Recommending Built-in Security (ビルトイン・セキュリティのススメ), Dev Days 2015 Tokyo - Riotaro OKADA
Transcript of Recommending Built-in Security (ビルトイン・セキュリティのススメ), Dev Days 2015 Tokyo - Riotaro OKADA
-
@okdt @owaspjapan
Hello
| Enabling Security for Developers |
2015 Asterisk Research, Inc. 1
-
https://commons.wikimedia.org/wiki/File:Verification_in_SE.jpg
-
https://www.reddit.com/r/funny/comments/1m628n/the_new_iphone_5s_provides_unmatched_security/
-
PRIORITY: Social impact; Business decisions
FULL-STACK: H/W; Network; Application; Database; Users
RISK: Point of failure; Unauthorized access; Disasters; Absence of key person
COMMUNICATION: Team; Stakeholders; Government; Community
-
-
1963 / 249420 = 0.0078
Less than 1%
-
Keynote: Facebook CSO Alex Stamos
-
RMS Titanic departing Southampton on April 10, 1912. (Photo: Creative Commons)
-
Intel Edison: SD-card-sized PC
Bluetooth/LE, Wi-Fi
24 x 32 x 2.1 mm
22 nm, 500 MHz, dual-core IA
Linux
1 GB RAM
4 GB storage
https://www.intel.com/content/www/us/en/do-it-yourself/edison.html
-
: OWASP Japan
-
: OWASP Japan
-
: OWASP ja.stackoverflow.com
-
: OWASP stackoverflow.com
-
-
OWASP Top 10
-
OWASP ASVS
Level 0
Level 1
Level 2
Level 3
-
Level 0
-
Level 1: Opportunistic
-
Level 2: Standard
Detailed Verification Requirements; OWASP Top 10
-
Level 3: Advanced
-
ASVS L3+
-
V2. Authentication Verification Requirements
Level 1: V2.1, V2.2, V2.6 (echo)
Level 2: V2.12, V2.13 (salt)
Level 3: V2.5
V. Identify
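The salt requirement the slide attaches to Level 2 (ASVS V2.13: per-account salt plus a slow key-derivation function) is easy to state and easy to get wrong, so here is an added example of compliant credential storage using only Python's standard library. This is not code from the talk; the choice of PBKDF2-HMAC-SHA256, the iteration count and the record format are assumptions (bcrypt or scrypt would satisfy the same requirement).

```python
# Added example (not from the talk): ASVS V2 credential storage with the
# standard library. Every account gets its own random salt and the password
# goes through a slow KDF, so identical passwords give different records and
# offline guessing is slowed. PBKDF2-HMAC-SHA256 and 200k iterations are
# assumptions; tune the work factor to your hardware.
import hashlib
import hmac
import os
from typing import Optional

KDF_NAME = "pbkdf2_sha256"
KDF_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = KDF_ITERATIONS) -> str:
    """Return a self-describing record: name$iterations$salt_hex$digest_hex.

    A fresh per-account salt comes from os.urandom unless one is supplied
    (supplying one is only useful for deterministic tests).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{KDF_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        name, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record: fail closed
    if name != KDF_NAME:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def unsalted_md5(password: str) -> str:
    """The anti-pattern the salt requirement rules out: fast and unsalted, so equal
    passwords give equal hashes and one precomputed table covers every account."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    pw = "correct horse battery staple"
    rec_a, rec_b = hash_password(pw), hash_password(pw)
    print("records differ for same password:", rec_a != rec_b)
    print("verify ok:", verify_password(pw, rec_a))
    print("unsalted md5 collides:", unsalted_md5(pw) == unsalted_md5(pw))
```

Storing the KDF name and iteration count inside the record lets the work factor be raised later without breaking existing accounts: old records still verify, and can be re-hashed on the next successful login.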
-
V8. Error Handling and Logging
Level 1: V8.1
Level 2: V8.2, V8.8
Level 3: V8.9
V. Identify
-
OWASP
-
OWASP Proactive Controls
Proactive Controls!
-
OWASP Internet of Things Top 10
https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project
I1 I2 I3 I4 I5 I6 I7 I8 I9 I10
-
OWASP IoT Top 10
-
OWASP Cheat Sheet Project
1. Web
2.
3. Web
4.
5. PHP
6.
7. SQL
8. XSS
9.
-
201510Cheat Sheet
-
OWASP! ZAP
[1] IPA: https://www.ipa.go.jp/about/technicalwatch/20131212.html
-
ZAP
POST /confirm.php HTTP/1.1
Cookie: PHPSESSID=xxxxxx

name=shonantoka>xss&mail=shonantoka%40example.org&gender=1

Echoed by confirm.php: shonantoka>xss shonantoka@example.org
ZAP
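The request above shows the classic shape of a reflected XSS finding: a form value containing HTML metacharacters (`shonantoka>xss`) is sent to a confirmation page that echoes it back. As an added example, not the talk's confirm.php, the block below models that page in both its vulnerable and hardened forms and implements the minimal reflection probe an active scanner such as ZAP runs: inject a payload into one field, render, and check whether it comes back unencoded. The request body is constructed to match the slide; the page markup and the probe payload are assumptions.

```python
# Added example (not the talk's confirm.php): a confirmation page that echoes
# form fields, vulnerable and fixed, plus a ZAP-style reflection check.
# SAMPLE_BODY is constructed to match the request on the slide; the HTML
# layout and the probe payload are assumptions.
import html
from urllib.parse import parse_qs

SAMPLE_BODY = "name=shonantoka>xss&mail=shonantoka%40example.org&gender=1"
FIELDS = ("name", "mail", "gender")


def parse_form(body: str) -> dict:
    """application/x-www-form-urlencoded body -> {field: first value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_confirm_vulnerable(form: dict) -> str:
    """Interpolates user input straight into HTML, which is what the finding implies."""
    return (f"<p>Name: {form.get('name', '')}</p>\n"
            f"<p>Mail: {form.get('mail', '')}</p>\n"
            f"<p>Gender: {form.get('gender', '')}</p>")


def render_confirm_fixed(form: dict) -> str:
    """Same page with output encoding for an HTML text context (the 'fix' step)."""
    def esc(key: str) -> str:
        return html.escape(form.get(key, ""), quote=True)
    return (f"<p>Name: {esc('name')}</p>\n"
            f"<p>Mail: {esc('mail')}</p>\n"
            f"<p>Gender: {esc('gender')}</p>")


def reflects_unescaped(render, field: str, payload: str = "<zap>\"'") -> bool:
    """ZAP-style probe: put a payload with <, >, \" and ' into one field, render,
    and report whether it comes back byte-for-byte (i.e. without encoding)."""
    form = parse_form(SAMPLE_BODY)
    form[field] = payload
    return payload in render(form)


def scan(render) -> list:
    """Return the fields whose value is reflected without encoding."""
    return [f for f in FIELDS if reflects_unescaped(render, f)]


if __name__ == "__main__":
    print("vulnerable page reflects:", scan(render_confirm_vulnerable))
    print("fixed page reflects:", scan(render_confirm_fixed))
    print(render_confirm_fixed(parse_form(SAMPLE_BODY)))
```

ZAP performs the same probe over live HTTP and then confirms the finding with a real script payload; the point for the developer is the second half of the block: encoding at the output context is what removes the finding, and it is cheap to verify in a unit test before the scanner ever runs.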
-
1. Find risky coding and vulnerabilities earlier
2. Fix & prevent them
3. Improve education and quality throughout the SDLC
-
OWASP Japan: 2012.3
OWASP Kansai: 2014.3
OWASP Kyushu: 2015.3
OWASP Sendai: new
4 OWASP chapters
-
31
OWASP
10/19
-
22 OWASP Japan Local Chapter Meetings
Reasons for holding OWASP Global AppSec in Japan (OWASP Japan Local Chapter, 2013.3.1)
-
-
OWASP Japan
() 2015 IT ()IT (IPA2013)
-
-
@okdt @owaspjapan
Thank you