
DevSecOps you can start tomorrow, told from an application developer's perspective (アプリケーション開発者目線で語る、明日から始めるDevSecOps)


ihcomega56

July 21, 2022


Transcript

  1. DevSecOps you can start tomorrow, told from an application developer's perspective

  2. I'm Yokona
     Ayana Yokota
     • Developer Advocate at JFrog
     • Until my previous job, mainly backend development
       (an SIer, an advertising company, a securities startup)
     • I'd love to go and see fireworks
     Twitter: @ihcomega

  3. What is DevSecOps?
     A mindset and set of practices in which Security collaborates alongside Dev and Ops
     so that continuous software delivery can be achieved.
     (Venn diagram: Development / Operations / Security)

  4. What is DevSecOps? (diagram only)

  5. Why interest in DevSecOps is growing
     Source: https://dzone.com/articles/10-tips-for-integrating-security-into-devops
     Developers : Operations : Security staff = 100 : 10 : 1
     ... and that is despite attacks being on the rise.

  6. Why interest in DevSecOps is growing
     Source: https://news.mynavi.jp/techplus/article/20220208-2267778/
     90% of Japanese companies feel they are short of security personnel
     (※ compared with the US and Australia, which the cited article puts at around 10%)

  7. Why interest in DevSecOps is growing
     Source: https://news.mynavi.jp/techplus/article/20220208-2267778/
     The top reason given by companies that feel adequately staffed (each accounting for about the same share of all responses):
     🇯🇵 Security work is standardised, and roles and responsibilities are clearly divided
     🇺🇸🇦🇺 Security work is automated and made less labour-intensive by systems and tooling

  8. The only way forward is to make the work more efficient and keep improving it!

  9. The pillars that support DevSecOps
     Organization / Process / Technology / Governance
     Source: https://dodcio.defense.gov/Portals/0/Documents/DoD%20Enterprise%20DevSecOps%20Reference%20Design%20v1.0_Public%20Release.pdf
     Quite similar to DevOps

  10. So where does it differ from DevOps?

  11. Tools

  12. Start where it is easiest to start
     • Comprehensive coverage is the ideal, but there are many tools and practices,
       so begin with the ones that are easiest to adopt
     • Static Application Security Testing (SAST)
     • Dynamic Application Security Testing (DAST)
     • Software Composition Analysis (SCA)
     and so on

  13. Where in the pipeline to apply them
     Code → Build → Test → Release → Deploy
     (diagram mapping SCA, SAST and DAST onto the pipeline stages; ※ the diagram is one example)
     Keep doing as much as you can, even with few people!
     • Automate the checks and build them into the CI/CD pipeline
     • "Shift left": make problems visible at an early stage of the SDLC
     • Running checks in one batch before release, or only at fixed intervals, risks letting
       problems grow so large that dealing with them becomes painful
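As an added example (not code from the deck, from JFrog, or from any product the deck cites), the following Python script sketches the kind of automated SCA gate the bullets above describe: it runs as an early CI job against the repository's pinned dependency file and fails the job when a finding at or above a chosen severity has not been explicitly accepted. The lockfile, the advisory feed, the package names (acme-*) and the advisory IDs (EXAMPLE-2022-*) are all constructed placeholders, and the severity threshold and the accepted-risk allowlist are this example's own design choices.

```python
"""Added example: an SCA-style dependency gate for an early CI/CD job.
Not code from the deck or from JFrog; every package, version and advisory
ID below is a constructed placeholder, not a real package or CVE."""
from collections import namedtuple
from dataclasses import dataclass
import sys

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

@dataclass(frozen=True)
class Advisory:
    advisory_id: str  # placeholder identifier, not a real CVE
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive upper bound)
    severity: str

Finding = namedtuple("Finding", "package version advisory")

# Constructed advisory feed; a real pipeline pulls this from a
# vulnerability database or a scanner instead.
SAMPLE_ADVISORIES = [
    Advisory("EXAMPLE-2022-0001", "acme-http", "2.0.0", "2.4.1", "HIGH"),
    Advisory("EXAMPLE-2022-0002", "acme-yaml", "0.0.0", "5.4.0", "CRITICAL"),
    Advisory("EXAMPLE-2022-0003", "acme-log", "1.0.0", "1.2.0", "LOW"),
]

# Constructed pip-style lockfile as it might be committed to the repo.
SAMPLE_LOCKFILE = """\
# pinned dependencies (constructed sample)
acme-http==2.3.0
Acme-YAML==5.4.2   # already at/after the fixed version
acme-log==1.1.5
acme-db==3.0.0
"""

def parse_version(text: str) -> tuple:
    """'2.4.1' -> (2, 4, 1); missing parts pad to 0, and a suffix such as
    '0rc1' keeps only its leading digits (simplification: a pre-release
    compares equal to its final release)."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts + [0] * (3 - len(parts)))

def parse_lockfile(text: str) -> dict:
    """Read 'name==version' pins; comments/blank lines are skipped and names
    are lower-cased because package indexes compare them case-insensitively."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep:  # a gate can only reason about exact pins
            raise ValueError(f"unpinned dependency: {line!r}")
        pins[name.strip().lower()] = version.strip()
    return pins

def is_affected(version: str, adv: Advisory) -> bool:
    return parse_version(adv.introduced) <= parse_version(version) < parse_version(adv.fixed)

def scan(lockfile_text: str, advisories=SAMPLE_ADVISORIES) -> list:
    """Match every pinned package against the advisory feed."""
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv.package.lower(), []).append(adv)
    return [Finding(name, version, adv)
            for name, version in parse_lockfile(lockfile_text).items()
            for adv in by_package.get(name, [])
            if is_affected(version, adv)]

def gate(findings, fail_on="HIGH", accepted=frozenset()):
    """Return (passed, blocking_findings). `fail_on` is the lowest severity
    that blocks; `accepted` holds advisory IDs whose risk was reviewed and
    accepted elsewhere (still reported, no longer blocking)."""
    threshold = SEVERITY_RANK[fail_on]
    blocking = [f for f in findings
                if SEVERITY_RANK[f.advisory.severity] >= threshold
                and f.advisory.advisory_id not in accepted]
    return not blocking, blocking

def main() -> int:
    findings = scan(SAMPLE_LOCKFILE)
    for f in findings:
        print(f"{f.advisory.severity:<8} {f.advisory.advisory_id} "
              f"{f.package}=={f.version} (fixed in {f.advisory.fixed})")
    passed, blocking = gate(findings, fail_on="HIGH")
    print("PASS" if passed else f"FAIL: {len(blocking)} blocking finding(s)")
    return 0 if passed else 1  # non-zero exit status fails the CI step

if __name__ == "__main__":
    sys.exit(main())
```

Wiring this into a pipeline is a matter of running the script (saved as, say, sca_gate.py) as a step before the build: because it exits non-zero on blocking findings, the pipeline stops at the code stage rather than at release. The `accepted` allowlist is what keeps such a gate from being switched off out of frustration: a known, reviewed risk is recorded by advisory ID and is still reported, while anything new blocks.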


  14. Organization and culture
     • The organization understands what DevSecOps is and takes it on as a whole
     • Keep communication and collaboration active
     • Review both successes and failures, and keep improving while taking in feedback

  15. That said...

  16. No, how about first taking a look at ourselves?

  17. Misconceptions I used to fall into
     "I want to build good things!"
     Almost all of my attention went to the business, the specification and the implementation
     • I believed the craftsmanship of the application itself was what really mattered
     • I had little interest in security or in the security team
     • Security simply felt scary, and it was something I was bad at
     • I had no awareness of building security into the development lifecycle

  18. Think of it this way
     "Building good things" extends all the way to the product reaching the user
     The security team are fellow builders who make the product with you
     "Security" is far too broad a scope! Start by breaking it down
     Security checks are something you do repeatedly, as a matter of course

  19. Are there attitudes, practices, or points to improve in how you approach each other's domains?

  20. Conversely, if you feel you are not getting much cooperation,
     there may be some misunderstanding or fear behind it

  21. The first step for organization and culture
     • First, both sides move toward each other and try to understand
     • Don't just throw things over the wall to the other side
     • Not everyone has to understand everything; gradually widening your own area of responsibility is enough

  22. Thank you

  23. References
     • "JFrog Xray: Security and Compliance of the Open Source Software Dependencies You Rely on", https://jfrog.com/whitepaper/jfrog-xray-universal-component-analysis/
     • "DevSecOpsとは？" (What is DevSecOps?), https://jfrog.com/ja/devops-tools/what-is-devsecops/
     • DZone, 2017-04-24, "10 Tips for Integrating Security Into DevOps", https://dzone.com/articles/10-tips-for-integrating-security-into-devops
     • TECH+, 2022-02-08, "日本企業の9割が『セキュリティ人材不足に課題』- 米豪は1割程度" (90% of Japanese companies see a shortage of security personnel as a problem; US and Australia around 10%), https://news.mynavi.jp/techplus/article/20220208-2267778/
     • Department of Defense (DoD) Chief Information Officer, "DoD Enterprise DevSecOps Reference Design", https://dodcio.defense.gov/Portals/0/Documents/DoD%20Enterprise%20DevSecOps%20Reference%20Design%20v1.0_Public%20Release.pdf