アプリケーション開発者目線で語る、明日から始めるDevSecOps

Transcript

1. ΞϓϦέʔγϣϯ ։ൃऀ໨ઢͰޠΔɺ ໌೔͔Β࢝ΊΔ%FW4FD0QT

2. 1 Α͜ͳͰ͢ "ZBOB
   :PLPUB • +'SPHͷσϕϩούʔΞυϘέΠτ • લ৬·Ͱ͸ओʹόοΫΤϯυͷ։ൃ ʢ4*FS 
   ޿ࠂձࣾ 
   ূ݊ελʔτΞοϓʣ

   • ՖՐݟ͍ͨͳ͊ 5XJUUFS !JIDPNFHB

3. %FW4FD0QTͱ͸ %FWͱ0QTʹՃ͑ͯ4FDVSJUZ΋ڠۀ͠ ܧଓతͳιϑτ΢ΣΞσϦόϦʔΛ ࣮ݱ͢Δߟ͑ํɾऔΓ૊Έ 2 2 ։ൃ ӡ༻ ηΩϡ ϦςΟ

4. %FW4FD0QTͱ͸ 3 3

5. %FW4FD0QTʹؔ৺͕ߴ·Δཧ༝ 4 4 ग़య
   https://dzone.com/articles/10-tips-for-integrating-security-into-devops 100: 10 : 1 DEV OPS

   SEC ߈ܸ͕૿Ճ܏޲ʹ͋Δʹ΋͔͔ΘΒͣ

6. %FW4FD0QTʹؔ৺͕ߴ·Δཧ༝ 5 5 ग़య
   https://news.mynavi.jp/techplus/article/20220208-2267778/ ೔ຊاۀͷ ͕ ηΩϡϦςΟਓࡐͷෆ଍Λײ͍ͯ͡Δ ˞ถࠃ
   ɺ߽भ
    90%

7. %FW4FD0QTʹؔ৺͕ߴ·Δཧ༝ 6 6 ग़య
   https://news.mynavi.jp/techplus/article/20220208-2267778/ ॆ଍͍ͯ͠Δͱײ͡Δཧ༝ͷҐ ͍ͣΕ΋શମͷఔ౓ 🇯🇵‍ ηΩϡϦςΟۀ຿͕ඪ४Խ͞Ε͓ͯΓɺ໾ׂ෼୲͕ ໌֬Խ͞Ε͍ͯΔͨΊ 🇺🇸🇦🇺‍‍

   ηΩϡϦςΟۀ຿͕γεςϜ౳ʹΑΓࣗಈԽɾলྗԽ ͞Ε͍ͯΔͨΊ

8. ޮ཰Խɾվળ͢Δ͔͠ͳ͍ʂ 7

9. %FW4FD0QTΛࢧ͑Δப 8 8 ૊৫ ϓϩηε ٕज़ Ψόφϯε ग़య
   https://dodcio.defense.gov/Portals/0/Documents/DoD%20Enterprise%20DevSecOps%20Reference%20Design%20v1.0_Public%20Release.pdf %FW0QTͱ ݁ߏࣅͯΔ

10. %FW0QTͱҧ͏ͱ͜Ζ͸ʁ 9

11. πʔϧ 10

12. ͸͡Ί΍͍͢ͱ͜Ζ͔Β • ໢ཏతʹରࡦ͢Δͷ͕ཧ૝͕ͩɺπʔϧ΋ϓϥΫςΟε ΋ଟ͘औΓ૊Έ΍͍͢ͱ͜Ζ͔Β࢝ΊΔ • ੩తΞϓϦέʔγϣϯηΩϡϦςΟςετ 4"45 • ಈతΞϓϦέʔγϣϯηΩϡϦςΟςετ %"45

    • ιϑτ΢ΣΞίϯϙδγϣϯղੳ 4$" ͳͲ 11

13. 12 12 ίʔυ Ϗϧυ ςετ ϦϦʔε σϓϩΠ औΓ૊ΈͷϙΠϯτ ˞ਤ͸ҰྫͰ͢ 4$"

    4"45 %"45 4$" গͳ͍ਓखͰ΋ͳΔ΂͘΍͍ͬͯ͘ʂ • ࣗಈԽ͠ɺ$*$%ύΠϓϥΠϯʹ૊ΈࠐΉ • 4-%$ͷૣ͍ஈ֊Ͱؾ෇͚ΔΑ͏ʹ͢ΔʮγϑτϨϑτʯ • ϦϦʔεલʹ·ͱΊ࣮ͯࢪɺҰఆظؒ͝ͱͷ࣮ࢪͷΈͱ͍ͬͨ Ξϓϩʔν͸໰୊͕େ͖͘ͳΓ͗ͯ͢ରॲ͕େมʹͳΔڪΕ

14. ૊৫ɾΧϧνϟʔ • ૊৫͕%FW4FD0QTʹཧղΛࣔ͠ɺશମͰऔΓ૊Ή • ίϛϡχέʔγϣϯɾίϥϘϨʔγϣϯΛ׆ൃʹ͢Δ • ੒ޭ΋ࣦഊ΋ݟ௚͠ɺϑΟʔυόοΫΛड͚ͳ͕Βվળ Λ܁Γฦ͢ 13

15. ͦ͏͸ݴͬͯ΋ɾɾɾ 14

16. ͍͑ɺ·ͣ͸ ࣗ෼ࣗ਎Λݟ௚ͯ͠Έ·ͤΜ͔ʁ 15

17. ͔ͭͯͷࢲ͕͍ؕͬͯͨצҧ͍ ʮྑ͍΋ͷΛ࡞Γ͍ͨʂʯ ؔ৺ͷ΄ͱΜͲ͕Ϗδωεɺ࢓༷ɺ࣮૷ʹ޲͍͍ͯͨ • ΞϓϦέʔγϣϯͷ࡞Γ͜Έ͕ͦ͜େࣄͩͱࢥ͍ͬͯͨ • ηΩϡϦςΟ΍ηΩϡϦςΟνʔϜ΁ͷؔ৺͕ബ͔ͬͨ • ηΩϡϦςΟ͕ͱʹ͔͘ාͯۤ͘खͩͬͨ •

    ηΩϡϦςΟΛ։ൃͷϥΠϑαΠΫϧʹ૊ΈࠐΉͱ͍͏ ҙ͕ࣝͳ͔ͬͨ 16

18. 17 Ϣʔβʔʹಧ͘·Ͱ͕ʮྑ͍΋ͷΛ࡞Δʯ ηΩϡϦςΟνʔϜ΋Ұॹʹ΋ͷͮ͘ΓΛ͢Δ஥ؒ ʮηΩϡϦςΟʯ͸ൣғ͕޿͗͢Δʂ·ͣ͸෼ղ͔Β ηΩϡϦςΟνΣοΫ͸౰ͨΓલʹ܁Γฦ͠ߦ͏ ͜͏ߟ͑Α͏

19. ͓ޓ͍ͷྖҬ΁ͷ ৺ߏ͑΍औΓ૊Έɺ վળϙΠϯτ͸͋Γ·ͤΜ͔ʁ 18

20. ൓ରʹ ΠϚΠνڠྗ͕ಘΒΕͳ͍ͳͱ ײ͡Δ৔߹ɺ Կ͔צҧ͍΍ڪΕ͕ ͋Δͷ͔΋͠Ε·ͤΜ 19

21. ૊৫ɾΧϧνϟʔͷҰา໨ • ·ͣ͸͓ޓ͍͕าΈدΓɺཧղ͠Α͏ͱ͢Δ • ڥքͷ޲͜͏ଆʹؙ౤͛͠ͳ͍ • શһ͕શ෦Λཧղ͢Δඞཁ͸ͳ͘ɺগͣͭ͠୲౰ྖҬΛ ޿͍͚͛ͯ͹ྑ͍ 20

22. 21 5IBOL
    ZPV

23. ࢀߟ • ʮJFrog Xray Security and Compliance of the Open

    Source Software Dependencies You Rely onʯ https://jfrog.com/whitepaper/jfrog-xray-universal-component-analysis/ • ʮDevSecOpsͱ͸ʁʯhttps://jfrog.com/ja/devops-tools/what-is-devsecops/ • DZone 2017-04-24ʮ10 Tips for Integrating Security Into DevOpsʯhttps://dzone.com/articles/10- tips-for-integrating-security-into-devops • TECH+ 2022-02-08 ʮ೔ຊاۀͷ9ׂ͕ʰηΩϡϦςΟਓࡐෆ଍ʹ՝୊ʱ-ถ߽͸1ׂఔ౓ʯ https://news.mynavi.jp/techplus/article/20220208-2267778/ • Department of Defense (DoD) Chief Information OfficerʮDoD Enterprise DevSecOps Reference Designʯ https://dodcio.defense.gov/Portals/0/Documents/DoD%20Enterprise%20DevSecOps%20Reference %20Design%20v1.0_Public%20Release.pdf 22