Upgrade to Pro — share decks privately, control downloads, hide ads and more …

なぜLayerXのセキュリティでSoftware指向が重視されているか

Kengo Suzuki
September 30, 2022
320

 なぜLayerXのセキュリティでSoftware指向が重視されているか

Kengo Suzuki

September 30, 2022
Tweet

Transcript

  1. ࣗݾ঺հ • @ken5scal • LayerX: 2020/02 ~ • CTOࣨ /

    Fintechࣄۀ෦ • CTOࣨ: CTO഑ԼͰશࣾԣஅతͳηΩϡϦςΟɾγεςϜͷ։ ൃɾӡ༻ • Fintechࣄۀ෦: ෆಈ࢈ূ݊ͷখޱԽ • ݸਓ׆ಈʮSecureཱྀஂʯ • ΄΅िץʮ๩͍͠ਓͷͨΊͷηΩϡϦςΟɾΠϯςϦδΣϯεʯ • PodCastʮSecure Liaisonʯ
  2. CTOࣨͷ࣮੷ • ্ྲྀʁܥ • վఆݸਓ৘ใอޢͳͲͷํରԠ • ֤छγεςϜؔ࿈ͷنఔ࡞੒ɾӡ༻ • ֤छݚम •

    γεςϜӡ༻ • ΦϯϘʔσΟϯάؔ܎࡞ۀͷࣗಈԽ • ΦϑϘʔσΟϯάͷࣗಈԽ • ॏཁΠϯϑϥͷશମߏ੒ɾ؂ࢹج൫ • ࣾ಺޲͚γεςϜͷೝূήʔτ΢ΣΠ • ࢖͏ݴޠ • ݴޠ: Golang, TypeScript • Iac: Terraform, CDK • IaaS: جຊAWS, ͨ·ʹGCP
  3. ηΩϡϦςΟରԠΛSWԽ͢Δཧ༝͸৭ʑ͋Δ • SoftwareԽͷఆٛͬͯͳΜͩͱ͍͏ͷ͸ޙ೔ʹɻɻɻ • ࠶ݱੑ͕ڧ·Δ • ΤϏσϯεͷऔಘ͕༰қʹͳΔ • ࡞ۀՄೳͳ࣌ؒͷറΓ͕ͳ͘ͳΔ •

    ࿑ಇࢢ৔ͷڱ͍ݴޠʢ೔ຊޠʣʹґଘ͠ͳͯ͘Α͘ͳΔ • ࡉ͔͍৚݅ࣜΛӡ༻͠΍͘͢ͳΔ • ͳͲͳͲ https://www.paloaltonetworks.com/blog/2019/08/4-practical-steps-shift-left-security/?lang=ja https://www.nri-secure.co.jp/glossary/shift-left https://www.aquasec.com/cloud-native-academy/devsecops/shift-left-devops/
  4. ηΩϡϦςΟରԠΛSWԽ͢Δཧ༝͸৭ʑ͋Δ • SoftwareԽͷఆٛͬͯͳΜͩͱ͍͏ͷ͸ޙ೔ʹɻɻɻ • ࠶ݱੑ͕ڧ·Δ • ΤϏσϯεͷऔಘ͕༰қʹͳΔ • ࡞ۀՄೳͳ࣌ؒͷറΓ͕ͳ͘ͳΔ •

    ࿑ಇࢢ৔ͷڱ͍ݴޠʢ೔ຊޠʣʹґଘ͠ͳͯ͘Α͘ͳΔ • ࡉ͔͍৚݅ࣜΛӡ༻͠΍͘͢ͳΔ • ͳͲͳͲ https://www.paloaltonetworks.com/blog/2019/08/4-practical-steps-shift-left-security/?lang=ja https://www.nri-secure.co.jp/glossary/shift-left https://www.aquasec.com/cloud-native-academy/devsecops/shift-left-devops/ ࡢࠓͷϓϩμΫτ։ൃ͔Βɺ Ͳ͏ͯ͠ιϑτ΢ΣΞԽΛਐΊͯΔ͔
  5. ηΩϡΞͳϓϩμΫτͱݴ͑͹γϑτϨϑτ • ϏδωεతͳγϑτϨϑτ • ʮϦϦʔεͷεέδϡʔϧΛ๦͛ͳ͍Α͏ʹɺηΩϡϦ ςΟʹؔΘΔ޻ఔΛલ౗࣮ͯ͠͠ࢪ͢Δͱ͍͏֓೦ʯby NRIηΩϡΞ • ʮ։ൃϓϩηεͷՄೳͳݶΓૣظͷஈ֊ʹηΩϡϦςΟର ࡦΛҠಈͤ͞Δ͜ͱʯ

    by PaloAlto https://www.paloaltonetworks.com/blog/2019/08/4-practical-steps-shift-left-security/?lang=ja https://www.nri-secure.co.jp/glossary/shift-left https://www.aquasec.com/cloud-native-academy/devsecops/shift-left-devops/
  6. ηΩϡΞͳϓϩμΫτͱݴ͑͹γϑτϨϑτ • ϏδωεతͳγϑτϨϑτ • ʮϦϦʔεͷεέδϡʔϧΛ๦͛ͳ͍Α͏ʹɺηΩϡϦςΟʹؔΘΔ޻ ఔΛલ౗࣮ͯ͠͠ࢪ͢Δͱ͍͏֓೦ʯby NRIηΩϡΞ • ʮ։ൃϓϩηεͷՄೳͳݶΓૣظͷஈ֊ʹηΩϡϦςΟରࡦΛҠಈͤ͞ Δ͜ͱʯ

    by PaloAlto • DevOpsతͳγϑτϨϑτ • ”he e ff orts of a DevOps team to guarantee application security at the earliest stages in the development lifecycle, as part of an organizational pattern known as DevSecOps” by aquasec https://www.paloaltonetworks.com/blog/2019/08/4-practical-steps-shift-left-security/?lang=ja https://www.nri-secure.co.jp/glossary/shift-left https://www.aquasec.com/cloud-native-academy/devsecops/shift-left-devops/
  7. ηΩϡΞͳϓϩμΫτͱݴ͑͹γϑτϨϑτ • ϏδωεతͳγϑτϨϑτ <- 2015೥ʹ͸͋ͬͨ • ʮϦϦʔεͷεέδϡʔϧΛ๦͛ͳ͍Α͏ʹɺηΩϡϦςΟʹؔΘΔ޻ఔΛલ౗ ࣮ͯ͠͠ࢪ͢Δͱ͍͏֓೦ʯby NRIηΩϡΞ •

    ʮ։ൃϓϩηεͷՄೳͳݶΓૣظͷஈ֊ʹηΩϡϦςΟରࡦΛҠಈͤ͞Δ͜ͱʯ by PaloAlto • DevOpsతͳγϑτϨϑτ<- ࠷ۙͷSWαϓϥΠνΣʔϯؔ܎ • ”he e ff orts of a DevOps team to guarantee application security at the earliest stages in the development lifecycle, as part of an organizational pattern known as DevSecOps” by auasec https://www.paloaltonetworks.com/blog/2019/08/4-practical-steps-shift-left-security/?lang=ja https://www.nri-secure.co.jp/glossary/shift-left https://www.aquasec.com/cloud-native-academy/devsecops/shift-left-devops/
  8. ηΩϡΞͳϓϩμΫτͱݴ͑͹γϑτϨϑτ • ϏδωεతͳγϑτϨϑτ <- 2015೥ʹ͸͋ͬͨ • ʮϦϦʔεͷεέδϡʔϧΛ๦͛ͳ͍Α͏ʹɺηΩϡϦςΟʹؔΘΔ޻ఔΛલ౗ ࣮ͯ͠͠ࢪ͢Δͱ͍͏֓೦ʯby NRIηΩϡΞ •

    ʮ։ൃϓϩηεͷՄೳͳݶΓૣظͷஈ֊ʹηΩϡϦςΟରࡦΛҠಈͤ͞Δ͜ͱʯ by PaloAlto • DevOpsతͳγϑτϨϑτ <- ࠷ۙͷSWαϓϥΠνΣʔϯؔ܎ • ”he e ff orts of a DevOps team to guarantee application security at the earliest stages in the development lifecycle, as part of an organizational pattern known as DevSecOps” by auasec https://www.paloaltonetworks.com/blog/2019/08/4-practical-steps-shift-left-security/?lang=ja https://www.nri-secure.co.jp/glossary/shift-left https://www.aquasec.com/cloud-native-academy/devsecops/shift-left-devops/ ͭ·Γࠓ೔Ͱ͸ɺ ϓϩμΫτͷ Ϗδωεͱ࢓༷ͱ։ൃͱӡ༻શମͰ ʮγϑτϨϑτʯ͕ ཁٻ͞Ε͍ͯΔ
  9. αΠΫϧ Ϧαʔν + Ծઆ ༏ઌ౓ ઃܭ ࣮૷ ϦϦʔε ؍ଌɾܭଌ ܁Γฦ͠

    ϙϦγʔ ֬ೝɾ࡞੒ ϦεΫ ෼ੳ ઃܭ ࣮૷ ϦϦʔε ؍ଌɾܭଌ ܁Γฦ͠
  10. αΠΫϧ Ϧαʔν + Ծઆ ༏ઌ౓ ઃܭ ࣮૷ ϦϦʔε ؍ଌɾܭଌ ௒ߴස౓

    ܁Γฦ͠ ϙϦγʔ ֬ೝɾ࡞੒ ϦεΫ ෼ੳ ઃܭ ࣮૷ ϦϦʔε ؍ଌɾܭଌ ܁Γฦ͠ ϞμϯͳCICDͳͲʹΑΓ ϓϩμΫτ։ൃ͸γεςϜԽ͞Ε ࠶ݱੑ͕ڧԽ -> ΑΓߴස౓ͳ มߋ͕Մೳʹͳͬͨɻ
  11. (࠶ܝʣηΩϡϦςΟରԠΛSWԽ͢Δཧ༝͸৭ʑ͋Δ • SoftwareԽͷఆٛͬͯͳΜͩͱ͍͏ͷ͸ޙ೔ʹɻɻɻ • ࠶ݱੑ͕ڧ·Δ • ΤϏσϯεͷऔಘ͕༰қʹͳΔ • ࡞ۀՄೳͳ࣌ؒͷറΓ͕ͳ͘ͳΔ •

    ࿑ಇࢢ৔ͷڱ͍ݴޠʢ೔ຊޠʣʹґଘ͠ͳͯ͘Α͘ͳΔ • ࡉ͔͍৚݅ࣜΛӡ༻͠΍͘͢ͳΔ • ͳͲͳͲ https://www.paloaltonetworks.com/blog/2019/08/4-practical-steps-shift-left-security/?lang=ja https://www.nri-secure.co.jp/glossary/shift-left https://www.aquasec.com/cloud-native-academy/devsecops/shift-left-devops/ ͜ΕΒ͕ɺϓϩμΫτଆͰՄೳͰ͋ΔҎ্ɺ ηΩϡϦςΟଆ΋ಉ͡౔ඨʹ͕͋Βͳ͚Ε͹ Ӭଓతʹޙ௥͍ʹͳΔ