Upgrade to Pro — share decks privately, control downloads, hide ads and more …

SBOMを利用したソフトウェアサプライチェーンの保護

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Masahiro331 Masahiro331
August 05, 2022

 SBOMを利用したソフトウェアサプライチェーンの保護

Avatar for Masahiro331

Masahiro331

August 05, 2022
Tweet

More Decks by Masahiro331

Other Decks in Technology

Transcript

  1. ࣗݾ঺հ • ໊લ: ౻ଜ ڡ߂ʢ@masahiro331ʣ • ॴଐ: OWASP CycloneDX project

    (Volunteer) • झຯ: • ϑΝΠϧγεςϜͷύʔα։ൃ • ԿΛ͍ͯ͠Δਓͳͷ͔ • TrivyʹSBOMͷੜ੒ͱ੬ऑੑݕ஌Λ࣮૷
  2. Supply Chain Security ͱ͸ Supply Chain Security ͸ 2ͭͷจ຺Ͱ༻͍ΒΕ͍ͯΔ •

    औҾઌ΍ؔ࿈ձࣾɺάϧʔϓձࣾΛܦ༝ͨ͠߈ܸ΁ͷରࡦ 
 λʔήοτاۀͱ΍ΓऔΓ͕͋ΔൺֱతηΩϡϦςΟϨϕϧ͕௿͍औҾઌ΍ ؔ࿈ձࣾɺάϧʔϓձࣾΛܦ༝͠ɺ߈ܸΛߦ͏ํ๏ɻ • ιϑτ΢ΣΞ͕ґଘ͍ͯ͠ΔϞδϡʔϧͳͲΛඪతͱͨ͠߈ܸ΁ͷରࡦ 
 ޿͘ར༻͞ΕΔιϑτ΢ΣΞ΍ɺλʔήοτاۀ͕ར༻͢ΔͰ͋Ζ͏ιϑτ΢ ΣΞ΍ͦΕΒͷߋ৽ϓϩάϥϜʹ߈ܸΛߦ͏ํ๏ɻ
  3. Supply Chain Security ͱ͸ Supply Chain Security ͸ 2ͭͷจ຺Ͱ༻͍ΒΕ͍ͯΔ •

    औҾઌ΍ؔ࿈ձࣾɺάϧʔϓձࣾΛܦ༝ͨ͠߈ܸ΁ͷରࡦ 
 λʔήοτاۀͱ΍ΓऔΓ͕͋ΔൺֱతηΩϡϦςΟϨϕϧ͕௿͍औҾઌ΍ ؔ࿈ձࣾɺάϧʔϓձࣾΛܦ༝͠ɺ߈ܸΛߦ͏ํ๏ɻ • ιϑτ΢ΣΞ͕ґଘ͍ͯ͠ΔϞδϡʔϧͳͲΛඪతͱͨ͠߈ܸ 
 ޿͘ར༻͞ΕΔιϑτ΢ΣΞ΍ɺλʔήοτاۀ͕ར༻͢ΔͰ͋Ζ͏ιϑτ΢ ΣΞ΍ιϑτ΢ΣΞͷߋ৽ϓϩάϥϜʹ߈ܸΛߦ͏ํ๏ɻ ࠓ೔ͷൣғ ͜Ε͸*TMBOE)PQQJOH"UUBDLͱ͔ݴΘΕΔΒ͍͠
  4. Supply Chain Security Engineer SCM (e.g. GitHub) Source Code Build

    Server Production Server OSS Artifact ѱҙ͋ΔΤϯδχΞͷՄೳੑ ϦϙδτϦ্ͷιʔείʔυ͕ վ͟Μ͞ΕΔՄೳੑ Build Server ͕ ৐ͬऔΒΕ͍ͯΔՄೳੑ ֎෦͔Β߈ܸՄೳͳ੬ऑੑ͕ ଘࡏ͢ΔՄೳੑ ੬ऑͳ࣮૷Λ͍ͯ͠ΔՄೳੑ ґଘ͍ͯ͠Διʔείʔυ͕ ੬ऑͳՄೳੑ ϦϦʔε͞ΕΔιϑτ΢ΣΞ͕ վ͟Μ͞ΕΔՄೳੑ
  5. Supply Chain Security Engineer SCM (e.g. GitHub) Source Code Build

    Server Production Server ѱҙ͋ΔΤϯδχΞͷՄೳੑ ϦϙδτϦ্ͷιʔείʔυ͕ վ͟Μ͞ΕΔՄೳੑ #VJME4FSWFS͕ ৐ͬऔΒΕ͍ͯΔՄೳੑ ֎෦͔Β߈ܸՄೳͳ੬ऑੑ͕ ଘࡏ͢ΔՄೳੑ ੬ऑͳ࣮૷Λ͍ͯ͠ΔՄೳੑ Artifact ࠓ೔ͷൣғ ґଘ͍ͯ͠Διʔείʔυ͕ ੬ऑͳՄೳੑ ϦϦʔε͞ΕΔιϑτ΢ΣΞ͕ վ͟Μ͞ΕΔՄೳੑ OSS
  6. OSS ʹର͢Δ߈ܸͷࣄྫ • JDK 9Ҏ্ͰɺSpring Framework Λར༻͍ͯ͠Δ΄΅શͯͷγεςϜʹӨڹ • Өڹ͢Δ৔߹͸ɺαʔόͰ೚ҙͷίʔυ͕࣮ߦͰ͖Δঢ়ଶʹ… Spring4Shell

    (Java) Event-Stream (Node.js) • 200ສμ΢ϯϩʔυΛ௒͑ΔϥΠϒϥϦʹѱҙ͋Δόʔδϣϯ͕ϦϦʔε͞Εͨ • ҉߸௨՟΢ΥϨοτΛ౪΋͏ͱ͢Δίʔυ͕஫ೖ͞Ε͍ͯͨ
  7. OSS ʹର͢Δ߈ܸ ࣗࣾͰར༻͍ͯ͠ΔOSSΛ೺Ѳ͢Δͷ͸೉͍͠ Software A Spring Framework Software b Software

    c Software e Log4j ࣗࣾͰ։ൃ͍ͯ͠Διϑτ΢ΣΞ Կ࢖ͬͯΔ͔Θ͔͍ͬͯΔൣғ ਖ਼௚Կ࢖͍ͬͯΔ͔ɺ΄΅Θ͔Βͳ͍ൣғ Software B ௚઀ґଘ ਪҠతґଘ
  8. OSS ʹର͢Δ߈ܸ ࣗࣾͰར༻͍ͯ͠ΔOSSΛ೺Ѳ͢Δͷ͸೉͍͠ Software A Spring Framework Software b Software

    c Software e Log4j ࣗࣾͰ։ൃ͍ͯ͠Διϑτ΢ΣΞ Կ࢖ͬͯΔ͔Θ͔͍ͬͯΔൣғ ਖ਼௚Կ࢖͍ͬͯΔ͔ɺ΄΅Θ͔Βͳ͍ൣғ Software B ͜ΕΒͷ߈ܸ͔ΒϓϩμΫτΛकΔͨΊʹ͸ Ͳ͏͢Ε͹͍͍ͷ͔... ͜ΕΒͷ߈ܸ͔ΒϓϩμΫτΛकΔͨΊʹ͸ Ͳ͏͢Ε͹͍͍ͷ͔...
  9. OSS ʹର͢Δ߈ܸ ࣗࣾͰར༻͍ͯ͠ΔOSSΛ೺Ѳ͢Δͷ͸೉͍͠ Software A Spring Framework Software b Software

    c Software e Log4j ࣗࣾͰ։ൃ͍ͯ͠Διϑτ΢ΣΞ Կ࢖ͬͯΔ͔Θ͔͍ͬͯΔൣғ ਖ਼௚Կ࢖͍ͬͯΔ͔ɺ΄΅Θ͔Βͳ͍ൣғ Software B SBOMͰղܾ͠·͠ΐ͏ SBOMͰղܾ͠·͠ΐ͏
  10. SBOMͱ͸ • ιϑτ΢ΣΞͷߏ੒ཁૉΛ෦඼දͱଊ͑ɺͲͷΑ͏ͳϞδϡʔϧͰߏ੒͞Εͯ ͍Δ͔Λࣔ֓͢೦ • SBOMͷ࢓༷͸4ͭ΄Ͳଘࡏ͢Δ • CycloneDX • SPDX

    (Software Package Data Exchange) • GitHub SBOM • SWID (Software Identification tags) OWASP Linux Foundation GitHub ஌Βͳ͍…
  11. σϞͷղઆ Container OS OS Package Application Application Library Application Application

    Library CycloneDX ੬ऑੑݕ஌ ग़ྗ $7&9999 $7&9999 $7&9999 • SBOMʹهࡌ͞Ε͍ͯΔύοέʔδʹରͯ͠੬ऑੑΛݕ஌
  12. ·ͱΊ • ύοέʔδߏ੒ϑΝΠϧ΍Docker Image͔Β؆୯ʹSBOM͕ੜ੒Ͱ͖Δ • ੜ੒ͨ͠SBOM͔Β੬ऑੑݕ஌͕Մೳ • SBOM͸ࠓ͸·࣮ͩݧஈ֊Ͱ՝୊΋ଟ͘ݟΒΕΔ • ੜ੒͢Δπʔϧͷ࢓༷Λཧղͯ͠ӡ༻͢Δඞཁ͕ٻΊΒΕΔ

    • ੜ੒πʔϧ͕ॆ࣮͢ΔʹͭΕͯɺར׆༻͢Δπʔϧ͕ग़ͯ͘Δ • ֤੡඼ϕϯμʔ͕SBOMΛެ։͢ΔͳͲͷੈք͕͘Δͱخ͍͠ • SBOMΛར׆༻͢Δπʔϧ͸·ͩ·ͩগͳ͍ͨΊɺOSSΛ։ൃ͢Δνϟϯεʂ
  13. SBOMͷະདྷͷ࿩ Digital Identity Attestation • OSS։ൃऀ/ߩݙऀ/ར༻ऀ͕ɺอक/։ൃ/ར༻͢Δίʔυ͕ Ͳ͔͜Β ͲͷΑ͏ ʹ ڙڅ͞Ε͍ͯΔ͔Λཧղ͠ɺར༻൑அͰ͖ΔΑ͏ʹ͢Δ͜ͱ

    Software Attestation • ʮԿ͕(Subject)ɺͲͷΑ͏ʹ࡞੒(Predicate)ɺ୭͕ॺ໊(Signature)ʯͳͲͷϝλ σʔλΛϞσϧԽͨ͠΋ͷɻ Software Attestation ͸ Digital Identity Attestation ͷҰछ