DevSecOps You Can Start Tomorrow, from an Application Developer's Perspective

ihcomega56

July 21, 2022

Transcript

  1. DevSecOps You Can Start Tomorrow, from an Application Developer's Perspective

  2. I'm Yokona (Ayana Yokota)
    • Developer Advocate at JFrog
    • Until my previous job, mainly backend development (SIer, advertising company, securities startup)
    • Would love to go see fireworks. Twitter: @ihcomega
  3. What is DevSecOps? A way of thinking and a set of practices in which Security collaborates alongside Dev and Ops to achieve continuous software delivery. [Diagram: Development / Operations / Security]

  4. What is DevSecOps? [figure]

  5. Why interest in DevSecOps is growing. Source: https://dzone.com/articles/10-tips-for-integrating-security-into-devops
    DEV : OPS : SEC = 100 : 10 : 1, even though attacks are on the rise.
  6. Why interest in DevSecOps is growing. Source: https://news.mynavi.jp/techplus/article/20220208-2267778/
    90% of Japanese companies feel they are short of security personnel (※ United States, Australia: …).

  7. Why interest in DevSecOps is growing. Source: https://news.mynavi.jp/techplus/article/20220208-2267778/
    Top reason given for feeling adequately staffed (in each case about … of the total):
    🇯🇵 Security work is standardized and the division of roles is clearly defined.
    🇺🇸🇦🇺 Security work is automated and made less labor-intensive by systems and tooling.
  8. The only option is to become more efficient and to improve!

  9. The pillars that support DevSecOps: Organization, Process, Technology, Governance. Source: https://dodcio.defense.gov/Portals/0/Documents/DoD%20Enterprise%20DevSecOps%20Reference%20Design%20v1.0_Public%20Release.pdf (Quite similar to DevOps.)

  10. So what is different from DevOps?

  11. Tools

  12. Start where it is easy
    • Comprehensive countermeasures are the ideal, but there are many tools and practices, so start with whatever is easiest to adopt
    • Static Application Security Testing (SAST)
    • Dynamic Application Security Testing (DAST)
    • Software Composition Analysis (SCA), and so on
  13. Where to focus the effort (※ the figure is only one example) [Figure: pipeline stages Code, Build, Test, Release, Deploy, with SCA, SAST and DAST placed along them]
    Do as much as you can, even with few people!
    • Automate the checks and build them into the CI/CD pipeline
    • Make problems visible early in the SDLC: "shift left"
    • Approaches that only run the checks all at once before a release, or only at fixed intervals, risk letting problems grow so large that dealing with them becomes painful
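As an added illustration of the "automate it and build it into the CI/CD pipeline" point (example code written for this page, not from the talk or from any JFrog product): a small Python gate that reads a scanner's SARIF 2.1.0 report, fails the build on new findings at or above a CVSS threshold, and tolerates pre-existing findings listed in a baseline so the shift-left gate can be switched on incrementally instead of blocking on all the existing debt at once. The report, rule names, file paths and baseline are constructed sample data.

```python
"""CI gate for SAST/SCA output in SARIF 2.1.0, the format most scanners emit."""
import json
import sys

# Constructed sample report (not from the deck): one new high-severity finding
# and one pre-existing finding that the team already tracks.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast", "rules": [
        {"id": "sql-injection", "properties": {"security-severity": "9.8"}},
        {"id": "weak-hash", "properties": {"security-severity": "7.5"}}]}},
    "results": [
        {"ruleId": "sql-injection", "level": "error",
         "message": {"text": "user input reaches SQL query"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "src/db.py"},
             "region": {"startLine": 42}}}]},
        {"ruleId": "weak-hash", "level": "warning",
         "message": {"text": "MD5 used for password hashing"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "src/auth.py"},
             "region": {"startLine": 7}}}]}]}]})

# Hypothetical baseline: findings already known when the gate was switched on.
# Keyed by (rule, file) rather than line so unrelated edits don't look "new";
# it should shrink over time as the existing debt is paid down.
BASELINE = {("weak-hash", "src/auth.py")}

def findings(sarif_text):
    """Flatten SARIF results into (rule, file, line, cvss_score) tuples."""
    out = []
    for run in json.loads(sarif_text).get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            rule = res.get("ruleId", "")
            props = rules.get(rule, {}).get("properties", {})
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            out.append((rule, loc.get("artifactLocation", {}).get("uri", "?"),
                        loc.get("region", {}).get("startLine", 0),
                        float(props.get("security-severity", 0.0))))
    return out

def gate(sarif_text, baseline=frozenset(), min_score=7.0):
    """Findings that must fail the build: at or above the CVSS threshold
    and not already accepted in the baseline."""
    return [f for f in findings(sarif_text)
            if f[3] >= min_score and (f[0], f[1]) not in baseline]

if __name__ == "__main__":  # pipeline step: python gate.py report.sarif
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    blocking = gate(text, BASELINE)
    for rule, path, line, score in blocking:
        print(f"BLOCK {rule} {path}:{line} cvss={score}")
    sys.exit(1 if blocking else 0)  # non-zero exit fails the pipeline stage
```

Run on every push so a new high-severity finding fails the change that introduced it, and review the baseline file periodically so accepted findings are actually fixed rather than forgotten.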
  14. Organization and culture
    • The organization understands DevSecOps and everyone takes part
    • Keep communication and collaboration active
    • Review both successes and failures, and keep improving based on feedback

  15. That said...

  16. Actually, why not start by taking a fresh look at yourself?

  17. Misconceptions I used to have: "I want to build good things!" Almost all of my attention went to the business, the spec and the implementation
    • I thought the craftsmanship of the application was what really mattered
    • I had little interest in security or in the security team
    • Security just felt scary and was a weak point for me
    • I had no awareness that security should be built into the development lifecycle
  18. Let's think of it this way
    • "Building good things" includes everything up to the point it reaches the user
    • The security team are fellow builders working alongside us
    • "Security" is far too broad a scope, so start by breaking it down
    • Security checks are performed repeatedly as a matter of course

  19. When it comes to each other's areas of work, is there anything to improve in your mindset or in how you engage?

  20. Conversely, if you feel you are not quite getting cooperation, there may be some misunderstanding or fear behind it.

  21. The first step in organization and culture
    • First, meet each other halfway and try to understand one another
    • Don't just throw things over the wall to the other side
    • Not everyone needs to understand everything; it is fine to widen your own area of responsibility little by little

  22. Thank you

  23. References
    • "JFrog Xray: Security and Compliance of the Open Source Software Dependencies You Rely on" https://jfrog.com/whitepaper/jfrog-xray-universal-component-analysis/
    • "What is DevSecOps?" https://jfrog.com/ja/devops-tools/what-is-devsecops/
    • DZone, 2017-04-24, "10 Tips for Integrating Security Into DevOps" https://dzone.com/articles/10-tips-for-integrating-security-into-devops
    • TECH+, 2022-02-08, "90% of Japanese companies see a 'shortage of security personnel' as a problem; in the US and Australia it is around 10%" https://news.mynavi.jp/techplus/article/20220208-2267778/
    • Department of Defense (DoD) Chief Information Officer, "DoD Enterprise DevSecOps Reference Design" https://dodcio.defense.gov/Portals/0/Documents/DoD%20Enterprise%20DevSecOps%20Reference%20Design%20v1.0_Public%20Release.pdf