Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
カンムにおけるプロダクトセキュリティのこれまでとこれから
Search
Moto Ishizawa
September 30, 2022
Technology
1
2.3k
カンムにおけるプロダクトセキュリティのこれまでとこれから
Moto Ishizawa
September 30, 2022
Tweet
Share
More Decks by Moto Ishizawa
See All by Moto Ishizawa
LLM エージェントを使った実験
summerwind
0
930
Sharing test cases of internet protocols with Go and OCI Artifacts
summerwind
0
790
Using Thanos as a long-term storage for your Prometheus metrics
summerwind
1
11k
Using Kubernetes as a datastore for SPIRE
summerwind
1
940
Whitebox Controller
summerwind
5
1.7k
Managing Kubernetes manifests with Spruce
summerwind
2
4k
Understanding HTTP/2 prioritization
summerwind
16
5.8k
HTTP/2 Deep Dive: Priority & Server Push
summerwind
17
3.2k
HTTP/2 Server Push Considered Harmful
summerwind
1
2k
Other Decks in Technology
See All in Technology
アクセシビリティを考慮したUI/CSSフレームワーク・ライブラリ選定
yajihum
0
190
長期間TiDBを使ってきた話 @ 私たちはなぜNewSQLを使うのかTiDB選定5社が語る選定理由と活用LT / Experiences with TiDB Over Time
chibiegg
2
720
反実仮想機械学習とは何か
usaito
PRO
7
2.3k
ここが嬉しいABAC ここが辛いよABAC #再解説+補足編
masahirokawahara
0
220
強みを伸ばすキャリアデザイン
yug1224
0
200
Databricks:『生成AI World Cup』のご案内
databricksjapan
2
150
Data and AI Governance: Existing Challenges and Emerging Trends
scotthsieh825
0
160
Tableau事例紹介 / Tableau Case Study of Eureka
kazuya_araki_tokyo
1
170
最近たまに見かけるTiDBってなんだ? - Findy
pingcap0315
2
610
SREとその組織類型
tatsuo48
8
1.5k
「共通基盤」を超えよ! 今、Platform Engineeringに取り組むべき理由
jacopen
25
5.9k
The CloudCompare project by Dr. Daniel Girardeau-Montaut
kentaitakura
0
510
Featured
See All Featured
Why You Should Never Use an ORM
jnunemaker
PRO
50
8.6k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
154
14k
GraphQLとの向き合い方2022年版
quramy
31
12k
Gamification - CAS2011
davidbonilla
76
4.6k
BBQ
matthewcrist
80
8.7k
Designing with Data
zakiwarfel
95
4.8k
How STYLIGHT went responsive
nonsquared
92
4.8k
The Straight Up "How To Draw Better" Workshop
denniskardys
227
130k
Art, The Web, and Tiny UX
lynnandtonic
288
19k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
273
13k
Mobile First: as difficult as doing things right
swwweet
216
8.6k
Side Projects
sachag
451
41k
Transcript
ΧϯϜʹ͓͚Δ ϓϩμΫτηΩϡϦςΟͷ ͜Ε·Ͱͱ͜Ε͔Β -BZFS9ͱ,BONV'JO5FDIελʔτΞοϓηΩϡϦςΟࣄ
Moto Ishizawa Software Engineer, Kanmu, Inc.
None
ϓϩμΫτηΩϡϦςΟʜ 🤔 AWS API Go Python γεςϜߏ ੬ऑੑཧ WAF Logging
PCI DSS GitHub ݖݶཧ IAM VPC PKI TLS มߋཧ Monitoring σϓϩΠ ίϯςφ Linux Django
ϓϩμΫτηΩϡϦςΟʜ 🤔 AWS API Go Python γεςϜߏ ੬ऑੑཧ WAF Logging
PCI DSS GitHub ݖݶཧ IAM VPC PKI TLS มߋཧ Monitoring σϓϩΠ ίϯςφ Linux Django
ॳͷঢ়گ • ϓϩμΫτʮόϯυϧΧʔυʯͷΈ • ܾࡁͷΈΛఏڙ͍ͯ͠ΔͨΊɺηΩϡϦςΟ࠷ॏཁͳཁૉ • όοΫΤϯυΤϯδχΞ CTO ΛؚΊͯ4ਓ •
ϓϩμΫτηΩϡϦςΟͷྖҬओʹ CTO ͕୲ • ࠷ॳͷΠϯϑϥઐΤϯδχΞͱͯ͠ೖࣾ • AWS ԿΘ͔ΒΜϚϯ
ͻͱ·ͣͷઓུ • ϓϩμΫτ։ൃʹࢀՃͯ͠γεςϜͷมߋϑϩʔΛѲ͢Δ • AWS ͳͲͷΫϥυαʔϏεͷཧऀݖݶΛΒ͍ར༻ঢ়گΛѲ͢Δ • ։ൃӡ༻ʹؔΘΔ֤छαʔϏεͷݖݶཧͷঢ়گΛѲ͢Δ • ηΩϡϦςΟ໘Ͱͷ੍ΛѲ͢Δ
ݟ͖͑ͯͨ՝ϦεΫ • Վతͳ AWS ͷཧ • ͍͋·͍ͳݖݶཧมߋཧͷϓϩηε • ։ൃ࣌ظʹΑΓҟͳΔγεςϜߏ •
PCI DSS ʹΑΔ੍ͱଐਓతͳͦͷӡ༻ • Կ͔ى͖ͯؾ͚ͳ͍ɾௐࠪͰ͖ͳ͍ྖҬ͕͋Δ • ͳͲͳͲ…
1$*%44ͱ • Payment Card Industry (PCI) ͱ͍͏ΫϨδοτΧʔυͷۀքஂମ͕ࡦఆͯ͠ ͍Δ Data Security
Standard (DSS) ͱ͍͏ඪ४ͷ͜ͱ • ΧʔυใΛదʹཧ͢ΔͨΊͷηΩϡϦςΟج४͕ఆٛ͞Ε͍ͯΔ • ΧϯϜΫϨδοτΧʔυΛൃߦ͢Δཱͱͯ͠४ڌ͕ٻΊΒΕ͍ͯΔ • υΩϡϝϯτެࣜαΠτ͔Β୭ͰμϯϩʔυͰ͖Δ • https://www.pcisecuritystandards.org/document_library/
վળํʮϕʔεϥΠϯΛ͑Δʯ • ઃఆͷ౷ҰΨόφϯεͷڧԽ • ϚωʔδυαʔϏεΛ׆༻ͨ͠γεςϜߏͷཧ • Կ͔͕ى͖ͯͦΕʹؾ͖ͮɺௐࠪͰ͖ΔΑ͏ʹ͢Δ (ࠪੑͷ্) • ࠷খݖݶͷݪଇʹै͏
• CTO ʹλεΫ͕ूத͢Δঢ়ଶ͔Βͷ٫ • ։ൃऀͷମݧҰॹʹվળ͢Δ
"84ͷվળྫ • ϕετϓϥΫςΟεʹجͮ͘ઃఆͷಋೖ • AWS Organization ͱ AWS SSO (AWS
IAM Identity Center) ͷಋೖ • CloudTrail ͱ AWS Con fi g ͷ༗ޮԽͱϩάઐ༻ΞΧϯτͰͷҰݩཧ • GuardDuty ͱ Security Hub ͷಋೖ • վળޮՌ • ଟ͘ଘࡏ͍ͯͨ͠ IAM User Λશʹഇࢭ • SSO ʹΑΓෳͷ AWS ΞΧϯτͷϩάΠϯ͕༰қʹ • Կ͔ҟৗ͕͋ͬͯͦΕʹؾ͍ͮͯௐ͕ࠪͰ͖Δঢ়ଶʹ
(JU)VCͷվળྫ • ϕετϓϥΫςΟεʹجͮ͘ઃఆͷಋೖ • ݖݶͷ୨Է͠ͱ Team Permission ͷඋ •
CODEOWNERS Branch Protection ͷઃఆ • ࣗಈΞαΠϯ Slack ௨ͷ༗ޮԽ • վળޮՌ • ѱҙͷ͋Δมߋվ͟ΜΛ࠷ݶࢭ • มߋݖݶΛ࣋ͭਓͷ໌֬Խ • Slack ͰΓͱΓ͍ͯͨ͠ϨϏϡʔґཔͷࣗಈԽ
γεςϜߏͷվળྫ • ϚωʔδυαʔϏεͷஔ͖͑ΞΫηε੍ޚͷݟ͠Λ࣮ࢪ • Session Manager Λಋೖ͠ɺ2िؒʹ1ճ͙Β͍յΕΔ LDAP Λൃഁղମ •
Cloud One Λಋೖ͠ɺಠࣗӡ༻͍ͯͨ͠ OSSEC Λൃഁղମ • վળޮՌ • ӡ༻ෛՙͷܰݮ • ϞχλϦϯά͓Αͼࠪੑͷ্ • SSO ʹΑΓ EC2 ΠϯελϯεͷΞΫηε͕༰қʹ
1$*%44ؔ࿈ͷվળྫ • ཁ݅ͷཧղͱӡ༻໘ͷඋ • ࠪʹରԠ͢ΔϝϯόʔͰશ12ཁ݅ͷಡΈ߹ΘͤձΛ࣮ࢪ • ఆظతʹඞཁͳӡ༻λεΫΛચ͍ग़͠ͱͦͷλεΫͷ࣮ࢪ • ཁ݅ͱ࣮ࡍͷγεςϜʹ͋ΘͤͨࣾϙϦγʔͷݟ͠ •
վળޮՌ • CTO ͕ରԠ͍ͯͨ͠ӡ༻ΛνʔϜͰͰ͖ΔΑ͏ʹͳͬͨ • 3.5ਓఔͰ2ͭͷϓϩμΫτͷ PCI DSS ४ڌΛୡ
৽ϓϩμΫτ1PPMͷϦϦʔε • ϦϦʔεલʹϕʔεϥΠϯ͓͖͍͑ͯͨ • AWS γεςϜશମͷઃఆͷϨϏϡʔ • PCI DSS ཁ݅ͷ४ڌʹؔΘΔઃఆͳͲͷϨϏϡʔ
• όϯυϧΧʔυͰݟ͔ͭͬͨطͷ੬ऑੑͷରԠ • վળޮՌ • طͷ੬ऑੑʹ͍ͭͯϦϦʔεલʹରࡦͰ͖ͨ • ϦϦʔε࣌ͷߏͰ PCI DSS ͷ४ڌΛୡ
͜͜·Ͱͷঢ়گ • ϓϩμΫτηΩϡϦςΟͷϕʔεϥΠϯ͖ͬͯͨ • େ͖ͳ੍ͱͳΔ PCI DSS ͷӡ༻ࠪνʔϜͰରԠͰ͖͍ͯΔ • ࠓޙࣗಈԽͷਪਐ৽ٕज़ͷಋೖɺ͞ΒͳΔϦεΫܰݮࡦͷ࣮ΛਐΊΔ
• ηΩϡϦςΟΛιϑτΣΞͰ࣮͍ͯ͘͠ɺ৭ʑͱָ͘͠ͳΔϑΣʔζ
ࠓޙ͍͖͍ͬͯͨ͜ͱ • EC2 ΛՄೳͳݶΓഇࢭͯ͠ίϯςφҠߦ (ਐߦத) • ηΩϡΞͰͳ͍ Go ͳͲͷίʔυͷࣗಈݕ •
੬ऑੑ͓ΑͼαϓϥΠνΣʔϯؔ࿈ͷϞχλϦϯάͱͦͷରԠͷڧԽ • AWS GitHub ͳͲͷઃఆͷܧଓతͳݕূͱͦͷରԠͷࣗಈԽ • PCI DSS ͓ΑͼίϯϓϥΠΞϯεؔ࿈ӡ༻ͷࣗಈԽ • PCI DSS v4 ͷ४ڌ
ҰॹʹΓ·ͤΜ͔ʂ https://team.kanmu.co.jp/
Thanks!