Developer-First Security という考え方 / Introduction to Developer-First Security

%FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ
-0$"-%FWFMPQFS%BZ0OMJOF`4FDVSJUZ
:0/&6$)* 5BLBTIJ
IUUQTTIJGUKTJOGP

View Slide

TIJGUKTJOGP
XIPBNJ
ৄࡉ͸IUUQTTIJGUKTJOGPʹ͋Γ·͢

‣ ถ಺وࢤ :0/&6$)* 5BLBTIJ

‣ גࣜձࣾ'MBUU4FDVSJUZࣥߦ໾һ$50
‣ ʮ։ൃऀͷͨΊͷɺ։ൃऀʹدΓఴͬͨηΩϡ
ϦςΟʯΛୈҰٛͱͯ͠ಇ͍͍ͯ·͢
‣ ੈͷதͷʢಛʹΠϯϋ΢εͷʣϓϩμΫτνʔ
Ϝ͕҆৺ͯ͠ಇ͚ΔੈքΛ࡞Γ͍ͨͰ͢
‣ ஶॻͳͲ
‣ ʰ8FCϒϥ΢βηΩϡϦςΟʱ
‣ ʰৄղηΩϡϦςΟίϯςετʱ
‣ ๺ւಓ۴࿏ࢢग़਎

View Slide

TIJGUKTJOGP
‣ ࢲ͕ॳΊͯࢀՃٕͨ͠ज़ษڧձ͸-%%'BMMʢ۴࿏։࠵ʣͰͨ͠😌
‣ ͋Ε͔Β೥ޙͷ͍·ɺ·ͨ͜͏͍͏ܗͰؔΘΕ͍ͯΔͷ͕خ͍͠Ͱ͢ɻ
ࢲͱ-0$"-%&7&-01&3%":
IUUQTMNUTXBMMPXIBUFOBEJBSZPSHFOUSZ

View Slide

TIJGUKTJOGP

View Slide

TIJGUKTJOGP
🤔
͜Ε͸Կʁ

View Slide

TIJGUKTJOGP
%FWFMPQFS'JSTU4FDVSJUZͱ͸
‣ ։ൃऀͷ׆ಈݍʹͱ͚͜ΜͰ͍͘4FDVSJUZ
‣ ։ൃऀͷٕज़ελοΫʹͱ͚͜ΜͰ͍͘4FDVSJUZ
‣ ։ൃऀͷखݩʹͱ͚͜ΜͰ͍͘4FDVSJUZ
1
2
3
ࠓ೔࿩͢͜ͱʢͷ಄ग़͠ʣ
%FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ-0$"-%FWFMPQFS%BZ0OMJOF`4FDVSJUZ

View Slide

TIJGUKTJOGP
αΠόʔηΩϡϦςΟྖҬ͸޿େ
5IF.BQPG$ZCFSTFDVSJUZ%PNBJOTΑΓҾ༻
IUUQTXXXMJOLFEJODPNQVMTFDZCFSTFDVSJUZEPNBJONBQWFSIFOSZKJBOH

View Slide

TIJGUKTJOGP
։ൃऀ
ηΩϡϦςΟ
ܥͷ؅ཧ෦໳
ίʔϙϨʔτ*5
෦໳
ӡ༻ऀ
ηΩϡϦςΟ
ݚڀऀ
؂ࠪ
ΝʔϜ
ඪ४Խஂମ
$*40΍
ͦͷଞܦӦ૚
߈ܸऀ
൜ࡑ૊৫
ࠃՈ
ڭҭऀ
৘ใηΩϡϦςΟʹ͸
༷ʑͳΞΫλʔ͕ଘࡏ
ηΩϡϦςΟ
ϕϯμ

View Slide

TIJGUKTJOGP
։ൃऀ
ηΩϡϦςΟ
ܥͷ؅ཧ෦໳
ίʔϙϨʔτ*5
෦໳
ӡ༻ऀ
ηΩϡϦςΟ
ݚڀऀ
؂ࠪ
ΝʔϜ
$*40΍
ͦͷଞܦӦ૚
߈ܸऀ
൜ࡑ૊৫
ࠃՈ
ηΩϡϦςΟ
ϕϯμ
ڭҭऀ
ඪ४Խஂମ
͜Ε·Ͱࣗ෼͕
޲͖߹͖ͬͯͨ͜ͱ

View Slide

TIJGUKTJOGP
։ൃऀ
ηΩϡϦςΟ
ܥͷ؅ཧ෦໳
ίʔϙϨʔτ*5
෦໳
ӡ༻ऀ
ηΩϡϦςΟ
ݚڀऀ
؂ࠪ
ΝʔϜ
$*40΍
ͦͷଞܦӦ૚
߈ܸऀ
൜ࡑ૊৫
ࠃՈ
ηΩϡϦςΟ
ϕϯμ
IUUQTGMBUUUFDILFOSP
ڭҭऀ
ඪ४Խஂମ
͜Ε·Ͱࣗ෼͕
޲͖߹͖ͬͯͨ͜ͱ

View Slide

TIJGUKTJOGP
։ൃऀ
ηΩϡϦςΟ
ܥͷ؅ཧ෦໳
ίʔϙϨʔτ*5
෦໳
ӡ༻ऀ
ηΩϡϦςΟ
ݚڀऀ
؂ࠪ
ΝʔϜ
ηΩϡϦςΟ
ϕϯμ
$*40΍
ͦͷଞܦӦ૚
߈ܸऀ
൜ࡑ૊৫
ࠃՈ
ڭҭऀ
ඪ४Խஂମ
͜Ε·Ͱࣗ෼͕
޲͖߹͖ͬͯͨ͜ͱ

View Slide

TIJGUKTJOGP
։ൃऀ
ηΩϡϦςΟ
ܥͷ؅ཧ෦໳
ίʔϙϨʔτ*5
෦໳
ӡ༻ऀ
ηΩϡϦςΟ
ݚڀऀ
؂ࠪ
ΝʔϜ
ηΩϡϦςΟ
ϕϯμ
$*40΍
ͦͷଞܦӦ૚
߈ܸऀ
൜ࡑ૊৫
ࠃՈ
ڭҭऀ
IUUQTCVHTDISPNJVNPSHQDISPNJVNJTTVFTEFUBJM JE
IUUQTQPSUTXJHHFSOFUEBJMZTXJHCMJOESFHFYJOKFDUJPOUIFPSFUJDBM
FYQMPJUPGGFSTOFXXBZUPGPSDFXFCBQQTUPTQJMMTFDSFUT
ඪ४Խஂମ
͜Ε·Ͱࣗ෼͕
޲͖߹͖ͬͯͨ͜ͱ

View Slide

TIJGUKTJOGP
։ൃऀ
ηΩϡϦςΟ
ܥͷ؅ཧ෦໳
ίʔϙϨʔτ*5
෦໳
ӡ༻ऀ
ηΩϡϦςΟ
ݚڀऀ
؂ࠪ
ΝʔϜ
ηΩϡϦςΟ
ϕϯμ
$*40΍
ͦͷଞܦӦ૚
߈ܸऀ
൜ࡑ૊৫
ࠃՈ
ڭҭऀ
ඪ४Խஂମ
͜Ε·Ͱࣗ෼͕
޲͖߹͖ͬͯͨ͜ͱ

View Slide

TIJGUKTJOGP
։ൃऀ
ηΩϡϦςΟ
ܥͷ؅ཧ෦໳
ίʔϙϨʔτ*5
෦໳
ӡ༻ऀ
ηΩϡϦςΟ
ݚڀऀ
؂ࠪ
ΝʔϜ
ηΩϡϦςΟ
ϕϯμ
$*40΍
ͦͷଞܦӦ૚
߈ܸऀ
൜ࡑ૊৫
ࠃՈ
IUUQTGMBUUUFDIBTTFTTNFOUEFUBJM
ڭҭऀ
ඪ४Խஂମ
͜Ε·Ͱࣗ෼͕
޲͖߹͖ͬͯͨ͜ͱ

View Slide

TIJGUKTJOGP
։ൃऀ
ηΩϡϦςΟ
ܥͷ؅ཧ෦໳
ίʔϙϨʔτ*5
෦໳
ӡ༻ऀ
ηΩϡϦςΟ
ݚڀऀ
؂ࠪ
ΝʔϜ
$*40΍
ͦͷଞܦӦ૚
߈ܸऀ
൜ࡑ૊৫
ࠃՈ
ηΩϡϦςΟ
ϕϯμ
ڭҭऀ
ඪ४Խஂମ
TIJGUKTJOGP
͜Ε·Ͱࣗ෼͕
޲͖߹͖ͬͯͨ͜ͱ

View Slide

TIJGUKTJOGP
։ൃऀ
ηΩϡϦςΟ
ܥͷ؅ཧ෦໳
ίʔϙϨʔτ*5
෦໳
ӡ༻ऀ
ηΩϡϦςΟ
ݚڀऀ
؂ࠪ
ΝʔϜ
$*40΍
ͦͷଞܦӦ૚
߈ܸऀ
൜ࡑ૊৫
ࠃՈ
ηΩϡϦςΟ
ϕϯμ
ڭҭऀ
ඪ४Խஂମ
͜Ε·Ͱࣗ෼͕
޲͖߹͖ͬͯͨ͜ͱ

View Slide

TIJGUKTJOGP
ίʔϙϨʔτ*5
෦໳
ηΩϡϦςΟ
ܥͷ؅ཧ෦໳

։ൃऀ
ӡ༻ऀ
ηΩϡϦςΟ
ݚڀऀ
؂ࠪ
ΝʔϜ
ඪ४Խஂମ
ઃܭऀ
$*40΍
ͦͷଞܦӦ૚
߈ܸऀ
൜ࡑ૊৫
ࠃՈ
γϑτϨϑτΛਪ͠ਐΊΔͱ
ࠨͷ΄͏ʹ͍Δઃܭɾ։ൃऀʹ͍͍ۙͮͯ͘
ηΩϡϦςΟ
ϕϯμ
ڭҭऀ
ܦݧΛܦͯಘͨ
খ͞ͳؾ෇͖

View Slide

TIJGUKTJOGP
ίʔϙϨʔτ*5
෦໳
ηΩϡϦςΟ
ܥͷ؅ཧ෦໳

։ൃऀ
ӡ༻ऀ
ηΩϡϦςΟ
ݚڀऀ
؂ࠪ
ΝʔϜ
ඪ४Խஂମ
ઃܭऀ
$*40΍
ͦͷଞܦӦ૚
߈ܸऀ
൜ࡑ૊৫
ࠃՈ
γϑτϨϑτΛਪ͠ਐΊΔͱ
ࠨͷ΄͏ʹ͍Δઃܭɾ։ൃऀʹ͍͍ۙͮͯ͘
ʜ͕ɺ௕Β͘ʮΈΜͳ౰ͨΓલʹ࢖͏΋ͷʯ͸ੜ·Εͯ͜ͳ͔ͬͨ
ηΩϡϦςΟ
ϕϯμ
ڭҭऀ
ܦݧΛܦͯಘͨ
খ͞ͳؾ෇͖

View Slide

TIJGUKTJOGP
‣ ͙͢࢖͑ͳ͍ɾཁٻίετ͕ലେ
1
ηΩϡϦςΟϓϩμΫτʹΑ͋͘Δ՝୊
‣ 69͕ৗਓ޲͚Ͱ͸ͳ͍
2
‣ ։ൃऀͷ؀ڥʹͳ͡·ͳ͍
3

View Slide

TIJGUKTJOGP
ελʔτΞοϓͷ༂ਐ

IUUQTSDEFWCMPHSDTFSJFTCGVOEJOH
IUUQTTOZLJPOFXTTOZLBEWBODFTEFWFMPQFSGJSTUTFDVSJUZXJUITFSJFTFJOWFTUNFOU
ͦΜͳதɺۙ೥͸։ൃऀ޲͚ͷηΩϡϦςΟϓϩμΫτͰ
େ͖ͳ੒௕Λ਱͛ΔελʔτΞοϓ΋ݱΕΔΑ͏ʹ

View Slide

TIJGUKTJOGP
ελʔτΞοϓͷ༂ਐ

IUUQTSDEFWCMPHSDTFSJFTCGVOEJOH
IUUQTTOZLJPOFXTTOZLBEWBODFTEFWFMPQFSGJSTUTFDVSJUZXJUITFSJFTFJOWFTUNFOU
ͦΜͳதɺۙ೥͸։ൃऀ޲͚ͷηΩϡϦςΟϓϩμΫτͰ
େ͖ͳ੒௕Λ਱͛ΔελʔτΞοϓ΋ݱΕΔΑ͏ʹ
🤔
ҧ͍͸Կʁ

View Slide

TIJGUKTJOGP
‣ ։ൃऀͷ׆ಈݍʹͱ͚͜ΜͰ͍͘
‣ ։ൃऀͷٕज़ελοΫʹͱ͚͜ΜͰ͍͘
‣ ։ൃऀͷखݩʹͱ͚͜ΜͰ͍͘

༂ਐΛ਱͛Δ൴Βʹڞ௨͢Δͷ͸
ҎԼͷΑ͏ͳ%FWFMPQFS'JSTUͳߟ͑ํ
1
2
3
ϙΠϯτ

View Slide

։ൃऀͷ׆ಈݍʹͱ͚͜Ή
ηΩϡϦςΟϓϩμΫτ
$IBQUFS

View Slide

TIJGUKTJOGP

ϙΠϯτ
1
2
3

View Slide

TIJGUKTJOGP
‣ ։ൃऀͷීஈͷϫʔΫϑϩʔ͔Β֎ΕΔͱɺश׳తͳར༻ʹ͸ͭͳ͕Βͳ͍
‣ ։ൃऀͷηΩϡϦςΟ΁ͷؔ৺΍ߦಈΛҾ͖ग़͢ʹ͸ɺ։ൃऀͷ׆ಈݍͷதʹ͏
·͘૊ΈࠐΊΔ͜ͱ͕લఏͰ͋Δͱࢥͬͯ΋Α͍

։ൃऀͷ׆ಈݍͷத΁
։ൃऀ

View Slide

TIJGUKTJOGP
4OZL
։ൃऀͷ׆ಈݍ΁ͷੵۃతͳࢀೖ
ίʔυϗεςΟϯάαʔϏεͱ͏·͘࿈ܞͯ͠
վળͷΞΫγϣϯ·ͰΛαϙʔτ

View Slide

TIJGUKTJOGP
(JU)VC
։ൃऀͷ׆ಈݍͷத৺Ͱ
਺ଟ͘ͷηΩϡϦςΟػೳΛల։

View Slide

TIJGUKTJOGP
(JU)VC
मਖ਼ͷ1VMM3FRVFTUԽ·Ͱαϙʔτ

View Slide

TIJGUKTJOGP
4UBDL)BXL
$*ͷதʹͰ͖Δ͚ͩ׈Β͔ʹ%"45Λར༻Ͱ͖ΔΑ͏ͳ࢓૊Έ

View Slide

։ൃऀͷٕज़ελοΫʹͱ͚͜Ή
$IBQUFS

View Slide

TIJGUKTJOGP

ϙΠϯτ
1
2
3

View Slide

TIJGUKTJOGP
‣ Ϋϥ΢υωΠςΟϒٕज़पล͸ۙ೥੝Γ্͕ΓΛݟ͍ͤͯΔ
‣ ͜ͷΑ͏ͳٕज़ಛ༗ͷ՝୊ͷղܾ΍ɺ͜ͷΑ͏ͳٕज़ελοΫͷ্͔ͩΒͦ͜Մ
ೳͱͳΔηΩϡϦςΟϓϥΫςΟεͷ࣮ݱͷͨΊʹɺଟ͘ͷϓϨΠϠʔ͕ࢀೖத

Ϋϥ΢υωΠςΟϒٕज़ͱͷ༥࿨
IUUQTXXXQBMPBMUPOFUXPSLTDPN
QSJTNBDMPVE
IUUQTXXX[TDBMFSDPNQSPEVDUT
[TDBMFSDMPVEQSPUFDUJPO
IUUQTPSDBTFDVSJUZ
IUUQTXXXBRVBTFDDPN
;TDBMFS
$MPVE1SPUFDUJPO 1SJTNB$MPVE "RVB4FDVSJUZ 0SDB4FDVSJUZ

View Slide

TIJGUKTJOGP
։ൃऀʹدΓఴͬͨମݧ
ଟ͘ͷπʔϧΛ044ͱͯ͠ల։͠ɺ
ίϛϡχςΟʹڧ͘ߩݙ͍ͯ͠Δ

View Slide

TIJGUKTJOGP
ೝূॲཧͷαʔϏεԽ
IUUQTXXXBVUIMFUFDPN
IUUQTBVUIDPN
IUUQTB[VSFNJDSPTPGUDPNFOVTTFSWJDFTBDUJWF
EJSFDUPSZFYUFSOBMJEFOUJUJFTCD
ೝূʹؔ͢Δཁ݅͸Α͘ෳࡶʹͳΔ࣮૷͕໰୊ͷԹচʹͳΔ
͜͜Λ͏·͘ࢧ͑ΔϓϥοτϑΥʔϜ͕༻ྫΛ૿΍͍ͯ͠Δ
"[VSF"%#$ "VUI "VUIMFUF

View Slide

TIJGUKTJOGP
։ൃऀʹدΓఴͬͨମݧ
ແྉ൛͸౰વͷΑ͏ʹɾ௚ͪʹ࢖͑Δ
࣮Ϣʔεέʔεผʹίʔυྫ΋ఏڙ

View Slide

TIJGUKTJOGP
ೝՄॲཧͷαʔϏεԽ
IUUQTTBOENBOIFSPLVBQQDPN
IUUQTBVUI[FEDPN
IUUQTCVJMETFDVSJUZ
ॊೈͳೝՄΛ؆ܿʹ࣮૷͢ΔͨΊͷίϯϙʔωϯτΛ
ఏڙ͢Δ໺৺తͳاۀ΋ݱΕ͍ͯΔ
CVJMETFDVSJUZ BVUI[FE 1SPKFDU4BOEDBTUMF "VUI

View Slide

։ൃऀͷखݩʹͱ͚͜Ή
$IBQUFS

View Slide

TIJGUKTJOGP

ϙΠϯτ
1
2
3

View Slide

TIJGUKTJOGP
։ൃऀ
ηΩϡϦςΟ
ܥͷ؅ཧ෦໳
ίʔϙϨʔτ*5
෦໳
ӡ༻ऀ
ηΩϡϦςΟ
ݚڀऀ
؂ࠪ
ΝʔϜ
ඪ४Խஂମ
ઃܭऀ
$*40΍
ͦͷଞܦӦ૚
߈ܸऀ
൜ࡑ૊৫
ࠃՈ
%FW0QT͸͜ͷΞΫλʔؒͷ
༥࿨ͷͨΊͷϓϥΫςΟε
ηΩϡϦςΟ
ϕϯμ
ڭҭऀ

View Slide

TIJGUKTJOGP
‣ %FW0QTͷՃ଎͸0QTʢӡ༻νʔϜʣͷऔΓѻ͍ͬͯͨ΋ͷ͕ιϑτ΢ΣΞత
ʹऔΓѻ͑ΔΑ͏ʹͳͬͨ͜ͱɺͱΓΘ͚ίʔυͰදݱՄೳͳ΋ͷʹมԽͨ͜͠
ͱʹେ͖͘ࢧ͑ΒΕ͍ͯΔͱ͍ͬͯ΋աݴͰ͸ͳ͍ɻ

%FW0QTͷਐԽΛࢧٕ͑ͨज़
resource "google_container_cluster"
"challenge_cluster" {
name = "challenges"
location = "asia-northeast1"
initial_node_count = 1
cluster_autoscaling {
enabled = true
resource_limits {
resource_type = "cpu"
minimum = 3
maximum = 32
}
resource_limits {
resource_type = "memory"
minimum = 3
maximum = 32
}
}
...

View Slide

TIJGUKTJOGP
։ൃऀ
ηΩϡϦςΟ
ܥͷ؅ཧ෦໳
ίʔϙϨʔτ*5
෦໳
ӡ༻ऀ
ηΩϡϦςΟ
ݚڀऀ
؂ࠪ
ΝʔϜ
$*40΍
ͦͷଞܦӦ૚
߈ܸऀ
൜ࡑ૊৫
ࠃՈ
ηΩϡϦςΟ
ϕϯμ
ڭҭऀ
%FW4FD0QT͸
͜ͷลͷ༥࿨ͷͨΊͷϓϥΫςΟε
ඪ४Խஂମ

View Slide

TIJGUKTJOGP
‣ %FW0QTͷՃ଎0QTʢӡ༻νʔϜʣͷऔΓѻ͍ͬͯͨ΋ͷ͕ιϑτ΢ΣΞతʹ
औΓѻ͑ΔΑ͏ʹͳͬͨ͜ͱɺͱΓΘ͚ίʔυͰදݱՄೳͳ΋ͷʹมԽͨ͜͠ͱ
ʹେ͖͘ࢧ͑ΒΕ͍ͯΔͱ͍ͬͯ΋աݴͰ͸ͳ͍ɻ

%FW0QTͷਐԽΛࢧٕ͑ͨज़
resource "google_container_cluster"
"challenge_cluster" {
name = "challenges"
location = "asia-northeast1"
initial_node_count = 1
cluster_autoscaling {
enabled = true
resource_limits {
resource_type = "cpu"
minimum = 3
maximum = 32
}
resource_limits {
resource_type = "memory"
minimum = 3
maximum = 32
}
}
...

View Slide

TIJGUKTJOGP
‣ 4FDʢηΩϡϦςΟνʔϜʣͷऔΓѻ͍ͬͯͨ΋ͷ͕ιϑτ΢ΣΞతʹऔΓѻ͑
ΔΑ͏ʹͳΔͱ͖ɺ͜ͱίʔυͰදݱՄೳͳ΋ͷʹมԽͨ͠ͱ͖ʹ͸ɺΑΓ
%FW΍0QTͱ4FDͱͷ༥࿨͕ਐΈ΍͘͢ͳΔͱ͍͏ྨਪ͕Ͱ͖Δ
‣ ։ൃνʔϜͱηΩϡϦςΟνʔϜͱͷڠಇͷͨΊͷഔମͱͯ͠ίʔυΛհ͢Δ
1PMJDZBT$PEFͱΑ΂ΔΞϓϩʔνΛਪਐ͢ΔϓϩμΫτ΋૿͑ͭͭ͋Δ
%FW4FD0QTΛࢧ͑ͭͭ͋Δٕज़
IUUQTBQPMJDZJP
IUUQTDZSBMDPN
"QPMJDZ
$ZSBM

View Slide

TIJGUKTJOGP
1PMJDZBT$PEF
ϙϦγʔͷΠϝʔδ
ٕज़తର৅ʹؔ͢ΔϙϦγʔΛίʔυͱͯ͠දݱ͢Δख๏
version: '1'
rules:
- id: 'unencrypted-ebs-volume'
language: hcl
message: |
There was unencrypted EBS module.
pattern: |
resource "aws_ebs_volume" :[NAME] {
:[...X]
}
constraints:
- target: X
should: not-match
pattern: |
encrypted = true
rewrite: |
resource "aws_ebs_volume" :[NAME] {
:[X]
encrypted = true
}

View Slide

TIJGUKTJOGP
0QFO1PMJDZ"HFOU
IUUQTXXXPQFOQPMJDZBHFOUPSHEPDTWΑΓҾ༻
‣ ൚༻ੑͷߴ͍ϙϦγʔΤϯδϯ
‣ 3FHPͱ͍͏%4-ΑΓʹهड़͞ΕͨϙϦ
γʔΛݩʹɺ͋Δ৘ใʢ2VFSZʣ͕ϙϦγʔʹ
ରͯ͠Ϛον͢Δ͔ͷ൑அʢ%FDJTJPOʣΛߦ͏
͜ͱ͕Ͱ͖Δ
‣ ൑அͷͨΊͷϩδοΫͱ൑அ݁Ռʹґଘ͢Δ
ϩδοΫ͕෼཭͞ΕΔʢ1PMJDZ%FDPVQMJOHʣ
‣ ར༻ྫ
‣ (BUFLFFQFS,VCFSOFUFTϫʔΫϩʔυͷอޢ
ͷͨΊͷ࢓૊Έ
‣ $POGUFTU,VCFSOFUFTϚχϑΣετͷςετ
ͷͨΊͷπʔϧ

View Slide

TIJGUKTJOGP
(BUFLFFQFS
0QFO1PMJDZ"HFOUΛݩʹͨ͠γεςϜ
package deny_host_network
violation[{"msg": msg, "details": {}}]{
input.review.object.spec.hostNetwork
msg := sprintf("hostNetwork is prohibited", [])
}
apiVersion: v1
kind: Pod
metadata:
name: example
labels:
app: example
spec:
hostNetwork: true
containers:
- name: nginx
image: nginx
ports:
- containerPort: 9001
hostPort: 9001
3FHPͰهड़͞ΕͨϙϦγʔ
ϙϦγʔʹै͏΂͖,VCFSOFUFT.BOJGFTU
$ kubectl apply ...͸ࣦഊ͢Δɻ
ະવʹϙϦγʔʹԊΘͳ͍Ϧιʔεͷ
࡞੒Λ๷͙͜ͱ͕Ͱ͖Δ😌

View Slide

TIJGUKTJOGP
(BUFLFFQFS
}
apiVersion: v1
kind: Pod
metadata:
name: example
labels:
app: example
spec:
hostNetwork: true
containers:
- name: nginx
image: nginx
ports:
hostPort: 9001
࡞੒Λ๷͙͜ͱ͕Ͱ͖Δ😌
ϙϦγʔʹҧ൓ͨ͠هड़͕͋Δ

View Slide

TIJGUKTJOGP
(BUFLFFQFS
}
apiVersion: v1
kind: Pod
metadata:
name: example
labels:
app: example
spec:
hostNetwork: true
containers:
- name: nginx
image: nginx
ports:
hostPort: 9001
࡞੒Λ๷͙͜ͱ͕Ͱ͖Δ😌

View Slide

TIJGUKTJOGP
*O4QFD
IUUQTHJUIVCDPNJOTQFDJOTQFD
Πϯϑϥʹର͢ΔςετΛίʔυͱͯ͠هड़͢ΔͨΊͷπʔϧ

View Slide

TIJGUKTJOGP
4FNHSFQ
IUUQTTFNHSFQEFW
ίʔυʹର͢ΔϙϦγʔΛ:".-Ͱهड़ɾݕূͰ͖Δπʔϧ
ίϛϡχςΟͰϙϦγʔΛڞ༗͢ΔͨΊͷ࢓૊ΈͳͲ΋ఏڙ
IUUQTTFNHSFQEFWS

View Slide

TIJGUKTJOGP
4IJTIP
ίʔυʹର͢ΔϙϦγʔهड़ɾ௒ߴ଎ͳݕূΛՄೳʹ͢Δπʔϧ
ͦΕʹجͮ͘αʔϏεʢΛ࡞͍ͬͯ·͢ʣ
IUUQTEPDTTIJTIPEFW IUUQTTIJTIPEFW

View Slide

TIJGUKTJOGP
4IJTIP
Α͘ͳ͍ίʔυϓϥΫςΟεΛஔ׵͢Δϧʔϧ ஔ׵ର৅ͷίʔυ
4IJTIPʹΑΔ໰୊ݕग़ͷ༷ࢠ
ฏͨ͘ݴ͑͹-JOUFSͷϧʔϧΛ௒؆୯ʹࣗ࡞Ͱ͖Δ΍ͭͰɺ
ίʔσΟϯάʹؔ͢ΔόουϓϥΫςΟεΛίʔυԽͰ͖·͢

View Slide

TIJGUKTJOGP
‣ )BTIJ$PSQ4FOUJOFM͸1PMJDZBT$PEFͷར఺ΛҎԼͷΑ͏ʹ੔ཧ͍ͯ͠Δ
IUUQTEPDTIBTIJDPSQDPNTFOUJOFMDPODFQUTQPMJDZBTDPEF

‣ 4BOECPYJOH؀ڥͷΨʔυϨʔϧͱͯ͠ϙϦγʔ͕ར༻Ͱ͖ΔΑ͏ʹͳΔ
‣ $PEJpDBUJPOίʔυԽ͞ΕΔ͜ͱͰϙϦγʔ͕໌֬ʹͳΔ
‣ 7FSTJPO$POUSPMόʔδϣϯ؅ཧͷର৅ʹͳΔ
‣ 5FTUJOHϙϦγʔʹهड़͞Ε͍ͯΔ͜ͱ΋ςετՄೳͳର৅ʹͳΔ
‣ "VUPNBUJPOࣗಈԽπʔϧͰऔΓѻ͑Δର৅ʹͳΔ
‣ 1PMJDZBT$PEF͸ʮηΩϡϦςΟνʔϜͷ஌ݟ΍࢓ࣄΛදݱ͢ΔͨΊͷํ๏ʯ
Ͱ͋ΓɺʮηΩϡϦςΟͱ͍͏࢓ࣄͷର৅ԽʯͰ͋Δ
1PMJDZBT$PEF͕΋ͨΒ͢΋ͷ

View Slide

ηΩϡϦςΟΛΤϯδχΞϦϯά͢Δ
$IBQUFS

View Slide

TIJGUKTJOGP

1
2
3
ৼΓฦΓ

View Slide

TIJGUKTJOGP
‣ %FW4FD0QT΍γϑτϨϑτΛਪਐ͢Δจ຺ͷதʹ͓͍ͯɺηΩϡϦςΟઐ໳Ո
ʹٻΊΒΕΔߦಈ͸ɺগͣͭ͠ม༰͖ͯͨ͠ͷͩͱࢥ͏
‣ ͜ΕΒͷߦಈ͸ࠓͰ΋୭΋͕౰ͨΓલʹ࣮ફͰ͖͍ͯΔΘ͚Ͱ͸ͳ͍
‣ ͜Ε͸%FW0QT͕͔ͭͯ౰ͨΓલͰͳ͔ͬͨͷͱಉ͜͡ͱ
‣ ઌड़ͷΑ͏ʹ4FD%FW0QTΛ༥࿨͢ΔͨΊͷςΫϊϩδͷෆ଍ͳͲ͕ҰҼ
ηΩϡϦςΟઐ໳Ոz΁ͷظ଴ͷมԽ
ઐ໳Ոͱͯ͠܅ྟ͢Δ
։ൃऀͷԕ͘Ͱಇ͘
஌ࣝΛϓϩμΫτͷܗͰຽओԽ͢Δ
։ൃऀͱڠಇ͢Δ
։ൃऀͱҧ͏࢓ࣄΛ͢Δ ։ൃऀͱಉ͡ର৅Λѻ͏
ηΩϡϦςΟͷਓ
ηΩϡϦςΟΛ
ΤϯδχΞϦϯά͢Δਓ

View Slide

TIJGUKTJOGP
XIPBNJ

‣ ถ಺وࢤ :0/&6$)* 5BLBTIJ

‣ ஶॻͳͲ

View Slide

TIJGUKTJOGP
XIPBNJ

‣ ถ಺وࢤ :0/&6$)* 5BLBTIJ

‣ ஶॻͳͲ
ηΩϡϦςΟͷྗͰ৴པΛͭͳ͛ɺ
ΫϦΤΠςΟϒͳࣾձΛ࣮ݱ͢Δɻ
CYBER SECURITY PROVIDING ALL SOCIETY TRUST and UNLIMITED CREATIVITY
8FSF)JSJOH

View Slide

TIJGUKTJOGP
‣ ։ൃऀͷ׆ಈݍʹͱ͚͜ΜͰ͍͘4FDVSJUZ
‣ ։ൃऀͷٕज़ελοΫʹͱ͚͜ΜͰ͍͘4FDVSJUZ
‣ ։ൃऀͷखݩʹͱ͚͜ΜͰ͍͘4FDVSJUZ
1
2
3
,FZ5BLFBXBZ
%FWFMPQFS'JSTU4FDVSJUZͱ͍͏ߟ͑ํ-0$"-%FWFMPQFS%BZ0OMJOF`4FDVSJUZ

%FWFMPQFS'JSTU4FDVSJUZͱ͸

View Slide

Developer-First Security という考え方 / Introduction to Developer-First Security

Developer-First Security という考え方 / Introduction to Developer-First Security

Takashi Yoneuchi

More Decks by Takashi Yoneuchi

Other Decks in Technology

Featured

Transcript