Upgrade to Pro — share decks privately, control downloads, hide ads and more …

カンムにおけるプロダクトセキュリティのこれまでとこれから

Moto Ishizawa
September 30, 2022
Technology
1
1.7k

 カンムにおけるプロダクトセキュリティのこれまでとこれから

Moto Ishizawa

September 30, 2022
Tweet

More Decks by Moto Ishizawa

See All by Moto Ishizawa
Sharing test cases of internet protocols with Go and OCI Artifacts
summerwind
0
480
Using Thanos as a long-term storage for your Prometheus metrics
summerwind
1
10k
Using Kubernetes as a datastore for SPIRE
summerwind
1
780
Whitebox Controller
summerwind
5
1.6k
Managing Kubernetes manifests with Spruce
summerwind
2
3.7k
Understanding HTTP/2 prioritization
summerwind
17
5.5k
HTTP/2 Deep Dive: Priority & Server Push
summerwind
17
3.1k
HTTP/2 Server Push Considered Harmful
summerwind
1
1.9k
Implementing HTTP/2 client in 60 minutes
summerwind
3
2.3k

Other Decks in Technology

See All in Technology
ジェネレーティブAIとの共創
yuyakakizaki08
1
470
Head toward Java 20 and Java 21
line_developers
PRO
0
400
net/http/httptest.Server のアプローチをテスト戦略に活用する / Go Conference 2023
k1low
7
1.1k
GO TechTalk #19 タクシーアプリ『GO』事業成長を支えるデータ分析基盤の継続的改善!
mot_techtalk
2
1.1k
高速な深層学習モデルアーキテクチャ2023
yu4u
2
1.6k
[DevDojo] 成功するスクラムチームとは
mercari
PRO
0
120
Microsoft Build 2023 ふりかえり - IoT と AI 周りを中心に
mode86
0
160
Go1.20からサポートされるtree構造のerrの紹介と、treeを考慮した複数マッチができるライブラリを作った話/introduction of tree structure err added since go 1_20
convto
0
210
Web API development in Visual Studio 2022
tsubakimoto_s
0
150
プロデュ―サーさん、今日も安全運転でよろしくね☆~OBD2を用いた速度・回転数検知ツールの開発~
hato3isfriend
0
150
データマイニングと機械学習 - ニューラルネットワーク
trycycle
0
170
Spotify API を使ったアイマス楽曲の楽しみ方
takemikami
0
120

Featured

See All Featured
The Language of Interfaces
destraynor
149
21k
Art, The Web, and Tiny UX
lynnandtonic
285
18k
Side Projects
sachag
450
39k
For a Future-Friendly Web
brad_frost
166
8k
RailsConf 2023
tenderlove
0
110
ReactJS: Keep Simple. Everything can be a component!
pedronauck
658
120k
It's Worth the Effort
3n
179
26k
Pencils Down: Stop Designing & Start Developing
hursman
115
10k
Designing with Data
zakiwarfel
92
4.3k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
13
1.4k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
152
13k
Practical Orchestrator
shlominoach
179
9.1k

Transcript

  1. ΧϯϜʹ͓͚Δ
    ϓϩμΫτηΩϡϦςΟͷ
    ͜Ε·Ͱͱ͜Ε͔Β
    -BZFS9ͱ,BONV'JO5FDIελʔτΞοϓηΩϡϦςΟࣄ৘

    View Slide

  2. Moto Ishizawa
    Software Engineer, Kanmu, Inc.

    View Slide

  3. View Slide

  4. ϓϩμΫτηΩϡϦςΟʜ
    🤔
    AWS
    API
    Go
    Python
    γεςϜߏ੒
    ੬ऑੑ؅ཧ
    WAF
    Logging
    PCI DSS
    GitHub
    ݖݶ؅ཧ
    IAM
    VPC
    PKI
    TLS
    มߋ؅ཧ
    Monitoring
    σϓϩΠ
    ίϯςφ
    Linux
    Django

    View Slide

  5. ϓϩμΫτηΩϡϦςΟʜ
    🤔
    AWS
    API
    Go
    Python
    γεςϜߏ੒
    ੬ऑੑ؅ཧ
    WAF
    Logging
    PCI DSS
    GitHub
    ݖݶ؅ཧ
    IAM
    VPC
    PKI
    TLS
    มߋ؅ཧ
    Monitoring
    σϓϩΠ
    ίϯςφ
    Linux
    Django

    View Slide

  6. ౰ॳͷঢ়گ
    • ϓϩμΫτ͸ʮόϯυϧΧʔυʯͷΈ

    • ܾࡁͷ࢓૊ΈΛఏڙ͍ͯ͠ΔͨΊɺηΩϡϦςΟ͸࠷΋ॏཁͳཁૉ

    • όοΫΤϯυΤϯδχΞ͸ CTO ΛؚΊͯ4ਓ

    • ϓϩμΫτηΩϡϦςΟͷྖҬ͸ओʹ CTO ͕୲౰

    • ࠷ॳͷΠϯϑϥઐ೚ΤϯδχΞͱͯ͠ೖࣾ

    • AWS Կ΋Θ͔ΒΜϚϯ

    View Slide

  7. ͻͱ·ͣͷઓུ
    • ϓϩμΫτ։ൃʹࢀՃͯ͠γεςϜͷมߋϑϩʔΛ೺Ѳ͢Δ

    • AWS ͳͲͷΫϥ΢υαʔϏεͷ؅ཧऀݖݶΛ΋Β͍ར༻ঢ়گΛ೺Ѳ͢Δ

    • ։ൃ΍ӡ༻ʹؔΘΔ֤छαʔϏεͷݖݶ؅ཧͷঢ়گΛ೺Ѳ͢Δ

    • ηΩϡϦςΟ໘Ͱͷ੍໿Λ೺Ѳ͢Δ

    View Slide

  8. ݟ͖͑ͯͨ՝୊΍ϦεΫ
    • ຀Վతͳ AWS ͷ؅ཧ

    • ͍͋·͍ͳݖݶ؅ཧ΍มߋ؅ཧͷϓϩηε

    • ։ൃ࣌ظʹΑΓҟͳΔγεςϜߏ੒

    • PCI DSS ʹΑΔ੍໿ͱଐਓతͳͦͷӡ༻

    • Կ͔ى͖ͯ΋ؾ෇͚ͳ͍ɾௐࠪͰ͖ͳ͍ྖҬ͕͋Δ

    • ͳͲͳͲ…

    View Slide

  9. 1$*%44ͱ͸
    • Payment Card Industry (PCI) ͱ͍͏ΫϨδοτΧʔυͷۀքஂମ͕ࡦఆͯ͠
    ͍Δ Data Security Standard (DSS) ͱ͍͏ඪ४ͷ͜ͱ

    • Χʔυ৘ใΛద੾ʹ؅ཧ͢ΔͨΊͷηΩϡϦςΟج४͕ఆٛ͞Ε͍ͯΔ

    • ΧϯϜ͸ΫϨδοτΧʔυΛൃߦ͢Δཱ৔ͱͯ͠४ڌ͕ٻΊΒΕ͍ͯΔ

    • υΩϡϝϯτ͸ެࣜαΠτ͔Β୭Ͱ΋μ΢ϯϩʔυͰ͖Δ

    • https://www.pcisecuritystandards.org/document_library/

    View Slide

  10. վળํ਑ʮϕʔεϥΠϯΛ੔͑Δʯ
    • ઃఆͷ౷Ұ΍ΨόφϯεͷڧԽ

    • ϚωʔδυαʔϏεΛ׆༻ͨ͠γεςϜߏ੒ͷ੔ཧ

    • Կ͔͕ى͖ͯ΋ͦΕʹؾ͖ͮɺௐࠪͰ͖ΔΑ͏ʹ͢Δ (؂ࠪੑͷ޲্)

    • ࠷খݖݶͷݪଇʹै͏

    • CTO ʹλεΫ͕ूத͢Δঢ়ଶ͔Βͷ୤٫

    • ։ൃऀͷମݧ΋Ұॹʹվળ͢Δ

    View Slide

  11. "84ͷվળྫ
    • ϕετϓϥΫςΟεʹجͮ͘ઃఆͷಋೖ

    • AWS Organization ͱ AWS SSO (AWS IAM Identity Center) ͷಋೖ

    • CloudTrail ͱ AWS Con
    fi
    g ͷ༗ޮԽͱϩάઐ༻ΞΧ΢ϯτͰͷҰݩ؅ཧ

    • GuardDuty ͱ Security Hub ͷಋೖ

    • վળޮՌ

    • ਺ଟ͘ଘࡏ͍ͯͨ͠ IAM User Λ׬શʹഇࢭ

    • SSO ʹΑΓෳ਺ͷ AWS ΞΧ΢ϯτ΁ͷϩάΠϯ͕༰қʹ

    • Կ͔ҟৗ͕͋ͬͯ΋ͦΕʹؾ͍ͮͯௐ͕ࠪͰ͖Δঢ়ଶʹ

    View Slide

  12. (JU)VCͷվળྫ
    • ϕετϓϥΫςΟεʹجͮ͘ઃఆͷಋೖ

    • ݖݶͷ୨Է͠ͱ Team ΍ Permission ͷ੔උ

    • CODEOWNERS ΍ Branch Protection ͷઃఆ

    • ࣗಈΞαΠϯ΍ Slack ௨஌ͷ༗ޮԽ

    • վળޮՌ

    • ѱҙͷ͋Δมߋ΍վ͟ΜΛ࠷௿ݶ๷ࢭ

    • มߋݖݶΛ࣋ͭਓͷ໌֬Խ

    • Slack Ͱ౎౓΍ΓͱΓ͍ͯͨ͠ϨϏϡʔґཔͷࣗಈԽ

    View Slide

  13. γεςϜߏ੒ͷվળྫ
    • ϚωʔδυαʔϏε΁ͷஔ͖׵͑΍ΞΫηε੍ޚͷݟ௚͠Λ࣮ࢪ

    • Session Manager Λಋೖ͠ɺ2िؒʹ1ճ͙Β͍յΕΔ LDAP Λൃഁղମ

    • Cloud One Λಋೖ͠ɺಠࣗӡ༻͍ͯͨ͠ OSSEC Λൃഁղମ

    • վળޮՌ

    • ӡ༻ෛՙͷܰݮ

    • ϞχλϦϯά͓Αͼ؂ࠪੑͷ޲্

    • SSO ʹΑΓ EC2 Πϯελϯε΁ͷΞΫηε͕༰қʹ

    View Slide

  14. 1$*%44ؔ࿈ͷվળྫ
    • ཁ݅ͷཧղͱӡ༻໘ͷ੔උ

    • ؂ࠪʹରԠ͢ΔϝϯόʔͰશ12ཁ݅ͷಡΈ߹ΘͤձΛ࣮ࢪ

    • ఆظతʹඞཁͳӡ༻λεΫΛચ͍ग़͠ͱͦͷλεΫͷ࣮ࢪ

    • ཁ݅ͱ࣮ࡍͷγεςϜʹ͋Θͤͨࣾ಺ϙϦγʔͷݟ௚͠

    • վળޮՌ

    • CTO ͕ରԠ͍ͯͨ͠ӡ༻ΛνʔϜͰͰ͖ΔΑ͏ʹͳͬͨ

    • 3.5ਓఔ౓Ͱ2ͭͷϓϩμΫτͷ PCI DSS ४ڌΛୡ੒

    View Slide

  15. ৽ϓϩμΫτ1PPMͷϦϦʔε
    • ϦϦʔεલʹϕʔεϥΠϯ͸੔͓͖͍͑ͯͨ

    • AWS ΍γεςϜશମͷઃఆͷϨϏϡʔ

    • PCI DSS ཁ݅ͷ४ڌʹؔΘΔઃఆͳͲͷϨϏϡʔ

    • όϯυϧΧʔυͰݟ͔ͭͬͨط஌ͷ੬ऑੑ౳ͷରԠ

    • վળޮՌ

    • ط஌ͷ੬ऑੑʹ͍ͭͯϦϦʔεલʹରࡦͰ͖ͨ

    • ϦϦʔε࣌ͷߏ੒Ͱ PCI DSS ͷ४ڌΛୡ੒

    View Slide

  16. ͜͜·Ͱͷঢ়گ
    • ϓϩμΫτηΩϡϦςΟͷϕʔεϥΠϯ͸੔͖ͬͯͨ

    • େ͖ͳ੍໿ͱͳΔ PCI DSS ͷӡ༻΍؂ࠪ΋νʔϜͰରԠͰ͖͍ͯΔ

    • ࠓޙ͸ࣗಈԽͷਪਐ΍৽ٕज़ͷಋೖɺ͞ΒͳΔϦεΫܰݮࡦͷ࣮૷ΛਐΊΔ

    • ηΩϡϦςΟΛιϑτ΢ΣΞͰ࣮૷͍ͯ͘͠ɺ৭ʑͱָ͘͠ͳΔϑΣʔζ

    View Slide

  17. ࠓޙ΍͍͖͍ͬͯͨ͜ͱ
    • EC2 ΛՄೳͳݶΓഇࢭͯ͠ίϯςφ΁Ҡߦ (ਐߦத)

    • ηΩϡΞͰͳ͍ Go ͳͲͷίʔυͷࣗಈݕ஌

    • ੬ऑੑ͓ΑͼαϓϥΠνΣʔϯؔ࿈ͷϞχλϦϯάͱͦͷରԠͷڧԽ

    • AWS ΍ GitHub ͳͲͷઃఆͷܧଓతͳݕূͱͦͷରԠͷࣗಈԽ

    • PCI DSS ͓ΑͼίϯϓϥΠΞϯεؔ࿈ӡ༻ͷࣗಈԽ

    • PCI DSS v4 ΁ͷ४ڌ

    View Slide

  18. Ұॹʹ΍Γ·ͤΜ͔ʂ
    https://team.kanmu.co.jp/

    View Slide

  19. Thanks!

    View Slide