Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
SBOMを利用したソフトウェアサプライチェーンの保護
Search
Masahiro331
August 05, 2022
Technology
4
2.6k
SBOMを利用したソフトウェアサプライチェーンの保護
Masahiro331
August 05, 2022
Tweet
Share
More Decks by Masahiro331
See All by Masahiro331
Model Context Protocol 勉強会
masahiro331
0
52
OSSに新機能を追加するまでの苦労話
masahiro331
0
190
Analyze Filesystem in Virtual Machine Image
masahiro331
0
180
Introduction Supply Chain Security
masahiro331
0
160
Container Security with Trivy
masahiro331
0
210
VirtualMachine Image scanning PoC with Molysis
masahiro331
0
170
Other Decks in Technology
See All in Technology
AI ReadyなData PlatformとしてのAutonomous Databaseアップデート
oracle4engineer
PRO
0
170
Escaping_the_Kraken_-_October_2025.pdf
mdalmijn
0
120
動画データのポテンシャルを引き出す! Databricks と AI活用への奮闘記(現在進行形)
databricksjapan
0
140
Optuna DashboardにおけるPLaMo2連携機能の紹介 / PFN LLM セミナー
pfn
PRO
1
870
非エンジニアのあなたもできる&もうやってる!コンテキストエンジニアリング
findy_eventslides
3
910
Why Governance Matters: The Key to Reducing Risk Without Slowing Down
sarahjwells
0
100
Trust as Infrastructure
bcantrill
0
320
データエンジニアがこの先生きのこるには...?
10xinc
0
440
生成AIを活用したZennの取り組み事例
ryosukeigarashi
0
200
自動テストのコストと向き合ってみた
qa
0
100
許しとアジャイル
jnuank
1
120
SOC2取得の全体像
shonansurvivors
1
370
Featured
See All Featured
The Language of Interfaces
destraynor
162
25k
Build The Right Thing And Hit Your Dates
maggiecrowley
37
2.9k
GraphQLの誤解/rethinking-graphql
sonatard
73
11k
Rails Girls Zürich Keynote
gr2m
95
14k
Writing Fast Ruby
sferik
629
62k
For a Future-Friendly Web
brad_frost
180
9.9k
The Cost Of JavaScript in 2023
addyosmani
53
9k
Why You Should Never Use an ORM
jnunemaker
PRO
59
9.6k
Building a Scalable Design System with Sketch
lauravandoore
462
33k
[RailsConf 2023] Rails as a piece of cake
palkan
57
5.9k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
29
2.6k
Bootstrapping a Software Product
garrettdimon
PRO
307
110k
Transcript
Masahiro Fujimura (@masahiro331), 20 August 2022 Supply Chain Security with
SBOM CloudNative Security Conference 2022
ຊͷྲྀΕ • ࡢࠓͷϓϩμΫτηΩϡϦςΟͷಈ • Supply Chain Security ͱʁ • SBOMͱʁ
• SBOMͷੜͱ੬ऑੑݕʹ͍ͭͯ • SBOM๊͕͑Δ՝
ࠓ͞ͳ͍͜ͱ • SBOMͷৄࡉͳ༷ͷղઆ • SBOMͷ੬ऑੑݕͷৄࡉ
ࣗݾհ • ໊લ: ౻ଜ ڡ߂ʢ@masahiro331ʣ • ॴଐ: OWASP CycloneDX project
(Volunteer) • झຯ: • ϑΝΠϧγεςϜͷύʔα։ൃ • ԿΛ͍ͯ͠Δਓͳͷ͔ • TrivyʹSBOMͷੜͱ੬ऑੑݕΛ࣮
ࡢࠓͷϓϩμΫτηΩϡϦςΟͷಈ ࡢࠓͷϓϩμΫτηΩϡϦςΟͷಈ
ࡢࠓͷ߈ܸͷಈ • ͢ͰʹڴҖͱͯ͠αϓϥΠνΣʔϯͷऑΛѱ༻ͨ͠߈ܸ͕ʹͳ͍ͬͯΔ • IPA ͕ग़͍ͯ͠ΔใηΩϡϦςΟͷ10େڴҖʹϥϯΫΠϯ͍ͯ͠Δ
ࡢࠓͷ߈ܸͷಈ • Sonatype͔ΒϨϙʔτ͕ग़͍ͯΔ • 2020ࠒ͔Β Supply Chain ʹର͢Δ߈ܸ͕ٸܹʹ૿Ճ͍ͯ͠Δ
Supply Chain Security ͱʁ
Supply Chain ͱ • ιϑτΣΞͷڙڅϓϩηεͷ͜ͱ ϓϩμΫτΛ։ൃͯ͠Ϣʔβಧ͚Δ·Ͱͷϓϩηεͷશମ
Supply Chain ͱ • ιϑτΣΞͷڙڅϓϩηεͷ͜ͱ ϓϩμΫτΛ։ൃͯ͠Ϣʔβಧ͚Δ·Ͱͷϓϩηεͷશମ Engineer Source Code Vendor
OSS Artifact Production Server Server / Network Machine
Supply Chain Security ͱ Supply Chain Security 2ͭͷจ຺Ͱ༻͍ΒΕ͍ͯΔ •
औҾઌؔ࿈ձࣾɺάϧʔϓձࣾΛܦ༝ͨ͠߈ܸͷରࡦ λʔήοτاۀͱΓऔΓ͕͋ΔൺֱతηΩϡϦςΟϨϕϧ͕͍औҾઌ ؔ࿈ձࣾɺάϧʔϓձࣾΛܦ༝͠ɺ߈ܸΛߦ͏ํ๏ɻ • ιϑτΣΞ͕ґଘ͍ͯ͠ΔϞδϡʔϧͳͲΛඪతͱͨ͠߈ܸͷରࡦ ͘ར༻͞ΕΔιϑτΣΞɺλʔήοτاۀ͕ར༻͢ΔͰ͋Ζ͏ιϑτ ΣΞͦΕΒͷߋ৽ϓϩάϥϜʹ߈ܸΛߦ͏ํ๏ɻ
Supply Chain Security ͱ Supply Chain Security 2ͭͷจ຺Ͱ༻͍ΒΕ͍ͯΔ •
औҾઌؔ࿈ձࣾɺάϧʔϓձࣾΛܦ༝ͨ͠߈ܸͷରࡦ λʔήοτاۀͱΓऔΓ͕͋ΔൺֱతηΩϡϦςΟϨϕϧ͕͍औҾઌ ؔ࿈ձࣾɺάϧʔϓձࣾΛܦ༝͠ɺ߈ܸΛߦ͏ํ๏ɻ • ιϑτΣΞ͕ґଘ͍ͯ͠ΔϞδϡʔϧͳͲΛඪతͱͨ͠߈ܸ ͘ར༻͞ΕΔιϑτΣΞɺλʔήοτاۀ͕ར༻͢ΔͰ͋Ζ͏ιϑτ ΣΞιϑτΣΞͷߋ৽ϓϩάϥϜʹ߈ܸΛߦ͏ํ๏ɻ ࠓͷൣғ ͜Ε*TMBOE)PQQJOH"UUBDLͱ͔ݴΘΕΔΒ͍͠
Supply Chain Security Engineer SCM (e.g. GitHub) Source Code Build
Server Production Server Artifact OSS
Supply Chain Security Engineer SCM (e.g. GitHub) Source Code Build
Server Production Server OSS Artifact ѱҙ͋ΔΤϯδχΞͷՄೳੑ ϦϙδτϦ্ͷιʔείʔυ͕ վ͟Μ͞ΕΔՄೳੑ Build Server ͕ ͬऔΒΕ͍ͯΔՄೳੑ ֎෦͔Β߈ܸՄೳͳ੬ऑੑ͕ ଘࡏ͢ΔՄೳੑ ੬ऑͳ࣮Λ͍ͯ͠ΔՄೳੑ ґଘ͍ͯ͠Διʔείʔυ͕ ੬ऑͳՄೳੑ ϦϦʔε͞ΕΔιϑτΣΞ͕ վ͟Μ͞ΕΔՄೳੑ
Supply Chain Security Engineer SCM (e.g. GitHub) Source Code Build
Server Production Server ѱҙ͋ΔΤϯδχΞͷՄೳੑ ϦϙδτϦ্ͷιʔείʔυ͕ վ͟Μ͞ΕΔՄೳੑ #VJME4FSWFS͕ ͬऔΒΕ͍ͯΔՄೳੑ ֎෦͔Β߈ܸՄೳͳ੬ऑੑ͕ ଘࡏ͢ΔՄೳੑ ੬ऑͳ࣮Λ͍ͯ͠ΔՄೳੑ Artifact ࠓͷൣғ ґଘ͍ͯ͠Διʔείʔυ͕ ੬ऑͳՄೳੑ ϦϦʔε͞ΕΔιϑτΣΞ͕ վ͟Μ͞ΕΔՄೳੑ OSS
OSS ʹର͢Δ߈ܸͷࣄྫ • JDK 9Ҏ্ͰɺSpring Framework Λར༻͍ͯ͠Δ΄΅શͯͷγεςϜʹӨڹ • Өڹ͢Δ߹ɺαʔόͰҙͷίʔυ͕࣮ߦͰ͖Δঢ়ଶʹ… Spring4Shell
(Java) Event-Stream (Node.js) • 200ສμϯϩʔυΛ͑ΔϥΠϒϥϦʹѱҙ͋Δόʔδϣϯ͕ϦϦʔε͞Εͨ • ҉߸௨՟ΥϨοτΛ౪͏ͱ͢Δίʔυ͕ೖ͞Ε͍ͯͨ
OSS ʹର͢Δ߈ܸ ࣗࣾͰར༻͍ͯ͠ΔOSSΛѲ͢Δͷ͍͠ Software A Spring Framework Software b Software
c Software e Log4j ࣗࣾͰ։ൃ͍ͯ͠ΔιϑτΣΞ ԿͬͯΔ͔Θ͔͍ͬͯΔൣғ ਖ਼Կ͍ͬͯΔ͔ɺ΄΅Θ͔Βͳ͍ൣғ Software B ґଘ ਪҠతґଘ
OSS ʹର͢Δ߈ܸ ࣗࣾͰར༻͍ͯ͠ΔOSSΛѲ͢Δͷ͍͠ Software A Spring Framework Software b Software
c Software e Log4j ࣗࣾͰ։ൃ͍ͯ͠ΔιϑτΣΞ ԿͬͯΔ͔Θ͔͍ͬͯΔൣғ ਖ਼Կ͍ͬͯΔ͔ɺ΄΅Θ͔Βͳ͍ൣғ Software B ͜ΕΒͷ߈ܸ͔ΒϓϩμΫτΛकΔͨΊʹ Ͳ͏͢Ε͍͍ͷ͔... ͜ΕΒͷ߈ܸ͔ΒϓϩμΫτΛकΔͨΊʹ Ͳ͏͢Ε͍͍ͷ͔...
OSS ʹର͢Δ߈ܸ ࣗࣾͰར༻͍ͯ͠ΔOSSΛѲ͢Δͷ͍͠ Software A Spring Framework Software b Software
c Software e Log4j ࣗࣾͰ։ൃ͍ͯ͠ΔιϑτΣΞ ԿͬͯΔ͔Θ͔͍ͬͯΔൣғ ਖ਼Կ͍ͬͯΔ͔ɺ΄΅Θ͔Βͳ͍ൣғ Software B SBOMͰղܾ͠·͠ΐ͏ SBOMͰղܾ͠·͠ΐ͏
SBOMͱʁ
SBOMͱ • ιϑτΣΞͷߏཁૉΛ෦දͱଊ͑ɺͲͷΑ͏ͳϞδϡʔϧͰߏ͞Εͯ ͍Δ͔Λࣔ֓͢೦ • SBOMͷ༷4ͭ΄Ͳଘࡏ͢Δ • CycloneDX • SPDX
(Software Package Data Exchange) • GitHub SBOM • SWID (Software Identification tags) OWASP Linux Foundation GitHub Βͳ͍…
SBOMʹ͍ͭͯ • ιϑτΣΞͷߏґଘؔΛڞ௨ͷϑΥʔϚοτͱͯ͠දݱ͢Δ͜ͱ͕Մೳ
ԿͷͨΊʹSBOMΛ͏ͷ͔ • SBOMΛೖྗͱͯ͠੬ऑੑͷݕͳͲ͕Մೳ ෆಛఆଟͷιϑτΣΞϞδϡʔϧ CycloneDX SPDX SBOM ϑΥʔϚοτ SCAπʔϧͳͲ
ͦͷଞͷ༻్ • ։ൃϕϯμʔϕϯμʔ͕ར༻ϞδϡʔϧΛSBOMͱͯ͠ެ։ • ιϑτΣΞɾϥΠηϯεͷཧ Vendor A Vendor B Vendor
C Engineer AͷSBOM ιϑτΣΞBͷSBOM CͷSBOM
ੈͷதͷಈ • ถࠃͰɺେ౷ྖྩͱͯ͠Ұ෦ͷاۀʹؔͯ͠SBOMͷ࡞Λཁ݅Խ͍ͯ͠Δ • ຊͰɺαΠόʔηΩϡϦςΟઓུͱͯ͠SBOMʹݴٴ͍ͯ͠Δ αΠόʔηΩϡϦςΟ̎̌̎̎ͷ֓ཁ ࠃՈͷαΠόʔηΩϡϦςΟվળʹؔ͢Δେ౷ྖྩ
σϞ
SBOMͷੜ ࣮ࡍʹSBOMΛ࡞ͬͯΈΔ ΊͬͪΌ؆୯
σϞͷղઆ ղੳ CycloneDX ग़ྗ • ίϯςφͷɺOSύοέʔδΞϓϦέʔγϣϯύοέʔδΛղੳ Container
σϞͷղઆ ղੳ ग़ྗ • ίϯςφͷɺOSύοέʔδΞϓϦέʔγϣϯύοέʔδΛղੳ Container OS OS Package Application
Application Library Application Application Library Container
ิ • CycloneDXͷSBOMͰɺ෦ʢComponentʣͷछྨ͕͍͔ͭ͘ଘࡏ͢Δ • ਖ਼ந͕ߴͯ͘ɺ࣮ͨ͠ͷͷɺະͩʹΑ͘Θ͔͍ͬͯͳ͍
SBOMΛ༻͍ͨ੬ऑੑݕ ࡞ͨ͠SBOMΛར׆༻ͯ͠ΈΔ ΊͬͪΌ؆୯
σϞͷղઆ Container OS OS Package Application Application Library Application Application
Library CycloneDX ੬ऑੑݕ ग़ྗ $7&9999 $7&9999 $7&9999 • SBOMʹهࡌ͞Ε͍ͯΔύοέʔδʹରͯ͠੬ऑੑΛݕ
͍··Ͱ ෆಛఆଟͷιϑτΣΞϞδϡʔϧ ੬ऑੑݕ
͜Ε͔Β ෆಛఆଟͷιϑτΣΞϞδϡʔϧ ར׆༻ʢྫ͑੬ऑੑݕʣ ଞͷ׆༻ํ๏ߟ͑ΒΕΔ CycloneDX SPDX SBOM ϑΥʔϚοτ
SBOMͰશͯͷιϑτΣΞΛՄࢹԽɺར׆༻Ͱ͖Δ!
ͱͳΒͳ͍…
࣮ࡍʹ SBOM Λੜɺݕ͢ΔπʔϧΛ ։ൃ͢Δͱɺଟͷ՝Λݟ͚ͭΔ (CycloneDXͷࣄྫΛհ)
1. શͯͷґଘؔΛՄࢹԽͰ͖ΔΘ͚Ͱͳ͍ • ίϯςφΛղੳ͢ΔTrivyGrypeͳͲͷπʔϧͰ make ͳͲͰϏϧυ͞Εͨ ύοέʔδΛՄࢹԽ͢Δ͜ͱͰ͖ͳ͍ ͪΖΜSBOMͱͯ͠ग़ྗ͢Δ͜ͱͰ͖ͳ͍
2. ʮඪ४ϑΥʔϚοτʯޓੑ͕͋Δͱݴͬͯͳ͍ • πʔϧʹΑͬͯग़ྗ͢ΔϑΥʔϚοτ͕ҟͳΔͨΊޓੑ͕ͳ͍ Grype CycloneDX Trivy CycloneDX ͪΖΜ͓ޓ͍ͷSBOMͰਖ਼͘͠ݕͰ͖ͳ͍
3. ෦ͷґଘؔͷछྨ͕ଟ͗͢Δ • ͦͦґଘؔͱʁ • ελςΟοΫϦϯΫ • GoͷΑ͏ͳ୯ҰͷBinary • JavaͩͱJarͷதʹJar͕ೖΔґଘؔଘࡏ
• μΠφϛοΫϦϯΫ • ϓϩηεؒ௨৴HTTPͳͲͷ௨৴ʹΑΔґଘ SBOMͱͯ͠දݱ͢Δʹෳࡶ͗͢Δ
3. ෦ͷґଘؔͷछྨ͕ଟ͗͢Δ SBOMͱͯ͠දݱ͢Δʹෳࡶ͗͢Δ Component͕ωετ͢Δґଘؔ DependencyʹΑΔґଘؔ
4. ༷͕ेͰͳ͍͜ͱ͋Δ • SBOM੬ऑੑΛݕ͢Δจ຺Ͱ༻͍ΒΕΔ͜ͱ͕ଟ͍ • ݱঢ়ͷ֤छSBOMͷ༷Ͱਖ਼͘͠੬ऑੑݕͰ͖ͳ͍ SBOMʹπʔϧಠࣗͷ֦ுϓϩύςΟΛಋೖͯ͠ରԠ SBOMͰ༻͍ΒΕ͍ͯΔύοέʔδ දݱ͚ͩͰΓͳ͍
·ͱΊ • ύοέʔδߏϑΝΠϧDocker Image͔Β؆୯ʹSBOM͕ੜͰ͖Δ • ੜͨ͠SBOM͔Β੬ऑੑݕ͕Մೳ • SBOMࠓ·࣮ͩݧஈ֊Ͱ՝ଟ͘ݟΒΕΔ • ੜ͢Δπʔϧͷ༷Λཧղͯ͠ӡ༻͢Δඞཁ͕ٻΊΒΕΔ
• ੜπʔϧ͕ॆ࣮͢ΔʹͭΕͯɺར׆༻͢Δπʔϧ͕ग़ͯ͘Δ • ֤ϕϯμʔ͕SBOMΛެ։͢ΔͳͲͷੈք͕͘Δͱخ͍͠ • SBOMΛར׆༻͢Δπʔϧ·ͩ·ͩগͳ͍ͨΊɺOSSΛ։ൃ͢Δνϟϯεʂ
༨ஊ • SBOMͷະདྷͷ
SBOMͷະདྷͷ Digital Identity Attestation • OSS։ൃऀ/ߩݙऀ/ར༻ऀ͕ɺอक/։ൃ/ར༻͢Δίʔυ͕ Ͳ͔͜Β ͲͷΑ͏ ʹ ڙڅ͞Ε͍ͯΔ͔Λཧղ͠ɺར༻அͰ͖ΔΑ͏ʹ͢Δ͜ͱ
Software Attestation • ʮԿ͕(Subject)ɺͲͷΑ͏ʹ࡞(Predicate)ɺ୭͕ॺ໊(Signature)ʯͳͲͷϝλ σʔλΛϞσϧԽͨ͠ͷɻ Software Attestation Digital Identity Attestation ͷҰछ
Software Attestationͱ • ʮԿ͕(Subject)ɺͲͷΑ͏ʹ࡞(Predicate)ɺ୭͕ॺ໊(Signature)ʯͳͲͷ ϝλσʔλΛϞσϧԽͨ͠ͷɻ
ιϑτΣΞʹର͢Δॺ໊ • SBOMΛϝλσʔλͱͯ͠ιϑτΣΞίϯςφΠϝʔδʹॺ໊͢Δ͜ͱ ͰɺSBOMΛҰݩཧ͢ΔΈ͕։ൃ͞Εͭͭ͋Δ %PDLFS3FHJTUPSZʢ0$*3FHJTUSZʣ SBOM Docker Image Maintainer
ιϑτΣΞʹର͢Δॺ໊ • SBOMΛϝλσʔλͱͯ͠ιϑτΣΞίϯςφΠϝʔδʹॺ໊͢Δ͜ͱ ͰɺSBOMΛҰݩཧ͢ΔΈ͕։ൃ͞Εͭͭ͋Δ %PDLFS3FHJTUPSZʢ0$*3FHJTUSZʣ SBOM Docker Image Maintainer
Thank you for attention
ͪͳΈʹ SBOMͷ༷ʹߩݙͨ͠Γͨ͠ 8PSLJOH(SPVQʹ໊લ͕ࡌͬͯͨ • SBOMͱͯ͠੬ऑੑΛදݱ͢Δ༷ʹߩݙ