Posted: 2022-05-21 21:17:20 RSS feed digest for 2022-05-21 21:00 (18 items)

Category Site Article title / trending word Link URL Frequent words / summary Registered
python New posts tagged Python - Qiita How to get latitude/longitude from a place name or address in Python and plot it on a map https://qiita.com/daifuku10/items/0cd4a409417d3a7b7297 visualst 2022-05-21 20:24:02
Ruby New posts tagged Ruby - Qiita Super easy! Pinpointing where an error occurred https://qiita.com/aono1234/items/e57f8afe188d0fb388c1 easy 2022-05-21 20:32:44
AWS New posts tagged AWS - Qiita QuickSight pricing for analyst permissions https://qiita.com/terra_yucco/items/40fa1bdf4835db75a135 quicksight 2022-05-21 20:35:01
GCP New posts tagged gcp - Qiita How to run gcloud compute ssh from VS Code to an instance without a global IP https://qiita.com/daredeshow/items/1c939f03f6c05086e382 chromebook 2022-05-21 20:38:22
Ruby New posts tagged Rails - Qiita Super easy! Pinpointing where an error occurred https://qiita.com/aono1234/items/e57f8afe188d0fb388c1 easy 2022-05-21 20:32:44
Overseas TECH MakeUseOf Why Is Bitcoin Going Down? What Causes Crypto to Fall in Value? https://www.makeuseof.com/why-is-crypto-going-down-what-causes-bitcoin-crash/ chart 2022-05-21 11:30:13
Overseas TECH MakeUseOf How to Remove Any Items From Your Mac’s Menu Bar https://www.makeuseof.com/how-to-remove-menu-bar-items-mac/ barthe 2022-05-21 11:01:13
Overseas TECH DEV Community Serverless Application is not as secure as you might think! https://dev.to/smartscanner/serverless-application-is-not-as-secure-as-you-might-think-4dpb
Serverless Application is not as secure as you might think!

What is a Serverless Application?
To run a traditional web application you need to set up an OS, configure a web server, install a CMS and prepare a database, and you have to look after infrastructure capacity and server maintenance for as long as the application is running. What if you could focus only on developing your application and not think about the infrastructure at all? That is exactly what a Serverless architecture lets you do: you write your code and publish it to a cloud service such as AWS Lambda, Cloudflare Workers or Google Cloud Functions; the code runs on the provider's servers, and the provider manages the infrastructure and its maintenance.

Cloud companies offer Serverless services in different forms. Take FaaS as an example. In this development model the cloud provider lets you write your application as small, separate functions, which is why the service is called Function as a Service (FaaS). This approach supports trending architectures like the JAMstack (JavaScript, API and Markup), in which static pages (the Markup) integrate with the backend through APIs served by Serverless functions. PaaS is another Serverless cloud service, one in which you control the entire application; this contrasts with FaaS, which is event-driven: an application function is executed on certain events, such as an incoming request.

Serverless Security
The Serverless development model has many benefits, such as cost efficiency, elasticity and productivity, but Serverless applications are not more secure than traditional applications. Cloud providers like Amazon AWS take care of OS and platform vulnerabilities, but you have no access to the servers, so you cannot use classic security solutions like IDS/IPS that must be installed on endpoints. Further, in a Serverless architecture the application consists of many small components, which means more entry points and therefore a larger attack surface. Developing and running a Serverless application depends on the cloud provider's standards, so the same code cannot be moved to another provider without changes. Privacy is another concern, because of shared resources and access by external staff in a public Serverless cloud infrastructure.

Vulnerabilities in Serverless Applications
Security vulnerabilities affect different layers of an application: the OS, the web server, the database and the application itself. In Serverless architectures the cloud provider takes care of infrastructure security, so you need not worry about security misconfigurations or issues like outdated server software. Application security, however, remains your responsibility in the Serverless model, and unfortunately many vulnerabilities live in the application layer: SQL Injection, Cross-Site Scripting (XSS), File Inclusion vulnerabilities, Cross-Site Request Forgery (CSRF), use of eval and command execution, and unvalidated redirects and forwards. These are generic vulnerabilities from the OWASP Top 10 list; some of them are covered in the articles on common web vulnerabilities and on securing a Node.js Express application. The following sections review vulnerabilities that are less well known but more specific to Serverless applications.

Missing Function Level Access Control
Sensitive functionality should be protected by an authentication mechanism, regardless of whether it is served as a web page or as an API. If anyone can reach such functionality, that is a broken access control flaw. All administrative use cases are prone to this issue: you might have several Serverless APIs for tasks like managing accounts or posts or changing service status, and you must make sure that only authorized users can access and use them.

Sensitive Data Exposure
Say you have a Serverless application for a voting system, one function of which shows the vote count for a candidate. Consider a Serverless function for displaying vote counts that accepts a candidate ID and returns the list of every user who voted for that candidate, so that the number of users can be shown as the vote count. Something is fishy here: a function whose job is to display vote counts should not return the names of voters. You might argue that the list of users is never displayed and only the count is rendered. True, but as long as the Serverless function returns all that information and is publicly accessible, an attacker can abuse it. Sensitive Data Exposure is a very common flaw; to avoid it, return only the minimum required data from your Serverless functions.

Insecure Direct Object Reference (IDOR)
Imagine an HR application with a profile API that accepts an employee ID and returns that employee's information, where employee IDs are integers and the Serverless function looks the ID up in the database. What could go wrong? An attacker can build a collection of employee IDs by starting at a low number and incrementing, then use that collection to query the function and enumerate every employee's information. This happens when the API does not implement the access control discussed above. The employee ID passed to the Serverless API is a reference to the employee record in the database, and that reference is directly controlled by the user; if such references are easy to guess, you risk having your data enumerated. Avoid guessable patterns for IDs (using a hash can help) and make sure your functions enforce access control to mitigate IDOR flaws.

Template Language Injection
A common way of rendering an HTML page from a template is to evaluate an expression embedded in the template and write the result into the output. Template language injection, or Expression language injection, occurs when a user can change the expression that the template evaluates.

Components with Known Vulnerabilities
Serverless applications are usually written in JavaScript, TypeScript or Python, and developers in these languages typically rely on numerous third-party packages to get different tasks done. These packages may have vulnerabilities, and using them can make your Serverless application vulnerable. To mitigate component vulnerabilities, make sure you use up-to-date versions of every library and run security tests to find vulnerable packages; in Node.js you can use npm audit to find vulnerabilities in npm packages (see Securing Your Node.js JavaScript Project for details).

Conclusion
Serverless applications have many benefits and use cases, such as file transformation, serving dynamic content and logging. There is a misunderstanding that Serverless applications are more secure; this is true to some extent for OS vulnerabilities, but application-layer security remains in your hands. We reviewed some of the common vulnerabilities in Serverless applications, but this list is not complete, and these vulnerabilities are not even limited to Serverless applications, so security testing of your web applications is crucial to securing them. Securing Serverless applications needs a DevSecOps approach in which developers, the operations team and security engineers collaborate closely.
2022-05-21 11:08:54
Apple AppleInsider - Frontpage News AirTag helps police track and arrest robbery suspect https://appleinsider.com/articles/22/05/21/airtag-aids-police-in-tracking-robbery-suspect?utm_medium=rss AirTag helps police track and arrest robbery suspect. Police in Portland were given a technological assist by Apple's AirTag after an armed robber unknowingly picked up the tracking device during a second theft. An armed robbery in the Block of Northwest Broadway in Portland, Oregon on Thursday involved the robbery of a store. The man, identified by police as Justin Johnston, used a gun to demand money from a staff member at the store and took the victim's cellphone and wallet. Police were able to use the phone to track him to the area of Southwest rd Avenue and Southwest Pine Street, KATU reports, and saw via surveillance video that he entered and left the Embassy Suites Hotel. Later in the day, hotel security contacted police to say the suspect had returned to the hotel. 2022-05-21 11:53:21
Overseas Science NYT > Science Since You’re Already Getting a Flu Shot, Why Not One for Covid, Too? https://www.nytimes.com/2022/05/18/health/covid-vaccine-flu-omicron.html vaccinations 2022-05-21 11:42:19
Overseas News Japan Times latest articles Yoon and Biden stress trilateral cooperation with Japan to deter North Korea https://www.japantimes.co.jp/news/2022/05/21/asia-pacific/politics-diplomacy-asia-pacific/us-south-korea-joe-biden-yoon-suk-yeol/ Yoon and Biden stress trilateral cooperation with Japan to deter North Korea. The two leaders also shared concerns about the rapid spread of COVID within the reclusive country and vowed to provide assistance by working with the 2022-05-21 20:27:09
News BBC News - Home Moldova should be equipped to Nato standard, says UK's Truss https://www.bbc.co.uk/news/uk-61532625?at_medium=RSS&at_campaign=KARANGA aggression 2022-05-21 11:42:41
Hokkaido Hokkaido Shimbun Woman in her 70s swindled out of 1.6 million yen in Sapporo's Kita Ward https://www.hokkaido-np.co.jp/article/683754/ Sapporo Kita Ward 2022-05-21 20:19:00
Hokkaido Hokkaido Shimbun Hijikata Toshizo contest held for the first time in three years; Sasaki of Tokyo wins https://www.hokkaido-np.co.jp/article/683753/ Hijikata Toshizo 2022-05-21 20:17:00
Hokkaido Hokkaido Shimbun Man in rear-end collision had died of illness, Nanae https://www.hokkaido-np.co.jp/article/683751/ Higashi-Onuma, Nanae 2022-05-21 20:13:00
Hokkaido Hokkaido Shimbun Scent-themed tourism: visually impaired group tour enjoys moss phlox in Takinoue https://www.hokkaido-np.co.jp/article/683750/ group tour 2022-05-21 20:11:00
Hokkaido Hokkaido Shimbun South Korea announces participation in IPEF; Yoon cites a "rules-based order" https://www.hokkaido-np.co.jp/article/683748/ US-South Korea summit 2022-05-21 20:08:00
Hokkaido Hokkaido Shimbun Tokyo Big6 baseball: Meiji-Rikkyo ends in a draw; in week 7, Hosei beats Tokyo https://www.hokkaido-np.co.jp/article/683747/ Tokyo Big6 baseball 2022-05-21 20:04:00
