Posted at: 2022-01-01 22:19:26 | RSS feed digest for 2022-01-01 22:00 (20 items)

Category | Site | Article title / trending word | Link URL | Frequent words / summary / search volume | Registered
js | New posts tagged JavaScript - Qiita | Isn't this the revised edition of "@e99h2121 Isn't this an Advent Calendar? Advent Calendar 2020"? Advent Calendar 2022, Day 1: Most Breakthrough Generator | https://qiita.com/kaizen_nagoya/items/49ebebee3a0377f3b59b | ...years old is when I started oil painting, you see; since I cannot draw, haven't I given up on applying to art school? | 2022-01-01 21:00:25
Program | New questions [all tags] | teratail | How to obtain location notifications when detecting iBeacons in Swift | https://teratail.com/questions/376278?rss=all | How to obtain location notifications when detecting iBeacons in Swift. Premise / what I want to achieve: I am detecting iBeacons in Swift. | 2022-01-01 21:54:43
Program | New questions [all tags] | teratail | Image chosen via a javascript input is not displayed | https://teratail.com/questions/376277?rss=all | | 2022-01-01 21:52:42
Program | New questions [all tags] | teratail | C language: Simpson's rule integration | https://teratail.com/questions/376276?rss=all | A question about a C-language Simpson's rule integration program. | 2022-01-01 21:47:04
Program | New questions [all tags] | teratail | Can a function that returns a "lambda expression" depending on a condition be written in C++? | https://teratail.com/questions/376275?rss=all | | 2022-01-01 21:39:55
Program | New questions [all tags] | teratail | I want to restore MySQL from .ibd and .frm files | https://teratail.com/questions/376274?rss=all | I want to restore MySQL from ibd/frm files. Problem: I have the ibd and frm files at hand. | 2022-01-01 21:22:00
Program | New questions [all tags] | teratail | In WordPress, I want to show posts whose publish date is today on the top page | https://teratail.com/questions/376273?rss=all | In WordPress, I want to show posts whose publish date is today on the top page. Premise / what I want to achieve: I am creating event pages that are made visible by specifying a future date on the post. | 2022-01-01 21:03:47
Ruby | New posts tagged Ruby - Qiita | How to start a Rails project | https://qiita.com/wezz/items/2b31e5456185bb3e5c1e | | 2022-01-01 21:29:19
Linux | New posts tagged CentOS - Qiita | Multipath configuration to external shared storage | https://qiita.com/infra_buld/items/31d19759a409305ca9de | Multipath configuration to external shared storage. Multipath configuration to storage: by configuring multipath, the server side can be made to recognize the multiple paths between server and storage as a single path. | 2022-01-01 21:06:38
Ruby | New posts tagged Rails - Qiita | How to start a Rails project | https://qiita.com/wezz/items/2b31e5456185bb3e5c1e | | 2022-01-01 21:29:19
Tech blog | Developers.IO | A personal opinion on using Active Directory with Amazon AppStream 2.0 | https://dev.classmethod.jp/articles/personal-opinion-for-using-appstream2-active-directory-join/ | activedirectory | 2022-01-01 12:38:08
Overseas tech | DEV Community | Critical Security Areas That Software Engineers Have To Know To Secure Their Solutions | https://dev.to/vulcanus/critical-security-areas-that-software-engineers-have-to-know-to-secure-their-solutions-3pkc | summary:

Critical Security Areas That Software Engineers Have To Know To Secure Their Solutions

Societies in industrialized countries depend more and more on software. The rising impact of cyber-physical systems on the real world, as well as the amount of personally identifiable information collected and processed, shows that systems must be secure. This is not easy to achieve due to the rising complexity of those systems. Organizations have information security departments that support securing business functions and train employees in a variety of security topics to show how to react on certain events and how to handle classified information. While there are trainings for administrators to show them how to secure a system, often little to no effort is put into teaching software engineers and developers how to develop a secure software solution. This is quite a big issue I'd like to address and raise awareness about. The Open Web Application Security Project (OWASP) created the OWASP TOP Proactive Controls project (OPC) to encourage developers starting with application security. This blog entry summarizes the content of it and adds hints and information to it too. Please keep in mind that this should only raise awareness and is a starting point to help get deeper into this topic.

Define Security Requirements
Security falls under the category of non-functional requirements. It should define the needed security functionality the software has to satisfy. To save time and not re-invent the wheel on each new project, you can select security requirements from a catalog. There is a general one called Application Security Verification Standard (ASVS) and one for mobile named Mobile Application Verification Standard (MASVS). They contain a collection of requirements which are best practices for each listed category. Fortunately, they have mapped those requirements with CWE (common weakness enumeration), which is basically a list of software and hardware weaknesses. Depending on the used tools, those CWEs can be automatically scanned in your code.

Leverage Security Frameworks and Libraries
Normally, third-party libraries/frameworks are included into the project to re-use already written code. You should only use those from trusted sources which are actively maintained and used by many applications. Keep them up to date and encapsulate the library so you only expose the required need into your software. There are quite some dependency checkers out there to help you select dependencies and keep them up to date.

Secure Database Access
This has some subitems, but we'll go through them quite quickly. Secure your queries: we all know those funny SQL injection jokes, but you can solve this problem quite easily with query parameterization. You can find a cheat sheet from OWASP here and another one from Bobby Tables here. Database management systems are not always securely configured by default. There are guidelines and benchmarks available out there which you should check out, like here. Access to the database should be properly authenticated. This should take place over a secure channel, and your credentials should be properly secured. Besides authenticating with credentials, you should also check out if it's possible to access it instead with your managed identity. The last point is secure communication: encrypting your data in transit by having end-to-end communication security when sensitive data is transmitted over any network. This can be done via TLS. There are guides there helping you choose the minimum allowed TLS version and choosing a cipher suite.

Encode And Escape Data
And here we reach injection attacks again. By encoding characters we ensure that special characters are not processed for malicious intents. This means that the content will be displayed but not executed. For example, instead of sending <script>, we encode special characters inputted by the user and send &lt;script&gt;, which will be displayed on the browser like <script> but will not be executed. This output encoding should be applied before the content is passed to the target interpreter to defend against XSS. There are some examples for C, Java and PHP. There are also other types of encoding and injection defenses, like shell escaping for OS command input. Forms of escaping are not limited to those examples listed here. Look for guidelines and best practices when using user input for certain operations.

Validate All Inputs
You might have already noticed that you can't trust input from clients, which means that the data has to be validated before usage. Data should be checked that its syntax and semantics are valid. Syntax validity ensures that data are in an expected form and should not allow any deviations: if three digits are expected, it should be checked that the input consists only of digits and has three digits in length. Semantic validity accepts input only in an acceptable range specified by the application's functionality and its context; for example, a start date has to be before an end date. Those validations can be performed both on the client and server side, but security-related validations always have to be done on the server side, since the validation on the client side can be bypassed. There are in general two approaches for syntax validation: blacklisting and whitelisting. While blacklisting blocks exact texts, e.g. <script>, to prevent injections, whitelisting is checking for data set matches. In general it is recommended to use whitelisting on a minimal approach instead of blacklisting, since it is prone to bypasses. In other words, whitelisting limits attack surface while blacklisting detects and stops obvious attacks. Bear in mind that those validations have limits: since complexity allows more variations and possibilities, valid data can still be dangerous. Another way to check whether data matches a specific pattern is the usage of regular expressions. This should be used with caution, since expressions can get quite complex as well as hard to maintain. It also enables a regular expression denial of service attack (ReDoS), which produces a denial of service due to the exploitation of the exponential-time worst-case scenario. There are plenty of validation libraries that can be leveraged to validate data: PHP has filter functions, Java has the Hibernate Validator and C the FluentValidation. You can also sanitize your data to erase not-needed data in your input. Please keep in mind that input validation should not be your primary method to prevent injections and other attacks. Another problem you might encounter is the validation of serialized data. Avoid deserializing data from untrusted sources. If this is not possible, you might want to implement integrity checks or encryption to prevent tampering. Enforce strict type constraints and possibly run code in a low-privilege environment, like in a temporary container, to deserialize data. Log exceptions and failures, such as an unexpected incoming type or a failure in deserialization. Apart from serialized data, there is also the problem with autobinding. Some frameworks support automatic binding of HTTP request parameters to server-side objects consumed by the application. Those bindings enable an attack vector to exploit a vulnerability called mass assignment: for example, the user can set a parameter like isAdmin to true to elevate privileges. There are two ways to handle this: either avoid autobinding and use Data Transfer Objects (DTOs), which are basically POCOs, or set up whitelist rules to define which fields are allowed to be auto-bound. There is a cheat sheet by OWASP you might want to check out here to get more information on how to resolve this issue.

Enforce Access Controls
Access controls manage the access to systems as well as resources and ensure that only authorized users/systems have access. It should be forced that all requests go through the access control to ensure that every request is checked and authorized to pass. You may already have come across the terms privilege, right and permission. Those are not interchangeable terms; for more information, read Wentz Wu's article. This topic should be thoroughly designed up front and taken early into account in the design phase. There are different types of access controls that should be considered, but not limited to:
- Discretionary Access Control (DAC) lets people manage content on their own.
- Mandatory Access Control (MAC) restricts access based on sensitivity, by a label of the information and the authorization of the user to access such sensitivity.
- Role-Based Access Control (RBAC) controls access to resources based on defined rules. Performed actions are identified with roles rather than with individual subject identities.
- Attribute-Based Access Control (ABAC) manages the request based on policies which combine attributes of the user and object.
There are two principles that you should embed when using access controls. The first is deny by default: this means that if a request is not specifically allowed, it must be denied. The second is the principle of least privilege: ensure that only the least and only necessary access is possible. Often, when time passes, it can happen that privilege creep occurs. This means that an identity accumulated access rights and has higher privileges than necessary, so keep that in mind and check regularly if certain permissions and rights are needed. Linked to a granular access control is the programmed check of permissions. Many applications use access controls that are role-based. This limits the developers and adds dangers to it: if (user.hasRole("SuperUser") || user.hasRole("Admin")) doAction(); Instead, you should implement rights and check for them: if (user.hasRight("RightX")) doAction(); With this you don't need to re-deploy everything if new roles are added that should have the privilege to perform actions, and it is easier to maintain. It also enables a more granular access control, which helps administrators to configure the system more securely. Furthermore, you should ensure that all access control failures are logged to ensure non-repudiation.

Data Protection
Data can contain sensitive information which requires more protection, since it may fall under laws and regulations. It is important to classify data in your system to determine sensitivity. Depending on those classifications, it may also add security requirements to the system/infrastructure that collects, processes or stores this data. Data can be in three states: at rest, in transit or in use. Depending on the classification, you have to secure the data in each state to avoid information disclosure. Application secrets should never be stored in code, configs or other files. Keep them in a secret vault like Azure KeyVault or Amazon KMS. Besides security, this also gives more flexibility on configuring your solution. I would like to add here to also think about data retention as well as backup strategies. For data retention you have to keep laws and regulations in mind; consult with a specialist or lawyer to know what the requirements are. Backup strategies should not only be planned and executed, but also the results tested. There is a saying that you do not have a backup when you did not test it. In the end you do not want to be on several tech blogs because of some deletion incident and backup failure like GitLab.

Implement Security Logging and Monitoring
The concept of security logging is to log security information during runtime. It can be used for forensic analysis and investigations, as well as satisfying regulatory compliance requests. Monitoring is the live review of logs using various forms of automation. Logging solutions must be designed, built and managed in a secure way. Encode and validate dangerous characters before logging to prevent injection or forging attacks. Ensure log integrity to protect against tampering. When logging, remove any sensitive information to avoid information disclosure. There should also be a common logging format to be consistent. Keep also an eye on time syncing across systems to have consistent timestamps in your logs. Furthermore, you should forward logs to a central secure logging service to allow centralized monitoring and securing log data. To identify potentially malicious activities, the following activities can be logged as high severity:
- Submitted data that is outside of an expected range
- Submitted data that contains changes that should not be modifiable
- Requests violating access control rules
For a more comprehensive list, check out OWASP's AppSensor Detection points tab here. When encountering those activities, the application should respond to possible attacks and shut them down. There is also a small cheat sheet related to application security logging here.

Handle all Errors and Exceptions
Exceptions can happen in various ways and should be handled accordingly. This handling occurs in all areas of the application, including business logic and security features. It is also important for intrusion detection: certain attacks against the application may trigger errors which can help detect attacks in progress. Manage exceptions in a centralized manner to avoid duplicated try/catch blocks and ensure all unexpected behavior is correctly handled. When displaying the error message to the user, be sure that you do not leak any critical information but still provide enough information to respond properly. When logging error messages, provide enough information so that the support, forensics and incident response teams understand the problem. To help discover possible failures early, you can also use Netflix's Chaos Monkey. It randomly terminates VMs and containers to show how resilient your services are.

Some more Information

Code Review
Besides the mentioned areas, you should also have a look at OWASP's Code Review Guide. It is quite comprehensive but also raises awareness on different topics, containing code examples and figures to illustrate in an easy way what has to be considered when reviewing code, besides clean code practices and business logic.

Do not write your own encryption
Some developers are tempted to roll out their own encryption. Schneier's Law states: "Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break." Since those persons believe that they cannot break their cipher, they use it as evidence that it is unbreakable. This is a good example of the Dunning-Kruger effect. There is a discussion on why it is discouraged to write your own encryption on Stack Exchange. Therefore, use existing solutions that are recognized by the industry and follow their best practices.

Registered: 2022-01-01 12:44:16
Overseas tech | DEV Community | 08 Advantages Of Using Illustrations In UI Design | https://dev.to/imanbhuiyan96/08-advantages-of-using-illustrations-in-ui-design-f87 | Advantages Of Using Illustrations In UI Design. Let's talk about how illustrations can help designers increase the usability of their visual designs and encourage users to keep on reading or interacting with your interfaces. | 2022-01-01 12:24:56
Overseas tech | DEV Community | Add some effects to text using JavaScript | https://dev.to/mohamedfrindi/add-some-effects-to-text-using-javascript-1nk5 | Add some effects to text using JavaScript. You can add some simple effects to texts through this simple library using JavaScript. demo | 2022-01-01 12:22:37
Apple | AppleInsider - Frontpage News | Apple's December 2021 in Review: Cartoon 'Ted Lasso,' and worms in Foxconn workers' meals | https://appleinsider.com/articles/22/01/01/apples-december-2021-in-review-cartoon-ted-lasso-and-worms-in-foxconn-workers-meals?utm_medium=rss | Apple's December in Review: Cartoon 'Ted Lasso,' and worms in Foxconn workers' meals. You've been around Apple for a long time, so you know to expect bugs, but probably not worms. It's fair to say that Apple's December contained some ups and downs. Apple's December was certainly animated. As November faded away, December brought Foxconn working conditions under a sharp and unpleasant light. Read more | 2022-01-01 12:47:07
News | BBC News - Home | Covid: More restrictions a last resort, Sajid Javid says | https://www.bbc.co.uk/news/uk-59844761?at_medium=RSS&at_campaign=KARANGA | health | 2022-01-01 12:56:13
News | BBC News - Home | Newcastle make bid for Atletico defender Trippier | https://www.bbc.co.uk/sport/football/59847166?at_medium=RSS&at_campaign=KARANGA | madrid | 2022-01-01 12:11:55
News | BBC News - Home | The NFL Show: Jason Bell & Osi Umenyiora on whether Aaron Rodgers will win MVP | https://www.bbc.co.uk/sport/av/american-football/59847261?at_medium=RSS&at_campaign=KARANGA | The NFL Show: Jason Bell & Osi Umenyiora on whether Aaron Rodgers will win MVP. The NFL Show's Jason Bell and Osi Umenyiora discuss why Green Bay Packers quarterback Aaron Rodgers could win this season's Most Valuable Player award. | 2022-01-01 12:18:05
Hokkaido | Hokkaido Shimbun | 12 dead at a holy site in northern India as crowds celebrating the New Year surge | https://www.hokkaido-np.co.jp/article/629460/ | holy site | 2022-01-01 21:05:00
Overseas tech | reddit | Me on New Year's Day 2022, in a business hotel, drinking Horoyoi condensed-milk strawberry while watching adult videos on VOD and eating insects. | https://www.reddit.com/r/newsokunomoral/comments/rti4lr/ビジネスホテルでほろよい練乳いちご飲みながらvodのエロビデオ見つつ昆虫を食べている2022年元日の/ | ewsokunomorallinkcomments | 2022-01-01 12:02:21
