Upgrade to Pro — share decks privately, control downloads, hide ads and more …

なぜLayerXのセキュリティでSoftware指向が重視されているか

Kengo Suzuki
September 30, 2022
0
330

 なぜLayerXのセキュリティでSoftware指向が重視されているか

Kengo Suzuki

September 30, 2022
Tweet

More Decks by Kengo Suzuki

See All by Kengo Suzuki
Pwned Labsのすゝめ
ken5scal
2
680
信頼性に挑む中で拡張できる・得られる1人のスキルセットとは?
ken5scal
3
930
Eventual Detection Engineering
ken5scal
0
2.2k
脆弱性対応をこの先生きのこるには
ken5scal
0
1.2k
LayerXとMDMのリスク評価と年次対応の実例(公開版)
ken5scal
2
1.3k
AWSだ! Google Cloudだ! Azureだ! 認証連携だ!
ken5scal
9
2.2k
適応し続けるプロダクトとセキュリティ
ken5scal
5
2.1k
同志諸君よ、ゼロトラストを撃て_CloudNativeDays2022
ken5scal
2
3.3k
暇だしDevSecOpsやってみた - CodePipeline Now and Then
ken5scal
3
5.8k

Featured

See All Featured
Thoughts on Productivity
jonyablonski
69
4.6k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
47
2.4k
Side Projects
sachag
452
42k
The Cult of Friendly URLs
andyhume
78
6.3k
Building Adaptive Systems
keathley
41
2.5k
What's in a price? How to price your products and services
michaelherold
245
12k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
13
660
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
34
2.2k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
13
1.4k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.4k
Facilitating Awesome Meetings
lara
54
6.3k
4 Signs Your Business is Dying
shpigford
183
22k

Transcript

  1. @ken5scal, 2022/09/30 ͳͥLayerXͷηΩϡϦςΟͰ Softwareࢦ޲͕ॏࢹ͞Ε͍ͯΔ͔ LayerX CTOࣨ, Fintechࣄۀຊ෦

  2. ࣗݾ঺հ • @ken5scal • LayerX: 2020/02 ~ • CTOࣨ /

    Fintechࣄۀ෦ • CTOࣨ: CTO഑ԼͰશࣾԣஅతͳηΩϡϦςΟɾγεςϜͷ։ ൃɾӡ༻ • Fintechࣄۀ෦: ෆಈ࢈ূ݊ͷখޱԽ • ݸਓ׆ಈʮSecureཱྀஂʯ • ΄΅िץʮ๩͍͠ਓͷͨΊͷηΩϡϦςΟɾΠϯςϦδΣϯεʯ • PodCastʮSecure Liaisonʯ

  3. ࠓ೔ͷ͓࿩ • ͜ΕͷηΩϡϦςΟαΠυ https://tech.layerx.co.jp/entry/2022/07/27/090609 https://tech.layerx.co.jp/entry/2022/07/27/090609

  4. None
  5. None

  6. 45min/ਓ * Nਓ -> 10min

  7. ஥ؒΛ૿΍͢ ಉ͡ߟ͑ํ΋ͬͯ͘ΕΔ஥͕ؒ૿͑Δͱ͏Ε͍͠ͳ˒ ࠓ೔ͷΰʔϧ

  8. CTOࣨͷ໾ׂͱืूཁ߲ • ໾ׂ • σδλϧܦࡁ׆ಈΛݎ࿚Խ͢Δ • શࣾతͳLayerXͷϓϩμΫτͷϙςϯγϟϧΛ࠷େԽ͢Δ • ืूཁ߲

  9. CTOࣨͷ໾ׂͱืूཁ߲ • ໾ׂ • σδλϧܦࡁ׆ಈΛݎ࿚Խ͢Δ • શࣾతͳLayerXͷϓϩμΫτͷϙςϯγϟϧΛ࠷େԽ͢Δ • ืूཁ߲ɹʢڧ͘ιϑτ΢ΣΞͳϓϩμΫτ։ൃܦݧΛཁٻʣ

  10. CTOࣨͷ࣮੷ • ্ྲྀʁܥ • վఆݸਓ৘ใอޢͳͲͷํରԠ • ֤छγεςϜؔ࿈ͷنఔ࡞੒ɾӡ༻ • ֤छݚम •

    γεςϜӡ༻ • ΦϯϘʔσΟϯάؔ܎࡞ۀͷࣗಈԽ • ΦϑϘʔσΟϯάͷࣗಈԽ • ॏཁΠϯϑϥͷશମߏ੒ɾ؂ࢹج൫ • ࣾ಺޲͚γεςϜͷೝূήʔτ΢ΣΠ • ࢖͏ݴޠ • ݴޠ: Golang, TypeScript • Iac: Terraform, CDK • IaaS: جຊAWS, ͨ·ʹGCP

  11. Why?

  12. ηΩϡϦςΟରԠΛSWԽ͢Δཧ༝͸৭ʑ͋Δ • SoftwareԽͷఆٛͬͯͳΜͩͱ͍͏ͷ͸ޙ೔ʹɻɻɻ • ࠶ݱੑ͕ڧ·Δ • ΤϏσϯεͷऔಘ͕༰қʹͳΔ • ࡞ۀՄೳͳ࣌ؒͷറΓ͕ͳ͘ͳΔ •

    ࿑ಇࢢ৔ͷڱ͍ݴޠʢ೔ຊޠʣʹґଘ͠ͳͯ͘Α͘ͳΔ • ࡉ͔͍৚݅ࣜΛӡ༻͠΍͘͢ͳΔ • ͳͲͳͲ https://www.paloaltonetworks.com/blog/2019/08/4-practical-steps-shift-left-security/?lang=ja https://www.nri-secure.co.jp/glossary/shift-left https://www.aquasec.com/cloud-native-academy/devsecops/shift-left-devops/

  13. ηΩϡϦςΟରԠΛSWԽ͢Δཧ༝͸৭ʑ͋Δ • SoftwareԽͷఆٛͬͯͳΜͩͱ͍͏ͷ͸ޙ೔ʹɻɻɻ • ࠶ݱੑ͕ڧ·Δ • ΤϏσϯεͷऔಘ͕༰қʹͳΔ • ࡞ۀՄೳͳ࣌ؒͷറΓ͕ͳ͘ͳΔ •

    ࿑ಇࢢ৔ͷڱ͍ݴޠʢ೔ຊޠʣʹґଘ͠ͳͯ͘Α͘ͳΔ • ࡉ͔͍৚݅ࣜΛӡ༻͠΍͘͢ͳΔ • ͳͲͳͲ https://www.paloaltonetworks.com/blog/2019/08/4-practical-steps-shift-left-security/?lang=ja https://www.nri-secure.co.jp/glossary/shift-left https://www.aquasec.com/cloud-native-academy/devsecops/shift-left-devops/ ࡢࠓͷϓϩμΫτ։ൃ͔Βɺ Ͳ͏ͯ͠ιϑτ΢ΣΞԽΛਐΊͯΔ͔

  14. ηΩϡΞͳϓϩμΫτͱݴ͑͹γϑτϨϑτ • ϏδωεతͳγϑτϨϑτ • ʮϦϦʔεͷεέδϡʔϧΛ๦͛ͳ͍Α͏ʹɺηΩϡϦ ςΟʹؔΘΔ޻ఔΛલ౗࣮ͯ͠͠ࢪ͢Δͱ͍͏֓೦ʯby NRIηΩϡΞ • ʮ։ൃϓϩηεͷՄೳͳݶΓૣظͷஈ֊ʹηΩϡϦςΟର ࡦΛҠಈͤ͞Δ͜ͱʯ

    by PaloAlto https://www.paloaltonetworks.com/blog/2019/08/4-practical-steps-shift-left-security/?lang=ja https://www.nri-secure.co.jp/glossary/shift-left https://www.aquasec.com/cloud-native-academy/devsecops/shift-left-devops/

  15. ηΩϡΞͳϓϩμΫτͱݴ͑͹γϑτϨϑτ • ϏδωεతͳγϑτϨϑτ • ʮϦϦʔεͷεέδϡʔϧΛ๦͛ͳ͍Α͏ʹɺηΩϡϦ ςΟʹؔΘΔ޻ఔΛલ౗࣮ͯ͠͠ࢪ͢Δͱ͍͏֓೦ʯby NRIηΩϡΞ • ʮ։ൃϓϩηεͷՄೳͳݶΓૣظͷஈ֊ʹηΩϡϦςΟର ࡦΛҠಈͤ͞Δ͜ͱʯ

    by PaloAlto https://www.paloaltonetworks.com/blog/2019/08/4-practical-steps-shift-left-security/?lang=ja https://www.nri-secure.co.jp/glossary/shift-left

  16. ηΩϡΞͳϓϩμΫτͱݴ͑͹γϑτϨϑτ • ϏδωεతͳγϑτϨϑτ • ʮϦϦʔεͷεέδϡʔϧΛ๦͛ͳ͍Α͏ʹɺηΩϡϦςΟʹؔΘΔ޻ ఔΛલ౗࣮ͯ͠͠ࢪ͢Δͱ͍͏֓೦ʯby NRIηΩϡΞ • ʮ։ൃϓϩηεͷՄೳͳݶΓૣظͷஈ֊ʹηΩϡϦςΟରࡦΛҠಈͤ͞ Δ͜ͱʯ

    by PaloAlto • DevOpsతͳγϑτϨϑτ • ”he e ff orts of a DevOps team to guarantee application security at the earliest stages in the development lifecycle, as part of an organizational pattern known as DevSecOps” by aquasec https://www.paloaltonetworks.com/blog/2019/08/4-practical-steps-shift-left-security/?lang=ja https://www.nri-secure.co.jp/glossary/shift-left https://www.aquasec.com/cloud-native-academy/devsecops/shift-left-devops/

  17. ηΩϡΞͳϓϩμΫτͱݴ͑͹γϑτϨϑτ • ϏδωεతͳγϑτϨϑτ <- 2015೥ʹ͸͋ͬͨ • ʮϦϦʔεͷεέδϡʔϧΛ๦͛ͳ͍Α͏ʹɺηΩϡϦςΟʹؔΘΔ޻ఔΛલ౗ ࣮ͯ͠͠ࢪ͢Δͱ͍͏֓೦ʯby NRIηΩϡΞ •

    ʮ։ൃϓϩηεͷՄೳͳݶΓૣظͷஈ֊ʹηΩϡϦςΟରࡦΛҠಈͤ͞Δ͜ͱʯ by PaloAlto • DevOpsతͳγϑτϨϑτ<- ࠷ۙͷSWαϓϥΠνΣʔϯؔ܎ • ”he e ff orts of a DevOps team to guarantee application security at the earliest stages in the development lifecycle, as part of an organizational pattern known as DevSecOps” by auasec https://www.paloaltonetworks.com/blog/2019/08/4-practical-steps-shift-left-security/?lang=ja https://www.nri-secure.co.jp/glossary/shift-left https://www.aquasec.com/cloud-native-academy/devsecops/shift-left-devops/

  18. ηΩϡΞͳϓϩμΫτͱݴ͑͹γϑτϨϑτ • ϏδωεతͳγϑτϨϑτ <- 2015೥ʹ͸͋ͬͨ • ʮϦϦʔεͷεέδϡʔϧΛ๦͛ͳ͍Α͏ʹɺηΩϡϦςΟʹؔΘΔ޻ఔΛલ౗ ࣮ͯ͠͠ࢪ͢Δͱ͍͏֓೦ʯby NRIηΩϡΞ •

    ʮ։ൃϓϩηεͷՄೳͳݶΓૣظͷஈ֊ʹηΩϡϦςΟରࡦΛҠಈͤ͞Δ͜ͱʯ by PaloAlto • DevOpsతͳγϑτϨϑτ <- ࠷ۙͷSWαϓϥΠνΣʔϯؔ܎ • ”he e ff orts of a DevOps team to guarantee application security at the earliest stages in the development lifecycle, as part of an organizational pattern known as DevSecOps” by auasec https://www.paloaltonetworks.com/blog/2019/08/4-practical-steps-shift-left-security/?lang=ja https://www.nri-secure.co.jp/glossary/shift-left https://www.aquasec.com/cloud-native-academy/devsecops/shift-left-devops/ ͭ·Γࠓ೔Ͱ͸ɺ ϓϩμΫτͷ Ϗδωεͱ࢓༷ͱ։ൃͱӡ༻શମͰ ʮγϑτϨϑτʯ͕ ཁٻ͞Ε͍ͯΔ

  19. ϓϩμΫτͷαΠΫϧ Ϧαʔν + Ծઆ ༏ઌ౓ ઃܭ ࣮૷ ϦϦʔε ؍ଌɾܭଌ ܁Γฦ͠

    ܁Γฦ͠

  20. ηΩϡϦςΟͷαΠΫϧ ϙϦγʔ ֬ೝɾ࡞੒ ϦεΫ ෼ੳ ઃܭ ࣮૷ ϦϦʔε ؍ଌɾܭଌ ܁Γฦ͠

  21. αΠΫϧ Ϧαʔν + Ծઆ ༏ઌ౓ ઃܭ ࣮૷ ϦϦʔε ؍ଌɾܭଌ ܁Γฦ͠

    ϙϦγʔ ֬ೝɾ࡞੒ ϦεΫ ෼ੳ ઃܭ ࣮૷ ϦϦʔε ؍ଌɾܭଌ ܁Γฦ͠

  22. αΠΫϧ Ϧαʔν + Ծઆ ༏ઌ౓ ઃܭ ࣮૷ ϦϦʔε ؍ଌɾܭଌ ௒ߴස౓

    ܁Γฦ͠ ϙϦγʔ ֬ೝɾ࡞੒ ϦεΫ ෼ੳ ઃܭ ࣮૷ ϦϦʔε ؍ଌɾܭଌ ܁Γฦ͠ ϞμϯͳCICDͳͲʹΑΓ ϓϩμΫτ։ൃ͸γεςϜԽ͞Ε ࠶ݱੑ͕ڧԽ -> ΑΓߴස౓ͳ มߋ͕Մೳʹͳͬͨɻ

  23. ηΩϡϦςΟϚϯͷ൵ئ: ϓϩμΫτͷϦεΫʹ ϦΞϧλΠϜରԠ

  24. (࠶ܝʣηΩϡϦςΟରԠΛSWԽ͢Δཧ༝͸৭ʑ͋Δ • SoftwareԽͷఆٛͬͯͳΜͩͱ͍͏ͷ͸ޙ೔ʹɻɻɻ • ࠶ݱੑ͕ڧ·Δ • ΤϏσϯεͷऔಘ͕༰қʹͳΔ • ࡞ۀՄೳͳ࣌ؒͷറΓ͕ͳ͘ͳΔ •

    ࿑ಇࢢ৔ͷڱ͍ݴޠʢ೔ຊޠʣʹґଘ͠ͳͯ͘Α͘ͳΔ • ࡉ͔͍৚݅ࣜΛӡ༻͠΍͘͢ͳΔ • ͳͲͳͲ https://www.paloaltonetworks.com/blog/2019/08/4-practical-steps-shift-left-security/?lang=ja https://www.nri-secure.co.jp/glossary/shift-left https://www.aquasec.com/cloud-native-academy/devsecops/shift-left-devops/ ͜ΕΒ͕ɺϓϩμΫτଆͰՄೳͰ͋ΔҎ্ɺ ηΩϡϦςΟଆ΋ಉ͡౔ඨʹ͕͋Βͳ͚Ε͹ Ӭଓతʹޙ௥͍ʹͳΔ

  25. ʢ࠶ܝʣCTOࣨͷ໾ׂͱืूཁ߲ • ໾ׂ • σδλϧܦࡁ׆ಈΛݎ࿚Խ͢Δ • શࣾతͳLayerXͷϓϩμΫτͷϙςϯγϟϧΛ࠷େԽ͢Δ • ืूཁ߲ɹʢڧ͘ιϑτ΢ΣΞͳϓϩμΫτ։ൃܦݧΛཁٻʣ

  26. ʢGoogleͷʣશηΩϡϦςΟΤϯδχΞ͸ίʔυԽΛ ஌͍ͬͯͳ͚Ε͹ͳΒͳ͍ɺྫ֎͸ͳ͍ɻ

  27. ஥ؒΛ૿΍͢ ಉ͡ߟ͑ํ΋ͬͯ͘ΕΔ஥͕ؒ૿͑Δͱ͏Ε͍͠ͳ˒ ͜͏͍ͬͨྖҬͷΠϕϯτɺษڧձɺΧϯϑΝϨϯε΁֤ ࣾ΋ͬͱηΩϡϦςΟਓࡐ࠾༻͠ʹ͍͖·ͤΜ͔ʁ

  28. None

  29. ੋඇɺMeetyͰ ଓ͖Λ https://meety.net/matches/ SunJOdvBKMrT