Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
SBOMを利用したソフトウェアサプライチェーンの保護
Search
Masahiro331
August 05, 2022
Technology
2
2.1k
SBOMを利用したソフトウェアサプライチェーンの保護
Masahiro331
August 05, 2022
Tweet
Share
More Decks by Masahiro331
See All by Masahiro331
OSSに新機能を追加するまでの苦労話
masahiro331
0
98
Analyze Filesystem in Virtual Machine Image
masahiro331
0
89
Introduction Supply Chain Security
masahiro331
0
100
Container Security with Trivy
masahiro331
0
150
VirtualMachine Image scanning PoC with Molysis
masahiro331
0
110
Other Decks in Technology
See All in Technology
JAWS-UG Bedrock Claude Night
yamahiro
3
710
GrafanaMeetup_AmazonManagedGrafanaのアクセス制御機能とマルチテナント環境下でのアクセス制御について
daitak
0
400
R3のコードから見る実践LINQ実装最適化・コンカレントプログラミング実例
neuecc
3
2.4k
ワールドカフェI /チューターを改良する / World Café I and Improving the Tutors
ks91
PRO
0
150
EM完全に理解した と思ったけど、 やっぱり何も分からなかった話 / EM Night Fukuoka #1
hirutas
0
280
The AI Revolution Will Not Be Monopolized: Behind the scenes
inesmontani
PRO
1
160
M5stackで使用できるpHセンサの開発
shinrinakamura
0
120
Cracking the KubeCon CfP
inductor
2
270
Improve Your Development Workflow with Gemini Code Assist
meteatamel
0
130
Google Cloud Next '24でブログを10本書いた方法と勉強会を沸かせた方法
yasumuusan
0
330
よく聞くけど使ったことないソフトウェアNo.1 KafkaとSnowflake
foursue
4
510
非同期推論システムによるコスト削減と信頼性向上
koki_nishihara
1
360
Featured
See All Featured
Creatively Recalculating Your Daily Design Routine
revolveconf
211
11k
Principles of Awesome APIs and How to Build Them.
keavy
121
16k
Adopting Sorbet at Scale
ufuk
69
8.6k
BBQ
matthewcrist
80
8.8k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
14
1.5k
The Mythical Team-Month
searls
216
42k
Code Review Best Practice
trishagee
56
15k
Typedesign – Prime Four
hannesfritz
36
2.1k
The World Runs on Bad Software
bkeepers
PRO
61
6.7k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
660
120k
Building Effective Engineering Teams - LeadDev
addyosmani
32
1.9k
Facilitating Awesome Meetings
lara
43
5.6k
Transcript
Masahiro Fujimura (@masahiro331), 20 August 2022 Supply Chain Security with
SBOM CloudNative Security Conference 2022
ຊͷྲྀΕ • ࡢࠓͷϓϩμΫτηΩϡϦςΟͷಈ • Supply Chain Security ͱʁ • SBOMͱʁ
• SBOMͷੜͱ੬ऑੑݕʹ͍ͭͯ • SBOM๊͕͑Δ՝
ࠓ͞ͳ͍͜ͱ • SBOMͷৄࡉͳ༷ͷղઆ • SBOMͷ੬ऑੑݕͷৄࡉ
ࣗݾհ • ໊લ: ౻ଜ ڡ߂ʢ@masahiro331ʣ • ॴଐ: OWASP CycloneDX project
(Volunteer) • झຯ: • ϑΝΠϧγεςϜͷύʔα։ൃ • ԿΛ͍ͯ͠Δਓͳͷ͔ • TrivyʹSBOMͷੜͱ੬ऑੑݕΛ࣮
ࡢࠓͷϓϩμΫτηΩϡϦςΟͷಈ ࡢࠓͷϓϩμΫτηΩϡϦςΟͷಈ
ࡢࠓͷ߈ܸͷಈ • ͢ͰʹڴҖͱͯ͠αϓϥΠνΣʔϯͷऑΛѱ༻ͨ͠߈ܸ͕ʹͳ͍ͬͯΔ • IPA ͕ग़͍ͯ͠ΔใηΩϡϦςΟͷ10େڴҖʹϥϯΫΠϯ͍ͯ͠Δ
ࡢࠓͷ߈ܸͷಈ • Sonatype͔ΒϨϙʔτ͕ग़͍ͯΔ • 2020ࠒ͔Β Supply Chain ʹର͢Δ߈ܸ͕ٸܹʹ૿Ճ͍ͯ͠Δ
Supply Chain Security ͱʁ
Supply Chain ͱ • ιϑτΣΞͷڙڅϓϩηεͷ͜ͱ ϓϩμΫτΛ։ൃͯ͠Ϣʔβಧ͚Δ·Ͱͷϓϩηεͷશମ
Supply Chain ͱ • ιϑτΣΞͷڙڅϓϩηεͷ͜ͱ ϓϩμΫτΛ։ൃͯ͠Ϣʔβಧ͚Δ·Ͱͷϓϩηεͷશମ Engineer Source Code Vendor
OSS Artifact Production Server Server / Network Machine
Supply Chain Security ͱ Supply Chain Security 2ͭͷจ຺Ͱ༻͍ΒΕ͍ͯΔ •
औҾઌؔ࿈ձࣾɺάϧʔϓձࣾΛܦ༝ͨ͠߈ܸͷରࡦ λʔήοτاۀͱΓऔΓ͕͋ΔൺֱతηΩϡϦςΟϨϕϧ͕͍औҾઌ ؔ࿈ձࣾɺάϧʔϓձࣾΛܦ༝͠ɺ߈ܸΛߦ͏ํ๏ɻ • ιϑτΣΞ͕ґଘ͍ͯ͠ΔϞδϡʔϧͳͲΛඪతͱͨ͠߈ܸͷରࡦ ͘ར༻͞ΕΔιϑτΣΞɺλʔήοτاۀ͕ར༻͢ΔͰ͋Ζ͏ιϑτ ΣΞͦΕΒͷߋ৽ϓϩάϥϜʹ߈ܸΛߦ͏ํ๏ɻ
Supply Chain Security ͱ Supply Chain Security 2ͭͷจ຺Ͱ༻͍ΒΕ͍ͯΔ •
औҾઌؔ࿈ձࣾɺάϧʔϓձࣾΛܦ༝ͨ͠߈ܸͷରࡦ λʔήοτاۀͱΓऔΓ͕͋ΔൺֱతηΩϡϦςΟϨϕϧ͕͍औҾઌ ؔ࿈ձࣾɺάϧʔϓձࣾΛܦ༝͠ɺ߈ܸΛߦ͏ํ๏ɻ • ιϑτΣΞ͕ґଘ͍ͯ͠ΔϞδϡʔϧͳͲΛඪతͱͨ͠߈ܸ ͘ར༻͞ΕΔιϑτΣΞɺλʔήοτاۀ͕ར༻͢ΔͰ͋Ζ͏ιϑτ ΣΞιϑτΣΞͷߋ৽ϓϩάϥϜʹ߈ܸΛߦ͏ํ๏ɻ ࠓͷൣғ ͜Ε*TMBOE)PQQJOH"UUBDLͱ͔ݴΘΕΔΒ͍͠
Supply Chain Security Engineer SCM (e.g. GitHub) Source Code Build
Server Production Server Artifact OSS
Supply Chain Security Engineer SCM (e.g. GitHub) Source Code Build
Server Production Server OSS Artifact ѱҙ͋ΔΤϯδχΞͷՄೳੑ ϦϙδτϦ্ͷιʔείʔυ͕ վ͟Μ͞ΕΔՄೳੑ Build Server ͕ ͬऔΒΕ͍ͯΔՄೳੑ ֎෦͔Β߈ܸՄೳͳ੬ऑੑ͕ ଘࡏ͢ΔՄೳੑ ੬ऑͳ࣮Λ͍ͯ͠ΔՄೳੑ ґଘ͍ͯ͠Διʔείʔυ͕ ੬ऑͳՄೳੑ ϦϦʔε͞ΕΔιϑτΣΞ͕ վ͟Μ͞ΕΔՄೳੑ
Supply Chain Security Engineer SCM (e.g. GitHub) Source Code Build
Server Production Server ѱҙ͋ΔΤϯδχΞͷՄೳੑ ϦϙδτϦ্ͷιʔείʔυ͕ վ͟Μ͞ΕΔՄೳੑ #VJME4FSWFS͕ ͬऔΒΕ͍ͯΔՄೳੑ ֎෦͔Β߈ܸՄೳͳ੬ऑੑ͕ ଘࡏ͢ΔՄೳੑ ੬ऑͳ࣮Λ͍ͯ͠ΔՄೳੑ Artifact ࠓͷൣғ ґଘ͍ͯ͠Διʔείʔυ͕ ੬ऑͳՄೳੑ ϦϦʔε͞ΕΔιϑτΣΞ͕ վ͟Μ͞ΕΔՄೳੑ OSS
OSS ʹର͢Δ߈ܸͷࣄྫ • JDK 9Ҏ্ͰɺSpring Framework Λར༻͍ͯ͠Δ΄΅શͯͷγεςϜʹӨڹ • Өڹ͢Δ߹ɺαʔόͰҙͷίʔυ͕࣮ߦͰ͖Δঢ়ଶʹ… Spring4Shell
(Java) Event-Stream (Node.js) • 200ສμϯϩʔυΛ͑ΔϥΠϒϥϦʹѱҙ͋Δόʔδϣϯ͕ϦϦʔε͞Εͨ • ҉߸௨՟ΥϨοτΛ౪͏ͱ͢Δίʔυ͕ೖ͞Ε͍ͯͨ
OSS ʹର͢Δ߈ܸ ࣗࣾͰར༻͍ͯ͠ΔOSSΛѲ͢Δͷ͍͠ Software A Spring Framework Software b Software
c Software e Log4j ࣗࣾͰ։ൃ͍ͯ͠ΔιϑτΣΞ ԿͬͯΔ͔Θ͔͍ͬͯΔൣғ ਖ਼Կ͍ͬͯΔ͔ɺ΄΅Θ͔Βͳ͍ൣғ Software B ґଘ ਪҠతґଘ
OSS ʹର͢Δ߈ܸ ࣗࣾͰར༻͍ͯ͠ΔOSSΛѲ͢Δͷ͍͠ Software A Spring Framework Software b Software
c Software e Log4j ࣗࣾͰ։ൃ͍ͯ͠ΔιϑτΣΞ ԿͬͯΔ͔Θ͔͍ͬͯΔൣғ ਖ਼Կ͍ͬͯΔ͔ɺ΄΅Θ͔Βͳ͍ൣғ Software B ͜ΕΒͷ߈ܸ͔ΒϓϩμΫτΛकΔͨΊʹ Ͳ͏͢Ε͍͍ͷ͔... ͜ΕΒͷ߈ܸ͔ΒϓϩμΫτΛकΔͨΊʹ Ͳ͏͢Ε͍͍ͷ͔...
OSS ʹର͢Δ߈ܸ ࣗࣾͰར༻͍ͯ͠ΔOSSΛѲ͢Δͷ͍͠ Software A Spring Framework Software b Software
c Software e Log4j ࣗࣾͰ։ൃ͍ͯ͠ΔιϑτΣΞ ԿͬͯΔ͔Θ͔͍ͬͯΔൣғ ਖ਼Կ͍ͬͯΔ͔ɺ΄΅Θ͔Βͳ͍ൣғ Software B SBOMͰղܾ͠·͠ΐ͏ SBOMͰղܾ͠·͠ΐ͏
SBOMͱʁ
SBOMͱ • ιϑτΣΞͷߏཁૉΛ෦දͱଊ͑ɺͲͷΑ͏ͳϞδϡʔϧͰߏ͞Εͯ ͍Δ͔Λࣔ֓͢೦ • SBOMͷ༷4ͭ΄Ͳଘࡏ͢Δ • CycloneDX • SPDX
(Software Package Data Exchange) • GitHub SBOM • SWID (Software Identification tags) OWASP Linux Foundation GitHub Βͳ͍…
SBOMʹ͍ͭͯ • ιϑτΣΞͷߏґଘؔΛڞ௨ͷϑΥʔϚοτͱͯ͠දݱ͢Δ͜ͱ͕Մೳ
ԿͷͨΊʹSBOMΛ͏ͷ͔ • SBOMΛೖྗͱͯ͠੬ऑੑͷݕͳͲ͕Մೳ ෆಛఆଟͷιϑτΣΞϞδϡʔϧ CycloneDX SPDX SBOM ϑΥʔϚοτ SCAπʔϧͳͲ
ͦͷଞͷ༻్ • ։ൃϕϯμʔϕϯμʔ͕ར༻ϞδϡʔϧΛSBOMͱͯ͠ެ։ • ιϑτΣΞɾϥΠηϯεͷཧ Vendor A Vendor B Vendor
C Engineer AͷSBOM ιϑτΣΞBͷSBOM CͷSBOM
ੈͷதͷಈ • ถࠃͰɺେ౷ྖྩͱͯ͠Ұ෦ͷاۀʹؔͯ͠SBOMͷ࡞Λཁ݅Խ͍ͯ͠Δ • ຊͰɺαΠόʔηΩϡϦςΟઓུͱͯ͠SBOMʹݴٴ͍ͯ͠Δ αΠόʔηΩϡϦςΟ̎̌̎̎ͷ֓ཁ ࠃՈͷαΠόʔηΩϡϦςΟվળʹؔ͢Δେ౷ྖྩ
σϞ
SBOMͷੜ ࣮ࡍʹSBOMΛ࡞ͬͯΈΔ ΊͬͪΌ؆୯
σϞͷղઆ ղੳ CycloneDX ग़ྗ • ίϯςφͷɺOSύοέʔδΞϓϦέʔγϣϯύοέʔδΛղੳ Container
σϞͷղઆ ղੳ ग़ྗ • ίϯςφͷɺOSύοέʔδΞϓϦέʔγϣϯύοέʔδΛղੳ Container OS OS Package Application
Application Library Application Application Library Container
ิ • CycloneDXͷSBOMͰɺ෦ʢComponentʣͷछྨ͕͍͔ͭ͘ଘࡏ͢Δ • ਖ਼ந͕ߴͯ͘ɺ࣮ͨ͠ͷͷɺະͩʹΑ͘Θ͔͍ͬͯͳ͍
SBOMΛ༻͍ͨ੬ऑੑݕ ࡞ͨ͠SBOMΛར׆༻ͯ͠ΈΔ ΊͬͪΌ؆୯
σϞͷղઆ Container OS OS Package Application Application Library Application Application
Library CycloneDX ੬ऑੑݕ ग़ྗ $7&9999 $7&9999 $7&9999 • SBOMʹهࡌ͞Ε͍ͯΔύοέʔδʹରͯ͠੬ऑੑΛݕ
͍··Ͱ ෆಛఆଟͷιϑτΣΞϞδϡʔϧ ੬ऑੑݕ
͜Ε͔Β ෆಛఆଟͷιϑτΣΞϞδϡʔϧ ར׆༻ʢྫ͑੬ऑੑݕʣ ଞͷ׆༻ํ๏ߟ͑ΒΕΔ CycloneDX SPDX SBOM ϑΥʔϚοτ
SBOMͰશͯͷιϑτΣΞΛՄࢹԽɺར׆༻Ͱ͖Δ!
ͱͳΒͳ͍…
࣮ࡍʹ SBOM Λੜɺݕ͢ΔπʔϧΛ ։ൃ͢Δͱɺଟͷ՝Λݟ͚ͭΔ (CycloneDXͷࣄྫΛհ)
1. શͯͷґଘؔΛՄࢹԽͰ͖ΔΘ͚Ͱͳ͍ • ίϯςφΛղੳ͢ΔTrivyGrypeͳͲͷπʔϧͰ make ͳͲͰϏϧυ͞Εͨ ύοέʔδΛՄࢹԽ͢Δ͜ͱͰ͖ͳ͍ ͪΖΜSBOMͱͯ͠ग़ྗ͢Δ͜ͱͰ͖ͳ͍
2. ʮඪ४ϑΥʔϚοτʯޓੑ͕͋Δͱݴͬͯͳ͍ • πʔϧʹΑͬͯग़ྗ͢ΔϑΥʔϚοτ͕ҟͳΔͨΊޓੑ͕ͳ͍ Grype CycloneDX Trivy CycloneDX ͪΖΜ͓ޓ͍ͷSBOMͰਖ਼͘͠ݕͰ͖ͳ͍
3. ෦ͷґଘؔͷछྨ͕ଟ͗͢Δ • ͦͦґଘؔͱʁ • ελςΟοΫϦϯΫ • GoͷΑ͏ͳ୯ҰͷBinary • JavaͩͱJarͷதʹJar͕ೖΔґଘؔଘࡏ
• μΠφϛοΫϦϯΫ • ϓϩηεؒ௨৴HTTPͳͲͷ௨৴ʹΑΔґଘ SBOMͱͯ͠දݱ͢Δʹෳࡶ͗͢Δ
3. ෦ͷґଘؔͷछྨ͕ଟ͗͢Δ SBOMͱͯ͠දݱ͢Δʹෳࡶ͗͢Δ Component͕ωετ͢Δґଘؔ DependencyʹΑΔґଘؔ
4. ༷͕ेͰͳ͍͜ͱ͋Δ • SBOM੬ऑੑΛݕ͢Δจ຺Ͱ༻͍ΒΕΔ͜ͱ͕ଟ͍ • ݱঢ়ͷ֤छSBOMͷ༷Ͱਖ਼͘͠੬ऑੑݕͰ͖ͳ͍ SBOMʹπʔϧಠࣗͷ֦ுϓϩύςΟΛಋೖͯ͠ରԠ SBOMͰ༻͍ΒΕ͍ͯΔύοέʔδ දݱ͚ͩͰΓͳ͍
·ͱΊ • ύοέʔδߏϑΝΠϧDocker Image͔Β؆୯ʹSBOM͕ੜͰ͖Δ • ੜͨ͠SBOM͔Β੬ऑੑݕ͕Մೳ • SBOMࠓ·࣮ͩݧஈ֊Ͱ՝ଟ͘ݟΒΕΔ • ੜ͢Δπʔϧͷ༷Λཧղͯ͠ӡ༻͢Δඞཁ͕ٻΊΒΕΔ
• ੜπʔϧ͕ॆ࣮͢ΔʹͭΕͯɺར׆༻͢Δπʔϧ͕ग़ͯ͘Δ • ֤ϕϯμʔ͕SBOMΛެ։͢ΔͳͲͷੈք͕͘Δͱخ͍͠ • SBOMΛར׆༻͢Δπʔϧ·ͩ·ͩগͳ͍ͨΊɺOSSΛ։ൃ͢Δνϟϯεʂ
༨ஊ • SBOMͷະདྷͷ
SBOMͷະདྷͷ Digital Identity Attestation • OSS։ൃऀ/ߩݙऀ/ར༻ऀ͕ɺอक/։ൃ/ར༻͢Δίʔυ͕ Ͳ͔͜Β ͲͷΑ͏ ʹ ڙڅ͞Ε͍ͯΔ͔Λཧղ͠ɺར༻அͰ͖ΔΑ͏ʹ͢Δ͜ͱ
Software Attestation • ʮԿ͕(Subject)ɺͲͷΑ͏ʹ࡞(Predicate)ɺ୭͕ॺ໊(Signature)ʯͳͲͷϝλ σʔλΛϞσϧԽͨ͠ͷɻ Software Attestation Digital Identity Attestation ͷҰछ
Software Attestationͱ • ʮԿ͕(Subject)ɺͲͷΑ͏ʹ࡞(Predicate)ɺ୭͕ॺ໊(Signature)ʯͳͲͷ ϝλσʔλΛϞσϧԽͨ͠ͷɻ
ιϑτΣΞʹର͢Δॺ໊ • SBOMΛϝλσʔλͱͯ͠ιϑτΣΞίϯςφΠϝʔδʹॺ໊͢Δ͜ͱ ͰɺSBOMΛҰݩཧ͢ΔΈ͕։ൃ͞Εͭͭ͋Δ %PDLFS3FHJTUPSZʢ0$*3FHJTUSZʣ SBOM Docker Image Maintainer
ιϑτΣΞʹର͢Δॺ໊ • SBOMΛϝλσʔλͱͯ͠ιϑτΣΞίϯςφΠϝʔδʹॺ໊͢Δ͜ͱ ͰɺSBOMΛҰݩཧ͢ΔΈ͕։ൃ͞Εͭͭ͋Δ %PDLFS3FHJTUPSZʢ0$*3FHJTUSZʣ SBOM Docker Image Maintainer
Thank you for attention
ͪͳΈʹ SBOMͷ༷ʹߩݙͨ͠Γͨ͠ 8PSLJOH(SPVQʹ໊લ͕ࡌͬͯͨ • SBOMͱͯ͠੬ऑੑΛදݱ͢Δ༷ʹߩݙ