はじめよう DevSecOps

Transcript

1. ͸͡ΊΑ͏DevSecOps CypherTec Inc. yu fujioka CC By Rajiv.Pantderivative Sec

2. whoami yu fujioka: ॴଐɿCypherTec Inc. ɾSoftware Engineer ݉ Security Engineer

   ɾιϑτ΢ΣΞ։ൃ΍ηΩϡϦςΟ਍அۀ຿Λ୲౰ ɾGo ͱ Docker ͱαʔόʔϨεΞʔΩςΫνϟ͕޷͖ ͜ͷ LT ͷ಺༰͸ݸਓͷݟղͰ͋Γɺ ॴଐ͢Δ૊৫ͷݟղͱඞͣ͠΋Ұக͢Δ΋ͷͰ͸͋Γ·ͤΜɻ

3. ɹ·ͣ͸ ɹɹɹ DevOps ɹͷ͜ͱΛ஌͍ͬͯ·͔͢ʁ ɹ

4. Development ։ൃ Operations ӡ༻ ։ൃɺӡ༻౳ͷҟͳΔηΫγϣϯ͕࿈ܞɾڠྗͯ͠ਐΊΔͱ͍͏֓೦ɻ ͜ͷ༻ޠΛଊ͑Δ໌֬ͳఆٛ͸ͳ͘ɺΞδϟΠϧͷྲྀΕͷதͰൃੜͨ͠Ϝʔ ϒϝϯτɺΧϧνϟʔͱଊ͑Δͱ෼͔Γ΍͍͢ɻ ※2007೥ࠒ͔Βͦͷ਽ܗ͕ੜ·Ε࢝ΊΔ͕ɺ2009೥ͷ Flickr ࣾһͷϓϨθϯͰ޿͘ೝ஌͞ΕΔɻ

   ɹසൟʹมߋ͕ൃੜ͢ΔΞδϟΠϧ։ൃͷݱ৔Ͱى͖ͨ։ൃνʔϜͱӡ༻νʔϜͷ᫁᫟Λ ɹऔΓ্͛ɺ։ൃͱӡ༻ΛγʔϜϨεʹ౷߹ͤ͞ΔඞཁੑΛड़΂ͨɻ CC By Rajiv.Pantderivative

5. Ͳ͏΍࣮ͬͯݱ͢Δͷʁ ͬ͘͟Γݴ͏ͱ 1. ૊৫վֵ ɹσϦόϦʔʹؔΘΔ͞·͟·ͳνʔϜͷڠௐΛҭΈɺ૊৫͕ ɹҰؙͱͳͬͯ໰୊ղܾʹ౰ͨΓɺ৽͍͠஌ࣝɺ஌ܙΛੜΈग़͍ͯ͘͠ 2. ࣗಈԽ ɹٕज़΍πʔϧΛ༻͍ͯɺσϦόϦʔʹؔΘΔ͞·͟·ͳϓϩηεΛ౷߹͢Δ ɹex)

   IaaC, Ansible, Chef, Jenkins, Selenium… ఱจֶ͕๬ԕڸͰ͸ͳ͍ͷͱಉ͡Α͏ʹɺ DevOps͸ΦʔτϝʔγϣϯͰ͸ͳ͍ʢChristopher Littleʣ

6. খ͞ͳ૊৫ͷ DevOps ૊৫վֵʹ͍ͭͯ͸֤ࣾͰؤு͍ͬͯͩ͘͞ʂ ౰ࣾͷΑ͏ͳখ͞ͳ૊৫(ࣾһ10໊ఔ౓)Ͱ͸ɺ ։ൃ୲౰ऀͱӡ༻୲౰ऀ͕ಉ͡ͱ͍͏έʔε͕ଟ͍ɻ ɹͦͷͨΊηΫγϣφϦζϜʹىҼ͢Δ᨝͍͸ى͜ΓͮΒ͍ ͔ͦ͠͠ͷ෼ݸʑͷ୲౰ऀͷෛ୲͸େ͖͘ɺ ࣗಈԽʹΑͬͯϓϩηεΛ౷߹͢Δඞཁੑ͸ߴ͍ɻ

7. ɹWhat is DevSecOpsʁ Sec

8. Development ։ൃ Security ηΩϡϦςΟ Operations ӡ༻ 2018೥ࠒ͔ΒDevOps ʹ͓͚ΔηΩϡϦςΟͷॏཁੑΛڧௐ͢ ΔͨΊɺDevSecOps ͱ͍͏ݴ༿͕࢖ΘΕ࢝Ίͨɻ

   ͔͠͠ɺݩʑ DevOps ͸ηΩϡϦςΟ΋ؚΊͨ޿ൣͳ֓೦Ͱ͋ Γɺ࣮͸໨৽͍͠࿩Ͱ͸ͳ͍ɻ ὎ 2016ࠒ͔ΒɺRugged DevOps ΍ DevOpsSec ͱ͍͏ݴ༿ ͸ଘࡏ͍ͯ͠Δɻ ίϯςΩετ͕ҟͳΔ͚ͩͰɺ࣮࣭తʹ DevOps == DevSecOps ͱཧղ͍ͯ͠Δɻ

9. DevOps ʹ͓͚ΔηΩϡϦςΟͷॏཁੑ ैདྷͷΑ͏ʹ։ൃͷ࠷ޙʹηΩϡϦςΟνΣοΫΛߦ͏ͱɺDevOps ͷα ΠΫϧ͸ͦ͜Ͱࢭ·Β͟ΔΛಘͳ͍ɻ ͦͯ͠௨ৗͷςετͱಉ༷ɺ։ൃͷޙ൒ʹͳΕ͹ͳΔ΄Ͳख໭ΓʹΑΔ௧Έ ͸େ͖͘ͳΔɻ ৘ใηΩϡϦςΟʹΑΔ଍ࢭΊ͸ͦͷͳ͔Ͱ΋࠷ѱͳ΋ͷͷ1ͭ (Justin Arbuckle)

   ὎DevOps ͷαΠΫϧશମʹηΩϡϦςΟΛਁಁͤ͞Δඞཁ͕͋Δ

10. ɾηΩϡϦςΟνʔϜΛ։ൃͷॳظஈ֊͔ΒؔΘΒͤɺ ɹ։ൃαΠΫϧͷதͰηΩϡϦςΟͷ৘ใΛਁಁͤ͞Δ ɾయܕతͳIT૊৫Ͱ͸։ൃɺӡ༻ɺηΩϡϦςΟͷΤϯδχΞͷൺ཰͸100:10:1 ɹ։ൃαΠΫϧશମʹηΩϡϦςΟΛਁಁͤ͞Δʹ͸ͦͷҰ෦ΛࣗಈԽ͠ɺ ɹ։ൃͱӡ༻ͷ೔ৗۀ຿ʹηΩϡϦςΟΛ૊ΈࠐΉඞཁ͕͋Δɻ ࣾ಺ʹηΩϡϦςΟνʔϜ͕͍Ε͹ྑ͍͚Ͳɾɾɾ ࣗಈԽ͸πʔϧͰ΋Ͱ͖ͦ͏ɻͰ͖Δ͜ͱ͔Β࢝ΊΑ͏ʂ DevOps ʹηΩϡϦςΟΛਁಁͤ͞ΔϙΠϯτ ~THE

    DevOps HANDBOOK (2017)ΑΓ~

11. Ͱ΋ηΩϡϦςΟͷπʔϧͬͯ ͓ߴ͍ΜͰ͠ΐ͏ʁ

12. ߴػೳͳ੡඼͸҆͘͸ͳ͍Ͱ͢Ͷɾɾɾ ্ه͸ 9 Great DevSecOps Tools for Dev Teams to

    Integrate Throughout the DevOps Pipeline Ͱ঺հ͞Ε͍ͯͨπʔϧΛௐ΂ͨՁ֨ද ઌ݄ͷ Software Design ʹࡌ͍ͬͯͨ WhiteSource ΋ $4,000~ ͱ͓ߴΊ Qiita ʹ຋༁هࣄΛ౤ߘ͍ͯ͠·͢ɻ ɹ὎։ൃνʔϜͷͨΊͷ DevOps ύΠϓϥΠϯΛ౷߹͢Δͭ̕ͷ༏Εͨ DevSecOps πʔϧ Product Price Remarks IriusRisk ASK Ձ֨͸ΞϓϦ਺ຖɻCommunity Edition ͕͋Δ ThreatModeler ASK Evident.io(ESP) $199 per month and scale to support AWS environment Checkmarx ASK? Contrast Security ASK Community Edition ͕͋Δɻ೔ຊͷ୅ཧళ΋͋Δ IMMUNIO Free~$999 Aqua Security GCP Marketplace Ͱ $0.33/hour Dome9 Security ASK WhiteSource $4,000~

13. ͓ۚͳ͍Μ͚ͩͲ OSS ͰͳΜͱ͔Ͱ͖ͳ͍͔ͳɾɾɾʁ

14. ଟ෼Ͱ͖Δʂ ্ه͸ Future Architect ࣾΒͷϝϯόʔͷʮ΅͘ͷߟ͍͖͑ͨ͞ΐ͏ͷDevSecOpsʯΑΓൈਮ ὎ૉ੖Β͍͠ࢿྉɻ΍Γ͍ͨ͜ͱશ෦ॻ͍ͯ͋ͬͨɻ OSS Ͱ͸ଞʹ΋ Nikto ΍

    OWASP Benchmarkɺ͞·͟·ͳπʔϧ͕͋Γ·͢ɻ
 OWASP ͷ Free for Open Source Application Security Tools ʹ΋·ͱ·͍ͬͯ·͢ɻ

15. ͦ΋ͦ΋ DevOps ͢ΒରԠ͍ͯ͠ͳ͍ ͔ΒແཧͩΑͶɾɾɾʁ

16. Ͱ͖Δ͜ͱ͸୔ࢁ͋Δʂ ɾશ෦ΛҰ౓ʹ΍Ζ͏ͱͨ͠ΒΤϯδχΞ͕ࢮ͵ ɹΠϯϑϥɺίʔυɺϥΠϒϥϦɺΞϓϦέʔγϣϯɺ ɹͦΕͧΕʹదͨ͠ηΩϡϦςΟπʔϧΛҰͭͣͭ ɹಋೖ͍͖ͯ͠ɺগͣͭ͠Ͱ΋վળ͍ͯ͘͜͠ͱ͕େࣄɻ ɾnpm audit ίϚϯυΛఆظతʹ࣮ߦ͢Δ͜ͱ΍ɺ ɹGitHub ͷ

    Security Alert ʹͪΌΜͱରԠ͢Δ͜ͱ΋ ɹཱ೿ͳηΩϡϦςΟରࡦͱݴ͑Δɻ ηΩϡΞίʔσΟϯά΋େࣄͩ͠ɺηΩϡΞͳݴޠͷ࠾༻ͳͲ΋ॏཁɻ Go ͸ΤϥʔϋϯυϦϯά΍ςετۦಈ։ൃ͕͠қ͍ݴޠͳͷͰ͓͢͢Ί

17. ͦΜͳ͜ͱΑΓઌʹࣗಈςετॻ͍ͯΑ ϨΨγʔίʔυͷϦϑΝΫλ͕ઌͰ͠ΐ ͦΕΑΓ΋·ͣίϯςφԽ͠Α͏Α ϚΠΫϩαʔϏεԽ͔ͯ͠Βͷํ͕΍Γ΍͍͢Α ਖ਼࿦ͱ͍͏໊ͷվળ΁ͷোน ՆقٳՋͪΌΜͱऔಘͨ͠ʁ

18. ηΩϡϦςΟͷ༏ઌ౓͸ܾͯ͠௿͘ͳ͍ • ੈքʹিܸΛ༩͑ͨύφϚจॻͷྲྀग़͸ WordPress ͷݹ͍ϓϥάΠϯͷ੬ऑੑ͕ར༻͞Εͨɻ ɹ὎ࣗಈνΣοΫ͍͑ͯ͞͠Ε͹࣮֬ʹ๷͛ͨࣄނ • ʮ੬ऑੑରࡦ৘ใͷެ։ʹ൐͏ѱ༻૿Ճʯ͸ɺ ɹ2018೥৘ใηΩϡϦςΟ10େڴҖͷୈ4Ґ •

    ηΩϡϦςΟɾΠϯγσϯτ͕ൃੜͯ͠͠·ͬͨ ɹ࣌ͷ๲େͳଛࣦ͸࠷ۙͷχϡʔεͰ΋ݟ·͢ΑͶɻ ̓Pay ͷχϡʔεΛݟΔͱң͕௧͘ͳΔͷ͸ࢲ͚ͩͰ͠ΐ͏͔ʁ

19. Ҏ্Ͱ͢ɻ ͝੩ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠ɻ DevSecOps ͸ܾͯ͠ෑډ͕ߴ͍΋ͷͰ΋ɺ ͓͕͔͔ۚΔ΋ͷͰ΋͋Γ·ͤΜɻ গͣͭ͠Ͱ΋ྑ͍ͷͰɺண࣮ʹऔΓ૊ΜͰ͍͖·͠ΐ͏ɻ

20. ɾThe DevOps ϋϯυϒοΫ ཧ࿦ɾݪଇɾ࣮ફͷ͢΂ͯ ɾDevOpsͱ͸Կ͔ʁ ͦͷπʔϧͱ૊৫จԽɺΞδϟΠϧͱͷҧ͍ ɾDevOps(Wikipedia) ɾRedHat : DevSecOps

    ͱ͸ ɾ9 Great DevSecOps Tools for Dev Teams to Integrate Throughout the DevOps Pipeline ɾ։ൃνʔϜͷͨΊͷ DevOps ύΠϓϥΠϯΛ౷߹͢Δͭ̕ͷ༏Εͨ DevSecOps πʔϧ ɾ΅͘ͷߟ͍͖͑ͨ͞ΐ͏ͷDevSecOps ɾNikto ɾOWASP Benchmark ɾFree for Open Source Application Security Tools ɾIPA: ৘ใηΩϡϦςΟ10େڴҖ 2018 referenceɹ The Go gopher was designed by Renée French.