Posted: 2022-03-21 17:18:51 RSS feed digest for 2022-03-21 17:00 (23 items)

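Category Site name Article title / trend word Link URL Frequent words and summary / search volume Registered date
TECH Engadget Japanese US Congress concerned about Elon Musk's business in China; worried about information leaks via suppliers https://japanese.engadget.com/us-congress-concerned-about-elon-musks-business-ties-to-china-072044318.html information leak 2022-03-21 07:20:44
AWS New posts tagged AWS - Qiita Achieving path-based routing with a fixed IP address using NLB and ALB https://qiita.com/moreyhat/items/281ca101a9930eb880b8 Because this makes it possible to do path-based routing with an ALB while keeping a fixed IP address with an NLB, even in a closed network environment, I ran an operational verification. 2022-03-21 16:33:25
AWS New posts tagged AWS - Qiita Taking on the SCS certification with official AWS materials (19) - What to do in situations like this https://qiita.com/mingchun_zhao/items/62c7d4a69dafb3f46e66 Domain: Incident Response; Domain: Logging and Monitoring; Domain: Infrastructure Security; Domain: Identity and Access Management; Domain: Data Protection. "Domain: Incident Response" review of the basics. What is an incident: leaked credentials, lost keys, data integrity violation, tampering with confidential information, missing access restrictions, theft of confidential information. How incidents are detected: logs and monitoring (this is probably the baseline); AWS billing records (when a configured amount is exceeded and an alert is sent); threat intelligence (acquire knowledge of attack methods, automate threat analysis and apply ML); notifications from AWS Support ("There was a suspicious login attempt on your account"); public response (reports from users). Services and tools used for incident response: Trusted Advisor, CloudFormation, Service Catalog, VPC Flow Logs, Config, API Gateway, CloudTrail, CloudWatch. "What to do in situations like this" for "Domain: Incident Response". An IAM access key was published by mistake: disable the published IAM access key; check which user the IAM access key is associated with; attach an IAM deny policy to the user; revoke all remaining sessions; check the scope of the policies associated with the access key; check in CloudTrail and Config that no resources or settings were changed; check that other IAM access keys and credentials are not affected. The SSH key for accessing an EC2 instance was stolen: check whether the SSH key is being used; block the port to the EC2 instances that use the SSH key; change the authorized_keys file on the EC2 instances that use the SSH key. Suspicious traffic was detected from an EC2 instance and you want to isolate it and investigate the incident: detach the EC2 instance from the Auto Scaling group; create a security group (SG) for forensics; copy the volume to the SG using an EBS snapshot; investigate the affected EC2 instance in the forensics SG. You want to easily and automatically isolate specific EC2 instances spread across multiple public subnets: create a Lambda function that changes the security group and blocks inbound traffic. You want to check whether an EC2 instance is making suspicious requests to a known C&C server: check the GuardDuty finding types; if it is querying the IP of a C&C server, "Backdoor:EC2/C&CActivity.B" is reported; if it is querying the domain name of a C&C server, "Backdoor:EC2/C&CActivity.B!DNS" is reported. (Note: a C&C server is a computer that issues malicious commands to the members of a botnet.) Suspicious requests hit a CloudFront distribution and you want to identify the source IP address, the original request, the referrer and the protocol: identify them from the user request information recorded in the CloudFront access logs. Prerequisite: the ACL of the S3 bucket that stores the logs must be changed; add the awslogsdelivery account and grant it FULL_CONTROL permission; the awslogsdelivery account writes the access logs to the bucket. (Note: the source IP address cannot be confirmed from the S3 bucket access logs; the referrer can.) (Note: the original request cannot be confirmed from CloudTrail; API calls can.) Closing: as exam preparation, I have started compiling "what to do in situations like this". 2022-03-21 16:18:36
AWS New posts tagged AWS - Qiita Explaining what happens during an Amazon ECS Blue/Green deployment https://qiita.com/sugimount-a/items/b7bce32531947e80abe3 If you want to deploy again, you need to press the Terminate button manually. When weighting is used, weighting is applied to the TargetGroup; with CodeDeployDefaultECSLinearPercentEveryMinutes it switches over gradually (→ →). In a Blue/Green deployment, settings in the ALB health check such as Interval and Healthy threshold have no effect. 2022-03-21 16:06:58
Docker New posts tagged docker - Qiita How to connect to PostgreSQL in Docker using GORM https://qiita.com/xAyumux/items/33f8046efcc3070b6fc3 How to connect to PostgreSQL in Docker using GORM: I have recently been developing with GORM and stumbled over connecting to PostgreSQL in Docker, so I wrote up the connection method. 2022-03-21 16:55:09
Docker New posts tagged docker - Qiita Using the Pytorch3D Docker container on WSL2 https://qiita.com/kuroyagi/items/1769401a8c0e0a4791ed Pitfall: Docker Desktop can get in the way. It may depend on the installation order, but when I tried to switch over in the procedure, I ended up in a situation where the default runtime did not change from runc (the default) even though I had changed /etc/docker/daemon.json. 2022-03-21 16:35:21
golang New posts tagged Go - Qiita How to connect to PostgreSQL in Docker using GORM https://qiita.com/xAyumux/items/33f8046efcc3070b6fc3 How to connect to PostgreSQL in Docker using GORM: I have recently been developing with GORM and stumbled over connecting to PostgreSQL in Docker, so I wrote up the connection method. 2022-03-21 16:55:09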
Overseas TECH DEV Community Why Safe Programming Matters and Why a Language Like Rust Matters https://dev.to/oktadev/why-safe-programming-matters-and-why-a-language-like-rust-matters-3m45 Why Safe Programming Matters and Why a Language Like Rust Matters. As programmers, how many of you have a good understanding of programming safety or secure programming? It's not the same as application security or cyber security. I have to confess, I didn't know a lot about these in the early years of my career, especially since I didn't come from a computer science background. But looking back, I think programming security is something every programmer should be aware of and should be taught at a junior level. What is safe programming, or to be more precise, what does being safe mean for a programming language? Or rather, what does unsafe mean? Let's set the context first. If you would rather follow along by watching a video, check out the video of the talk I made on the same topic at FOSDEM below, from the OktaDev YouTube channel.
Programming safety (memory safety, type safety, thread safety): When we talk about safety in programming, we mean some combination of three distinct things: memory safety, type safety, and thread safety. There are four if you count null safety as distinct from memory safety, but we'll group those two together today.
Memory safety: In a memory-safe language, when you access a variable or an item in an array, you can be sure that you are indeed accessing what you meant to or are allowed to access. In other words, you will not be reading or writing into the memory of another variable or pointer by mistake, regardless of what you do in your program. So why is this a big deal? Don't all major programming languages ensure this? Yes, to varying extents. But some languages are unsafe by default, for example C and C++. In C or C++, you can access the memory of another variable by mistake, or you can free a pointer twice; that's called a double-free error. Sometimes a program continues to use a pointer after it has been freed, and that's called a use-after-free (UAF) error or a dangling pointer error. Such behaviors are categorized as undefined; they are unpredictable and cause security vulnerabilities rather than just crashing the program. In these scenarios, a crashing program is a good thing, as it won't cause a security vulnerability. "I call it my billion-dollar mistake. It was the invention of the null reference in" (Tony Hoare). Then there is also null safety, which is kind of related to memory safety. I come from a Java/JavaScript background, and we are used to the concept of null. Null is infamous for being the worst invention in programming. Garbage-collected languages need a concept of nothing so that a pointer can be freed when unused. But the concept also leads to issues and pain, like the null pointer exceptions. Technically this relates to memory safety, but most memory-safe languages still let you use null as a value, leading to null pointer errors.
Type safety: In a type-safe language, when you access a variable, you access it as the correct type of data according to how it is stored. This gives us the confidence to work on data without manually checking for the data type during runtime. Memory safety is required for a language to be type safe.
Thread safety: In a thread-safe language, you can access or modify the same memory from multiple threads simultaneously without worrying about data races. This is generally achieved using message-passing techniques, mutual exclusion locks (mutexes), and thread synchronization. Thread safety is required for optimal memory and type safety, so generally memory-safe and type-safe languages tend to be thread safe as well.
Why does it matter? OK, why does this matter and why should we care? Let's take a look at some stats to get an idea first.
Memory safety issues: Memory safety issues are the cause of most security CVEs (Common Vulnerabilities and Exposures) we encounter. Undefined behavior can be abused by a hacker to take control of the program or to leak privileged information. If you try to access an out-of-bounds array element in a memory-safe language, you will just crash the program with panic or error, which is predictable behavior. This is why memory-related bugs in C/C++ systems often result in CVEs and emergency patches. There are other memory-unsafe behaviors in C/C++, like accessing pointers from stack frames that have been popped, a memory that has been de-allocated, iterator invalidation, and so on. Memory-safe languages, even ones that are not the safest, still protect against such security issues. If we take a look at stats, we can see that: About of all CVEs at Microsoft are memory safety issues; two-thirds of Linux kernel vulnerabilities come from memory safety issues; an Apple study found that of vulnerabilities in iOS and macOS are memory safety vulnerabilities; Google estimated that of Android vulnerabilities are memory safety issues; of all Chrome security bugs are memory safety issues; an analysis of days that were discovered being exploited in the wild found that more than of the exploited vulnerabilities were memory safety issues; some of the most popular security issues of all time are memory safety issues: Slammer worm, WannaCry, Trident exploit, HeartBleed, Stagefright, Ghost. That's a huge chunk of CVEs, and of course it's no surprise that most of it is from C/C++ systems. Deepu K Sasidharan ദീപു தீபு दीपू (deepu): "Another day and another C/C++ memory safety vulnerability CVE areWeMemorySafeYet replaceWithRust dirtyPipe cpp bleepingcomputer.com/news/security/…" (AM, Mar). Imagine a world without memory safety issues. Imagine the amount of developer time saved, amount of money saved, amount of resources saved. Sometimes I wonder why we still use C/C++. Why do we trust humans, against all available evidence, to handle memory manually? And this is without considering other non-CVE memory issues like memory leaks, memory efficiency, and so on.
Thread safety issues: Though not as notorious as memory safety, thread safety is also a cause of major headaches for developers and can result in security issues. Thread safety issues can cause two types of vulnerabilities: information loss caused by one thread overwriting information from another; pointer corruption that allows privilege escalation or remote execution; integrity loss due to information from multiple threads being interlaced. The best-known attack of this type is called a TOCTOU (time of check to time of use) attack, which is a race condition between checking a condition (like a security credential) and using the results. Both information loss and integrity loss can be exploited and lead to security issues. While thread-safety-related exploits are harder and less common than memory safety ones, they are still possible.
Type safety issues: While not as critical as memory and thread safety, lack of type safety can also lead to security issues, and type safety is important for ensuring memory safety. Low-level exploits are possible in languages that are not type safe, as an attacker can manipulate the data structure and change the data type to gain access to privileged information. Although this type of exploit is pretty rare, it's not unheard of.
Why Rust? Now that we understand how important programming safety is, let's see why Rust is one of the safest languages and how it avoids most of the security issues we normally encounter with languages like C/C++. For those not familiar, Rust is a high-level, multi-paradigm language. It's ideal for functional and imperative programming. It has very modern and, in my opinion, the best tooling for a programming language. Though it was originally designed as a systems programming language, its advantages and flexibility have made it suitable for all sorts of use cases as a general-purpose language. Rust throws around some buzzwords in its docs, but they are not just marketing buzz; they actually mean it with full sincerity, and they matter a lot.
Rust's safety guarantee: The safety guarantee is one of the most important aspects of Rust. Rust is memory safe, null safe, type safe, and thread safe by design. If the compiler detects unsafe code, it will refuse to compile that code by default. You would have to go out of your way to break those guarantees using the unsafe keyword. So even in cases where you would have to write unsafe code, you are making it explicit, and hence issues can easily be traced down to specific code blocks.
Memory safety in Rust: Rust ensures memory safety at compile time using its innovative ownership mechanism and the borrow checker built into the compiler. The compiler does not allow memory-unsafe code unless it's explicitly marked as unsafe in an unsafe block or function. This static compile-time analysis eliminates many types of memory bugs, and with some additional runtime checks, Rust guarantees memory safety. There is no concept of null at the language level. Instead, Rust provides the Option enum, which can be used to mark the presence or absence of a value. This makes the resulting code null safe and much easier to deal with, and you will never encounter null pointer exceptions in Rust. The ownership and borrowing mechanisms make Rust one of the most memory-efficient languages while avoiding pitfalls with manual memory management and garbage collection. It has memory efficiency and speeds comparable to C/C++ and memory safety that's better than garbage-collected languages like Java and Go. I've written detailed articles about memory management in different languages in my personal blog, so check them out if you are interested in learning more about memory management in Java, Rust, JavaScript, and Go.
Type safety in Rust: Rust is statically typed, and it guarantees type safety by strict compile-time type checks and by guaranteeing memory safety. This is not special, as most modern languages are statically typed. Rust also allows some level of dynamic typing with the dyn keyword and Any type when required. But the powerful type inference and the compiler ensure type safety even in those cases.
Thread safety in Rust: Rust guarantees thread safety using similar concepts for memory safety and provides standard library features like channels, mutex, and ARC (Atomically Reference Counted) pointers. In safe Rust, you can have either one mutable reference to a value or unlimited read-only references to it at any given time. The ownership mechanism makes it impossible to cause accidental data race from a shared state. This makes us confident to focus on code and let the compiler worry about shared data between threads.
Other Rust features: I wrote about my impressions of Rust in a detailed post on my blog, where I explain Rust's excellent features that make it unique. Here is a short summary of those features. Zero-cost abstractions: Rust offers true zero-cost abstractions, which means that you can write code in any style with any number of abstractions without paying any performance penalty. Very few languages offer this, which is why Rust is so fast. Rust compiler will always generate the best byte code regardless of the style of code you write. This means you can write functional-style code and get the same performance as its imperative counterpart. Immutable by default: Values in Rust are immutable (or read-only) by default. Mutability has to be declared explicitly. This, along with the ability to pass by value or reference, makes it super easy to write functional code without side effects. Pattern matching: Rust has excellent support for advanced pattern matching. Pattern matching is used extensively for error handling and control flows in Rust. Advanced generics, traits, and types: Rust has advanced generics and traits with type aliasing and type inference support. Though generics could easily become complex when combined with lifetimes, it's one of the most powerful features of Rust. Macros: There is also support for metaprogramming using macros. Rust supports both declarative macros and procedural macros. Macros can be used like annotations, attributes, and functions. Great tooling and one of the best compilers: Rust has one of the best compilers and the best tooling I have seen and experienced (compared to JS world, JVM languages, Go, Python, Ruby, CSharp, PHP, C/C++). It also has excellent documentation, which is shipped with the tooling for offline use. How awesome is that? Excellent community and ecosystem: Rust has one of the most vibrant and friendly communities. The ecosystem is quite young but is one of the fastest growing.
Usually, a programming language would offer a choice between safety, speed, and high-level abstractions. At the very best, you can pick two of those. For example, with Java, C#, Go, you get safety and high-level abstractions at the cost of runtime overhead, whereas C++ gives you speed and abstractions at the cost of safety. But Rust offers all three and a good developer experience as a bonus. I don't think many other mainstream languages can claim that. "Rust, not Firefox, is Mozilla's greatest industry contribution" (TechRepublic). This doesn't mean there are no downsides, and Rust is definitely not a silver bullet. There are issues like the steep learning curve and complexity of the language. But it's the closest thing to a silver bullet, in my opinion. That doesn't mean you should just start using Rust for everything. If a use case requires speed, concurrency, building system tools, or building CLIs, then Rust is an ideal choice. Personally, I would recommend Rust over C/C++ for any use case unless you are building a tool for a legacy platform that Rust does not support.
Learn more about Rust and security: If you want to learn more about Rust and security in general, check out these additional resources: Containerless: How to Run WebAssembly Workloads on Kubernetes with Rust; Visualizing memory management in Rust; What is memory safety and why does it matter; A Comparison of Cookies and Tokens for Secure Authentication; The Things to Keep in Mind about Auth. If you liked this tutorial, chances are you'll enjoy the others we publish. Please follow oktadev on Twitter and subscribe to our YouTube channel to get notified when we publish new developer tutorials. 2022-03-21 07:30:12
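News BBC News - Home Smacking children in Wales becomes illegal https://www.bbc.co.uk/news/uk-wales-60781395?at_medium=RSS&at_campaign=KARANGA wales 2022-03-21 07:16:14
News BBC News - Home Chancellor must do more to help poorest households, charity says https://www.bbc.co.uk/news/business-60816226?at_medium=RSS&at_campaign=KARANGA rishi 2022-03-21 07:12:16
News BBC News - Home Covid trapped me at home for more than seven months https://www.bbc.co.uk/news/health-60621432?at_medium=RSS&at_campaign=KARANGA lester 2022-03-21 07:30:41
Hokkaido Hokkaido Shimbun Watanabe's Raptors reach 40 wins; NBA, Hachimura's Wizards at 30 wins https://www.hokkaido-np.co.jp/article/659401/ Watanabe 2022-03-21 16:20:11
Hokkaido Hokkaido Shimbun Nichidai Mishima 0-4 Kinko Osaka: Furukawa throws a four-hit shutout https://www.hokkaido-np.co.jp/article/659377/ Kinko Osaka 2022-03-21 16:28:06
Hokkaido Hokkaido Shimbun BS Yoshimoto goes on air under the banner of "regional revitalization" https://www.hokkaido-np.co.jp/article/659410/ Yoshimoto Kogyo Group 2022-03-21 16:23:00
Hokkaido Hokkaido Shimbun Lessons of the Nasu avalanche: Tochigi mountaineering club members learn climbing risks, five years after the accident https://www.hokkaido-np.co.jp/article/659409/ Nasu, Tochigi Prefecture 2022-03-21 16:22:00
Hokkaido Hokkaido Shimbun Hong Kong lifts passenger flight ban on 9 countries, moving to ease COVID restrictions https://www.hokkaido-np.co.jp/article/659408/ Hong Kong government 2022-03-21 16:22:00
Hokkaido Hokkaido Shimbun Yamanashi Gakuin 1-2 Kisarazu Sogo: Kisarazu Sogo wins on a walk-off https://www.hokkaido-np.co.jp/article/659369/ Yamanashi Gakuin 2022-03-21 16:20:03
Hokkaido Hokkaido Shimbun Seibu 4-1 Yakult (21st): rookie Sato pitches 5 scoreless innings https://www.hokkaido-np.co.jp/article/659406/ Seibu 2022-03-21 16:17:00
Hokkaido Hokkaido Shimbun Hokkaido reports 1,009 infections, 495 in Sapporo, 2 deaths: COVID-19 https://www.hokkaido-np.co.jp/article/659388/ novel coronavirus 2022-03-21 16:16:03
Hokkaido Hokkaido Shimbun <Professor Yokota's "Corona" check> Infection numbers flat in Sapporo too; stay vigilant even after quasi-emergency measures are lifted https://www.hokkaido-np.co.jp/article/659402/ novel coronavirus 2022-03-21 16:13:00
Hokkaido Hokkaido Shimbun NHL: Panthers in first place as week 23 ends https://www.hokkaido-np.co.jp/article/659400/ first place 2022-03-21 16:10:00
Hokkaido Hokkaido Shimbun Moriyama: "More than 10 US military drones" in deployment plan for Kanoya base, Kagoshima https://www.hokkaido-np.co.jp/article/659399/ Maritime Self-Defense Force 2022-03-21 16:10:00
Hokkaido Hokkaido Shimbun Compilation of the 600 organizations of the Regional Revitalization Award released as a free e-book https://www.hokkaido-np.co.jp/article/659398/ Kyodo News 2022-03-21 16:03:00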
