OWT2017JP - OWASP Project Overview for Developers

1.

08"41ͷา͖ํ 085 08"41+BQBO $IBQUFS-FBEFS 4FO6&/0 08"411SPKFDU0WFSWJFX GPS%FWFMPQFST

2.

08"411SPKFDU

3.

'MBHTIJQ1SPKFDUT • 5PPMT – 08"41;FE"UUBDL1SPYZ – 08"418FC5FTUJOH&OWJSPONFOU1SPKFDU – 08"41085' –
08"41%FQFOEFODZ$IFDL – 08"414FDVSJUZ4IFQIFSE</FX> • $PEF – 08"41.PE4FDVSJUZ $PSF3VMF4FU1SPKFDU – 08"41$43'(VBSE 1SPKFDU – 08"41"QQ4FOTPS 1SPKFDU • %PDVNFOUBUJPO – 08"41"QQMJDBUJPO4FDVSJUZ7FSJGJDBUJPO4UBOEBSE1SPKFDU – 08"414PGUXBSF"TTVSBODF.BUVSJUZ.PEFM 4".. – 08"41"QQ4FOTPS 1SPKFDU – 08"415PQ5FO1SPKFDU – 08"415FTUJOH(VJEF1SPKFDU IUUQTXXXPXBTQPSHJOEFYQIQ08"41@1SPKFDU@*OWFOUPSZ'MBHTIJQ@1SPKFDUT

4.

08"415PQ3$ • 8FCΞϓϦέʔγϣϯ੬ऑੑτοϓ 3$3FKFDUFE ݄Լ०ϦϦʔε༧ఆ

5.

08"415PQGPS ೔ຊޠ൛ΞϦ㽂

6.

;"1 • ;"1 ;FE"UUBDL1SPYZ • 8FCΞϓϦέʔγϣϯ੬ऑੑεΩϟφʔ ೔ຊޠ൛ΞϦ㽂

7.

8FC5FTUJOH&OWJSPONFOU • ओʹ08"41ͷΞϓϦέʔγϣϯηΩϡϦςΟπʔϧͱυΩϡϝ ϯτͷ٧Ί߹Θͤ -JOVYEJTU • 08"41ͷ֤छϓϩδΣΫτ – πʔϧ΍υΩϡϝϯτ –
08"41Ҏ֎ͷ8FCΞϓϦέʔγϣϯηΩϡϦςΟπʔϧ΋ऩ࿥ • *40΍7.XBSF 7JSUVBM#PY 1BSBMMFMTɺ-JOVYύοέʔδͳͲͷ ܗࣜͰఏڙ – چ08"41-JWF$%

8.

085' • 085' 0GGFOTJWF8FC5FTUJOH'SBNFXPSL – ࣗಈ਍அπʔϧ – 08"415FTUJOH(VJEF 15&4 UIF1FOFUSBUJPO5FTUJOH&YFDVUJPO
4UBOEBSE /*45

9.

08"41%FQFOEFODZ$IFDL • 8FCΞϓϦέʔγϣϯͷத͔Β੬ऑੑͷ͋ΔίϯϙʔωϯτΛ ൃݟ͢ΔεΩϟφʔ – +BWB /&5ʹରԠ • 3VCZ /PEFKT
1ZUIPO $$ ͸ࢼݧతͳରԠ

10.

08"414FDVSJUZ4IFQIFSE • 8FCͱϞόΠϧͷΞϓϦέʔγϣϯηΩϡϦςΟͷͨΊͷτ Ϩʔχϯάπʔϧ – ηΩϡϦςΟΛֶͿͨΊͷϋϯζΦϯ؀ڥ – $5'ϞʔυɺΦʔϓϯϑϩΞϞʔυɺτʔφϝϯτϞʔυͳͲΛඋ͑Δ • 5FBDIJOH5PPMGPS"MM"QQMJDBUJPO4FDVSJUZ
• 8FC"QQMJDBUJPO1FO5FTUJOH5SBJOJOH • .PCJMF"QQMJDBUJPO1FO5FTUJOH5SBJOJOH • 4BGF1MBZHSPVOEUP1SBDUJTF "QQ4FD 5FDIOJRVFT • 3FBM4FDVSJUZ3JTL&YBNQMFT

11.

.PE4FDVSJUZ $PSF3VMF4FU1SPKFDU • .PE4FDVSJUZ – 0QFO4PVSDF8FC"QQMJDBUJPO'JSFXBMM • .PE4FDVSJUZ Ͱ࢖͑Δϧʔϧηοτ –
1SPUPDPM7BMJEBUJPO – .BMJDJPVT$MJFOU*EFOUJGJDBUJPO – (FOFSJD"UUBDL4JHOBUVSFT – ,OPXO7VMOFSBCJMJUJFT4JHOBUVSFT – 5SPKBO#BDLEPPS"DDFTT – 0VUCPVOE%BUB-FBLBHF – "OUJ7JSVTBOE%P4 VUJMJUZTDSJQUT

12.

$43'(VBSE 1SPKFDU • ΫϩεαΠτɾϦΫΤετϑΥʔδΣϦ $43' ରࡦϥΠϒϥϦ

13.

"QQ4FOTPS 1SPKFDU • ΞϓϦέʔγϣϯϨΠϠʔʹର͢Δ৵ೖݕ஌ͱࣗಈԠ౴ͷͨΊͷ ϑϨʔϜϫʔΫ – ΞϓϦέʔγϣϯʹ๷ޚ૚Λ࣮૷͢Δ • ݕग़ –
Ҏ্ͷݕग़ϙΠϯτͰ߈ܸΛݕ஌ • Ԡ౴ – ߈ܸΛݕग़ͨ͠ޙͷΞΫγϣϯ – ϢʔβʔͷϩάΞ΢τɺΞΧ΢ϯτϩοΫɺ؅ཧऀ΁ͷ௨஌ͳͲ • ΞϓϦέʔγϣϯͷ๷ޚ

14.

"QQMJDBUJPO4FDVSJUZ7FSJGJDBUJPO4UBOEBSE 1SPKFDU • "474 "QQMJDBUJPO4FDVSJUZ7FSJGJDBUJPO4UBOEBSE • ΞϓϦέʔγϣϯͷηΩϡϦςΟධՁͷͨΊͷݕࠪඪ४ – ࣗಈ·ͨ͸खಈͷηΩϡϦςΟςετٴͼίʔυϨϏϡʔํࣜͷཁ݅
• -W0QQPSUVOJTUJD • -W4UBOEBSE • -W"EWBODFE ೔ຊޠ൛ΞϦ㽂

15.

4PGUXBSF"TTVSBODF.BUVSJUZ.PEFM • 4".. 4PGUXBSF"TTVSBODF.BUVSJUZ.PEFM ɿιϑτ΢ΣΞ ηΩϡϦςΟอো੒ख़౓Ϟσϧ • ϦεΫʹ߹Θͤͨιϑτ΢ΣΞηΩϡϦςΟઓུΛ࣮૷͢ΔͨΊ ͷϑϨʔϜϫʔΫ ೔ຊޠ൛ΞϦ㽂

16.

5FTUJOH(VJEF • 8FCαΠτʗΞϓϦέʔγϣϯͷςετΨΠυɺશϖʔδ ʢ7FSʣ • ֤੬ऑੑɺػೳผͷςετํ๏ – *OGPSNBUJPO(BUIFSJOH $POGJHVSBUJPO.BOBHFNFOU5FTUJOH
"VUIFOUJDBUJPO5FTUJOH 4FTTJPO.BOBHFNFOU "VUIPSJ[BUJPO 5FTUJOH #VTJOFTTMPHJDUFTUJOH %BUB7BMJEBUJPO5FTUJOH %P4 5FTUJOH 8FC4FSWJDFT5FTUJOH "+"95FTUJOH

17.

8FCγεςϜʗ8FCΞϓϦέʔγϣϯ ηΩϡϦςΟཁ݅ॻ • 8FCγεςϜʗ8FCΞϓϦέʔγϣϯ։ൃͷͨΊͷཁ݅ఆٛॻ – Ұൠతʹ੝ΓࠐΉ΂͖ηΩϡϦςΟཁ݅ఆٛॻ – ։ൃݴޠ΍ϑϨʔϜϫʔΫʹґଘ͠ͳ͍ • 08"41+BQBOηΩϡϦςΟཁ݅ఆٛॻ8(

18.

੬ऑੑ਍அ࢜εΩϧϚοϓϓϩδΣΫτ • ੬ऑੑ਍அΛߦ͏ݸਓͷٕज़తͳೳྗΛ۩ମతʹ͢Δ • ੬ऑੑ਍அΛߦ͏ٕज़ऀʢҎԼɺ੬ऑੑ਍அ࢜ʣͷεΩϧϚοϓ ͱֶशͷࢦ਑ͱͳΔγϥόεɺ੬ऑੑ਍அΛߦ͏ͨΊͷΨΠυϥ ΠϯͳͲΛ੔උ • *40(+ͱ08"41 +BQBOͷڞಉ8(

19.

8FCΞϓϦέʔγϣϯ੬ऑੑ਍அΨΠυϥΠϯ • खಈ਍அิॿπʔϧΛ࢖ͬͨ8FCΞϓϦέʔγϣϯ੬ऑੑ਍அ ʹ࢖༻͢ΔΨΠυϥΠϯ – 42-J 944ͳͲͷ۩ମతͳ਍அύλʔϯ

20.

੬ऑੑ਍அ ॳ৺ऀϋϯζΦϯτϨʔχϯά • ೥݄೔ ౔ ։࠵ • ืूਓ਺໊ <͢Ͱʹຬ੮> IUUQTQFOUFTUXFCDPOOQBTTDPNFWFOU

21.

օ͞ΜͷڠྗͰ੒Γཱ͍ͬͯ·͢ • ೔ຊޠ൛͕ͳ͍ϓϩδΣΫτ΋͍͔ͭ͘ • ఀ଺͍ͯ͠ΔϓϩδΣΫτ΋͍͔ͭ͘ • ϘϥϯςΟΞͷྗΛඞཁͱ͍ͯ͠·͢

22.

+PJOVT

OWT2017JP - OWASP Project Overview for Developers

OWT2017JP - OWASP Project Overview for Developers

OWASP Japan

Want more?

Transcript

08"41ͷา͖ํ 085 08"41+BQBO $IBQUFS-FBEFS 4FO6&/0 08"411SPKFDU0WFSWJFX GPS%FWFMPQFST

08"411SPKFDU

'MBHTIJQ1SPKFDUT • 5PPMT – 08"41;FE"UUBDL1SPYZ – 08"418FC5FTUJOH&OWJSPONFOU1SPKFDU – 08"41085' –

08"415PQ3$ • 8FCΞϓϦέʔγϣϯ੬ऑੑτοϓ 3$3FKFDUFE ݄Լ०ϦϦʔε༧ఆ

08"415PQGPS ೔ຊޠ൛ΞϦ㽂

;"1 • ;"1 ;FE"UUBDL1SPYZ • 8FCΞϓϦέʔγϣϯ੬ऑੑεΩϟφʔ ೔ຊޠ൛ΞϦ㽂

8FC5FTUJOH&OWJSPONFOU • ओʹ08"41ͷΞϓϦέʔγϣϯηΩϡϦςΟπʔϧͱυΩϡϝ ϯτͷ٧Ί߹Θͤ -JOVYEJTU • 08"41ͷ֤छϓϩδΣΫτ – πʔϧ΍υΩϡϝϯτ –

085' • 085' 0GGFOTJWF8FC5FTUJOH'SBNFXPSL – ࣗಈ਍அπʔϧ – 08"415FTUJOH(VJEF 15&4 UIF1FOFUSBUJPO5FTUJOH&YFDVUJPO

08"41%FQFOEFODZ$IFDL • 8FCΞϓϦέʔγϣϯͷத͔Β੬ऑੑͷ͋ΔίϯϙʔωϯτΛ ൃݟ͢ΔεΩϟφʔ – +BWB /&5ʹରԠ • 3VCZ /PEFKT

08"414FDVSJUZ4IFQIFSE • 8FCͱϞόΠϧͷΞϓϦέʔγϣϯηΩϡϦςΟͷͨΊͷτ Ϩʔχϯάπʔϧ – ηΩϡϦςΟΛֶͿͨΊͷϋϯζΦϯ؀ڥ – $5'ϞʔυɺΦʔϓϯϑϩΞϞʔυɺτʔφϝϯτϞʔυͳͲΛඋ͑Δ • 5FBDIJOH5PPMGPS"MM"QQMJDBUJPO4FDVSJUZ

.PE4FDVSJUZ $PSF3VMF4FU1SPKFDU • .PE4FDVSJUZ – 0QFO4PVSDF8FC"QQMJDBUJPO'JSFXBMM • .PE4FDVSJUZ Ͱ࢖͑Δϧʔϧηοτ –

$43'(VBSE 1SPKFDU • ΫϩεαΠτɾϦΫΤετϑΥʔδΣϦ $43' ରࡦϥΠϒϥϦ

"QQ4FOTPS 1SPKFDU • ΞϓϦέʔγϣϯϨΠϠʔʹର͢Δ৵ೖݕ஌ͱࣗಈԠ౴ͷͨΊͷ ϑϨʔϜϫʔΫ – ΞϓϦέʔγϣϯʹ๷ޚ૚Λ࣮૷͢Δ • ݕग़ –

"QQMJDBUJPO4FDVSJUZ7FSJGJDBUJPO4UBOEBSE 1SPKFDU • "474 "QQMJDBUJPO4FDVSJUZ7FSJGJDBUJPO4UBOEBSE • ΞϓϦέʔγϣϯͷηΩϡϦςΟධՁͷͨΊͷݕࠪඪ४ – ࣗಈ·ͨ͸खಈͷηΩϡϦςΟςετٴͼίʔυϨϏϡʔํࣜͷཁ݅

4PGUXBSF"TTVSBODF.BUVSJUZ.PEFM • 4".. 4PGUXBSF"TTVSBODF.BUVSJUZ.PEFM ɿιϑτ΢ΣΞ ηΩϡϦςΟอো੒ख़౓Ϟσϧ • ϦεΫʹ߹Θͤͨιϑτ΢ΣΞηΩϡϦςΟઓུΛ࣮૷͢ΔͨΊ ͷϑϨʔϜϫʔΫ ೔ຊޠ൛ΞϦ㽂

5FTUJOH(VJEF • 8FCαΠτʗΞϓϦέʔγϣϯͷςετΨΠυɺશϖʔδ ʢ7FSʣ • ֤੬ऑੑɺػೳผͷςετํ๏ – *OGPSNBUJPO(BUIFSJOH $POGJHVSBUJPO.BOBHFNFOU5FTUJOH

8FCγεςϜʗ8FCΞϓϦέʔγϣϯ ηΩϡϦςΟཁ݅ॻ • 8FCγεςϜʗ8FCΞϓϦέʔγϣϯ։ൃͷͨΊͷཁ݅ఆٛॻ – Ұൠతʹ੝ΓࠐΉ΂͖ηΩϡϦςΟཁ݅ఆٛॻ – ։ൃݴޠ΍ϑϨʔϜϫʔΫʹґଘ͠ͳ͍ • 08"41+BQBOηΩϡϦςΟཁ݅ఆٛॻ8(

੬ऑੑ਍அ࢜εΩϧϚοϓϓϩδΣΫτ • ੬ऑੑ਍அΛߦ͏ݸਓͷٕज़తͳೳྗΛ۩ମతʹ͢Δ • ੬ऑੑ਍அΛߦ͏ٕज़ऀʢҎԼɺ੬ऑੑ਍அ࢜ʣͷεΩϧϚοϓ ͱֶशͷࢦ਑ͱͳΔγϥόεɺ੬ऑੑ਍அΛߦ͏ͨΊͷΨΠυϥ ΠϯͳͲΛ੔උ • *40(+ͱ08"41 +BQBOͷڞಉ8(

8FCΞϓϦέʔγϣϯ੬ऑੑ਍அΨΠυϥΠϯ • खಈ਍அิॿπʔϧΛ࢖ͬͨ8FCΞϓϦέʔγϣϯ੬ऑੑ਍அ ʹ࢖༻͢ΔΨΠυϥΠϯ – 42-J 944ͳͲͷ۩ମతͳ਍அύλʔϯ

੬ऑੑ਍அ ॳ৺ऀϋϯζΦϯτϨʔχϯά • ೥݄೔ ౔ ։࠵ • ืूਓ਺໊ <͢Ͱʹຬ੮> IUUQTQFOUFTUXFCDPOOQBTTDPNFWFOU

օ͞ΜͷڠྗͰ੒Γཱ͍ͬͯ·͢ • ೔ຊޠ൛͕ͳ͍ϓϩδΣΫτ΋͍͔ͭ͘ • ఀ଺͍ͯ͠ΔϓϩδΣΫτ΋͍͔ͭ͘ • ϘϥϯςΟΞͷྗΛඞཁͱ͍ͯ͠·͢

+PJOVT