SREを以てセキュリティエンジニアリングを制す / SRE, Security Engineering, and You

Transcript

1. SREを以てセキュリティエンジニアリングを制す ― class Dev"Sec"Opsの実装に向けて ― 株式会社Flatt Security 米内 貴志 (@lmt_swallow)

2. ÆÈÉÉÅÇÄÃÉÉÂÉÁÀ HFBIC5A@S9&610'2490PIG3)À$ÃÇÇ8Á QHÁÀQÅÇ#(7"5 aYVXWTU` feYbdY€YƒwvutyrpYsThTxX` ˜ mnTjjYˆh‘—f`jdY”iYts– ˜ ™’Ye‰™‡†…„

3. ÆÈÉÉÅÇÄÃÉÉÂÉÁÀ HFBIC5A@S9&610'2490PIG3)À$ÃÇÇ8Á QHÁÀQÅÇ#(7"5 aYVXWTU` s nl˜vmqzp}}mtkj–ih}™msg”‘u—e„‰ˆ†€…wr s |‡mmftvƒwmmo{u‰‚yqpr•“i’h s gfsmd}}eyxxxdzp}}b}kjdmwc

4. ÆÈÉÉÅÇÄÃÉÉÂÉÁÀ HFBIC5A@S9&610'2490PIG3)À$ÃÇÇ8Á QHÁÀQÅÇ#(7"5 WUTV ‰ ‡…€yviƒˆpt†shu„gedqcx‚b ‰ `Y€garwdXf fe–™—d“’˜”•‘d“ kjihg

   l m

5. ÆÈÉÉÅÇÄÃÉÉÂÉÁÀ HFBIC5A@S9&610'2490PIG3)À$ÃÇÇ8Á QHÁÀQÅÇ#(7"5 grhfsafhfebdpdcr`XWfebdVYTiUq i s•quep–qejmqkVf™T—gtl˜w” i yr’dndcr`dnd‰ˆdd‡…„†zƒ‚ i d€‘yqvd€xmvdvxu

   i ttt ~||}d

6. ÆÈÉÉÅÇÄÃÉÉÂÉÁÀ HFBIC5A@S9&610'2490PIG3)À$ÃÇÇ8Á QHÁÀQÅÇ#(7"5 WVUT t€wydrywyixhThe€vucyixhsbaYh`UUXpg je€vucyixh’€‘€wh”‰yvdiˆc†˜rh€viy‘€–hs‚ {zwuvrysVpontmlnxkt

7. ÉÈÇÇÆÅÄÄÃÂÇÇÁÇÀÈ @(À76Ç)À'À%#!0ÂÇ6Ä"9ÀÇ'À$321

8. ÆÈÉÉÅÇÄÃÉÉÂÉÁÀ HFBIC5A@S9&610'2490PIG3)À$ÃÇÇ8Á QHÁÀQÅÇ#(7"5 xwuXqWytphagftesdfcb`vYUriTV

9. ÆÈÉÉÅÇÄÃÉÉÂÉÁÀ HFBIC5A@S9&610'2490PIG3)À$ÃÇÇ8Á QHÁÀQÅÇ#(7"5 x€`vsh`pywuitguedqraYbfXWVUTc ˜ˆh™d…”ˆ–“ˆgf‘ ‰‡†„ƒ†‚ˆ—•e’ i ˜ —ˆ”‘Š{…ƒ„}“|}z’† y~‚…Œ–wdu‘{…t†

   u‘py€•‰†h™m‚r ˜ h™ln zekjˆ‚ ¨§†£ƒ–“Šœ¡ ¦¥Ÿ¢l

10. ÆÈÉÉÅÇÄÃÉÉÂÉÁÀ HFBIC5A@S9&610'2490PIG3)À$ÃÇÇ8Á QHÁÀQÅÇ#(7"5 tqpgcepsbdh`YWViUarTVfXV ‡“’‰‘ˆ†…„•ƒ‚” €yxw“ˆu‘v – ‰ †„junz“xpˆtrqx w€…ki|‰sy€gƒf‡

    ‰ jed“˜{}r ywy™—y Ž”‘“w€ g’Šg

11. ÆÈÉÉÅÇÄÃÉÉÂÉÁÀ HFBIC5A@S9&610'2490PIG3)À$ÃÇÇ8Á QHÁÀQÅÇ#(7"5 yxaVtiadrevfpcwb`YXsWUheTqugc hd˜eƒehd—˜e”“f‚™’ –‡‘‰ˆ†…g„•€ i œ ™˜’Žz‘ŽŒ‡”v‰›Š– ‘”ˆ”‰›…„ƒ”ŽŒ‡t~

    …—}|“|x•wurƒ†š œ qn€“eomlyomke„‚“j” ƒ†› ˆ} ¨¦€”¤¢› Ÿž

12. ÆÈÉÉÅÇÄÃÉÉÂÉÁÀ HFBIC5A@S9&610'2490PIG3)À$ÃÇÇ8Á QHÁÀQÅÇ#(7"5 r‚yxwXusv`‚p‚gvectXybuYwhda€‚yuXp‚fvqWVUiT –‰“•‡†…„q’‘ƒˆg™ˆqWVU rlpngk‡hoƒˆg™ˆqWVU }h~z|yxw|y{zu†ts†„‚h†…

13. ÆÈÉÉÅÇÄÃÉÉÂÉÁÀ HFBIC5A@S9&610'2490PIG3)À$ÃÇÇ8Á QHÁÀQÅÇ#(7"5 r‚yxwXusv`‚p‚gvectXybuYwhda€‚yuXp‚fvqWVUiT –‰“•‡†…„q’‘ƒˆg™ˆqWVU rlpngk‡hoƒˆg™ˆqWVU }h~z|yxw|y{zu†ts†„‚h†…

14. ÆÈÉÉÅÇÄÃÉÉÂÉÁÀ HFBIC5A@S9&610'2490PIG3)À$ÃÇÇ8Á QHÁÀQÅÇ#(7"5 rchdqa`YWpgfVbXUbpeiT ”‡’—–•vy‘pˆh„–•‚ˆxp€wu …p‰ƒ„ThtsT Œw—Š‘v•”’Ždœ‹`…™‚ Œ—Šy‘pu‡r›ƒˆ‚‰on†vo˜‚ Œq—Šy•ƒˆj•ˆx}lškT{ih‚ Œg—ŠX‚f

    ed”’„—“˜yk ¦•¡¥¤•…pžTv

15. ÆÈÉÉÅÇÄÃÉÉÂÉÁÀ HFBIC5A@S9&610'2490PIG3)À$ÃÇÇ8Á QHÁÀQÅÇ#(7"5 rchdqa`YWpgfVbXUbpeiT ”‡’—–•vy‘pˆh„–•‚ˆxp€wu …p‰ƒ„ThtsT Œw—Š‘v•”’Ždœ‹`…™‚ Œ—Šy‘pu‡r›ƒˆ‚‰on†vo˜‚ Œq—Šy•ƒˆj•ˆx}lškT{ih‚ Œg—ŠX‚f

    ed”’„—“˜yk ¦•¡¥¤•…pžTv ²‰’°¯f¨oª’­v§ öüÙwvìiœ‹`‰on¿åâpæšfy‘wÚØiUbpŽvÕ ÓÑÏÎÓÑËÞvØie”ódÜÅÃÉõplšÁwu Þß×ø¾ø½èÍÞ¼Ìï×ÞûԻ׺ï¹Þ¸ß¼ûñÞplš’‡„T•ví³úãÐ

16. ÆÈÉÉÅÇÄÃÉÉÂÉÁÀ HFBIC5A@S9&610'2490PIG3)À$ÃÇÇ8Á QHÁÀQÅÇ#(7"5 r‚yxwXusv`‚p‚gvectXybuYwhda€‚yuXp‚fvqWVUiT –‰“•‡†…„q’‘ƒˆg™ˆqWVU rlpngk‡hoƒˆg™ˆqWVU }h~z|yxw|y{zu†ts†„‚h†…

17. ÆÈÉÉÅÇÄÃÉÉÂÉÁÀ HFBIC5A@S9&610'2490PIG3)À$ÃÇÇ8Á QHÁÀQÅÇ#(7"5 `ecgfdaYhibfXbWUVT rtvsvqpu ‡ ƒ7~}{xuvIi˜tq5p l’n“rmkh#e™–” ‡ sg—x‰ˆ†7…3…d„j

    y#‚w“zx€•yƒ€#xw–‘ ‡v…„ ‡ 4¹¸»º©¯¢²Iµ™“q5p ¦“°p«¸¥©»kh–” ‡ ‰ˆ†7…3¡™–p…d„j y#‚w“•yƒ€7®3‰ˆ¦–‘ ¾À¿vÁ¼ ‡ uvâä#ÚáԂÓØã×Ñuv Ð#ÏÎ×̘p¦#jy‚È ‡ Åß×ėxÕÞ#Âقw çæå ‡ û#÷#üôxjy‚È ‡ Åß×ìëÕÞ#Âقw Infæ ‡ ¡™z固x環境I目指3上で参考7 xプラ»&6²„ツ©ル#提示 `ec定義の例

18. ÆÈÉÉÅÇÄÃÉÉÂÉÁÀ HFBIC5A@S9&610'2490PIG3)À$ÃÇÇ8Á QHÁÀQÅÇ#(7"5 r‚yxwXusv`‚p‚gvectXybuYwhda€‚yuXp‚fvqWVUiT –‰“•‡†…„q’‘ƒˆg™ˆqWVU rlpngk‡hoƒˆg™ˆqWVU }h~z|yxw|y{zu†ts†„‚h†…

19. ÆÈÉÉÅÇÄÃÉÉÂÉÁÀ HFBIC5A@S9&610'2490PIG3)À$ÃÇÇ8Á QHÁÀQÅÇ#(7"5 cpqeb`XYi`XfbaWVTUhdqWg tvxuxsrw ‰ …7€}zwxIkdvs5r ƒn”p•tomj#ge˜– ‰ ui™z’‘ˆ7‡3ƒ‡f†l

    {#„y•|ƒz‚—…‚#€y˜“ ‰x‡† ‰ 4»º½¼«±¤´I·e•s5r ƒ¨•²r­º§«½mj˜– ‰ ’‘ˆ7‡3ƒ£e˜r‡f†l {#„y•—…‚7°3ƒ‹Š¨˜“ ÀÂÁxþ ‰ wxäæ#ÜãքÕÚåÙÓwx Ò#ÑÐÙÎdr¨#l{„Ê ‰ ÇáÙƙz×à#Äۄy Xèç ‰ ý#ù#þözl{„Ê ‰ ÇáÙîí×à#Äۄy YÁÀè ‰ £e|4z0I&3"% 27 zƒ½&6´†Ç«Æ#Ä wuV„9UsYaxfTdaRc`itCD@WhA‚egQp ePfITXHGaWEBivbHGqURgrV€y7UVTqWg g‰Tˆr…

20. ÆÈÉÉÅÇÄÃÉÉÂÉÁÀ HFBIC5A@S9&610'2490PIG3)À$ÃÇÇ8Á QHÁÀQÅÇ#(7"5 cpqeb`XYi`XfbaWVTUhdqWg tvxuxsrw ‰ …7€}zwxIkdvs5r ƒn”p•tomj#ge˜– ‰ ui™z’‘ˆ7‡3ƒ‡f†l

    {#„y•|ƒz‚—…‚#€y˜“ ‰x‡† ‰ 4»º½¼«±¤´I·e•s5r ƒ¨•²r­º§«½mj˜– ‰ ’‘ˆ7‡3ƒ£e˜r‡f†l {#„y•—…‚7°3ƒ‹Š¨˜“ ÀÂÁxþ ‰ wxäæ#ÜãքÕÚåÙÓwx Ò#ÑÐÙÎdr¨#l{„Ê ‰ ÇáÙƙz×à#Äۄy Xèç ‰ ý#ù#þözl{„Ê ‰ ÇáÙîí×à#Äۄy YÁÀè ‰ £e|4z0I&3"% 27 zƒ½&6´†Ç«Æ#Ä €ThRxYprvfWd`xwWVyUUbtqTWgQ PiIWHsUXVFDECAq98aBpux765G ‡v…T„P

21. ÆÈÉÉÅÇÄÃÉÉÂÉÁÀ HFBIC5A@S9&610'2490PIG3)À$ÃÇÇ8Á QHÁÀQÅÇ#(7"5 cpqeb`XYi`XfbaWVTUhdqWg tvxuxsrw ‰ …7€}zwxIkdvs5r ƒn”p•tomj#ge˜– ‰ ui™z’‘ˆ7‡3ƒ‡f†l

    {#„y•|ƒz‚—…‚#€y˜“ ‰x‡† ‰ 4»º½¼«±¤´I·e•s5r ƒ¨•²r­º§«½mj˜– ‰ ’‘ˆ7‡3ƒ£e˜r‡f†l {#„y•—…‚7°3ƒ‹Š¨˜“ ÀÂÁxþ ‰ wxäæ#ÜãքÕÚåÙÓwx Ò#ÑÐÙÎdr¨#l{„Ê ‰ ÇáÙƙz×à#Äۄy Xèç ‰ ý#ù#þözl{„Ê ‰ ÇáÙîí×à#Äۄy YÁÀè ‰ £e|4z0I&3"% 27 zƒ½&6´†Ç«Æ#Ä A@9T865 ˆdƒ@€weWgƒq†v‚Ug€`faƒu`cep rbb…btxWV6„SURqI6HXFEDhgUPGCe

22. ÉÈÇÇÆÅÄÄÃÂÇÇÁÇÀÈ $8534)60(' %#$"! 72"&1

23. ÆÈÉÉÅÇÄÃÉÉÂÉÁÀ HFBIC5A@S9&610'2490PIG3)À$ÃÇÇ8Á QHÁÀQÅÇ#(7"5 uhsxwvW`rtigewvciYbtaXV ftpdeqgUTq yd„w~™‚z{ƒ‰xir†on y}„w`rt˜h•ˆpucv’‘s™’…bon y”„w`vpu‡viYj‰‡ˆqh†…on y„„w|oƒ ‚qx€y`ˆl

    “vŽ’‘vft‹qW

24. ÆÈÉÉÅÇÄÃÉÉÂÉÁÀ HFBIC5A@S9&610'2490PIG3)À$ÃÇÇ8Á QHÁÀQÅÇ#(7"5 uhsxwvW`rtigewvciYbtaXV ftpdeqgUTq yd„w~™‚z{ƒ‰xir†on y}„w`rt˜h•ˆpucv’‘s™’…bon y”„w`vpu‡viYj‰‡ˆqh†…on y„„w|oƒ ‚qx€y`ˆl

    “vŽ’‘vft‹qW

25. ÆÈÉÉÅÇÄÃÉÉÂÉÁÀ HFBIC5A@S9&610'2490PIG3)À$ÃÇÇ8Á QHÁÀQÅÇ#(7"5 –uk”etih—f˜jp•€‰m†… –dk”„xvsrpo‡’h“gftgl‘†… –ik”„e‡’beq‚dncwya`†… –Yk”™†X WVhfˆUgT„cƒ zeuyxesvrwt ¢›Ÿ’€œežšv–wŽŒ™†ƒŠ

    t‡‰‘…X„xf€~™gher{

26. ÆÈÉÉÅÇÄÃÉÉÂÉÁÀ HFBIC5A@S9&610'2490PIG3)À$ÃÇÇ8Á QHÁÀQÅÇ#(7"5 cwrywsqYusihqxywrywsahfb`eWgqVpXdqtvUT

27. ÆÈÉÉÅÇÄÃÉÉÂÉÁÀ HFBIC5A@S9&610'2490PIG3)À$ÃÇÇ8Á QHÁÀQÅÇ#(7"5 …€sƒ€tqawtievqud…b‚ttYwXqawtieqgxWfVr`„pUcqa…yhT ~m˜xctnlrqu}iWgev {™–•“ss™zkjy‘dsf™c—”’‰|ˆpw‡†

28. ÆÈÉÉÅÇÄÃÉÉÂÉÁÀ HFBIC5A@S9&610'2490PIG3)À$ÃÇÇ8Á QHÁÀQÅÇ#(7"5 „ix`iywu‚ytswr€qpƒafdcƒgvb€XWV€eUhTY €XWV€eU˜h’j‘ƒˆ ‡q™g“–†e…

29. ÆÈÉÉÅÇÄÃÉÉÂÉÁÀ HFBIC5A@S9&610'2490PIG3)À$ÃÇÇ8Á QHÁÀQÅÇ#(7"5 g€wƒ€xvtyxsrcvi‚hadb`XYVbeWuhfqpUT ”˜dfp•“bˆ‡–‘†… —„‰™

30. ÆÈÉÉÅÇÄÃÉÉÂÉÁÀ HFBIC5A@S9&610'2490PIG3)À$ÃÇÇ8Á QHÁÀQÅÇ#(7"5 fitaubpgwevcXdqVUs`YWrTha €‚„„yxƒ • ‹7†…ƒ€}~Iqj‡|y5x ‰tdvezusp#mkhf • {oi€˜—–”7“3‰“l’r

    #e‚‰€ˆg‡‘ˆ#†…h™ „Œ • 4ÁÀñ·ªºI½k›y5x ‰®e¸x³À­•±Ãsphf • ˜—–”7“3‰©kžx“l’r #eg‡‘ˆ7¶3‰‘®h™ ÆÈDŽÉÄ • }~êì#âéܐÛàëßÙ}~ Ø#×ÖßÔjx®#rÐ • ÍçßÌi€Ýæ#Êᐠïîí • そ# 他# 様々€rÐ • Íçß 便利Ýæ#ÊᐠInfî • ©k‚ 固€ 環境I 目指3 上で参考7 €‰ プラÃ&6º’ ツ± ル# 提示 重大さ e 義の例 「検査Us` のYWV 、自組織のXdq 判e の ロジックを合わせc いr 、合わない…… 」 結果Vv てXdq 別の目標を持V うVv ても、計測r 困難になa こVr

31. ÆÈÉÉÅÇÄÃÉÉÂÉÁÀ HFBIC5A@S9&610'2490PIG3)À$ÃÇÇ8Á QHÁÀQÅÇ#(7"5 f…w†…xcq€xtsycƒprvg„ihdeb‚aYuXWVrvT`U ƒprvxyxw{eqjgfgp˜l„ihd™k —u–•d”“€o’d‘huwd‰tzˆt‡ ”•d’l–lŒ‹Š‰ˆ‡‘g`…„ƒU ¯ª«•zz€¨¯¦™¡¥o§z­£›¢«“¥¦š¨˜z«¯¨«¯o¢¥£o¦œ¢§› ›€“œ¢—ošŸ­£o—«

32. ÉÈÇÇÆÅÄÄÃÂÇÇÁÇÀÈ 

33. ÆÈÉÉÅÇÄÃÉÉÂÉÁÀ HFBIC5A@S9&610'2490PIG3)À$ÃÇÇ8Á QHÁÀQÅÇ#(7"5 WUTV ‰ ‡…€yviƒˆpt†shu„gedqcx‚b ‰ `Y€garwdXf fe–™—d“’˜”•‘d“ kjihg

    ‰ f‡¤‚f‡‹™z” ª‰ “™‘…ˆ†ž ‘¢¡§x‚b ‰ e€œ„–œ|{™—™f€~wv|{™’}x•srqp€‚n ©›¥d“mŸ•užu£lŽ ›³Ÿ¶ •”°µ®´n© ¸ ¹

34. ÆÈÉÉÅÇÄÃÉÉÂÉÁÀ HFBIC5A@S9&610'2490PIG3)À$ÃÇÇ8Á QHÁÀQÅÇ#(7"5 db`bYa YXaVcXWaT`U yYYi`srr`yb`yXgwvqrufa

35. ぜひこの辺語り合いましょう！ @lmt_swallow