Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
SBOMを利用したソフトウェアサプライチェーンの保護
Search
Masahiro331
August 05, 2022
Technology
4
2.6k
SBOMを利用したソフトウェアサプライチェーンの保護
Masahiro331
August 05, 2022
Tweet
Share
More Decks by Masahiro331
See All by Masahiro331
Model Context Protocol 勉強会
masahiro331
0
37
OSSに新機能を追加するまでの苦労話
masahiro331
0
180
Analyze Filesystem in Virtual Machine Image
masahiro331
0
170
Introduction Supply Chain Security
masahiro331
0
150
Container Security with Trivy
masahiro331
0
200
VirtualMachine Image scanning PoC with Molysis
masahiro331
0
160
Other Decks in Technology
See All in Technology
AWS CDK 入門ガイド これだけは知っておきたいヒント集
anank
2
200
Delta airlines®️ USA Contact Numbers: Complete 2025 Support Guide
airtravelguide
0
340
What’s new in Android development tools
yanzm
0
430
面倒な作業はAIにおまかせ。Flutter開発をスマートに効率化
ruideengineer
0
360
高速なプロダクト開発を実現、創業期から掲げるエンタープライズアーキテクチャ
kawauso
3
9.7k
20250707-AI活用の個人差を埋めるチームづくり
shnjtk
6
4k
無意味な開発生産性の議論から抜け出すための予兆検知とお金とAI
i35_267
6
13k
united airlines ™®️ USA Contact Numbers: Complete 2025 Support Guide
flyunitedhelp
1
430
対話型音声AIアプリケーションの信頼性向上の取り組み
ivry_presentationmaterials
1
330
Tokyo_reInforce_2025_recap_iam_access_analyzer
hiashisan
0
190
第4回Snowflake 金融ユーザー会 Snowflake summit recap
tamaoki
1
300
さくらのIaaS基盤のモニタリングとOpenTelemetry/OSC Hokkaido 2025
fujiwara3
3
460
Featured
See All Featured
GitHub's CSS Performance
jonrohan
1031
460k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
3.9k
Gamification - CAS2011
davidbonilla
81
5.4k
jQuery: Nuts, Bolts and Bling
dougneiner
63
7.8k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
31
2.4k
Bootstrapping a Software Product
garrettdimon
PRO
307
110k
Building Flexible Design Systems
yeseniaperezcruz
328
39k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
34
5.9k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
130
19k
A Tale of Four Properties
chriscoyier
160
23k
A Modern Web Designer's Workflow
chriscoyier
695
190k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
26k
Transcript
Masahiro Fujimura (@masahiro331), 20 August 2022 Supply Chain Security with
SBOM CloudNative Security Conference 2022
ຊͷྲྀΕ • ࡢࠓͷϓϩμΫτηΩϡϦςΟͷಈ • Supply Chain Security ͱʁ • SBOMͱʁ
• SBOMͷੜͱ੬ऑੑݕʹ͍ͭͯ • SBOM๊͕͑Δ՝
ࠓ͞ͳ͍͜ͱ • SBOMͷৄࡉͳ༷ͷղઆ • SBOMͷ੬ऑੑݕͷৄࡉ
ࣗݾհ • ໊લ: ౻ଜ ڡ߂ʢ@masahiro331ʣ • ॴଐ: OWASP CycloneDX project
(Volunteer) • झຯ: • ϑΝΠϧγεςϜͷύʔα։ൃ • ԿΛ͍ͯ͠Δਓͳͷ͔ • TrivyʹSBOMͷੜͱ੬ऑੑݕΛ࣮
ࡢࠓͷϓϩμΫτηΩϡϦςΟͷಈ ࡢࠓͷϓϩμΫτηΩϡϦςΟͷಈ
ࡢࠓͷ߈ܸͷಈ • ͢ͰʹڴҖͱͯ͠αϓϥΠνΣʔϯͷऑΛѱ༻ͨ͠߈ܸ͕ʹͳ͍ͬͯΔ • IPA ͕ग़͍ͯ͠ΔใηΩϡϦςΟͷ10େڴҖʹϥϯΫΠϯ͍ͯ͠Δ
ࡢࠓͷ߈ܸͷಈ • Sonatype͔ΒϨϙʔτ͕ग़͍ͯΔ • 2020ࠒ͔Β Supply Chain ʹର͢Δ߈ܸ͕ٸܹʹ૿Ճ͍ͯ͠Δ
Supply Chain Security ͱʁ
Supply Chain ͱ • ιϑτΣΞͷڙڅϓϩηεͷ͜ͱ ϓϩμΫτΛ։ൃͯ͠Ϣʔβಧ͚Δ·Ͱͷϓϩηεͷશମ
Supply Chain ͱ • ιϑτΣΞͷڙڅϓϩηεͷ͜ͱ ϓϩμΫτΛ։ൃͯ͠Ϣʔβಧ͚Δ·Ͱͷϓϩηεͷશମ Engineer Source Code Vendor
OSS Artifact Production Server Server / Network Machine
Supply Chain Security ͱ Supply Chain Security 2ͭͷจ຺Ͱ༻͍ΒΕ͍ͯΔ •
औҾઌؔ࿈ձࣾɺάϧʔϓձࣾΛܦ༝ͨ͠߈ܸͷରࡦ λʔήοτاۀͱΓऔΓ͕͋ΔൺֱతηΩϡϦςΟϨϕϧ͕͍औҾઌ ؔ࿈ձࣾɺάϧʔϓձࣾΛܦ༝͠ɺ߈ܸΛߦ͏ํ๏ɻ • ιϑτΣΞ͕ґଘ͍ͯ͠ΔϞδϡʔϧͳͲΛඪతͱͨ͠߈ܸͷରࡦ ͘ར༻͞ΕΔιϑτΣΞɺλʔήοτاۀ͕ར༻͢ΔͰ͋Ζ͏ιϑτ ΣΞͦΕΒͷߋ৽ϓϩάϥϜʹ߈ܸΛߦ͏ํ๏ɻ
Supply Chain Security ͱ Supply Chain Security 2ͭͷจ຺Ͱ༻͍ΒΕ͍ͯΔ •
औҾઌؔ࿈ձࣾɺάϧʔϓձࣾΛܦ༝ͨ͠߈ܸͷରࡦ λʔήοτاۀͱΓऔΓ͕͋ΔൺֱతηΩϡϦςΟϨϕϧ͕͍औҾઌ ؔ࿈ձࣾɺάϧʔϓձࣾΛܦ༝͠ɺ߈ܸΛߦ͏ํ๏ɻ • ιϑτΣΞ͕ґଘ͍ͯ͠ΔϞδϡʔϧͳͲΛඪతͱͨ͠߈ܸ ͘ར༻͞ΕΔιϑτΣΞɺλʔήοτاۀ͕ར༻͢ΔͰ͋Ζ͏ιϑτ ΣΞιϑτΣΞͷߋ৽ϓϩάϥϜʹ߈ܸΛߦ͏ํ๏ɻ ࠓͷൣғ ͜Ε*TMBOE)PQQJOH"UUBDLͱ͔ݴΘΕΔΒ͍͠
Supply Chain Security Engineer SCM (e.g. GitHub) Source Code Build
Server Production Server Artifact OSS
Supply Chain Security Engineer SCM (e.g. GitHub) Source Code Build
Server Production Server OSS Artifact ѱҙ͋ΔΤϯδχΞͷՄೳੑ ϦϙδτϦ্ͷιʔείʔυ͕ վ͟Μ͞ΕΔՄೳੑ Build Server ͕ ͬऔΒΕ͍ͯΔՄೳੑ ֎෦͔Β߈ܸՄೳͳ੬ऑੑ͕ ଘࡏ͢ΔՄೳੑ ੬ऑͳ࣮Λ͍ͯ͠ΔՄೳੑ ґଘ͍ͯ͠Διʔείʔυ͕ ੬ऑͳՄೳੑ ϦϦʔε͞ΕΔιϑτΣΞ͕ վ͟Μ͞ΕΔՄೳੑ
Supply Chain Security Engineer SCM (e.g. GitHub) Source Code Build
Server Production Server ѱҙ͋ΔΤϯδχΞͷՄೳੑ ϦϙδτϦ্ͷιʔείʔυ͕ վ͟Μ͞ΕΔՄೳੑ #VJME4FSWFS͕ ͬऔΒΕ͍ͯΔՄೳੑ ֎෦͔Β߈ܸՄೳͳ੬ऑੑ͕ ଘࡏ͢ΔՄೳੑ ੬ऑͳ࣮Λ͍ͯ͠ΔՄೳੑ Artifact ࠓͷൣғ ґଘ͍ͯ͠Διʔείʔυ͕ ੬ऑͳՄೳੑ ϦϦʔε͞ΕΔιϑτΣΞ͕ վ͟Μ͞ΕΔՄೳੑ OSS
OSS ʹର͢Δ߈ܸͷࣄྫ • JDK 9Ҏ্ͰɺSpring Framework Λར༻͍ͯ͠Δ΄΅શͯͷγεςϜʹӨڹ • Өڹ͢Δ߹ɺαʔόͰҙͷίʔυ͕࣮ߦͰ͖Δঢ়ଶʹ… Spring4Shell
(Java) Event-Stream (Node.js) • 200ສμϯϩʔυΛ͑ΔϥΠϒϥϦʹѱҙ͋Δόʔδϣϯ͕ϦϦʔε͞Εͨ • ҉߸௨՟ΥϨοτΛ౪͏ͱ͢Δίʔυ͕ೖ͞Ε͍ͯͨ
OSS ʹର͢Δ߈ܸ ࣗࣾͰར༻͍ͯ͠ΔOSSΛѲ͢Δͷ͍͠ Software A Spring Framework Software b Software
c Software e Log4j ࣗࣾͰ։ൃ͍ͯ͠ΔιϑτΣΞ ԿͬͯΔ͔Θ͔͍ͬͯΔൣғ ਖ਼Կ͍ͬͯΔ͔ɺ΄΅Θ͔Βͳ͍ൣғ Software B ґଘ ਪҠతґଘ
OSS ʹର͢Δ߈ܸ ࣗࣾͰར༻͍ͯ͠ΔOSSΛѲ͢Δͷ͍͠ Software A Spring Framework Software b Software
c Software e Log4j ࣗࣾͰ։ൃ͍ͯ͠ΔιϑτΣΞ ԿͬͯΔ͔Θ͔͍ͬͯΔൣғ ਖ਼Կ͍ͬͯΔ͔ɺ΄΅Θ͔Βͳ͍ൣғ Software B ͜ΕΒͷ߈ܸ͔ΒϓϩμΫτΛकΔͨΊʹ Ͳ͏͢Ε͍͍ͷ͔... ͜ΕΒͷ߈ܸ͔ΒϓϩμΫτΛकΔͨΊʹ Ͳ͏͢Ε͍͍ͷ͔...
OSS ʹର͢Δ߈ܸ ࣗࣾͰར༻͍ͯ͠ΔOSSΛѲ͢Δͷ͍͠ Software A Spring Framework Software b Software
c Software e Log4j ࣗࣾͰ։ൃ͍ͯ͠ΔιϑτΣΞ ԿͬͯΔ͔Θ͔͍ͬͯΔൣғ ਖ਼Կ͍ͬͯΔ͔ɺ΄΅Θ͔Βͳ͍ൣғ Software B SBOMͰղܾ͠·͠ΐ͏ SBOMͰղܾ͠·͠ΐ͏
SBOMͱʁ
SBOMͱ • ιϑτΣΞͷߏཁૉΛ෦දͱଊ͑ɺͲͷΑ͏ͳϞδϡʔϧͰߏ͞Εͯ ͍Δ͔Λࣔ֓͢೦ • SBOMͷ༷4ͭ΄Ͳଘࡏ͢Δ • CycloneDX • SPDX
(Software Package Data Exchange) • GitHub SBOM • SWID (Software Identification tags) OWASP Linux Foundation GitHub Βͳ͍…
SBOMʹ͍ͭͯ • ιϑτΣΞͷߏґଘؔΛڞ௨ͷϑΥʔϚοτͱͯ͠දݱ͢Δ͜ͱ͕Մೳ
ԿͷͨΊʹSBOMΛ͏ͷ͔ • SBOMΛೖྗͱͯ͠੬ऑੑͷݕͳͲ͕Մೳ ෆಛఆଟͷιϑτΣΞϞδϡʔϧ CycloneDX SPDX SBOM ϑΥʔϚοτ SCAπʔϧͳͲ
ͦͷଞͷ༻్ • ։ൃϕϯμʔϕϯμʔ͕ར༻ϞδϡʔϧΛSBOMͱͯ͠ެ։ • ιϑτΣΞɾϥΠηϯεͷཧ Vendor A Vendor B Vendor
C Engineer AͷSBOM ιϑτΣΞBͷSBOM CͷSBOM
ੈͷதͷಈ • ถࠃͰɺେ౷ྖྩͱͯ͠Ұ෦ͷاۀʹؔͯ͠SBOMͷ࡞Λཁ݅Խ͍ͯ͠Δ • ຊͰɺαΠόʔηΩϡϦςΟઓུͱͯ͠SBOMʹݴٴ͍ͯ͠Δ αΠόʔηΩϡϦςΟ̎̌̎̎ͷ֓ཁ ࠃՈͷαΠόʔηΩϡϦςΟվળʹؔ͢Δେ౷ྖྩ
σϞ
SBOMͷੜ ࣮ࡍʹSBOMΛ࡞ͬͯΈΔ ΊͬͪΌ؆୯
σϞͷղઆ ղੳ CycloneDX ग़ྗ • ίϯςφͷɺOSύοέʔδΞϓϦέʔγϣϯύοέʔδΛղੳ Container
σϞͷղઆ ղੳ ग़ྗ • ίϯςφͷɺOSύοέʔδΞϓϦέʔγϣϯύοέʔδΛղੳ Container OS OS Package Application
Application Library Application Application Library Container
ิ • CycloneDXͷSBOMͰɺ෦ʢComponentʣͷछྨ͕͍͔ͭ͘ଘࡏ͢Δ • ਖ਼ந͕ߴͯ͘ɺ࣮ͨ͠ͷͷɺະͩʹΑ͘Θ͔͍ͬͯͳ͍
SBOMΛ༻͍ͨ੬ऑੑݕ ࡞ͨ͠SBOMΛར׆༻ͯ͠ΈΔ ΊͬͪΌ؆୯
σϞͷղઆ Container OS OS Package Application Application Library Application Application
Library CycloneDX ੬ऑੑݕ ग़ྗ $7&9999 $7&9999 $7&9999 • SBOMʹهࡌ͞Ε͍ͯΔύοέʔδʹରͯ͠੬ऑੑΛݕ
͍··Ͱ ෆಛఆଟͷιϑτΣΞϞδϡʔϧ ੬ऑੑݕ
͜Ε͔Β ෆಛఆଟͷιϑτΣΞϞδϡʔϧ ར׆༻ʢྫ͑੬ऑੑݕʣ ଞͷ׆༻ํ๏ߟ͑ΒΕΔ CycloneDX SPDX SBOM ϑΥʔϚοτ
SBOMͰશͯͷιϑτΣΞΛՄࢹԽɺར׆༻Ͱ͖Δ!
ͱͳΒͳ͍…
࣮ࡍʹ SBOM Λੜɺݕ͢ΔπʔϧΛ ։ൃ͢Δͱɺଟͷ՝Λݟ͚ͭΔ (CycloneDXͷࣄྫΛհ)
1. શͯͷґଘؔΛՄࢹԽͰ͖ΔΘ͚Ͱͳ͍ • ίϯςφΛղੳ͢ΔTrivyGrypeͳͲͷπʔϧͰ make ͳͲͰϏϧυ͞Εͨ ύοέʔδΛՄࢹԽ͢Δ͜ͱͰ͖ͳ͍ ͪΖΜSBOMͱͯ͠ग़ྗ͢Δ͜ͱͰ͖ͳ͍
2. ʮඪ४ϑΥʔϚοτʯޓੑ͕͋Δͱݴͬͯͳ͍ • πʔϧʹΑͬͯग़ྗ͢ΔϑΥʔϚοτ͕ҟͳΔͨΊޓੑ͕ͳ͍ Grype CycloneDX Trivy CycloneDX ͪΖΜ͓ޓ͍ͷSBOMͰਖ਼͘͠ݕͰ͖ͳ͍
3. ෦ͷґଘؔͷछྨ͕ଟ͗͢Δ • ͦͦґଘؔͱʁ • ελςΟοΫϦϯΫ • GoͷΑ͏ͳ୯ҰͷBinary • JavaͩͱJarͷதʹJar͕ೖΔґଘؔଘࡏ
• μΠφϛοΫϦϯΫ • ϓϩηεؒ௨৴HTTPͳͲͷ௨৴ʹΑΔґଘ SBOMͱͯ͠දݱ͢Δʹෳࡶ͗͢Δ
3. ෦ͷґଘؔͷछྨ͕ଟ͗͢Δ SBOMͱͯ͠දݱ͢Δʹෳࡶ͗͢Δ Component͕ωετ͢Δґଘؔ DependencyʹΑΔґଘؔ
4. ༷͕ेͰͳ͍͜ͱ͋Δ • SBOM੬ऑੑΛݕ͢Δจ຺Ͱ༻͍ΒΕΔ͜ͱ͕ଟ͍ • ݱঢ়ͷ֤छSBOMͷ༷Ͱਖ਼͘͠੬ऑੑݕͰ͖ͳ͍ SBOMʹπʔϧಠࣗͷ֦ுϓϩύςΟΛಋೖͯ͠ରԠ SBOMͰ༻͍ΒΕ͍ͯΔύοέʔδ දݱ͚ͩͰΓͳ͍
·ͱΊ • ύοέʔδߏϑΝΠϧDocker Image͔Β؆୯ʹSBOM͕ੜͰ͖Δ • ੜͨ͠SBOM͔Β੬ऑੑݕ͕Մೳ • SBOMࠓ·࣮ͩݧஈ֊Ͱ՝ଟ͘ݟΒΕΔ • ੜ͢Δπʔϧͷ༷Λཧղͯ͠ӡ༻͢Δඞཁ͕ٻΊΒΕΔ
• ੜπʔϧ͕ॆ࣮͢ΔʹͭΕͯɺར׆༻͢Δπʔϧ͕ग़ͯ͘Δ • ֤ϕϯμʔ͕SBOMΛެ։͢ΔͳͲͷੈք͕͘Δͱخ͍͠ • SBOMΛར׆༻͢Δπʔϧ·ͩ·ͩগͳ͍ͨΊɺOSSΛ։ൃ͢Δνϟϯεʂ
༨ஊ • SBOMͷະདྷͷ
SBOMͷະདྷͷ Digital Identity Attestation • OSS։ൃऀ/ߩݙऀ/ར༻ऀ͕ɺอक/։ൃ/ར༻͢Δίʔυ͕ Ͳ͔͜Β ͲͷΑ͏ ʹ ڙڅ͞Ε͍ͯΔ͔Λཧղ͠ɺར༻அͰ͖ΔΑ͏ʹ͢Δ͜ͱ
Software Attestation • ʮԿ͕(Subject)ɺͲͷΑ͏ʹ࡞(Predicate)ɺ୭͕ॺ໊(Signature)ʯͳͲͷϝλ σʔλΛϞσϧԽͨ͠ͷɻ Software Attestation Digital Identity Attestation ͷҰछ
Software Attestationͱ • ʮԿ͕(Subject)ɺͲͷΑ͏ʹ࡞(Predicate)ɺ୭͕ॺ໊(Signature)ʯͳͲͷ ϝλσʔλΛϞσϧԽͨ͠ͷɻ
ιϑτΣΞʹର͢Δॺ໊ • SBOMΛϝλσʔλͱͯ͠ιϑτΣΞίϯςφΠϝʔδʹॺ໊͢Δ͜ͱ ͰɺSBOMΛҰݩཧ͢ΔΈ͕։ൃ͞Εͭͭ͋Δ %PDLFS3FHJTUPSZʢ0$*3FHJTUSZʣ SBOM Docker Image Maintainer
ιϑτΣΞʹର͢Δॺ໊ • SBOMΛϝλσʔλͱͯ͠ιϑτΣΞίϯςφΠϝʔδʹॺ໊͢Δ͜ͱ ͰɺSBOMΛҰݩཧ͢ΔΈ͕։ൃ͞Εͭͭ͋Δ %PDLFS3FHJTUPSZʢ0$*3FHJTUSZʣ SBOM Docker Image Maintainer
Thank you for attention
ͪͳΈʹ SBOMͷ༷ʹߩݙͨ͠Γͨ͠ 8PSLJOH(SPVQʹ໊લ͕ࡌͬͯͨ • SBOMͱͯ͠੬ऑੑΛදݱ͢Δ༷ʹߩݙ