Why LayerX's security emphasizes a software orientation (なぜLayerXのセキュリティでSoftware指向が重視されているか)

Kengo Suzuki
September 30, 2022

Transcript

  1. @ken5scal, 2022/09/30
    Why LayerX's security emphasizes a software orientation
    LayerX CTO Office, Fintech Business Division

  2. About me
    • @ken5scal

    • LayerX: 2020/02 ~

    • CTO Office / Fintech Business Division

    • CTO Office: company-wide, cross-cutting development and operation of security and systems, reporting to the CTO

    • Fintech Business Division: fractionalizing real-estate securities into small lots

    • Personal activity: the "Secure旅団" community

    • Roughly weekly newsletter「忙しい人のためのセキュリティ・インテリジェンス」("Security Intelligence for Busy People")

    • Podcast "Secure Liaison"

  3. Today's talk
    • The security side of this post:
    https://tech.layerx.co.jp/entry/2022/07/27/090609

  4. 45 min/person * N people -> 10 min

  5. Growing the team
    It would be great to have more colleagues who share this way of thinking ★
    Today's goal

  6. The CTO Office's role and what we are hiring for
    • Role

    • Harden digital economic activity

    • Maximize the potential of LayerX's products company-wide

    • Hiring requirements

  7. The CTO Office's role and what we are hiring for
    • Role

    • Harden digital economic activity

    • Maximize the potential of LayerX's products company-wide

    • Hiring requirements (strong experience in software-based product development is required)

  8. CTO Office track record
    • "Upstream"-type work

    • Handling the revised Act on the Protection of Personal Information and similar requirements

    • Drafting and operating regulations for the various systems

    • Various training programs

    • System operations

    • Automating onboarding-related tasks

    • Automating offboarding

    • Overall architecture and monitoring platform for critical infrastructure

    • Authentication gateway for internal systems
    • Languages and tools we use

    • Languages: Golang, TypeScript

    • IaC: Terraform, CDK

    • IaaS: mainly AWS, occasionally GCP

  9. There are many reasons to turn security work into software
    • What exactly "software-ization" means is a topic for another day...

    • Reproducibility improves

    • Evidence becomes easier to collect

    • Work is no longer restricted to particular hours

    • No longer dependent on a language with a narrow labour market (Japanese)

    • Fine-grained conditional logic becomes easier to operate

    • And so on
    https://www.paloaltonetworks.com/blog/2019/08/4-practical-steps-shift-left-security/?lang=ja
    https://www.nri-secure.co.jp/glossary/shift-left
    https://www.aquasec.com/cloud-native-academy/devsecops/shift-left-devops/

  10. There are many reasons to turn security work into software
    • What exactly "software-ization" means is a topic for another day...

    • Reproducibility improves

    • Evidence becomes easier to collect

    • Work is no longer restricted to particular hours

    • No longer dependent on a language with a narrow labour market (Japanese)

    • Fine-grained conditional logic becomes easier to operate

    • And so on

    Starting from how products are developed today: why we are pushing software-ization

  11. Secure products mean "shift left"
    • Shift left in the business sense
    • "The concept of bringing security-related steps forward and carrying them out earlier so that they do not hold up the release schedule" by NRI Secure

    • "Moving security measures to the earliest possible stage of the development process" by Palo Alto
    https://www.paloaltonetworks.com/blog/2019/08/4-practical-steps-shift-left-security/?lang=ja
    https://www.nri-secure.co.jp/glossary/shift-left
    https://www.aquasec.com/cloud-native-academy/devsecops/shift-left-devops/

  12. Secure products mean "shift left"
    • Shift left in the business sense
    • "The concept of bringing security-related steps forward and carrying them out earlier so that they do not hold up the release schedule" by NRI Secure

    • "Moving security measures to the earliest possible stage of the development process" by Palo Alto

  13. Secure products mean "shift left"
    • Shift left in the business sense

    • "The concept of bringing security-related steps forward and carrying them out earlier so that they do not hold up the release schedule" by NRI Secure

    • "Moving security measures to the earliest possible stage of the development process" by Palo Alto

    • Shift left in the DevOps sense
    • "the efforts of a DevOps team to guarantee application security at the earliest stages in the development lifecycle, as part of an organizational pattern known as DevSecOps" by aquasec

  14. Secure products mean "shift left"
    • Shift left in the business sense <- already existed in 2015
    • "The concept of bringing security-related steps forward and carrying them out earlier so that they do not hold up the release schedule" by NRI Secure

    • "Moving security measures to the earliest possible stage of the development process" by Palo Alto

    • Shift left in the DevOps sense <- the recent software-supply-chain angle
    • "the efforts of a DevOps team to guarantee application security at the earliest stages in the development lifecycle, as part of an organizational pattern known as DevSecOps" by aquasec

  15. Secure products mean "shift left"
    • Shift left in the business sense <- already existed in 2015
    • "The concept of bringing security-related steps forward and carrying them out earlier so that they do not hold up the release schedule" by NRI Secure

    • "Moving security measures to the earliest possible stage of the development process" by Palo Alto

    • Shift left in the DevOps sense <- the recent software-supply-chain angle
    • "the efforts of a DevOps team to guarantee application security at the earliest stages in the development lifecycle, as part of an organizational pattern known as DevSecOps" by aquasec

    In other words, today "shift left" is demanded across the whole of a product: its business, its specification, its development and its operations.

  16. The product cycle
    [Diagram: Research + Hypothesis -> Prioritization -> Design -> Implementation -> Release -> Observation and measurement -> repeat]

  17. The security cycle
    [Diagram: Policy review and creation -> Risk analysis -> Design -> Implementation -> Release -> Observation and measurement -> repeat]

  18. The cycles
    [Diagram, product cycle: Research + Hypothesis -> Prioritization -> Design -> Implementation -> Release -> Observation and measurement -> repeat]
    [Diagram, security cycle: Policy review and creation -> Risk analysis -> Design -> Implementation -> Release -> Observation and measurement -> repeat]

  19. The cycles
    [Diagram, product cycle, labelled "ultra-high frequency": Research + Hypothesis -> Prioritization -> Design -> Implementation -> Release -> Observation and measurement -> repeat]
    [Diagram, security cycle: Policy review and creation -> Risk analysis -> Design -> Implementation -> Release -> Observation and measurement -> repeat]

    Thanks to modern CI/CD and similar practices, product development has been systematized and its reproducibility strengthened -> changes can now be made far more frequently.

  20. The security engineer's long-held wish: respond to product risk in real time

  21. (Repeat) There are many reasons to turn security work into software
    • What exactly "software-ization" means is a topic for another day...

    • Reproducibility improves
    • Evidence becomes easier to collect

    • Work is no longer restricted to particular hours

    • No longer dependent on a language with a narrow labour market (Japanese)

    • Fine-grained conditional logic becomes easier to operate
    • And so on

    Since the product side can already do all of this, unless the security side steps into the same ring it will be perpetually playing catch-up.

  22. (Repeat) The CTO Office's role and what we are hiring for
    • Role

    • Harden digital economic activity

    • Maximize the potential of LayerX's products company-wide

    • Hiring requirements (strong experience in software-based product development is required)

  23. (At Google) every security engineer must know how to turn their work into code; there are no exceptions.

  24. Growing the team
    It would be great to have more colleagues who share this way of thinking ★
    Shouldn't every company be going to the events, study groups and conferences in this space to recruit more security talent?

  25. Let's continue the conversation on Meety:
    https://meety.net/matches/SunJOdvBKMrT