IT use, http://www.asobou.co.jp/blog/web/ssl-2
- What is a WAF? | SiteGuard | Canon IT Solutions, https://www.canon-its.co.jp/products/siteguard/waf/
- Understand IDS / IPS in 5 minutes (1/6) - @IT, http://www.atmarkit.co.jp/ait/articles/0203/16/news001.html
- The difference between IDS and IPS | FreeBit Cloud, https://cloud.freebit.com/contents/security/161/
- On the cause of the personal-data leak from web Mercari during the CDN switch - Mercari Engineering Blog, http://tech.mercari.com/entry/2017/06/22/204500
- On the Cache-Control header as a security measure - 理系学生日記, http://kiririmode.hatenablog.jp/entry/20170625/1498389317