Upgrade to Pro — share decks privately, control downloads, hide ads and more …

NetskopeにみるWebサービスの信頼性評価 / Reliability evaluati...

Avatar for 石川 博 石川 博
December 14, 2018

NetskopeにみるWebサービスの信頼性評価 / Reliability evaluation of Web service by Netskope

OWASP Evening Okinawa #10
https://owasp-okinawa.doorkeeper.jp/events/83993

LTさせていただきました。
「NetskopeにみるWebサービスの信頼性評価」

Avatar for 石川 博

石川 博

December 14, 2018
Tweet

More Decks by 石川 博

Other Decks in Technology

Transcript

  1. ৘γεͷཱ৔Ͱߟ͑Δ w ͜ͷ8FCαʔϏεΛ࢖ͬͯʢ৴པͯ͠ʣେৎ෉ʁ w ͓ܾ·Γͷ৘ใηΩϡϦςΟͷݪଇɿ$*" w $POpEFOUJBMJUZɿػີੑ w *OUFHSJUZɿ׬શੑ w

    "WBJMBCJMMJUZɿՄ༻ੑ ৘ใ࿙Ӯ͸ා͍͠ɺ৘ใΛվ͟Μ͞ΕͨΒࠔΔ͠ɺ͕ͬͭΓ࢖ͬͯͯ αʔϏεऴྃ͞ΕΔͷݏͩ͠ɺ͋Ε΋ؾʹͳΔɺ͜Ε΋ؾʹͳΔɺɺɺ ԿΛͲ͏΍ͬͯ֬ೝ͢Ε͹Α͍ͷʁ
  2. /FUTLPQF͞Μʹڭ͑ͯ΋Β͓͏ w $"4# $MPVE"DDFTT4FDVSJUZ#SPLFSʣαʔϏε w 8FCαʔϏεͷར༻࣮ଶͷՄࢹԽ΍
 σʔλɾϓϩςΫγϣϯɺΨόφϯεΛ࣮ݱ w $$*ʢ$MPVE$POpEFOU*OEFYʣػೳ w

    /FUTLPQFͷಠࣗධՁͰΫϥ΢υαʔϏεͷ
 ৴པੑΛ఺਺Խ w 4BB4࠾༻࣌ͷࢀߟ৘ใ w /FUTLPQFͷධՁ߲໨ˠར༻࣌ʹؾʹ͢΂͖ࢦඪ
  3. /FUTLPQFͷධՁ߲໨ w ̓ͭͷΧςΰϦ w ୈࡾऀೝূ w σʔλอޢ w ΞΫηείϯτϩʔϧ w

    ؂ࠪੑ w ࡂରϏδωεܧଓੑ w σʔλॴ༗ݖݸਓ৘ใอޢ w ੬ऑੑѱ༻
  4. /FUTLPQFͷධՁ߲໨ w ̓ͭͷΧςΰϦ w ୈࡾऀೝূ w σʔλอޢ w ΞΫηείϯτϩʔϧ w

    ؂ࠪੑ w ࡂରϏδωεܧଓੑ w σʔλॴ༗ݖݸਓ৘ใอޢ w ੬ऑੑѱ༻ • ίϯϓϥΠΞϯεೝূ • HIPAA • PCIDSS • SP800-53/FedRAMP • GAPP • COBIT • TRUSTe • Privacy Shield • PrivacyMark (Japan) • σʔληϯλʔͷ४ڌঢ়گ • SOC-1 • SOC-2 • SOC-3 • SAS70/SSAE 16/SSAE 18 • ISO27001 • ISO/IEC 27018 • Cyber Essentials/ Cyber Essentials Plus (UK) • C5 (Germany)
  5. /FUTLPQFͷධՁ߲໨ w ̓ͭͷΧςΰϦ w ୈࡾऀೝূ w σʔλอޢ w ΞΫηείϯτϩʔϧ w

    ؂ࠪੑ w ࡂରϏδωεܧଓੑ w σʔλॴ༗ݖݸਓ৘ใอޢ w ੬ऑੑѱ༻ • อ؅σʔλͷ҉߸Խ • RSA • DES • BitLocker • Blowfish • AES • ௨৴ͷ҉߸Խ • ҉߸ԽʹශऑͳΞϧΰϦζϜ࢖ͬͯͳ͍ʁ • SHA1 with RSA/1024 Bits • SHA1 with RSA/2048 Bits • SHA1 with RSA/4096 Bits • HTTPηΩϡϦςΟϔομʔ࢖ͬͯΔʁ • Content Security Policy • XSS-Protection • HTTP Strict Transport Security • X-Content-Type-Options • X-Frame-Options
  6. /FUTLPQFͷධՁ߲໨ w ̓ͭͷΧςΰϦ w ୈࡾऀೝূ w σʔλอޢ w ΞΫηείϯτϩʔϧ w

    ؂ࠪੑ w ࡂରϏδωεܧଓੑ w σʔλॴ༗ݖݸਓ৘ใอޢ w ੬ऑੑѱ༻ • role-based authorizationΛ࠾༻ͯ͠ ͍Δʁ • Ϣʔβૢ࡞ʹରͯ͠ɺೝՄϙϦγʔ Λద༻͍ͯ͠Δʁ • ઀ଓݩIPΞυϨε੍ݶͰ͖Δʁ • ύεϫʔυϙϦγʔΛద༻Ͱ͖Δʁ • SSO/AD hooks • SAML • OAuth • OpenID • Facebook • Twitter • AD/LDAP • Google Sign-in • Linkedin
  7. /FUTLPQFͷධՁ߲໨ w ̓ͭͷΧςΰϦ w ୈࡾऀೝূ w σʔλอޢ w ΞΫηείϯτϩʔϧ w

    ؂ࠪੑ w ࡂରϏδωεܧଓੑ w σʔλॴ༗ݖݸਓ৘ใอޢ w ੬ऑੑѱ༻ •Does the app provide admin audit logs? •Does the app provide user audit logs? •Does the app provide data access audit logs?
  8. /FUTLPQFͷධՁ߲໨ w ̓ͭͷΧςΰϦ w ୈࡾऀೝূ w σʔλอޢ w ΞΫηείϯτϩʔϧ w

    ؂ࠪੑ w ࡂରϏδωεܧଓੑ w σʔλॴ༗ݖݸਓ৘ใอޢ w ੬ऑੑѱ༻ • ΠϯϑϥͷεςʔλεϨϙʔτΛఏ ڙ͍ͯ͠Δʁ • ΞϓϦͷόʔδϣϯΞοϓܭըΛ௨ ஌ͯ͠Δʁ • ԕִ஍ʹσʔλΛόοΫΞοϓͯ͠ Δʁ • σʔληϯλ͸஍ཧతʹ෼ࢄͤͯ͞ ͍Δʁ • Ͳ͜ͷج൫Λ࢖ͬͯΔʁʢlaaS౳ʣ
  9. /FUTLPQFͷධՁ߲໨ w ̓ͭͷΧςΰϦ w ୈࡾऀೝূ w σʔλอޢ w ΞΫηείϯτϩʔϧ w

    ؂ࠪੑ w ࡂରϏδωεܧଓੑ w σʔλॴ༗ݖݸਓ৘ใอޢ w ੬ऑੑѱ༻ • γεςϜʹొ࿥ͨ͠σʔλ͸୭ͷ΋ ͷʁ • Customer owns the data • Vendor owns the data • ܖ໿ऴྃ࣌ʹ͸σʔλΛฦͯ͠΋Β͑ Δʁ • Available immediately • Not Supported by Vendor • ܖ໿ऴྃ࣌ʹ͸ͪΌΜͱσʔλΛফڈ ͯ͘͠ΕΔʁͲΕ͙Β͍ͷεϐʔυ ײʁʁ • Within a week • Within a month • Later than a month • Not Supported by Vendor • Ͳ͜ͷࠃ͔ΒαʔϏεఏڙ͍ͯ͠Δʁʁ
  10. /FUTLPQFͷධՁ߲໨ w ̓ͭͷΧςΰϦ w ୈࡾऀೝূ w σʔλอޢ w ΞΫηείϯτϩʔϧ w

    ؂ࠪੑ w ࡂରϏδωεܧଓੑ w σʔλॴ༗ݖݸਓ৘ใอޢ w ੬ऑੑѱ༻ •ط஌ͷ੬ऑੑ͸ͳ͍ʁ • Heartbleed • OpenSSL CCS Injection • POODLE SSL v3 fallback • FREAK • Logjam • DROWN • Cloudbleed •࠷ۙɺ߈ܸ͞Εͨ͜ͱ͋Δʁ
  11. )3ΧςΰϦͩͱ͜Μͳײ͡ "ࣾ #ࣾ $ࣾ %ࣾ ୈࡾऀೝূ ʷ ʷ ˓ ˕

    σʔλอޢ ʷ ʷ ˓ ˕ ΞΫηε ίϯτϩʔϧ ʷ ʷ ˓ ˓ ؂ࠪੑ ˓ ʷ ˓ ˓ ࡂର Ϗδωεܧଓੑ ʷ ˓ ʷ ˕ σʔλॴ༗ݖ ݸਓ৘ใอޢ ˓ ˓ ˓ ˓ ੬ऑੑѱ༻   ˓ ˓ ఺਺ ఺ ఺ ఺ ఺
  12. )3ΧςΰϦͩͱ͜Μͳײ͡ "ࣾ #ࣾ $ࣾ %ࣾ ୈࡾऀೝূ ʷ ʷ ˓ ˕

    σʔλอޢ ʷ ʷ ˓ ˕ ΞΫηε ίϯτϩʔϧ ʷ ʷ ˕ ˕ ؂ࠪੑ ˓ ʷ ˓ ˓ ࡂର Ϗδωεܧଓੑ ʷ ˓ ʷ ˕ σʔλॴ༗ݖ ݸਓ৘ใอޢ ˓ ˓ ˓ ˓ ੬ऑੑѱ༻   ˓ ˓ ఺਺ ఺ ఺ ఺ ఺ ͬ͘͞ͱ఺਺61 ߴಘ఺ͷཁૉ
  13. /FUTLPQF͞ΜʹධՁ͞ΕΔʹ͸ʜ w ࣗࣾଞऀαʔϏεͷௐࠪ݁Ռ
 ˠࣄ࣮ͱҟͳΔ৘ใ͕݁ߏଟ͍ w ௨৴σʔλͷ҉߸Խʢ)5514Խʣͷঢ়گ w ࢖༻͍ͯ͠ΔΠϯϑϥج൫
 ˠαʔϏεͦͷ΋ͷͰ͸ͳ͘ɺϗʔϜϖʔδ Ͱ൑அ͍ͯ͠ΔͬΆ͍

    w $$*ʹొ࿥͞Ε͍ͯΔΫϥ΢υαʔϏε ɹɹˠ໿ ݸʢશ෦ௐ΂ΒΕΔΘ͚ͳ͍ɺɺʣ ৘ใެ։͕େࣄʂʂ w ϗϫΠτϖʔύʔʢγεςϜߏ੒ʣ w ηΩϡϦςΟϙϦγʔɺ౳ʑ ಁ໌ੑ͕৴པʹͭͳ͕Δʂʂ