
NetskopeにみるWebサービスの信頼性評価 / Reliability evaluation of Web service by Netskope

石川 博
December 14, 2018


OWASP Evening Okinawa #10
https://owasp-okinawa.doorkeeper.jp/events/83993

I gave a lightning talk (LT):
"Reliability evaluation of Web services as seen through Netskope" (NetskopeにみるWebサービスの信頼性評価)


Transcript

  1. Reliability evaluation of Web services as seen through Netskope
    OWASP Evening Okinawa #10
    石川 博 (Hiroshi Ishikawa)

  2. About me
    CYDAS, Inc. (株式会社サイダス)
    Technology Division
    Productivity Unit
    石川 博 (Hiroshi Ishikawa)

  3. About me
    • From ____: SIer in a manufacturer group
      • Supporting OA-system-related work at financial institutions
    • From ____: a certain regional bank
      • In-house OA systems
    • From ____: Cydas
      • In-house corporate IT (情シス)

  4. About me
    • From ____: SIer in a manufacturer group
      • Supporting OA-system-related work at financial institutions
    • From ____: a certain regional bank
      • In-house OA systems
    • From ____: Cydas
      • In-house corporate IT (情シス)
      • Turned into Doraemon (ドラえもん化)

  5. What is Cydas?
    • A SaaS vendor of a talent management system
    • A system that centrally manages employees' skills, qualifications and so on,
      and supports career plans, transfer and placement planning, goal management
      and development planning

  6. What I will talk about today
    • How I looked for points for evaluating the reliability of a Web service from two viewpoints.
      • The viewpoint of corporate IT (情シス), i.e. the end-user side
      • The viewpoint of the SaaS vendor side

  7. Thinking from the corporate IT position
    • Is it OK to use (trust) this Web service?
    • The usual information security principles: CIA
      • Confidentiality: 機密性
      • Integrity: 完全性
      • Availability: 可用性
    Information leaks are scary, tampered data would be a problem, I don't want a service we rely on heavily to be shut down, this worries me, that worries me... What should I check, and how?

  8. Let's ask Netskope
    • A CASB (Cloud Access Security Broker) service
      • Provides visibility into actual Web service usage, data protection and governance
    • The CCI (Cloud Confidence Index) feature
      • Netskope's own assessment scores the reliability of cloud services
      • Reference information when adopting SaaS
    • Netskope's evaluation criteria → the indicators to watch when using a service

  9. The screen looks like this (screenshot)

  10. The screen looks like this (screenshot)

  11. Netskope's evaluation criteria
    • 7 categories
      • Third-party certification
      • Data protection
      • Access control
      • Auditability
      • Disaster recovery / business continuity
      • Data ownership / privacy
      • Vulnerabilities / exploits

  12. Netskope's evaluation criteria
    • 7 categories (third-party certification, data protection, access control, auditability,
      disaster recovery / business continuity, data ownership / privacy, vulnerabilities / exploits)
    Third-party certification:
    • Compliance certifications
      • HIPAA
      • PCI DSS
      • SP800-53 / FedRAMP
      • GAPP
      • COBIT
      • TRUSTe
      • Privacy Shield
      • PrivacyMark (Japan)
    • Data center compliance status
      • SOC-1
      • SOC-2
      • SOC-3
      • SAS70 / SSAE 16 / SSAE 18
      • ISO27001
      • ISO/IEC 27018
      • Cyber Essentials / Cyber Essentials Plus (UK)
      • C5 (Germany)

  13. Netskope's evaluation criteria
    • 7 categories (third-party certification, data protection, access control, auditability,
      disaster recovery / business continuity, data ownership / privacy, vulnerabilities / exploits)
    Data protection:
    • Encryption of stored data
      • RSA
      • DES
      • BitLocker
      • Blowfish
      • AES
    • Encryption of communications
      • Is a weak algorithm used for the encryption?
        • SHA1 with RSA/1024 bits
        • SHA1 with RSA/2048 bits
        • SHA1 with RSA/4096 bits
      • Are HTTP security headers used?
        • Content Security Policy
        • XSS-Protection
        • HTTP Strict Transport Security
        • X-Content-Type-Options
        • X-Frame-Options
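As an added example (not from the slides, Netskope, or Cydas), a small offline Python checker for the slide-13 data-protection items: it parses a constructed HTTP response head, lists which of the five security headers are missing, and flags a certificate signature that is SHA-1 based or uses an RSA key shorter than 2048 bits. The header names are the standard spellings of the items the slide lists; the sample responses and the simple 6-point score are assumptions for illustration.

```python
"""Offline checker for the 'data protection' items on slide 13: are the five
HTTP security headers set, and is the TLS certificate signed with a weak
(SHA-1 based) algorithm or a short RSA key? The responses below are
constructed samples; header names are the standard spellings of the slide's items."""
from typing import Dict, List, Tuple

# The five headers slide 13 lists.
SECURITY_HEADERS = ("Content-Security-Policy", "X-XSS-Protection",
                    "Strict-Transport-Security", "X-Content-Type-Options",
                    "X-Frame-Options")

def parse_header_block(raw: str) -> Dict[str, str]:
    """Turn a raw HTTP response head (status line + header lines) into a dict."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers

def missing_security_headers(headers: Dict[str, str]) -> List[str]:
    """Headers from the slide that the response does not set (case-insensitive)."""
    present = {name.lower() for name in headers}
    return [h for h in SECURITY_HEADERS if h.lower() not in present]

def is_weak_signature(sig_alg: str, rsa_bits: int) -> bool:
    """Slide 13 flags 'SHA1 with RSA' at 1024/2048/4096 bits, so any SHA-1
    signature counts as weak; an RSA key under 2048 bits is weak regardless."""
    return "sha1" in sig_alg.lower() or rsa_bits < 2048

def grade(raw_response: str, sig_alg: str, rsa_bits: int) -> Tuple[int, List[str]]:
    """One point per header present plus one for a strong signature (max 6),
    together with the findings a reviewer would raise with the vendor."""
    findings = [f"missing header: {h}"
                for h in missing_security_headers(parse_header_block(raw_response))]
    if is_weak_signature(sig_alg, rsa_bits):
        findings.append(f"weak certificate signature: {sig_alg}/{rsa_bits} bits")
    return len(SECURITY_HEADERS) + 1 - len(findings), findings

# Constructed samples: a vendor that sets only HSTS, and one that sets all five.
WEAK_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: nginx\r\n"
                 "Strict-Transport-Security: max-age=31536000\r\n")
STRONG_RESPONSE = "HTTP/1.1 200 OK\r\n" + "".join(f"{h}: set\r\n" for h in SECURITY_HEADERS)

if __name__ == "__main__":
    print(grade(WEAK_RESPONSE, "sha1WithRSAEncryption", 1024))     # score 1, five findings
    print(grade(STRONG_RESPONSE, "sha256WithRSAEncryption", 2048))  # (6, [])
```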

  14. Netskope's evaluation criteria
    • 7 categories (third-party certification, data protection, access control, auditability,
      disaster recovery / business continuity, data ownership / privacy, vulnerabilities / exploits)
    Access control:
    • Is role-based authorization used?
    • Are authorization policies applied to user operations?
    • Can source IP addresses be restricted?
    • Can a password policy be enforced?
    • SSO / AD hooks
      • SAML
      • OAuth
      • OpenID
      • Facebook
      • Twitter
      • AD/LDAP
      • Google Sign-in
      • LinkedIn

  15. Netskope's evaluation criteria
    • 7 categories (third-party certification, data protection, access control, auditability,
      disaster recovery / business continuity, data ownership / privacy, vulnerabilities / exploits)
    Auditability:
    • Does the app provide admin audit logs?
    • Does the app provide user audit logs?
    • Does the app provide data access audit logs?

  16. Netskope's evaluation criteria
    • 7 categories (third-party certification, data protection, access control, auditability,
      disaster recovery / business continuity, data ownership / privacy, vulnerabilities / exploits)
    Disaster recovery / business continuity:
    • Is an infrastructure status report provided?
    • Are application version-upgrade plans announced?
    • Is data backed up to a remote site?
    • Are the data centers geographically distributed?
    • Which platform is used? (IaaS, etc.)

  17. Netskope's evaluation criteria
    • 7 categories (third-party certification, data protection, access control, auditability,
      disaster recovery / business continuity, data ownership / privacy, vulnerabilities / exploits)
    Data ownership / privacy:
    • Who owns the data registered in the system?
      • Customer owns the data
      • Vendor owns the data
    • Can the data be returned at contract termination?
      • Available immediately
      • Not supported by vendor
    • Is the data properly deleted at contract termination? How quickly?
      • Within a week
      • Within a month
      • Later than a month
      • Not supported by vendor
    • From which country is the service provided?

  18. Netskope's evaluation criteria
    • 7 categories (third-party certification, data protection, access control, auditability,
      disaster recovery / business continuity, data ownership / privacy, vulnerabilities / exploits)
    Vulnerabilities / exploits:
    • Any known vulnerabilities?
      • Heartbleed
      • OpenSSL CCS Injection
      • POODLE SSL v3 fallback
      • FREAK
      • Logjam
      • DROWN
      • Cloudbleed
    • Has the service been attacked recently?

  19. Netskope's evaluation criteria
    Items that are not reflected in the score (?) but still matter
    • Business risk (financial risk)
      • If the vendor goes bankrupt, the service stops
    • GDPR compliance status
      • Personal data protection in the EU
      • Personal data in scope … names, location data, IP addresses, cookies, etc.
      • Fines start at ___万 EUR (about ___億 JPY)

  20. The SaaS vendor's viewpoint
    • I want to raise the score of our own service!!
    • To learn how points are allocated, I compared SaaS products with low to high scores.

  21. In the HR category it looks like this
    (Companies A to D; ◎ = best, ○ = good, × = poor)
    Category                                  A    B    C    D
    Third-party certification                 ×    ×    ○    ◎
    Data protection                           ×    ×    ○    ◎
    Access control                            ×    ×    ○    ○
    Auditability                              ○    ×    ○    ○
    Disaster recovery / business continuity   ×    ○    ×    ◎
    Data ownership / privacy                  ○    ○    ○    ○
    Vulnerabilities / exploits                ○    ○
    Score (points)                            __   __   __   __

  22. In the HR category it looks like this
    (Companies A to D; ◎ = best, ○ = good, × = poor)
    Category                                  A    B    C    D
    Third-party certification                 ×    ×    ○    ◎
    Data protection                           ×    ×    ○    ◎
    Access control                            ×    ×    ◎    ◎
    Auditability                              ○    ×    ○    ○
    Disaster recovery / business continuity   ×    ○    ×    ◎
    Data ownership / privacy                  ○    ○    ○    ○
    Vulnerabilities / exploits                ○    ○
    Score (points)                            __   __   __   __
    Quick score UP
    High-scoring elements

  23. High-scoring company D
    • Third-party certification

  24. To be rated well by Netskope…
    • Obtaining third-party certifications (governance)
      • Evaluates the organization's processes (its mechanisms)
      • The base from which every other kind of reliability grows
    • Access control: confidentiality
    • Data protection: integrity
    • Disaster recovery: availability
    Point allocation (guessed) → difficulty

  25. To be rated well by Netskope…
    • Survey results for our own and other companies' services
      → quite a lot of the information differs from the facts
      • Status of transport encryption (HTTPS)
      • The infrastructure platform in use
        Seems to be judged from the homepage rather than from the service itself (e.g. the registrar)
    • Cloud services registered in CCI
      → about ___ (no way they can check them all...)

  26. To be rated well by Netskope…
    • Survey results for our own and other companies' services
      → quite a lot of the information differs from the facts
      • Status of encryption of transmitted data (HTTPS)
      • The infrastructure platform in use
        → Seems to be judged from the homepage rather than from the service itself
    • Cloud services registered in CCI
      → about ___ (no way they can check them all...)
    Disclosure matters!!
    • White papers (system architecture)
    • Security policy, and so on
    Transparency leads to trust!!

  27. Summary
    Reliability evaluation of Web services as seen through Netskope
    • 7 categories
      • Third-party certification, data protection, access control, auditability,
        disaster recovery / business continuity, data ownership / privacy,
        vulnerabilities / exploits
    • The vendor's governance status carries the most weight
    • Transparency (disclosure) matters.
    • The organization's stance leads to trust

  28. Announcement: We are Hiring
    Come and work with us at Cydas!!
    • Product manager
    • UI/UX designer
    • Front-end engineer
    • Server-side engineer
    • Scrum master
    • Productivity engineer
    • Sales engineer
    ※ Casual dress code

  29. Announcement: a personal request
    • Information exchange (I want to share information widely and deeply, and have it shared with me)
    • Discussion with everyone (the "here is what I think about ~" series)
    • Take the output back to your own company
    • Okinawa companies ↑↑, and our working conditions ↑↑ too
    • …I want to hold events like that, so please join!!
    ひとり情シス ひとり情シス ひとり情シスズ (solo corporate IT admins)