なぜLayerXのセキュリティでSoftware指向が重視されているか

Transcript

1. @ken5scal, 2022/09/30 ͳͥLayerXͷηΩϡϦςΟͰ Softwareࢦ޲͕ॏࢹ͞Ε͍ͯΔ͔ LayerX CTOࣨ, Fintechࣄۀຊ෦

2. ࣗݾ঺հ • @ken5scal • LayerX: 2020/02 ~ • CTOࣨ /

   Fintechࣄۀ෦ • CTOࣨ: CTO഑ԼͰશࣾԣஅతͳηΩϡϦςΟɾγεςϜͷ։ ൃɾӡ༻ • Fintechࣄۀ෦: ෆಈ࢈ূ݊ͷখޱԽ • ݸਓ׆ಈʮSecureཱྀஂʯ • ΄΅िץʮ๩͍͠ਓͷͨΊͷηΩϡϦςΟɾΠϯςϦδΣϯεʯ • PodCastʮSecure Liaisonʯ

3. ࠓ೔ͷ͓࿩ • ͜ΕͷηΩϡϦςΟαΠυ https://tech.layerx.co.jp/entry/2022/07/27/090609 https://tech.layerx.co.jp/entry/2022/07/27/090609

4. None
5. None

6. 45min/ਓ * Nਓ -> 10min

7. ஥ؒΛ૿΍͢ ಉ͡ߟ͑ํ΋ͬͯ͘ΕΔ஥͕ؒ૿͑Δͱ͏Ε͍͠ͳ˒ ࠓ೔ͷΰʔϧ

8. CTOࣨͷ໾ׂͱืूཁ߲ • ໾ׂ • σδλϧܦࡁ׆ಈΛݎ࿚Խ͢Δ • શࣾతͳLayerXͷϓϩμΫτͷϙςϯγϟϧΛ࠷େԽ͢Δ • ืूཁ߲

9. CTOࣨͷ໾ׂͱืूཁ߲ • ໾ׂ • σδλϧܦࡁ׆ಈΛݎ࿚Խ͢Δ • શࣾతͳLayerXͷϓϩμΫτͷϙςϯγϟϧΛ࠷େԽ͢Δ • ืूཁ߲ɹʢڧ͘ιϑτ΢ΣΞͳϓϩμΫτ։ൃܦݧΛཁٻʣ

10. CTOࣨͷ࣮੷ • ্ྲྀʁܥ • վఆݸਓ৘ใอޢͳͲͷํରԠ • ֤छγεςϜؔ࿈ͷنఔ࡞੒ɾӡ༻ • ֤छݚम •

    γεςϜӡ༻ • ΦϯϘʔσΟϯάؔ܎࡞ۀͷࣗಈԽ • ΦϑϘʔσΟϯάͷࣗಈԽ • ॏཁΠϯϑϥͷશମߏ੒ɾ؂ࢹج൫ • ࣾ಺޲͚γεςϜͷೝূήʔτ΢ΣΠ • ࢖͏ݴޠ • ݴޠ: Golang, TypeScript • Iac: Terraform, CDK • IaaS: جຊAWS, ͨ·ʹGCP

11. Why?

12. ηΩϡϦςΟରԠΛSWԽ͢Δཧ༝͸৭ʑ͋Δ • SoftwareԽͷఆٛͬͯͳΜͩͱ͍͏ͷ͸ޙ೔ʹɻɻɻ • ࠶ݱੑ͕ڧ·Δ • ΤϏσϯεͷऔಘ͕༰қʹͳΔ • ࡞ۀՄೳͳ࣌ؒͷറΓ͕ͳ͘ͳΔ •

    ࿑ಇࢢ৔ͷڱ͍ݴޠʢ೔ຊޠʣʹґଘ͠ͳͯ͘Α͘ͳΔ • ࡉ͔͍৚݅ࣜΛӡ༻͠΍͘͢ͳΔ • ͳͲͳͲ https://www.paloaltonetworks.com/blog/2019/08/4-practical-steps-shift-left-security/?lang=ja https://www.nri-secure.co.jp/glossary/shift-left https://www.aquasec.com/cloud-native-academy/devsecops/shift-left-devops/

13. ηΩϡϦςΟରԠΛSWԽ͢Δཧ༝͸৭ʑ͋Δ • SoftwareԽͷఆٛͬͯͳΜͩͱ͍͏ͷ͸ޙ೔ʹɻɻɻ • ࠶ݱੑ͕ڧ·Δ • ΤϏσϯεͷऔಘ͕༰қʹͳΔ • ࡞ۀՄೳͳ࣌ؒͷറΓ͕ͳ͘ͳΔ •

    ࿑ಇࢢ৔ͷڱ͍ݴޠʢ೔ຊޠʣʹґଘ͠ͳͯ͘Α͘ͳΔ • ࡉ͔͍৚݅ࣜΛӡ༻͠΍͘͢ͳΔ • ͳͲͳͲ https://www.paloaltonetworks.com/blog/2019/08/4-practical-steps-shift-left-security/?lang=ja https://www.nri-secure.co.jp/glossary/shift-left https://www.aquasec.com/cloud-native-academy/devsecops/shift-left-devops/ ࡢࠓͷϓϩμΫτ։ൃ͔Βɺ Ͳ͏ͯ͠ιϑτ΢ΣΞԽΛਐΊͯΔ͔

14. ηΩϡΞͳϓϩμΫτͱݴ͑͹γϑτϨϑτ • ϏδωεతͳγϑτϨϑτ • ʮϦϦʔεͷεέδϡʔϧΛ๦͛ͳ͍Α͏ʹɺηΩϡϦ ςΟʹؔΘΔ޻ఔΛલ౗࣮ͯ͠͠ࢪ͢Δͱ͍͏֓೦ʯby NRIηΩϡΞ • ʮ։ൃϓϩηεͷՄೳͳݶΓૣظͷஈ֊ʹηΩϡϦςΟର ࡦΛҠಈͤ͞Δ͜ͱʯ

    by PaloAlto https://www.paloaltonetworks.com/blog/2019/08/4-practical-steps-shift-left-security/?lang=ja https://www.nri-secure.co.jp/glossary/shift-left https://www.aquasec.com/cloud-native-academy/devsecops/shift-left-devops/

15. ηΩϡΞͳϓϩμΫτͱݴ͑͹γϑτϨϑτ • ϏδωεతͳγϑτϨϑτ • ʮϦϦʔεͷεέδϡʔϧΛ๦͛ͳ͍Α͏ʹɺηΩϡϦ ςΟʹؔΘΔ޻ఔΛલ౗࣮ͯ͠͠ࢪ͢Δͱ͍͏֓೦ʯby NRIηΩϡΞ • ʮ։ൃϓϩηεͷՄೳͳݶΓૣظͷஈ֊ʹηΩϡϦςΟର ࡦΛҠಈͤ͞Δ͜ͱʯ

    by PaloAlto https://www.paloaltonetworks.com/blog/2019/08/4-practical-steps-shift-left-security/?lang=ja https://www.nri-secure.co.jp/glossary/shift-left

16. ηΩϡΞͳϓϩμΫτͱݴ͑͹γϑτϨϑτ • ϏδωεతͳγϑτϨϑτ • ʮϦϦʔεͷεέδϡʔϧΛ๦͛ͳ͍Α͏ʹɺηΩϡϦςΟʹؔΘΔ޻ ఔΛલ౗࣮ͯ͠͠ࢪ͢Δͱ͍͏֓೦ʯby NRIηΩϡΞ • ʮ։ൃϓϩηεͷՄೳͳݶΓૣظͷஈ֊ʹηΩϡϦςΟରࡦΛҠಈͤ͞ Δ͜ͱʯ

    by PaloAlto • DevOpsతͳγϑτϨϑτ • ”he e ff orts of a DevOps team to guarantee application security at the earliest stages in the development lifecycle, as part of an organizational pattern known as DevSecOps” by aquasec https://www.paloaltonetworks.com/blog/2019/08/4-practical-steps-shift-left-security/?lang=ja https://www.nri-secure.co.jp/glossary/shift-left https://www.aquasec.com/cloud-native-academy/devsecops/shift-left-devops/

17. ηΩϡΞͳϓϩμΫτͱݴ͑͹γϑτϨϑτ • ϏδωεతͳγϑτϨϑτ <- 2015೥ʹ͸͋ͬͨ • ʮϦϦʔεͷεέδϡʔϧΛ๦͛ͳ͍Α͏ʹɺηΩϡϦςΟʹؔΘΔ޻ఔΛલ౗ ࣮ͯ͠͠ࢪ͢Δͱ͍͏֓೦ʯby NRIηΩϡΞ •

    ʮ։ൃϓϩηεͷՄೳͳݶΓૣظͷஈ֊ʹηΩϡϦςΟରࡦΛҠಈͤ͞Δ͜ͱʯ by PaloAlto • DevOpsతͳγϑτϨϑτ<- ࠷ۙͷSWαϓϥΠνΣʔϯؔ܎ • ”he e ff orts of a DevOps team to guarantee application security at the earliest stages in the development lifecycle, as part of an organizational pattern known as DevSecOps” by auasec https://www.paloaltonetworks.com/blog/2019/08/4-practical-steps-shift-left-security/?lang=ja https://www.nri-secure.co.jp/glossary/shift-left https://www.aquasec.com/cloud-native-academy/devsecops/shift-left-devops/

18. ηΩϡΞͳϓϩμΫτͱݴ͑͹γϑτϨϑτ • ϏδωεతͳγϑτϨϑτ <- 2015೥ʹ͸͋ͬͨ • ʮϦϦʔεͷεέδϡʔϧΛ๦͛ͳ͍Α͏ʹɺηΩϡϦςΟʹؔΘΔ޻ఔΛલ౗ ࣮ͯ͠͠ࢪ͢Δͱ͍͏֓೦ʯby NRIηΩϡΞ •

    ʮ։ൃϓϩηεͷՄೳͳݶΓૣظͷஈ֊ʹηΩϡϦςΟରࡦΛҠಈͤ͞Δ͜ͱʯ by PaloAlto • DevOpsతͳγϑτϨϑτ <- ࠷ۙͷSWαϓϥΠνΣʔϯؔ܎ • ”he e ff orts of a DevOps team to guarantee application security at the earliest stages in the development lifecycle, as part of an organizational pattern known as DevSecOps” by auasec https://www.paloaltonetworks.com/blog/2019/08/4-practical-steps-shift-left-security/?lang=ja https://www.nri-secure.co.jp/glossary/shift-left https://www.aquasec.com/cloud-native-academy/devsecops/shift-left-devops/ ͭ·Γࠓ೔Ͱ͸ɺ ϓϩμΫτͷ Ϗδωεͱ࢓༷ͱ։ൃͱӡ༻શମͰ ʮγϑτϨϑτʯ͕ ཁٻ͞Ε͍ͯΔ

19. ϓϩμΫτͷαΠΫϧ Ϧαʔν + Ծઆ ༏ઌ౓ ઃܭ ࣮૷ ϦϦʔε ؍ଌɾܭଌ ܁Γฦ͠

    ܁Γฦ͠

20. ηΩϡϦςΟͷαΠΫϧ ϙϦγʔ ֬ೝɾ࡞੒ ϦεΫ ෼ੳ ઃܭ ࣮૷ ϦϦʔε ؍ଌɾܭଌ ܁Γฦ͠

21. αΠΫϧ Ϧαʔν + Ծઆ ༏ઌ౓ ઃܭ ࣮૷ ϦϦʔε ؍ଌɾܭଌ ܁Γฦ͠

    ϙϦγʔ ֬ೝɾ࡞੒ ϦεΫ ෼ੳ ઃܭ ࣮૷ ϦϦʔε ؍ଌɾܭଌ ܁Γฦ͠

22. αΠΫϧ Ϧαʔν + Ծઆ ༏ઌ౓ ઃܭ ࣮૷ ϦϦʔε ؍ଌɾܭଌ ௒ߴස౓

    ܁Γฦ͠ ϙϦγʔ ֬ೝɾ࡞੒ ϦεΫ ෼ੳ ઃܭ ࣮૷ ϦϦʔε ؍ଌɾܭଌ ܁Γฦ͠ ϞμϯͳCICDͳͲʹΑΓ ϓϩμΫτ։ൃ͸γεςϜԽ͞Ε ࠶ݱੑ͕ڧԽ -> ΑΓߴස౓ͳ มߋ͕Մೳʹͳͬͨɻ

23. ηΩϡϦςΟϚϯͷ൵ئ: ϓϩμΫτͷϦεΫʹ ϦΞϧλΠϜରԠ

24. (࠶ܝʣηΩϡϦςΟରԠΛSWԽ͢Δཧ༝͸৭ʑ͋Δ • SoftwareԽͷఆٛͬͯͳΜͩͱ͍͏ͷ͸ޙ೔ʹɻɻɻ • ࠶ݱੑ͕ڧ·Δ • ΤϏσϯεͷऔಘ͕༰қʹͳΔ • ࡞ۀՄೳͳ࣌ؒͷറΓ͕ͳ͘ͳΔ •

    ࿑ಇࢢ৔ͷڱ͍ݴޠʢ೔ຊޠʣʹґଘ͠ͳͯ͘Α͘ͳΔ • ࡉ͔͍৚݅ࣜΛӡ༻͠΍͘͢ͳΔ • ͳͲͳͲ https://www.paloaltonetworks.com/blog/2019/08/4-practical-steps-shift-left-security/?lang=ja https://www.nri-secure.co.jp/glossary/shift-left https://www.aquasec.com/cloud-native-academy/devsecops/shift-left-devops/ ͜ΕΒ͕ɺϓϩμΫτଆͰՄೳͰ͋ΔҎ্ɺ ηΩϡϦςΟଆ΋ಉ͡౔ඨʹ͕͋Βͳ͚Ε͹ Ӭଓతʹޙ௥͍ʹͳΔ

25. ʢ࠶ܝʣCTOࣨͷ໾ׂͱืूཁ߲ • ໾ׂ • σδλϧܦࡁ׆ಈΛݎ࿚Խ͢Δ • શࣾతͳLayerXͷϓϩμΫτͷϙςϯγϟϧΛ࠷େԽ͢Δ • ืूཁ߲ɹʢڧ͘ιϑτ΢ΣΞͳϓϩμΫτ։ൃܦݧΛཁٻʣ

26. ʢGoogleͷʣશηΩϡϦςΟΤϯδχΞ͸ίʔυԽΛ ஌͍ͬͯͳ͚Ε͹ͳΒͳ͍ɺྫ֎͸ͳ͍ɻ

27. ஥ؒΛ૿΍͢ ಉ͡ߟ͑ํ΋ͬͯ͘ΕΔ஥͕ؒ૿͑Δͱ͏Ε͍͠ͳ˒ ͜͏͍ͬͨྖҬͷΠϕϯτɺษڧձɺΧϯϑΝϨϯε΁֤ ࣾ΋ͬͱηΩϡϦςΟਓࡐ࠾༻͠ʹ͍͖·ͤΜ͔ʁ

28. None

29. ੋඇɺMeetyͰ ଓ͖Λ https://meety.net/matches/ SunJOdvBKMrT