Developer-First Security という考え方 / Introduction to Developer-First Security

%FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ -0$"-%FWFMPQFS%BZ0OMJOF`4FDVSJUZ :0/&6$)* 5BLBTIJ IUUQTTIJGUKTJOGP

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ XIPBNJ ৄࡉ͸IUUQTTIJGUKTJOGPʹ͋Γ·͢ ‣ ถ಺وࢤ :0/&6$)* 5BLBTIJ
‣ גࣜձࣾ'MBUU4FDVSJUZࣥߦ໾һ$50 ‣ ʮ։ൃऀͷͨΊͷɺ։ൃऀʹدΓఴͬͨηΩϡ ϦςΟʯΛୈҰٛͱͯ͠ಇ͍͍ͯ·͢ ‣ ੈͷதͷʢಛʹΠϯϋ΢εͷʣϓϩμΫτνʔ Ϝ͕҆৺ͯ͠ಇ͚ΔੈքΛ࡞Γ͍ͨͰ͢ ‣ ஶॻͳͲ ‣ ʰ8FCϒϥ΢βηΩϡϦςΟʱ ‣ ʰৄղηΩϡϦςΟίϯςετʱ ‣ ๺ւಓ۴࿏ࢢग़਎

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ ‣ ࢲ͕ॳΊͯࢀՃٕͨ͠ज़ษڧձ͸-%%'BMMʢ۴࿏։࠵ʣͰͨ͠😌 ‣ ͋Ε͔Β೥ޙͷ͍·ɺ·ͨ͜͏͍͏ܗͰؔΘΕ͍ͯΔͷ͕خ͍͠Ͱ͢ɻ ࢲͱ-0$"-%&7&-01&3%": IUUQTMNUTXBMMPXIBUFOBEJBSZPSHFOUSZ

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ 🤔 ͜Ε͸Կʁ

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ %FWFMPQFS'JSTU4FDVSJUZͱ͸ ‣ ։ൃऀͷ׆ಈݍʹͱ͚͜ΜͰ͍͘4FDVSJUZ ‣ ։ൃऀͷٕज़ελοΫʹͱ͚͜ΜͰ͍͘4FDVSJUZ ‣ ։ൃऀͷखݩʹͱ͚͜ΜͰ͍͘4FDVSJUZ 1
2 3 ࠓ೔࿩͢͜ͱʢͷ಄ग़͠ʣ %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ-0$"-%FWFMPQFS%BZ0OMJOF`4FDVSJUZ

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ αΠόʔηΩϡϦςΟྖҬ͸޿େ 5IF.BQPG$ZCFSTFDVSJUZ%PNBJOTΑΓҾ༻ IUUQTXXXMJOLFEJODPNQVMTFDZCFSTFDVSJUZEPNBJONBQWFSIFOSZKJBOH

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ ։ൃऀ ηΩϡϦςΟ ܥͷ؅ཧ෦໳ ίʔϙϨʔτ*5 ෦໳ ӡ༻ऀ ηΩϡϦςΟ
ݚڀऀ ؂ࠪ ΝʔϜ ඪ४Խஂମ $*40΍ ͦͷଞܦӦ૚ ߈ܸऀ ൜ࡑ૊৫ ࠃՈ ڭҭऀ ৘ใηΩϡϦςΟʹ͸ ༷ʑͳΞΫλʔ͕ଘࡏ ηΩϡϦςΟ ϕϯμ

ݚڀऀ ؂ࠪ ΝʔϜ $*40΍ ͦͷଞܦӦ૚ ߈ܸऀ ൜ࡑ૊৫ ࠃՈ ৘ใηΩϡϦςΟʹ͸ ༷ʑͳΞΫλʔ͕ଘࡏ ηΩϡϦςΟ ϕϯμ ڭҭऀ ඪ४Խஂମ ͜Ε·Ͱࣗ෼͕ ޲͖߹͖ͬͯͨ͜ͱ

ݚڀऀ ؂ࠪ ΝʔϜ $*40΍ ͦͷଞܦӦ૚ ߈ܸऀ ൜ࡑ૊৫ ࠃՈ ৘ใηΩϡϦςΟʹ͸ ༷ʑͳΞΫλʔ͕ଘࡏ ηΩϡϦςΟ ϕϯμ IUUQTGMBUUUFDILFOSP ڭҭऀ ඪ४Խஂମ ͜Ε·Ͱࣗ෼͕ ޲͖߹͖ͬͯͨ͜ͱ

ݚڀऀ ؂ࠪ ΝʔϜ ηΩϡϦςΟ ϕϯμ $*40΍ ͦͷଞܦӦ૚ ߈ܸऀ ൜ࡑ૊৫ ࠃՈ ڭҭऀ ৘ใηΩϡϦςΟʹ͸ ༷ʑͳΞΫλʔ͕ଘࡏ ඪ४Խஂମ ͜Ε·Ͱࣗ෼͕ ޲͖߹͖ͬͯͨ͜ͱ

ݚڀऀ ؂ࠪ ΝʔϜ ηΩϡϦςΟ ϕϯμ $*40΍ ͦͷଞܦӦ૚ ߈ܸऀ ൜ࡑ૊৫ ࠃՈ ڭҭऀ ৘ใηΩϡϦςΟʹ͸ ༷ʑͳΞΫλʔ͕ଘࡏ IUUQTCVHTDISPNJVNPSHQDISPNJVNJTTVFTEFUBJM JE IUUQTQPSUTXJHHFSOFUEBJMZTXJHCMJOESFHFYJOKFDUJPOUIFPSFUJDBM FYQMPJUPGGFSTOFXXBZUPGPSDFXFCBQQTUPTQJMMTFDSFUT ඪ४Խஂମ ͜Ε·Ͱࣗ෼͕ ޲͖߹͖ͬͯͨ͜ͱ

ݚڀऀ ؂ࠪ ΝʔϜ ηΩϡϦςΟ ϕϯμ $*40΍ ͦͷଞܦӦ૚ ߈ܸऀ ൜ࡑ૊৫ ࠃՈ ৘ใηΩϡϦςΟʹ͸ ༷ʑͳΞΫλʔ͕ଘࡏ ڭҭऀ ඪ४Խஂମ ͜Ε·Ͱࣗ෼͕ ޲͖߹͖ͬͯͨ͜ͱ

ݚڀऀ ؂ࠪ ΝʔϜ ηΩϡϦςΟ ϕϯμ $*40΍ ͦͷଞܦӦ૚ ߈ܸऀ ൜ࡑ૊৫ ࠃՈ ৘ใηΩϡϦςΟʹ͸ ༷ʑͳΞΫλʔ͕ଘࡏ IUUQTGMBUUUFDIBTTFTTNFOUEFUBJM ڭҭऀ ඪ४Խஂମ ͜Ε·Ͱࣗ෼͕ ޲͖߹͖ͬͯͨ͜ͱ

ݚڀऀ ؂ࠪ ΝʔϜ $*40΍ ͦͷଞܦӦ૚ ߈ܸऀ ൜ࡑ૊৫ ࠃՈ ৘ใηΩϡϦςΟʹ͸ ༷ʑͳΞΫλʔ͕ଘࡏ ηΩϡϦςΟ ϕϯμ ڭҭऀ ඪ४Խஂମ TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ ͜Ε·Ͱࣗ෼͕ ޲͖߹͖ͬͯͨ͜ͱ

ݚڀऀ ؂ࠪ ΝʔϜ $*40΍ ͦͷଞܦӦ૚ ߈ܸऀ ൜ࡑ૊৫ ࠃՈ ৘ใηΩϡϦςΟʹ͸ ༷ʑͳΞΫλʔ͕ଘࡏ ηΩϡϦςΟ ϕϯμ ڭҭऀ ඪ४Խஂମ ͜Ε·Ͱࣗ෼͕ ޲͖߹͖ͬͯͨ͜ͱ

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ ίʔϙϨʔτ*5 ෦໳ ηΩϡϦςΟ ܥͷ؅ཧ෦໳ ৘ใηΩϡϦςΟʹ͸ ༷ʑͳΞΫλʔ͕ଘࡏ ։ൃऀ
ӡ༻ऀ ηΩϡϦςΟ ݚڀऀ ؂ࠪ ΝʔϜ ඪ४Խஂମ ઃܭऀ $*40΍ ͦͷଞܦӦ૚ ߈ܸऀ ൜ࡑ૊৫ ࠃՈ γϑτϨϑτΛਪ͠ਐΊΔͱ ࠨͷ΄͏ʹ͍Δઃܭɾ։ൃऀʹ͍͍ۙͮͯ͘ ηΩϡϦςΟ ϕϯμ ڭҭऀ ܦݧΛܦͯಘͨ খ͞ͳؾ෇͖

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ ίʔϙϨʔτ*5 ෦໳ ηΩϡϦςΟ ܥͷ؅ཧ෦໳ ৘ใηΩϡϦςΟʹ͸ ༷ʑͳΞΫλʔ͕ଘࡏ ։ൃऀ
ӡ༻ऀ ηΩϡϦςΟ ݚڀऀ ؂ࠪ ΝʔϜ ඪ४Խஂମ ઃܭऀ $*40΍ ͦͷଞܦӦ૚ ߈ܸऀ ൜ࡑ૊৫ ࠃՈ γϑτϨϑτΛਪ͠ਐΊΔͱ ࠨͷ΄͏ʹ͍Δઃܭɾ։ൃऀʹ͍͍ۙͮͯ͘ ʜ͕ɺ௕Β͘ʮΈΜͳ౰ͨΓલʹ࢖͏΋ͷʯ͸ੜ·Εͯ͜ͳ͔ͬͨ ηΩϡϦςΟ ϕϯμ ڭҭऀ ܦݧΛܦͯಘͨ খ͞ͳؾ෇͖

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ ‣ ͙͢࢖͑ͳ͍ɾཁٻίετ͕ലେ 1 ηΩϡϦςΟϓϩμΫτʹΑ͋͘Δ՝୊ ‣ 69͕ৗਓ޲͚Ͱ͸ͳ͍ 2
‣ ։ൃऀͷ؀ڥʹͳ͡·ͳ͍ 3

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ ελʔτΞοϓͷ༂ਐ IUUQTSDEFWCMPHSDTFSJFTCGVOEJOH IUUQTTOZLJPOFXTTOZLBEWBODFTEFWFMPQFSGJSTUTFDVSJUZXJUITFSJFTFJOWFTUNFOU ͦΜͳதɺۙ೥͸։ൃऀ޲͚ͷηΩϡϦςΟϓϩμΫτͰ େ͖ͳ੒௕Λ਱͛ΔελʔτΞοϓ΋ݱΕΔΑ͏ʹ

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ ελʔτΞοϓͷ༂ਐ IUUQTSDEFWCMPHSDTFSJFTCGVOEJOH IUUQTTOZLJPOFXTTOZLBEWBODFTEFWFMPQFSGJSTUTFDVSJUZXJUITFSJFTFJOWFTUNFOU ͦΜͳதɺۙ೥͸։ൃऀ޲͚ͷηΩϡϦςΟϓϩμΫτͰ େ͖ͳ੒௕Λ਱͛ΔελʔτΞοϓ΋ݱΕΔΑ͏ʹ 🤔 ҧ͍͸Կʁ

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ ‣ ։ൃऀͷ׆ಈݍʹͱ͚͜ΜͰ͍͘ ‣ ։ൃऀͷٕज़ελοΫʹͱ͚͜ΜͰ͍͘ ‣ ։ൃऀͷखݩʹͱ͚͜ΜͰ͍͘ ༂ਐΛ਱͛Δ൴Βʹڞ௨͢Δͷ͸
ҎԼͷΑ͏ͳ%FWFMPQFS'JSTUͳߟ͑ํ 1 2 3 ϙΠϯτ

։ൃऀͷ׆ಈݍʹͱ͚͜Ή ηΩϡϦςΟϓϩμΫτ $IBQUFS

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ ‣ ։ൃऀͷ׆ಈݍʹͱ͚͜ΜͰ͍͘ ༂ਐΛ਱͛Δ൴Βʹڞ௨͢Δͷ͸ ҎԼͷΑ͏ͳ%FWFMPQFS'JSTUͳߟ͑ํ ϙΠϯτ ‣ ։ൃऀͷٕज़ελοΫʹͱ͚͜ΜͰ͍͘
‣ ։ൃऀͷखݩʹͱ͚͜ΜͰ͍͘ 1 2 3

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ ‣ ։ൃऀͷීஈͷϫʔΫϑϩʔ͔Β֎ΕΔͱɺश׳తͳར༻ʹ͸ͭͳ͕Βͳ͍ ‣ ։ൃऀͷηΩϡϦςΟ΁ͷؔ৺΍ߦಈΛҾ͖ग़͢ʹ͸ɺ։ൃऀͷ׆ಈݍͷதʹ͏ ·͘૊ΈࠐΊΔ͜ͱ͕લఏͰ͋Δͱࢥͬͯ΋Α͍ ։ൃऀͷ׆ಈݍͷத΁ ։ൃऀ

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ 4OZL ։ൃऀͷ׆ಈݍ΁ͷੵۃతͳࢀೖ ίʔυϗεςΟϯάαʔϏεͱ͏·͘࿈ܞͯ͠ վળͷΞΫγϣϯ·ͰΛαϙʔτ

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ (JU)VC ։ൃऀͷ׆ಈݍ΁ͷੵۃతͳࢀೖ ։ൃऀͷ׆ಈݍͷத৺Ͱ ਺ଟ͘ͷηΩϡϦςΟػೳΛల։

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ (JU)VC ։ൃऀͷ׆ಈݍ΁ͷੵۃతͳࢀೖ मਖ਼ͷ1VMM3FRVFTUԽ·Ͱαϙʔτ

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ 4UBDL)BXL ։ൃऀͷ׆ಈݍ΁ͷੵۃతͳࢀೖ $*ͷதʹͰ͖Δ͚ͩ׈Β͔ʹ%"45Λར༻Ͱ͖ΔΑ͏ͳ࢓૊Έ

։ൃऀͷٕज़ελοΫʹͱ͚͜Ή ηΩϡϦςΟϓϩμΫτ $IBQUFS

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ ‣ Ϋϥ΢υωΠςΟϒٕज़पล͸ۙ೥੝Γ্͕ΓΛݟ͍ͤͯΔ ‣ ͜ͷΑ͏ͳٕज़ಛ༗ͷ՝୊ͷղܾ΍ɺ͜ͷΑ͏ͳٕज़ελοΫͷ্͔ͩΒͦ͜Մ ೳͱͳΔηΩϡϦςΟϓϥΫςΟεͷ࣮ݱͷͨΊʹɺଟ͘ͷϓϨΠϠʔ͕ࢀೖத Ϋϥ΢υωΠςΟϒٕज़ͱͷ༥࿨ IUUQTXXXQBMPBMUPOFUXPSLTDPN
QSJTNBDMPVE IUUQTXXX[TDBMFSDPNQSPEVDUT [TDBMFSDMPVEQSPUFDUJPO IUUQTPSDBTFDVSJUZ IUUQTXXXBRVBTFDDPN ;TDBMFS $MPVE1SPUFDUJPO 1SJTNB$MPVE "RVB4FDVSJUZ 0SDB4FDVSJUZ

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ ։ൃऀʹدΓఴͬͨମݧ ଟ͘ͷπʔϧΛ044ͱͯ͠ల։͠ɺ ίϛϡχςΟʹڧ͘ߩݙ͍ͯ͠Δ

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ ೝূॲཧͷαʔϏεԽ IUUQTXXXBVUIMFUFDPN IUUQTBVUIDPN IUUQTB[VSFNJDSPTPGUDPNFOVTTFSWJDFTBDUJWF EJSFDUPSZFYUFSOBMJEFOUJUJFTCD ೝূʹؔ͢Δཁ݅͸Α͘ෳࡶʹͳΔ࣮૷͕໰୊ͷԹচʹͳΔ ͜͜Λ͏·͘ࢧ͑ΔϓϥοτϑΥʔϜ͕༻ྫΛ૿΍͍ͯ͠Δ
"[VSF"%#$ "VUI "VUIMFUF

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ ։ൃऀʹدΓఴͬͨମݧ ແྉ൛͸౰વͷΑ͏ʹɾ௚ͪʹ࢖͑Δ ࣮Ϣʔεέʔεผʹίʔυྫ΋ఏڙ

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ ೝՄॲཧͷαʔϏεԽ IUUQTTBOENBOIFSPLVBQQDPN IUUQTBVUI[FEDPN IUUQTCVJMETFDVSJUZ ॊೈͳೝՄΛ؆ܿʹ࣮૷͢ΔͨΊͷίϯϙʔωϯτΛ ఏڙ͢Δ໺৺తͳاۀ΋ݱΕ͍ͯΔ CVJMETFDVSJUZ
BVUI[FE 1SPKFDU4BOEDBTUMF "VUI

։ൃऀͷखݩʹͱ͚͜Ή ηΩϡϦςΟϓϩμΫτ $IBQUFS

ݚڀऀ ؂ࠪ ΝʔϜ ඪ४Խஂମ ઃܭऀ $*40΍ ͦͷଞܦӦ૚ ߈ܸऀ ൜ࡑ૊৫ ࠃՈ %FW0QT͸͜ͷΞΫλʔؒͷ ༥࿨ͷͨΊͷϓϥΫςΟε ৘ใηΩϡϦςΟʹ͸ ༷ʑͳΞΫλʔ͕ଘࡏ ηΩϡϦςΟ ϕϯμ ڭҭऀ

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ ‣ %FW0QTͷՃ଎͸0QTʢӡ༻νʔϜʣͷऔΓѻ͍ͬͯͨ΋ͷ͕ιϑτ΢ΣΞత ʹऔΓѻ͑ΔΑ͏ʹͳͬͨ͜ͱɺͱΓΘ͚ίʔυͰදݱՄೳͳ΋ͷʹมԽͨ͜͠ ͱʹେ͖͘ࢧ͑ΒΕ͍ͯΔͱ͍ͬͯ΋աݴͰ͸ͳ͍ɻ %FW0QTͷਐԽΛࢧٕ͑ͨज़ resource "google_container_cluster"
"challenge_cluster" { name = "challenges" location = "asia-northeast1" initial_node_count = 1 cluster_autoscaling { enabled = true resource_limits { resource_type = "cpu" minimum = 3 maximum = 32 } resource_limits { resource_type = "memory" minimum = 3 maximum = 32 } } ...

ݚڀऀ ؂ࠪ ΝʔϜ $*40΍ ͦͷଞܦӦ૚ ߈ܸऀ ൜ࡑ૊৫ ࠃՈ ৘ใηΩϡϦςΟʹ͸ ༷ʑͳΞΫλʔ͕ଘࡏ ηΩϡϦςΟ ϕϯμ ڭҭऀ %FW4FD0QT͸ ͜ͷลͷ༥࿨ͷͨΊͷϓϥΫςΟε ඪ४Խஂମ

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ ‣ %FW0QTͷՃ଎0QTʢӡ༻νʔϜʣͷऔΓѻ͍ͬͯͨ΋ͷ͕ιϑτ΢ΣΞతʹ औΓѻ͑ΔΑ͏ʹͳͬͨ͜ͱɺͱΓΘ͚ίʔυͰදݱՄೳͳ΋ͷʹมԽͨ͜͠ͱ ʹେ͖͘ࢧ͑ΒΕ͍ͯΔͱ͍ͬͯ΋աݴͰ͸ͳ͍ɻ %FW0QTͷਐԽΛࢧٕ͑ͨज़ resource "google_container_cluster"
"challenge_cluster" { name = "challenges" location = "asia-northeast1" initial_node_count = 1 cluster_autoscaling { enabled = true resource_limits { resource_type = "cpu" minimum = 3 maximum = 32 } resource_limits { resource_type = "memory" minimum = 3 maximum = 32 } } ...

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ ‣ 4FDʢηΩϡϦςΟνʔϜʣͷऔΓѻ͍ͬͯͨ΋ͷ͕ιϑτ΢ΣΞతʹऔΓѻ͑ ΔΑ͏ʹͳΔͱ͖ɺ͜ͱίʔυͰදݱՄೳͳ΋ͷʹมԽͨ͠ͱ͖ʹ͸ɺΑΓ %FW΍0QTͱ4FDͱͷ༥࿨͕ਐΈ΍͘͢ͳΔͱ͍͏ྨਪ͕Ͱ͖Δ ‣ ։ൃνʔϜͱηΩϡϦςΟνʔϜͱͷڠಇͷͨΊͷഔମͱͯ͠ίʔυΛհ͢Δ 1PMJDZBT$PEFͱΑ΂ΔΞϓϩʔνΛਪਐ͢ΔϓϩμΫτ΋૿͑ͭͭ͋Δ
%FW4FD0QTΛࢧ͑ͭͭ͋Δٕज़ IUUQTBQPMJDZJP IUUQTDZSBMDPN "QPMJDZ $ZSBM

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ 1PMJDZBT$PEF ϙϦγʔͷΠϝʔδ ٕज़తର৅ʹؔ͢ΔϙϦγʔΛίʔυͱͯ͠දݱ͢Δख๏ version: '1' rules: -
id: 'unencrypted-ebs-volume' language: hcl message: | There was unencrypted EBS module. pattern: | resource "aws_ebs_volume" :[NAME] { :[...X] } constraints: - target: X should: not-match pattern: | encrypted = true rewrite: | resource "aws_ebs_volume" :[NAME] { :[X] encrypted = true }

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ 0QFO1PMJDZ"HFOU IUUQTXXXPQFOQPMJDZBHFOUPSHEPDTWΑΓҾ༻ ‣ ൚༻ੑͷߴ͍ϙϦγʔΤϯδϯ ‣ 3FHPͱ͍͏%4-ΑΓʹهड़͞ΕͨϙϦ γʔΛݩʹɺ͋Δ৘ใʢ2VFSZʣ͕ϙϦγʔʹ
ରͯ͠Ϛον͢Δ͔ͷ൑அʢ%FDJTJPOʣΛߦ͏ ͜ͱ͕Ͱ͖Δ ‣ ൑அͷͨΊͷϩδοΫͱ൑அ݁Ռʹґଘ͢Δ ϩδοΫ͕෼཭͞ΕΔʢ1PMJDZ%FDPVQMJOHʣ ‣ ར༻ྫ ‣ (BUFLFFQFS,VCFSOFUFTϫʔΫϩʔυͷอޢ ͷͨΊͷ࢓૊Έ ‣ $POGUFTU,VCFSOFUFTϚχϑΣετͷςετ ͷͨΊͷπʔϧ

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ (BUFLFFQFS 0QFO1PMJDZ"HFOUΛݩʹͨ͠γεςϜ package deny_host_network violation[{"msg": msg, "details":
{}}]{ input.review.object.spec.hostNetwork msg := sprintf("hostNetwork is prohibited", []) } apiVersion: v1 kind: Pod metadata: name: example labels: app: example spec: hostNetwork: true containers: - name: nginx image: nginx ports: - containerPort: 9001 hostPort: 9001 3FHPͰهड़͞ΕͨϙϦγʔ ϙϦγʔʹै͏΂͖,VCFSOFUFT.BOJGFTU $ kubectl apply ...͸ࣦഊ͢Δɻ ະવʹϙϦγʔʹԊΘͳ͍Ϧιʔεͷ ࡞੒Λ๷͙͜ͱ͕Ͱ͖Δ😌

{}}]{ input.review.object.spec.hostNetwork msg := sprintf("hostNetwork is prohibited", []) } apiVersion: v1 kind: Pod metadata: name: example labels: app: example spec: hostNetwork: true containers: - name: nginx image: nginx ports: - containerPort: 9001 hostPort: 9001 3FHPͰهड़͞ΕͨϙϦγʔ ϙϦγʔʹै͏΂͖,VCFSOFUFT.BOJGFTU $ kubectl apply ...͸ࣦഊ͢Δɻ ະવʹϙϦγʔʹԊΘͳ͍Ϧιʔεͷ ࡞੒Λ๷͙͜ͱ͕Ͱ͖Δ😌 ϙϦγʔʹҧ൓ͨ͠هड़͕͋Δ

{}}]{ input.review.object.spec.hostNetwork msg := sprintf("hostNetwork is prohibited", []) } apiVersion: v1 kind: Pod metadata: name: example labels: app: example spec: hostNetwork: true containers: - name: nginx image: nginx ports: - containerPort: 9001 hostPort: 9001 3FHPͰهड़͞ΕͨϙϦγʔ ϙϦγʔʹै͏΂͖,VCFSOFUFT.BOJGFTU $ kubectl apply ...͸ࣦഊ͢Δɻ ະવʹϙϦγʔʹԊΘͳ͍Ϧιʔεͷ ࡞੒Λ๷͙͜ͱ͕Ͱ͖Δ😌

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ *O4QFD IUUQTHJUIVCDPNJOTQFDJOTQFD Πϯϑϥʹର͢ΔςετΛίʔυͱͯ͠هड़͢ΔͨΊͷπʔϧ

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ 4FNHSFQ IUUQTTFNHSFQEFW ίʔυʹର͢ΔϙϦγʔΛ:".-Ͱهड़ɾݕূͰ͖Δπʔϧ ίϛϡχςΟͰϙϦγʔΛڞ༗͢ΔͨΊͷ࢓૊ΈͳͲ΋ఏڙ IUUQTTFNHSFQEFWS

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ 4IJTIP ίʔυʹର͢ΔϙϦγʔهड़ɾ௒ߴ଎ͳݕূΛՄೳʹ͢Δπʔϧ ͦΕʹجͮ͘αʔϏεʢΛ࡞͍ͬͯ·͢ʣ IUUQTEPDTTIJTIPEFW IUUQTTIJTIPEFW

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ 4IJTIP Α͘ͳ͍ίʔυϓϥΫςΟεΛஔ׵͢Δϧʔϧ ஔ׵ର৅ͷίʔυ 4IJTIPʹΑΔ໰୊ݕग़ͷ༷ࢠ ฏͨ͘ݴ͑͹-JOUFSͷϧʔϧΛ௒؆୯ʹࣗ࡞Ͱ͖Δ΍ͭͰɺ ίʔσΟϯάʹؔ͢ΔόουϓϥΫςΟεΛίʔυԽͰ͖·͢

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ ‣ )BTIJ$PSQ4FOUJOFM͸1PMJDZBT$PEFͷར఺ΛҎԼͷΑ͏ʹ੔ཧ͍ͯ͠Δ IUUQTEPDTIBTIJDPSQDPNTFOUJOFMDPODFQUTQPMJDZBTDPEF ‣ 4BOECPYJOH؀ڥͷΨʔυϨʔϧͱͯ͠ϙϦγʔ͕ར༻Ͱ͖ΔΑ͏ʹͳΔ ‣
$PEJpDBUJPOίʔυԽ͞ΕΔ͜ͱͰϙϦγʔ͕໌֬ʹͳΔ ‣ 7FSTJPO$POUSPMόʔδϣϯ؅ཧͷର৅ʹͳΔ ‣ 5FTUJOHϙϦγʔʹهड़͞Ε͍ͯΔ͜ͱ΋ςετՄೳͳର৅ʹͳΔ ‣ "VUPNBUJPOࣗಈԽπʔϧͰऔΓѻ͑Δର৅ʹͳΔ ‣ 1PMJDZBT$PEF͸ʮηΩϡϦςΟνʔϜͷ஌ݟ΍࢓ࣄΛදݱ͢ΔͨΊͷํ๏ʯ Ͱ͋ΓɺʮηΩϡϦςΟͱ͍͏࢓ࣄͷର৅ԽʯͰ͋Δ 1PMJDZBT$PEF͕΋ͨΒ͢΋ͷ

ηΩϡϦςΟΛΤϯδχΞϦϯά͢Δ $IBQUFS

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ ‣ ։ൃऀͷ׆ಈݍʹͱ͚͜ΜͰ͍͘ ‣ ։ൃऀͷٕज़ελοΫʹͱ͚͜ΜͰ͍͘ ‣ ։ൃऀͷखݩʹͱ͚͜ΜͰ͍͘ ༂ਐΛ਱͛Δ൴Βʹڞ௨͢Δͷ͸
ҎԼͷΑ͏ͳ%FWFMPQFS'JSTUͳߟ͑ํ 1 2 3 ৼΓฦΓ

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ ‣ %FW4FD0QT΍γϑτϨϑτΛਪਐ͢Δจ຺ͷதʹ͓͍ͯɺηΩϡϦςΟઐ໳Ո ʹٻΊΒΕΔߦಈ͸ɺগͣͭ͠ม༰͖ͯͨ͠ͷͩͱࢥ͏ ‣ ͜ΕΒͷߦಈ͸ࠓͰ΋୭΋͕౰ͨΓલʹ࣮ફͰ͖͍ͯΔΘ͚Ͱ͸ͳ͍ ‣ ͜Ε͸%FW0QT͕͔ͭͯ౰ͨΓલͰͳ͔ͬͨͷͱಉ͜͡ͱ
‣ ઌड़ͷΑ͏ʹ4FD%FW0QTΛ༥࿨͢ΔͨΊͷςΫϊϩδͷෆ଍ͳͲ͕ҰҼ ηΩϡϦςΟઐ໳Ոz΁ͷظ଴ͷมԽ ઐ໳Ոͱͯ͠܅ྟ͢Δ ։ൃऀͷԕ͘Ͱಇ͘ ஌ࣝΛϓϩμΫτͷܗͰຽओԽ͢Δ ։ൃऀͱڠಇ͢Δ ։ൃऀͱҧ͏࢓ࣄΛ͢Δ ։ൃऀͱಉ͡ର৅Λѻ͏ ηΩϡϦςΟͷਓ ηΩϡϦςΟΛ ΤϯδχΞϦϯά͢Δਓ

‣ ๺ւಓ۴࿏ࢢग़਎ ‣ גࣜձࣾ'MBUU4FDVSJUZࣥߦ໾һ$50 ‣ ʮ։ൃऀͷͨΊͷɺ։ൃऀʹدΓఴͬͨηΩϡ ϦςΟʯΛୈҰٛͱͯ͠ಇ͍͍ͯ·͢ ‣ ੈͷதͷʢಛʹΠϯϋ΢εͷʣϓϩμΫτνʔ Ϝ͕҆৺ͯ͠ಇ͚ΔੈքΛ࡞Γ͍ͨͰ͢ ‣ ஶॻͳͲ ‣ ʰ8FCϒϥ΢βηΩϡϦςΟʱ ‣ ʰৄղηΩϡϦςΟίϯςετʱ

‣ ๺ւಓ۴࿏ࢢग़਎ ‣ גࣜձࣾ'MBUU4FDVSJUZࣥߦ໾һ$50 ‣ ʮ։ൃऀͷͨΊͷɺ։ൃऀʹدΓఴͬͨηΩϡ ϦςΟʯΛୈҰٛͱͯ͠ಇ͍͍ͯ·͢ ‣ ੈͷதͷʢಛʹΠϯϋ΢εͷʣϓϩμΫτνʔ Ϝ͕҆৺ͯ͠ಇ͚ΔੈքΛ࡞Γ͍ͨͰ͢ ‣ ஶॻͳͲ ‣ ʰ8FCϒϥ΢βηΩϡϦςΟʱ ‣ ʰৄղηΩϡϦςΟίϯςετʱ ηΩϡϦςΟͷྗͰ৴པΛͭͳ͛ɺ ΫϦΤΠςΟϒͳࣾձΛ࣮ݱ͢Δɻ CYBER SECURITY PROVIDING ALL SOCIETY TRUST and UNLIMITED CREATIVITY 8FSF)JSJOH

TIJGUKTJOGP %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ ‣ ։ൃऀͷ׆ಈݍʹͱ͚͜ΜͰ͍͘4FDVSJUZ ‣ ։ൃऀͷٕज़ελοΫʹͱ͚͜ΜͰ͍͘4FDVSJUZ ‣ ։ൃऀͷखݩʹͱ͚͜ΜͰ͍͘4FDVSJUZ 1 2
3 ,FZ5BLFBXBZ %FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ-0$"-%FWFMPQFS%BZ0OMJOF`4FDVSJUZ %FWFMPQFS'JSTU4FDVSJUZͱ͸

Developer-First Security という考え方 / Introduction to Developer-First Security

Developer-First Security という考え方 / Introduction to Developer-First Security

More Decks by Takashi Yoneuchi

Other Decks in Technology

Featured

Transcript