投稿時間:2021-12-25 08:35:02 RSSフィード2021-12-25 08:00 分まとめ(35件)

カテゴリー等	サイト名等	記事タイトル・トレンドワード等	リンクURL	頻出ワード・要約等/検索ボリューム	登録日
TECH	Engadget Japanese	Web記事がラジオ感覚で聴ける！ショートカット「テキストをオーディオに変換」が便利：iPhone Tips	https://japanese.engadget.com/shortcut-text-221056451.html	iphonetips	2021-12-24 22:10:56
TECH	Techable（テッカブル）	ARでアイメイク体験！ 資生堂「バーチャルメイク」はグラデーション方法まで選べる	https://techable.jp/archives/169717	virtualmakeup	2021-12-24 22:00:47
Program	[全てのタグ]の新着質問一覧｜teratail（テラテイル）	htaccessで特定のディレクトリ内を除外したいです	https://teratail.com/questions/375476?rss=all	サイト構成第階層publichtml第階層wpadminwpcontentwpincludes・・・その他wpのファイルtestフォームが動かなくなったLPhtaccess先日、WPのバージョンの更新なのか、サーバのphpのバージョンの更新があったのかが不明なのですが、testnbspのcgiフォームが動かなくなりました。	2021-12-25 07:48:43
AWS	AWSタグが付けられた新着投稿 - Qiita	AWS Well-Architected Frameworkの信頼性の柱にある『バルクヘッドアーキテクチャを使用する』がなんかレビューで使いにくいのでオレオレ解釈をしてみた	https://qiita.com/ohtk79/items/fdc453ac5eb825334110	特定の役割を持ったワークロードサービス、システム、コンポーネントなどで置き換えたほうがしっくりきますねをひとつの単位とするワークロードが障害に陥った際、他のワークロードに影響を及ぼすことがあるか他のワークロードが障害になった際、影響を受けることがあるか結局のところ『ワークロードの独立性を担保して、耐障害性を高めよう』ってことなんですが、レビューの際には『自分が不幸になっても他者を巻き込まないようにするとか、他者の不幸に巻き込まれないようにするって考え方と同じですねニッコリ』みたいに身近なもので説明するといい感じで説明が捗ります。	2021-12-25 07:19:55
Azure	Azureタグが付けられた新着投稿 - Qiita	Azure のいろいろなサービスでリバース プロキシを作るぞ	https://qiita.com/tetsuya-ooooo/items/22de382ec28dcfa68347	HTTP設定を作成するバックエンドプールの外部WebサイトにHTTPSでアクセスする必要がある場合は、「EndtoEndTLS暗号化」を使用します。	2021-12-25 07:16:13
技術ブログ	Developers.IO	テクニカルサポートの知見をブログに書くこと、会社アドベントカレンダーの記録	https://dev.classmethod.jp/articles/technical-support-advent-calendar-2021/	adventcalendarqiita	2021-12-24 22:00:55
技術ブログ	Developers.IO	【まとめ】絶対にチェックしてほしい激熱なデータ系SaaSのBEST5	https://dev.classmethod.jp/articles/dive-deep-into-modern-data-saas-advent-calendar-final/	製品	2021-12-24 22:00:36
海外TECH	DEV Community	Happy Holidays: From a developer with code!	https://dev.to/noriller/happy-holidays-from-a-developer-with-code-5n7	Happy Holidays From a developer with code This is a present for you I wrapped it in a way you have to “open it to learn what s inside Unless can you can guess what this does before running it The present Happy Holidays Cover Photo by Kira auf der Heide on Unsplash	2021-12-24 22:45:28
海外TECH	DEV Community	DevSecOps: Implement security on CICD Pipeline	https://dev.to/_anshuman/devsecops-implement-security-on-cicd-pipeline-4kc5	DevSecOps Implement security on CICD PipelineLet Start What is Dev Sec Ops DevSecOps stands for development security and operations It s an approach to culture automation and platform design that integrates security as a shared responsibility throughout the entire IT lifecycle It is a endless field Here we only focus about Infra and DevOps level security We will discuss on both OSS and Paid tools which we can implement on CICD pipeline to make secure What is CIS The Centre for Internet Security CIS provides a standardized set of security benchmarks to identify and refine effective security measures for specific set of tools and technologies It provides security benchmark and the National Checklist Program NCP defined by the NIST They offer guidance on the security configurations of the operating system clouds database virtualization framework and application In addition to the benchmark documents the CIS also provides downloadable tools for secure configuration scanningcisecurity org cis benchmarks Best practice is to implement multiple scanning tool instead of trust on one How DevSecOps pipeline looks like We will cover how to implement these DesignDevelopBuildTestDeployMonitor DesignSecurity and monitoring is always a second step st step is to harden your infrastructure More than attacks happens because of misconfigurationIn AWS you can check how much percentage your server follow the CIS benchmark But also keep in mind CIS Enough You should not rely only on CIS and always follow best security practices When you create a server in AWS with just port open You notice that there will be multiple attempt start happening It will reach to within week Check the vulnerability vectors you have in your system environment where attacker can push their code or extract data Attack SurfaceThe attack surface of a system is the collection of points attack vectors where unauthorized user attacker may enter to inject data to or extract data from an environment Keeping the attack surface as small as possible is a basic security measure Ex Use bastion server and put all the servers in private subnetIAM Identity and Access Management IAM is the process of granting or restricting access to computing resources for individual users groups or systems IAM Authentication Authorization User Management and Credentials Repository Best practice is to Fine Grained IAM Roles for Service Accounts and UsersNetwork SecurityImplement private subnets Deploy your VMs with only private IPs Provide secure outbound internet connections with Cloud NATTurn on real time monitoring logging and alertingBest practice is to only implement public faced LB Also enable services like web application firewall WAF and DDoS mitigation service like cloud armor Fine grained networking policy on servers resources and VPCs Only open required IP range and ports Server Hardening It is a practice of enhancing each server s security Even though we use the containers for deployment we have to make sure the underlying infrastructure is also secure Team can consult benchmark from CIS and application such as OpenSCAP to review possible server vulnerabilities and determine what steps to take to mitigate risks A server must be hardened before the applications and tooling hosted on the server like Kubernetes worker server can be secured Implement App Armor Profile and Sec Comp ProfileYou can use Ansible playbook devsec hardening to harden linux OS mysql nginx and ssh here is the link dev sec ansible collection hardeningKubernetes I assume that you are using service based Kubernetes cluster and only managing worker server If you are managing master node then use kube bench It is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark Only use harden image for worker server All cloud provider provide CIS benchmark harden image Secrets Use them but make sure they re encrypted and have RBAC applied Security Context Much of the Runtime practices mentioned can be enforced via SC Network Policy Start with zero trust block every thing by default and add allow rules only as necessary Best practice to use Service Mesh like Linkerd or Istio which provide a lot of feature If you don t want to implement service mesh then at least use calico overlay network instead of flannel because it support strong network policy management and access control list ACLs By default pods accept traffic from any source The network policy resource in ks provides a means of configuring whether connections are accepted or refused You can configure inbound and outbound rules by port direction protocol and other attributes Enforcement Use OPA Gatekeeper Kyverno etc to apply policies like each namespace should have tag of service mesh DevelopUse IDE like VSCode where you can implement plugins Use SonarLint s free and Open Source VS Code IDE extension Perform static analysis on JavaScript Java and Python code Don t hardcode credentials and sensitive information in code instead use environment variable Also when you use env variable give space at first to not record in history Ex export CRE abcdUse branching and PR request methods BuildSensitive Information ScanningDetecting and preventing hardcoded secrets like passwords api keys and tokens in git repos Attackers keep scanning git repo for keys secrets If you by mistake upload keys in repo then automatic hacker tool start building VMs on cloud platform and use for mining Now even cloud providers are smart enough and they also run tools to grep these sensitive information If they find then immediately send you mail with all information OSS Gitleaks and truffleHogdocker pull zricethezav gitleaks latestdocker run v path to host folder to scan path zricethezav gitleaks latest COMMAND source path OPTIONS SCA scanningSCA stands for the Source Composition Analysis Scanning the dependency eg library used in the application for security vulnerabilities In any application code is just and rest is Open Source Code which has ton of lines of codes which you have not writtenOSS for python is pyraiderpip install pyraiderpyraider check f Users raider project requirements txt e json result json e html result htmlpyraider check f Users raider project Pipfile lockSAST ScanningSAST stands for Static Application Security Testing It is the methodology for finding the security flaws in the application from the source code It is White box Security testing methodology There are tons of tools available You can refer this OWASP Try to implement tool which follow CIS benchmark OSS for python is banditpip install banditbandit r path to your codeStatic Code AnalysisIt is Code Quality and Code Security scan It empowers all developers to write cleaner and safer code The only tools I know till now for this purpose is SonarQube that is an open source platform for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs code smells and security vulnerabilities on programming languages Best practice is to enable gating with code coverage docker run rm e SONAR HOST URL http SONARQUBE URL e SONAR LOGIN myAuthenticationToken v YOUR REPO usr src sonarsource sonar scanner cliSBOMModern software is assembled using third party and open source components They are glued together in complex and unique ways and integrated with original code to achieve the desired functionality An accurate inventory of all components enables organizations to identify risk allows for greater transparency and enables rapid impact analysis OSS for SBOM is CycloneDX It is a lightweight software bill of materials SBOM standard designed for use in application security contexts and supply chain component analysis pip install cyclonedx bompip freeze gt requirements txtcyclonedx bom r i PATH TO requirements txt o sbom xml TestDASTDAST stands for dynamic application security testing It is the methodology for finding the security flaws in the application when running It is Black box Security testing methodology For DAST we need to implement test environment and after test complete destroy the environment to reduce cost Best way to provision infrastructure for test environment is by using terraform OSS for DAST testing is ZAPzap sh daemon host some host port some port config api addrs addr regex true config api disablekey truePerformance TestIt is a practice of evaluating how a system performs in terms of responsiveness and stability under a particular workload Performance tests are typically executed to examine speed robustness reliability and application size The process incorporates “performance indicators such as It gathers all the tests that verify an application s speed robustness reliability and correct sizing It examines several indicators such as a browser page and network response times server query processing time number of acceptable concurrent users architected CPU memory consumption and number type of errors which may be encountered when using an application OSS tool is JMeter It is one of popular open source tool in the performance space to help measure load time jmeter n t test jmx l testresult jtlPenetration TestPenetration tests pentests are a form of DAST blackbox that use external program to interrogate applications through their exposed API and HTTP endpoints Penetration tests simulate automated cyber attacks on production infrastructure It detect common vulnerabilities such as injection cross site scripting and flaws in authentication and identity and access management IAM OSS for Pentest is Arachni It is a feature full modular high performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications arachni URL report save path BUILD TAG afr arachni reporter BUILD TAG afr reporter html outfile BUILD TAG zip unzip BUILD TAG zip rm f BUILD TAG zip publish html report DeployIaC ScanningScan cloud infrastructure configurations to find misconfigurations before they re deployed It also scan security vulnerability in cloud infrastructure like IAM user has admin role There are multiple of OSS available Few of them are terrascan tfsec and Checkovterraform initterraform plan out tf planterraform show json tf plan gt tf json checkov f tf jsonKS Manifest ScanningMost of the scanner which scans IaC code are capable to scan kubernetes manifest files It scan misconfigurations and security vulnerability in Kubernetes JSON YAML Helm v and Kustomize It scan manifest files for runAsNonRootCheck privilegeEscalationCheck readOnlyFileSystem imageVersionnotusinglatest securityContextUsed and many more OSS are Terrascan KubeLinter and Checkovcheckov f deployment yml f service ymlImage ScanningScan for vulnerabilities in container images file systems and Git repositories as well as for configuration issues Historically developers have owned the security posture of their own code and the libraries used Containers add security concerns at the operating system level such as base image selection package installation user and file permission and more Don t run as root Yor probably don t need it Privileged Containers You almost definitely don t need it Drop capabilities Most apps don t need even Linux capabilities dropping all and allow only what s needed Most of the people consider alpine as a base image Read Only Root Filesystem Immutability makes exploiting your container harder Deploy from known sources Pull from known registries onlyOSS are trivy and Twistlocktrivy image python alpine MonitoringIt has combination monitoring logging and alerting Monitor resources logging application outputs and alerting events like uptime checks There are multiple stacks available one of them is EFK Elasticsearch Fluentd and Kibana They are resource consuming stack One of best stack in this field is Prometheus Grafana and Loki In ISTIO service mesh Jaeger and Kiali are available Few paid services in this field which are known to be best in monitoring Kubernetes pods and services are New Relic Dynatrace Sysdig and Datadoghq Recap OSS tools mentioned kube bench Kubernetes Hardeningansible collection hardening Linux HardeningLinkerd or Istio Service MeshOPA gatekeeper and Kyverno PolicyGitleaks and Trufflehog Sensetive Information pyraider Source Composition Analysisbandit SASTSonarLint and SonarQube Static Code AnalysisCyclonedx SBOMZAP DASTJmeter Performance TestArachni Pentration TestTerrascan Tfsec KubeLinter and Checkov IaC and kSTrivy and Twistlock Image ScanningPrometheus Grafana and Loki MonitoringElasticsearch Fluentd and Kibana MonitoringPaid Tools which need to consider if you and your manager are more concerned about security Snyk OpenSource Code Container and IaC ScanFortify Static Code AnalyzerCodacy Measure code qualityNew RelicDynatraceSysdigDatadoghq Final Notes Almost all the scanning tools mentioned above can be implemented on any CICD pipeline like GitHub Action GilabCI CircleCI Jenkins Tekton or any pipeline which support container based integration in it I have tried to show examples of cli commands through which it scan Almost all OSS scanning tools has docker image also on Dockerhub registry through that you can easily pull and run scan test You need to implement checks after every scan and if it get failed then send reports to the person who trigger the pipeline	2021-12-24 22:05:05
Apple	AppleInsider - Frontpage News	Merry Christmas from all of us at AppleInsider	https://appleinsider.com/articles/21/12/24/merry-christmas-from-all-of-us-at-appleinsider?utm_medium=rss	Merry Christmas from all of us at AppleInsiderWhether you re celebrating or working whether you re with your family or alone all of us at AppleInsider wish you a merry and peaceful Christmas Not just any Christmas tree this was how London s Claridge s department store decorated in with the help of Jony Ive It s a curious thing but at the very moment that Apple itself is at its quietest all year more people are buying and giving and unwrapping Apple devices than they do at any other time Consequently AppleInsider will be right here for you when you want to know how to set up your new MacBook Pro or want the best apps for your iPhone Read more	2021-12-24 22:50:02
金融	金融総合：経済レポート一覧	FX Daily(12月23日)～ドル円、114円台前半で堅調に推移	http://www3.keizaireport.com/report.php/RID/479555/?rss	fxdaily	2021-12-25 00:00:00
金融	金融総合：経済レポート一覧	日銀が気候変動オペを開始：木内登英のGlobal Economy ＆ Policy Insight	http://www3.keizaireport.com/report.php/RID/479563/?rss	lobaleconomypolicyinsight	2021-12-25 00:00:00
金融	金融総合：経済レポート一覧	コロナ禍での外食企業の資本性資金の調達～成長投資より財務改善への充当が目立つ：金融・証券市場・資金調達	http://www3.keizaireport.com/report.php/RID/479567/?rss	大和総研	2021-12-25 00:00:00
金融	金融総合：経済レポート一覧	SFDRのレベル2、「2023.1.1」開始に後ずれ～CFA協会公表のガイドラインとの整合性にも留意が必要か：金融規制（バーゼル規制その他）	http://www3.keizaireport.com/report.php/RID/479568/?rss	大和総研	2021-12-25 00:00:00
金融	金融総合：経済レポート一覧	2021年3月期 地方銀行の有価証券利回りに関する要因分析：Research Report	http://www3.keizaireport.com/report.php/RID/479613/?rss	researchreport	2021-12-25 00:00:00
金融	金融総合：経済レポート一覧	行動実績をAI分析、少額与信を可能に キャッシュレス決済、顧客の元手資金の獲得がカギ：デジタル社会研究会 議事要旨（第22回）	http://www3.keizaireport.com/report.php/RID/479624/?rss	日本経済研究センター	2021-12-25 00:00:00
金融	金融総合：経済レポート一覧	Weekly金融市場 2021年12月24日号（全体版）～来週の注目材料、経済指標。	http://www3.keizaireport.com/report.php/RID/479625/?rss	weekly	2021-12-25 00:00:00
金融	金融総合：経済レポート一覧	（中国）1年8ヶ月ぶりのLPR引下げについて：注目点	http://www3.keizaireport.com/report.php/RID/479627/?rss	総合研究所	2021-12-25 00:00:00
金融	金融総合：経済レポート一覧	小規模投信パフォーマンス・パズル～９つの仮説と識者の見方	http://www3.keizaireport.com/report.php/RID/479637/?rss	日本証券経済研究所	2021-12-25 00:00:00
金融	金融総合：経済レポート一覧	中国におけるコロナ感染症拡大期間の金融政策	http://www3.keizaireport.com/report.php/RID/479638/?rss	日本証券経済研究所	2021-12-25 00:00:00
金融	金融総合：経済レポート一覧	気候変動と金融市場	http://www3.keizaireport.com/report.php/RID/479639/?rss	日本証券経済研究所	2021-12-25 00:00:00
金融	金融総合：経済レポート一覧	〔講演〕そもそも株主とは何者か—東芝事件の基礎理論	http://www3.keizaireport.com/report.php/RID/479641/?rss	日本証券経済研究所	2021-12-25 00:00:00
金融	金融総合：経済レポート一覧	日本銀行広報誌「にちぎん」No.68 2021年冬号～自然環境にポテンシャルを見いだし森とともに先駆的な未来を築く北海道下川町...	http://www3.keizaireport.com/report.php/RID/479643/?rss	北海道下川町	2021-12-25 00:00:00
金融	金融総合：経済レポート一覧	週刊！投資環境（2021年12月24日号）～来週の注目点を皆さまにいち早くお届け...	http://www3.keizaireport.com/report.php/RID/479647/?rss	投資信託	2021-12-25 00:00:00
金融	金融総合：経済レポート一覧	利上げが視野に入る2022年の米国株式市場の展望：米国経済・株式市場情報	http://www3.keizaireport.com/report.php/RID/479648/?rss	株式市場	2021-12-25 00:00:00
金融	金融総合：経済レポート一覧	【石黒英之のMarket Navi】2022年の日本株見通し～業績拡大を背景に上昇続く...	http://www3.keizaireport.com/report.php/RID/479650/?rss	marketnavi	2021-12-25 00:00:00
金融	金融総合：経済レポート一覧	削減貢献量に関する分析フレームワーク～シンガポール政府投資公社（GIC）とシュローダーの取り組み：投資新時代	http://www3.keizaireport.com/report.php/RID/479654/?rss	取り組み	2021-12-25 00:00:00
金融	金融総合：経済レポート一覧	LIBOR移行対応アップデート―ハイライト（2021年11月1日～11月30日）～タフレガシー契約に対する立法的救済策について米国上院が公聴会を開催...	http://www3.keizaireport.com/report.php/RID/479665/?rss	libor	2021-12-25 00:00:00
金融	金融総合：経済レポート一覧	（株）クレスコ～独立系IT企業。上期の営業利益は受注及び生産性改善等から大幅増益：アナリストレポート	http://www3.keizaireport.com/report.php/RID/479671/?rss	営業利益	2021-12-25 00:00:00
金融	金融総合：経済レポート一覧	よりサステナブルな保険業界の構築～気候変動リスク、ダイバーシティ＆インクルージョン、ガバナンスの変革に取り組むため、CSOの権限はどう強化できるか	http://www3.keizaireport.com/report.php/RID/479673/?rss	気候変動	2021-12-25 00:00:00
金融	金融総合：経済レポート一覧	【注目検索キーワード】スタートアップ・エコシステム	http://search.keizaireport.com/search.php/-/keyword=スタートアップ・エコシステム/?rss	検索キーワード	2021-12-25 00:00:00
金融	金融総合：経済レポート一覧	【お薦め書籍】仕事2.0 人生100年時代の変身力	https://www.amazon.co.jp/exec/obidos/ASIN/4344033337/keizaireport-22/	週末	2021-12-25 00:00:00
金融	ニュース - 保険市場TIMES	メットライフ生命、広島銀行とともに社会福祉法人に寄付金を贈呈	https://www.hokende.com/news/blog/entry/2021/12/25/080000	メットライフ生命、広島銀行とともに社会福祉法人に寄付金を贈呈共同社会貢献プログラム第期寄付金を贈呈メットライフ生命保険株式会社以下、メットライフ生命は、株式会社広島銀行と共同で取り組んでいる「社会貢献プログラム」について、第期の寄付金を贈呈したと年月日月に発表した。	2021-12-25 08:00:00
ビジネス	ダイヤモンド・オンライン - 新着記事	川崎近海汽船(9179)、｢増配｣を発表し、配当利回りが 4.28％にアップ！ 年間配当は1年間で1.5倍に急増、 2022年3月期は前期比50円増の｢1株あたり150円｣に - 配当【増配・減配】最新ニュース！	https://diamond.jp/articles/-/291990	川崎近海汽船、「増配」を発表し、配当利回りがにアップ年間配当は年間で倍に急増、年月期は前期比円増の「株あたり円」に配当【増配・減配】最新ニュース川崎近海汽船が、年月期の配当予想の修正増配を発表し、配当利回りがに川崎近海汽船は、年月期の年間配当を前回予想比で「円」の増配、前期比でも「円」の増配となる「株あたり円」に修正すると発表した。	2021-12-25 07:35:00
ビジネス	東洋経済オンライン	｢監視資本主義｣が教えるグーグルの｢隠蔽戦略｣ ｢フォードとグーグルの革命｣の決定的な違い | 企業経営･会計･制度 | 東洋経済オンライン	https://toyokeizai.net/articles/-/477338?utm_source=rss&utm_medium=http&utm_campaign=link_back	東洋経済オンライン	2021-12-25 07:30:00