
Product Security at Kanmu: What We've Done So Far and What Comes Next

Moto Ishizawa
September 30, 2022


Transcript

  1. Product Security at Kanmu: What We've Done So Far and What Comes Next
    LayerX & Kanmu: the security situation at FinTech startups

  2. Moto Ishizawa
    Software Engineer, Kanmu, Inc.

  3. Product security… 🤔
    AWS, API, Go, Python, system architecture, vulnerability management, WAF, Logging, PCI DSS, GitHub, permission management, IAM, VPC, PKI, TLS, change management, Monitoring, deployment, containers, Linux, Django

  5. Where things stood at the start
    • The only product was Vandle Card (バンドルカード)
    • Because we provide a payment mechanism, security is the most important element
    • Four backend engineers, including the CTO
    • The product security area was handled mainly by the CTO
    • I joined as the first dedicated infrastructure engineer
    • The "I know nothing about AWS" guy

  6. Strategy for now
    • Take part in product development to understand how changes flow through the system
    • Get administrator rights on AWS and the other cloud services and understand how they are being used
    • Understand the state of permission management across the services used in development and operations
    • Understand the constraints on the security side

  7. Issues and risks that came into view
    • "Idyllic" (free-and-easy) management of AWS
    • Vague processes for permission management and change management
    • System configurations that differ depending on when each part was built
    • Constraints imposed by PCI DSS, with their operation depending on one person
    • Areas where, if something happened, we would neither notice nor be able to investigate
    • And so on…

  8. What PCI DSS is
    • The Data Security Standard (DSS), a standard set by the Payment Card Industry (PCI), the credit-card industry body
    • It defines security requirements for handling card data properly
    • Kanmu, as a credit-card issuer, is required to comply with it
    • Anyone can download the documents from the official site
    • https://www.pcisecuritystandards.org/document_library/

  9. Improvement policy: "get the baseline in order"
    • Standardize configuration and strengthen governance
    • Tidy up the system architecture by making use of managed services
    • Make sure that when something happens we notice it and can investigate (better auditability)
    • Follow the principle of least privilege
    • Get out of the state where tasks pile up on the CTO
    • Improve the developer experience at the same time

  10. Improvement examples: AWS
    • Introduce configuration based on best practices
      • Introduce AWS Organization and AWS SSO (AWS IAM Identity Center)
      • Enable CloudTrail and AWS Config, with centralized management in a dedicated log account
      • Introduce GuardDuty and Security Hub
    • Results
      • Completely eliminated the many IAM Users that had existed
      • SSO made logging in to multiple AWS accounts easy
      • We are now in a state where, if something abnormal happens, we notice it and can investigate
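The AWS baseline on this slide (no IAM users once sign-in goes through SSO, CloudTrail and Config enabled and delivered to the log account, GuardDuty on) is exactly the kind of state that drifts unless it is checked repeatedly. As an added example that is not from the talk and not Kanmu's code, the Python below evaluates those four points over an exported account snapshot. The snapshot dictionaries, the bucket name `example-org-cloudtrail-logs` and the check names are constructed for the example; the dictionaries only borrow the field names of the matching AWS CLI / boto3 responses (`iam list-users`, `cloudtrail describe-trails`, `configservice describe-configuration-recorder-status`, `guardduty get-detector`), so in practice you would fill them from those calls made under a read-only role and run the checks on a schedule.

```python
"""Baseline checks over an exported AWS account snapshot (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass

# Assumption: the organization's dedicated log-archive bucket (placeholder name).
LOG_ARCHIVE_BUCKET = "example-org-cloudtrail-logs"


@dataclass(frozen=True)
class Finding:
    check: str
    ok: bool
    detail: str


def check_no_iam_users(iam_list_users: dict) -> Finding:
    """Once humans sign in through IAM Identity Center, every remaining IAM
    user is a long-lived credential that should be retired."""
    names = [u["UserName"] for u in iam_list_users.get("Users", [])]
    detail = "no IAM users" if not names else "IAM users remain: " + ", ".join(names)
    return Finding("iam.no-users", not names, detail)


def check_cloudtrail(describe_trails: dict) -> Finding:
    """At least one trail must cover all regions, have log-file validation on
    (so tampering with delivered logs is detectable) and deliver to the
    central log-archive bucket owned by the log-only account."""
    good = [
        t["Name"]
        for t in describe_trails.get("trailList", [])
        if t.get("IsMultiRegionTrail")
        and t.get("LogFileValidationEnabled")
        and t.get("S3BucketName") == LOG_ARCHIVE_BUCKET
    ]
    detail = f"compliant trails: {good}" if good else "no multi-region, validated trail delivering to the log archive"
    return Finding("cloudtrail.central-trail", bool(good), detail)


def check_config_recorder(recorder_status: dict) -> Finding:
    """AWS Config must actually be recording, not merely configured."""
    recording = [r["name"] for r in recorder_status.get("ConfigurationRecordersStatus", []) if r.get("recording")]
    detail = f"recording: {recording}" if recording else "no configuration recorder is recording"
    return Finding("config.recorder-on", bool(recording), detail)


def check_guardduty(get_detector: dict) -> Finding:
    """A detector exists and reports ENABLED (an empty response means none)."""
    enabled = get_detector.get("Status") == "ENABLED"
    return Finding("guardduty.enabled", enabled, "detector enabled" if enabled else "no enabled GuardDuty detector")


def run_baseline(snapshot: dict) -> list[Finding]:
    """Evaluate every baseline check against one account snapshot."""
    return [
        check_no_iam_users(snapshot["iam_list_users"]),
        check_cloudtrail(snapshot["cloudtrail_describe_trails"]),
        check_config_recorder(snapshot["config_recorder_status"]),
        check_guardduty(snapshot["guardduty_get_detector"]),
    ]


def failing_checks(findings: list[Finding]) -> list[str]:
    """Names of the checks that failed, in evaluation order."""
    return [f.check for f in findings if not f.ok]


# Constructed snapshots. BEFORE resembles the "idyllic" starting point:
# personal IAM users, one single-region trail in a random bucket, Config
# defined but stopped, GuardDuty never turned on.
BEFORE = {
    "iam_list_users": {"Users": [{"UserName": "alice"}, {"UserName": "deploy-bot"}]},
    "cloudtrail_describe_trails": {"trailList": [
        {"Name": "default", "S3BucketName": "old-account-bucket",
         "IsMultiRegionTrail": False, "LogFileValidationEnabled": False},
    ]},
    "config_recorder_status": {"ConfigurationRecordersStatus": [{"name": "default", "recording": False}]},
    "guardduty_get_detector": {},
}

# AFTER is the same account once the baseline from the slide is applied.
AFTER = {
    "iam_list_users": {"Users": []},
    "cloudtrail_describe_trails": {"trailList": [
        {"Name": "org-trail", "S3BucketName": LOG_ARCHIVE_BUCKET, "IsOrganizationTrail": True,
         "IsMultiRegionTrail": True, "LogFileValidationEnabled": True},
    ]},
    "config_recorder_status": {"ConfigurationRecordersStatus": [{"name": "default", "recording": True}]},
    "guardduty_get_detector": {"Status": "ENABLED"},
}

if __name__ == "__main__":
    for label, snapshot in (("before", BEFORE), ("after", AFTER)):
        print(f"== {label} ==")
        for finding in run_baseline(snapshot):
            print(f"  [{'PASS' if finding.ok else 'FAIL'}] {finding.check}: {finding.detail}")
```

Each check returns a `Finding` rather than printing, so the same functions can feed a CI job, a Security Hub custom finding, or a Slack alert without changes; the BEFORE snapshot fails all four checks and the AFTER snapshot passes them all.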

  11. Improvement examples: GitHub
    • Introduce configuration based on best practices
      • Inventory of permissions and clean-up of Teams and Permissions
      • Configure CODEOWNERS and Branch Protection
      • Enable auto-assignment and Slack notifications
    • Results
      • A minimum level of protection against malicious changes and tampering
      • Clarity about who holds change permissions
      • Review requests that used to be traded back and forth in Slack each time are now automated
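A CODEOWNERS file only makes "who holds change permissions" clear if its patterns resolve to the teams you expect, and GitHub's last-matching-rule-wins evaluation is easy to get wrong by hand. As an added example (my code, not Kanmu's and not GitHub's implementation), the Python below parses a constructed CODEOWNERS file and, for a list of files changed in a pull request, reports which owners' review is needed and which files nobody owns. The repository layout, file paths and `@example-org/*` teams are invented; the matcher implements a documented subset of GitHub's pattern semantics, spelled out in the docstring, so treat it as a review aid rather than a byte-for-byte reimplementation.

```python
"""Resolve required CODEOWNERS reviewers for a pull request (constructed example)."""
from __future__ import annotations

import re


def _glob_to_regex(glob: str) -> str:
    """Translate the gitignore-style wildcards CODEOWNERS uses."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**/", i):        # any number of leading directories
            out.append("(?:.*/)?"); i += 3
        elif glob.startswith("**", i):       # anything, including '/'
            out.append(".*"); i += 2
        elif glob[i] == "*":                 # anything within one path segment
            out.append("[^/]*"); i += 1
        elif glob[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return "".join(out)


def compile_pattern(pattern: str) -> re.Pattern:
    """Compile one CODEOWNERS pattern to a regex over repo-relative paths.

    Subset of GitHub's semantics implemented here (an assumption of this example):
      - a trailing '/' means everything under a directory of that name;
      - a leading '/' or an inner '/' anchors the pattern at the repo root,
        otherwise it may match at any depth (e.g. '*.tf', 'apps/');
      - a wildcard in the final segment matches that segment only, so
        'docs/*' covers docs/a.md but not docs/sub/b.md, while a literal
        final segment such as '/api/payments' also covers everything below it.
    """
    dir_only = pattern.endswith("/")
    body = pattern.rstrip("/")
    anchored = body.startswith("/") or "/" in body
    body = body.lstrip("/")
    last_segment = body.rsplit("/", 1)[-1]
    prefix = "^" if anchored else "^(?:.*/)?"
    if dir_only:
        suffix = "/.*$"
    elif any(ch in last_segment for ch in "*?"):
        suffix = "$"
    else:
        suffix = "(?:/.*)?$"
    return re.compile(prefix + _glob_to_regex(body) + suffix)


def parse_codeowners(text: str) -> list[tuple[re.Pattern, tuple[str, ...]]]:
    """One (compiled pattern, owners) rule per non-comment line, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        pattern, *owners = line.split()
        rules.append((compile_pattern(pattern), tuple(owners)))
    return rules


def owners_for(rules: list[tuple[re.Pattern, tuple[str, ...]]], path: str) -> tuple[str, ...]:
    """The last matching rule wins, which is how GitHub evaluates CODEOWNERS."""
    owners: tuple[str, ...] = ()
    for regex, rule_owners in rules:
        if regex.match(path):
            owners = rule_owners
    return owners


def required_reviews(codeowners: str, changed_files: list[str]) -> dict[str, tuple[str, ...]]:
    rules = parse_codeowners(codeowners)
    return {path: owners_for(rules, path) for path in changed_files}


def review_teams(codeowners: str, changed_files: list[str]) -> set[str]:
    """Every owner that must approve before the PR can merge."""
    return {o for owners in required_reviews(codeowners, changed_files).values() for o in owners}


def unowned_files(codeowners: str, changed_files: list[str]) -> list[str]:
    """Files no rule covers: even with 'Require review from Code Owners' on,
    these need no owner approval, so a CI check should flag them."""
    return [p for p, owners in required_reviews(codeowners, changed_files).items() if not owners]


# Constructed CODEOWNERS for a hypothetical repo; the teams are placeholders.
CODEOWNERS = """\
# fallback first, more specific rules later (last match wins)
*                @example-org/backend
*.tf             @example-org/infra
/infra/          @example-org/infra
docs/*           @example-org/docs
/api/payments/   @example-org/backend @example-org/security
"""

# Constructed list of files touched by a pull request.
CHANGED_FILES = [
    "api/payments/charge.go",
    "infra/modules/vpc/main.tf",
    "docs/README.md",
    "docs/guides/setup.md",
    "cmd/main.go",
]

if __name__ == "__main__":
    for path, owners in required_reviews(CODEOWNERS, CHANGED_FILES).items():
        print(f"{path:30} -> {' '.join(owners) or '(unowned)'}")
    print("teams to request:", sorted(review_teams(CODEOWNERS, CHANGED_FILES)))
```

Run against a real pull request, the changed-file list would come from `git diff --name-only base...head`; `unowned_files` is the check worth wiring into CI, because a path that matches no rule is one the branch protection rule will not route to any reviewer.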

  12. Improvement examples: system architecture
    • Replaced components with managed services and reviewed access control
      • Introduced Session Manager and demolished the LDAP that broke down about once every two weeks
      • Introduced Cloud One and demolished the OSSEC we had been running ourselves
    • Results
      • Reduced operational load
      • Better monitoring and auditability
      • SSO made access to EC2 instances easy

  13. Improvement examples: PCI DSS
    • Understanding the requirements and putting operations in order
      • The members handling the audit held read-through sessions covering all 12 requirements
      • Identified the operational tasks that have to be performed periodically, and carried them out
      • Revised internal policies to match the requirements and the actual systems
    • Results
      • Operations the CTO had been handling can now be done by the team
      • Achieved PCI DSS compliance for two products with roughly 3.5 people

  14. Release of the new product, Pool
    • We wanted the baseline in place before release
      • Review of the AWS and overall system configuration
      • Review of the settings relevant to compliance with the PCI DSS requirements
      • Addressed known vulnerabilities and similar issues that had been found in Vandle Card
    • Results
      • Known vulnerabilities were dealt with before release
      • Achieved PCI DSS compliance with the configuration as released

  15. Where things stand now
    • The product security baseline has come together
    • PCI DSS operations and audits, our biggest constraint, are now handled by the team
    • From here on: push automation, adopt new technologies, and implement further risk-reduction measures
    • The phase where security gets implemented in software, and things get a lot more fun

  16. What we want to do next
    • Retire EC2 wherever possible and move to containers (in progress)
    • Automatic detection of insecure code in Go and other languages
    • Stronger monitoring of vulnerabilities and supply-chain issues, and a stronger response to them
    • Continuous verification of AWS, GitHub and other settings, with automated remediation
    • Automation of PCI DSS and other compliance-related operations
    • Compliance with PCI DSS v4

  17. Come work with us!
    https://team.kanmu.co.jp/