Slide 1

Slide 1 text

Security study session ~ How should we face up to threats? ~ 2021/04/12 Kitaura

Slide 2

Slide 2 text

Today's goal: Security measures, how should we tackle them from now on? ↓ (Once we know) let's actually work on them!

Slide 3

Slide 3 text

Contents
1. Is security worth it?
- What damage do we suffer when an attack succeeds
- The top 10 threats, explained in one line each
2. How to engage with security
■ As an organization
- When can we declare ourselves safe?
- How much cost and effort is appropriate?
■ As an engineer
- Who needs to be aware of what?
- How should we study it?

Slide 4

Slide 4 text

1. Is security worth it?

Slide 5

Slide 5 text

What damage do we suffer when attacked
- Financial loss
  Paying damages and compensation
  Development costs for recovery work and various other response costs
- Loss of customers
  Customer churn caused by a drop in public reputation
  Order suspensions from business partners
- Obstruction of business continuity
  Loss of staff
- Delays to new feature development
  Effort lost because recovery work takes priority

Slide 6

Slide 6 text

The top 10 threats, explained in one line each
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging and Monitoring
https://wiki.owasp.org/images/2/23/OWASP_Top_10-2017%28ja%29.pdf

Slide 7

Slide 7 text

Injection ■ What it is: A threat where supplying string input the developer never anticipated to a vulnerable system lets an attacker take over or tamper with the system.
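As an added illustration of the definition above (not part of the original slides): a lookup built by string concatenation next to its parameterized form, using Python's sqlite3 module and a constructed in-memory table, showing how the same unanticipated input changes the statement in one case and is treated as plain data in the other.

```python
import sqlite3

# Constructed sample table: a tiny in-memory user directory.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list[str]:
    # The input is pasted into the SQL text, so quote characters inside it
    # change the structure of the statement instead of being data.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list[str]:
    # Placeholder binding keeps the statement fixed; the driver passes the
    # whole string as one value, whatever characters it contains.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

# Constructed input outside the developer's assumption of "a plain user name".
UNEXPECTED_INPUT = "x' OR 'a'='a"

def demo() -> tuple[list[str], list[str]]:
    conn = build_db()
    return (
        lookup_vulnerable(conn, UNEXPECTED_INPUT),
        lookup_parameterized(conn, UNEXPECTED_INPUT),
    )

if __name__ == "__main__":
    vulnerable, safe = demo()
    print("string concatenation:", vulnerable)  # every row in the table
    print("parameterized query: ", safe)        # [] (no such user)
```

The parameterized version is the mitigation the slide's definition points at: the developer's intended statement is fixed before any user input is seen.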

Slide 8

Slide 8 text

Broken Authentication ■ What it is: A threat where the intended state, "the people who hold the correct access rights hold them correctly", is violated through a flaw.

Slide 9

Slide 9 text

Sensitive Data Exposure ■ What it is: A threat where important data is unintentionally left unencrypted or publicly exposed, so that third parties can read it.

Slide 10

Slide 10 text

XML External Entities (XXE) ■ What it is: A threat where the XML processor's own specification is turned against it to enable a variety of attacks.

Slide 11

Slide 11 text

Broken Access Control ■ What it is: A threat where functions beyond the access rights actually required can be executed, leaving access rights management as a whole weak.

Slide 12

Slide 12 text

Security Misconfiguration ■ What it is: A threat where human error or inappropriate settings give rise to a variety of vulnerabilities.

Slide 13

Slide 13 text

Cross-Site Scripting ■ Attack: A threat where a malicious script can be made to run with the domain privileges of the vulnerable target site.

Slide 14

Slide 14 text

Insecure Deserialization ■ Attack: A threat where a vulnerable data-conversion routine is made to execute a malicious program.

Slide 15

Slide 15 text

Using Components with Known Vulnerabilities ■ Attack: A threat where continuing to use components whose vulnerabilities are publicly known, without addressing them, allows a variety of attacks.

Slide 16

Slide 16 text

Insufficient Logging and Monitoring ■ Attack: A threat where evidence is needed for early detection of attacks and for taking legal action against attackers, but because it is insufficient, recovery actions cannot be carried out.

Slide 17

Slide 17 text

2. How to engage with security

Slide 18

Slide 18 text

~ As an organization ~ When can we declare ourselves safe?

Slide 19

Slide 19 text

When can we declare ourselves safe?
- WAF applied
- Access rights optimized too
- Multi-factor authentication made mandatory too
- IDS deployed too
- Penetration tests run in the CI/CD process at deploy time too
- …etc
If we've done this much, we're all set...

Slide 20

Slide 20 text

When can we declare ourselves safe? ...and yet it doesn't turn out that way. Why is that?

Slide 21

Slide 21 text

[Security measures we actually planned two years ago, within the area we knew about]
- WAF applied
- Access rights optimized too
- Multi-factor authentication made mandatory too
- IDS deployed too
- Penetration tests run in the CI/CD process at deploy time too
- …etc
[Threats that could well occur]
- New threats that became known one year ago
- Threats outside the area we know about
- Threats arising because the security measures we deployed have become technically obsolete

Slide 22

Slide 22 text

[Security measures we actually planned two years ago, within the area we knew about]
- WAF applied
- Access rights optimized too
- Multi-factor authentication made mandatory too
- IDS deployed too
- Penetration tests run in the CI/CD process at deploy time too
- …etc
[Threats that could well occur]
- New threats that became known one year ago
- Threats outside the area we know about
- Threats arising because the security measures we deployed have become technically obsolete
What went wrong...?

Slide 23

Slide 23 text

The importance of continuous investment
- The biggest cause for concern is having no process to follow when a security problem occurs
- If a problem occurs even after continuous activity, you only need to review the process of that activity itself; personally I think that is how organizations become stronger.

Slide 24

Slide 24 text

~ As an organization ~ How much cost and effort is appropriate?

Slide 25

Slide 25 text

How much cost and effort is appropriate? Current example: Operations 40%, New feature development 60%

Slide 26

Slide 26 text

How much cost and effort is appropriate?
Example 1: Security 40%, Operations 40%, New feature development 20% ("Security is justice!!")
Example 2: Security 5%, Operations 40%, New feature development 55% ("Customer acquisition comes first!!")

Slide 27

Slide 27 text

What happens to effort when a problem occurs? Example at incident time: Incident response 60%, Operations 40%
- When a security problem occurs, there are many cases where new feature development is forced to stop
- In the sense of not having to stop new feature development, the view that security activity is an investment is also useful

Slide 28

Slide 28 text

Plan investment appropriately and maximize the return
- Start by carrying out a current-state assessment task
- From the assessment results, plan and execute the measure that looks like the best return on investment, and secure the effort for it; optimize by repeating this cycle (assuming things will change)
- Run the assessment task continuously, and don't forget to update the assessment contents and methods as well
- For the measures themselves, cheap, good and fast is justice

Slide 29

Slide 29 text

~ As an engineer ~ Who needs to be aware of what?

Slide 30

Slide 30 text

Who needs to be aware? What is defense in depth: A comprehensive security approach that combines security measures into layers, so that even when one measure is defeated, the next (and the one after that) holds the attack back and makes it possible to detect and respond to it.

Slide 31

Slide 31 text

Who needs to be aware? In other words, if the layers are taken as front end, back end and infrastructure, each of them applying its own security measures builds stronger security overall. Considering more effective measures requires everyone's efforts.

Slide 32

Slide 32 text

Who needs to be aware? -> Everyone

Slide 33

Slide 33 text

~ As an engineer ~ How should we study?

Slide 34

Slide 34 text

How to study security (habits)
- Qiita
  https://qiita.com/
- Zenn
  https://zenn.dev/
- Developers IO
  https://dev.classmethod.jp/

Slide 35

Slide 35 text

How to study security (books)

Slide 36

Slide 36 text

How to study security (web)
- OWASP Top 10 ~2017~
  Lets you see the trends in threats
- OWASP Top 10 Proactive Controls ~2018~
  Introduces measures considered effective for every development team
- Google Chrome security updates
  In some cases they explain the history and background that led to the update
- How to Secure Your Web Site (IPA)
  Comprehensively describes the details of concrete attacks and their countermeasures

Slide 37

Slide 37 text

Today's goal, revisited: Security measures, how should we tackle them from now on? ↓ (Once we know) let's actually work on them!

Slide 38

Slide 38 text

Today's goal, revisited: I'd be glad if you take away even one thing and put it into practice.

Slide 39

Slide 39 text

Thank you for listening.