
Security study session (セキュリティ勉強会) / How do we confront the threat

TomoyaKitaura

April 14, 2021

Transcript

  1. Contents
     1. What even is security? (literally, "Is security tasty?")
        - What damage do we suffer if an attack succeeds
        - The 10 major threats, explained in one line each
     2. How to face up to security
        ▪ As an organization
          - How can we say with confidence that we are safe?
          - How much cost and effort is appropriate?
        ▪ As an engineer
          - Who needs to be aware of what?
          - How should we go about studying?
  2. What damage do we suffer if we are attacked
     - Financial loss
       Payment of damages
       Development cost of recovery work, plus various other response costs
     - Loss of customers
       Customer churn caused by a drop in public reputation
       Clients suspending their orders
     - Obstruction of business continuity
       Loss of staff
     - Delays to new feature development
       Engineering capacity lost because recovery work takes priority
  3. The 10 major threats, explained in one line each (the OWASP Top 10 2017 categories; the link is to the Japanese edition)
     - Injection
     - Broken Authentication
     - Sensitive Data Exposure
     - XML External Entities (XXE)
     - Broken Access Control
     - Security Misconfiguration
     - Cross-Site Scripting (XSS)
     - Insecure Deserialization
     - Using Components with Known Vulnerabilities
     - Insufficient Logging & Monitoring
     https://wiki.owasp.org/images/2/23/OWASP_Top_10-2017%28ja%29.pdf
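Injection is the first item on that list. As an added illustration that is not part of the slides, the Python below puts the classic SQL injection beside its parameterized fix: the in-memory users table, the credentials and the tautology payload are all constructed for this example, and the function names are the example's own.

```python
import sqlite3


def make_db():
    """Constructed sample data for this example: an in-memory SQLite users
    table, so the whole thing runs offline. Passwords are stored in plain
    text only to keep the injection point obvious; real code hashes them."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, name, password):
    """Builds the statement by string concatenation, so the caller's input is
    parsed as SQL grammar rather than treated as a value. Returns the names
    of the rows that matched (an empty list means the login failed)."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """Same lookup with bound parameters: the values travel separately from
    the statement text, so quotes or keywords in the input stay plain data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


# A tautology payload: it closes the password literal early and appends a
# condition that is always true. Operator precedence turns the WHERE clause
# into  (name = 'alice' AND password = '') OR '1' = '1'
# so every row matches regardless of the password.
TAUTOLOGY = "' OR '1'='1"


if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, "bob", "hunter2"))    # ['bob']: a normal login works in both
    print(login_vulnerable(conn, "alice", TAUTOLOGY))  # ['alice', 'bob']: password check bypassed
    print(login_safe(conn, "alice", TAUTOLOGY))        # []: the payload is just a wrong password
```

A WAF of the kind listed on a later slide may well block this particular string, but the parameterized query removes the whole class of bug rather than one payload, which is why it is the fix the OWASP guidance recommends.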
  4. How can we say with confidence that we are safe?
     - WAF applied
     - Access permissions optimized as well
     - Multi-factor authentication made mandatory as well
     - IDS deployed as well
     - Penetration test run in the CI/CD process at deploy time as well
     - ...etc.
     If we have done all this, we are all set...
  5. [Actually, these are the security measures thought up two years ago, within the scope of what was known at the time]
     - WAF applied
     - Access permissions optimized as well
     - Multi-factor authentication made mandatory as well
     - IDS deployed as well
     - Penetration test run in the CI/CD process at deploy time as well
     - ...etc.
     [Threats it would not be surprising to see occur]
     - New threats that became known a year ago
     - Threats outside the scope of what we know about
     - Threats arising because the security measures we deployed have become technically obsolete
  6. [Actually, these are the security measures thought up two years ago, within the scope of what was known at the time]
     - WAF applied
     - Access permissions optimized as well
     - Multi-factor authentication made mandatory as well
     - IDS deployed as well
     - Penetration test run in the CI/CD process at deploy time as well
     - ...etc.
     [Threats it would not be surprising to see occur]
     - New threats that became known a year ago
     - Threats outside the scope of what we know about
     - Threats arising because the security measures we deployed have become technically obsolete
     What went wrong...?
  7. The importance of continuous investment
     - The biggest source of anxiety is having no process to fall back on when a security problem occurs
     - If a problem does occur despite continuous activity, all you need to do is review the process of that activity itself; that, I personally think, is how an organization grows stronger.
  8. What happens to engineering effort when a problem occurs
     Example of effort while a problem is being handled: incident response 60%, operations 40%
     - When a security problem occurs, there are many cases where new feature development has to be halted
     - In the sense of not stopping new feature development, it is also useful to think of security activity as an investment
  9. How to study security (Web edition)
     - OWASP Top 10 (2017)
       Lets you learn the trends in threats
     - OWASP Top 10 Proactive Controls (2018)
       Introduces the countermeasures considered effective for every development team
     - Google Chrome security updates
       In some cases they explain the circumstances and background that led to the update
     - 安全なウェブサイトの作り方 ("How to Build a Secure Website", IPA)
       Comprehensively documents the details of concrete attacks and their countermeasures