Why LayerX's security emphasizes a software orientation

Kengo Suzuki
September 30, 2022

Transcript

  1. @ken5scal, 2022/09/30
    Why LayerX's security emphasizes a software orientation
    LayerX CTO Office, Fintech Business Division

  2. About me
    • @ken5scal

    • LayerX: 2020/02 ~

    • CTO Office / Fintech Business Division

    • CTO Office: development and operation of company-wide security and systems, reporting to the CTO

    • Fintech Business Division: fractionalizing real-estate securities into small lots

    • Personal activity: "Secure Ryodan" (Secure旅団)

    • Roughly weekly: "Security Intelligence for Busy People" (忙しい人のためのセキュリティ・インテリジェンス)

    • Podcast: "Secure Liaison"

  3. Today's talk
    • The security side of this post:
    https://tech.layerx.co.jp/entry/2022/07/27/090609

  4. (image only, no transcribed text)

  5. (image only, no transcribed text)

  6. 45 min/person * N people
    -> 10 min

  7. Finding more allies
    It would be great to have more colleagues who share this way of thinking ☆
    Today's goal

  8. The CTO Office's role and hiring requirements
    • Role

    • Harden digital economic activity

    • Maximize the potential of LayerX's products company-wide

    • Hiring requirements

  9. The CTO Office's role and hiring requirements
    • Role

    • Harden digital economic activity

    • Maximize the potential of LayerX's products company-wide

    • Hiring requirements　(strongly software-oriented product development experience required)

  10. The CTO Office's track record
    • "Upstream"(?) work

    • Responding to the revised personal information protection requirements and the like

    • Writing and operating regulations for the various systems

    • Various training programs

    • System operations

    • Automating onboarding-related tasks

    • Automating offboarding

    • Overall architecture and monitoring platform for critical infrastructure

    • Authentication gateway for internal systems
    • Languages we use

    • Languages: Golang, TypeScript

    • IaC: Terraform, CDK

    • IaaS: mostly AWS, occasionally GCP

  11. Why?

  12. There are many reasons to turn security work into software
    • What exactly "turning it into software" means is a topic for another day...

    • Reproducibility improves

    • Evidence becomes easy to collect

    • No more constraints on when the work can be done

    • No more dependence on a language (Japanese) whose labor market is narrow

    • Fine-grained conditions become easier to operate

    • And so on
    https://www.paloaltonetworks.com/blog/2019/08/4-practical-steps-shift-left-security/?lang=ja
    https://www.nri-secure.co.jp/glossary/shift-left
    https://www.aquasec.com/cloud-native-academy/devsecops/shift-left-devops/
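As an added illustration of the reproducibility, evidence and fine-grained-condition points above (and of the offboarding automation listed on slide 10), here is an offboarding check written as Go code. It is not LayerX's code: the HR and SaaS record shapes, the sample accounts and the 7-day grace period are all constructed for this example.

```go
package main
import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Employee is a row from the HR export; Account is one entry from a SaaS admin API.
// Both shapes are constructed for this example, not LayerX's data model.
type Employee struct{ Email string; Active bool; LeftDays int } // LeftDays: days since departure
type Account struct{ Service, Email string }
// CheckOffboarding returns one "severity<TAB>service<TAB>email" line per SaaS account whose
// owner is not an active employee. graceDays is the fine-grained condition: a leaver still
// inside the grace period is "pending"; older leavers and owners with no HR record are a "violation".
func CheckOffboarding(emps []Employee, accts []Account, graceDays int) []string {
	byEmail := make(map[string]Employee, len(emps))
	for _, e := range emps {
		byEmail[strings.ToLower(e.Email)] = e
	}
	var findings []string
	for _, a := range accts { // output order follows accts, so equal inputs give equal output
		e, known := byEmail[strings.ToLower(a.Email)]
		severity := "violation"
		switch {
		case known && e.Active:
			continue // owner still employed: nothing to report
		case known && e.LeftDays < graceDays:
			severity = "pending"
		}
		findings = append(findings, fmt.Sprintf("%s\t%s\t%s", severity, a.Service, a.Email))
	}
	return findings
}

// Evidence joins the findings into one record and returns it with its SHA-256, so the
// result can be attached to a ticket and re-verified later by rerunning on the same inputs.
func Evidence(findings []string) (record, digest string) {
	record = strings.Join(findings, "\n") + "\n"
	sum := sha256.Sum256([]byte(record))
	return record, hex.EncodeToString(sum[:])
}

func main() {
	// Constructed sample: an active user, a 3-day leaver, a 40-day leaver, and an account with no HR record.
	emps := []Employee{{"alice@example.com", true, 0}, {"bob@example.com", false, 3}, {"carol@example.com", false, 40}}
	accts := []Account{{"github", "alice@example.com"}, {"github", "Bob@example.com"}, {"aws", "carol@example.com"}, {"aws", "ghost@example.com"}}
	rec, sum := Evidence(CheckOffboarding(emps, accts, 7))
	fmt.Print(rec, "sha256:", sum, "\n")
}
```

Running the check on a schedule removes the "only during working hours" constraint, and the digest lets an auditor confirm the recorded result by rerunning on the same exports.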

  13. There are many reasons to turn security work into software
    • What exactly "turning it into software" means is a topic for another day...

    • Reproducibility improves

    • Evidence becomes easy to collect

    • No more constraints on when the work can be done

    • No more dependence on a language (Japanese) whose labor market is narrow

    • Fine-grained conditions become easier to operate

    • And so on

    Looking at how products are developed these days:
    why are we pushing to turn security into software?

  14. When it comes to secure products, the word is "shift left"
    • Shift left in the business sense
    • "The concept of bringing security-related process steps forward and carrying them out so as not to disrupt the release schedule" by NRI Secure

    • "Moving security measures to the earliest possible stage of the development process" by Palo Alto

  15. When it comes to secure products, the word is "shift left"
    • Shift left in the business sense
    • "The concept of bringing security-related process steps forward and carrying them out so as not to disrupt the release schedule" by NRI Secure

    • "Moving security measures to the earliest possible stage of the development process" by Palo Alto

  16. When it comes to secure products, the word is "shift left"
    • Shift left in the business sense

    • "The concept of bringing security-related process steps forward and carrying them out so as not to disrupt the release schedule" by NRI Secure

    • "Moving security measures to the earliest possible stage of the development process" by Palo Alto

    • Shift left in the DevOps sense
    • "the efforts of a DevOps team to guarantee application security at the earliest stages in the development lifecycle, as part of an organizational pattern known as DevSecOps" by aquasec

  17. When it comes to secure products, the word is "shift left"
    • Shift left in the business sense <- already around in 2015
    • "The concept of bringing security-related process steps forward and carrying them out so as not to disrupt the release schedule" by NRI Secure

    • "Moving security measures to the earliest possible stage of the development process" by Palo Alto

    • Shift left in the DevOps sense <- the recent software supply-chain story
    • "the efforts of a DevOps team to guarantee application security at the earliest stages in the development lifecycle, as part of an organizational pattern known as DevSecOps" by aquasec

  18. When it comes to secure products, the word is "shift left"
    • Shift left in the business sense <- already around in 2015
    • "The concept of bringing security-related process steps forward and carrying them out so as not to disrupt the release schedule" by NRI Secure

    • "Moving security measures to the earliest possible stage of the development process" by Palo Alto

    • Shift left in the DevOps sense <- the recent software supply-chain story
    • "the efforts of a DevOps team to guarantee application security at the earliest stages in the development lifecycle, as part of an organizational pattern known as DevSecOps" by aquasec

    In other words, today "shift left" is demanded across the whole product:
    its business, its specification, its development and its operation.

  19. The product cycle
    Research + hypothesis -> Prioritization -> Design -> Implementation -> Release -> Observe & measure
    (repeat) (repeat)

  20. The security cycle
    Policy check & creation -> Risk analysis -> Design -> Implementation -> Release -> Observe & measure
    (repeat)

  21. Cycles
    Product:  Research + hypothesis -> Prioritization -> Design -> Implementation -> Release -> Observe & measure -> (repeat)
    Security: Policy check & creation -> Risk analysis -> Design -> Implementation -> Release -> Observe & measure -> (repeat)

  22. Cycles
    Product:  Research + hypothesis -> Prioritization -> Design -> Implementation -> Release -> Observe & measure -> (repeat, at ultra-high frequency)
    Security: Policy check & creation -> Risk analysis -> Design -> Implementation -> Release -> Observe & measure -> (repeat)

    Thanks to modern CI/CD and the like, product development has been systematized
    and its reproducibility strengthened -> changes can now be made far more frequently.

  23. The security engineer's long-held wish:
    responding to product risk in real time

  24. (Recap) There are many reasons to turn security work into software
    • What exactly "turning it into software" means is a topic for another day...

    • Reproducibility improves
    • Evidence becomes easy to collect

    • No more constraints on when the work can be done

    • No more dependence on a language (Japanese) whose labor market is narrow

    • Fine-grained conditions become easier to operate
    • And so on

    Since all of this is already possible on the product side,
    unless the security side gets onto the same footing,
    it will be perpetually playing catch-up.

  25. (Recap) The CTO Office's role and hiring requirements
    • Role

    • Harden digital economic activity

    • Maximize the potential of LayerX's products company-wide

    • Hiring requirements　(strongly software-oriented product development experience required)

  26. (At Google) every security engineer must know how to code;
    there are no exceptions.

  27. Finding more allies
    It would be great to have more colleagues who share this way of thinking ☆
    Why don't all of our companies go out and recruit more security talent
    at the events, study groups and conferences in this field?

  28. (image only, no transcribed text)

  29. Let's continue the conversation on Meety:
    https://meety.net/matches/SunJOdvBKMrT