サプライチェーン・セキュリティ Infra Study 2nd #4「セキュリティエンジニアリングの世界」

αϓϥΠνΣʔϯɾηΩϡϦςΟ 1 *OGSB4UVEZOEʮηΩϡϦςΟΤϯδχΞϦϯάͷੈքʯ

໊લླ໦ݚޗ !LFOTDBM ॴଐ -BZFS9גࣜձࣾ$50ࣨ ࡾҪ෺࢈σδλϧΞηοτɾϚωδϝϯτग़޲
དྷྺ ূ݊޲͚.BOBHFE4FDVSJUZ4FSWJDFɺՈܭ฽ɾΫϥ΢υձܭɺূ݊ձࣾ ݸਓͷ׆ಈ ಉਓʮ4FDVSFཱྀஂʯʹͯ1PEDBTUʮ4FDVSF-JBJTPOʯ΍ಉਓࢽ࡞੒ िץʮ๩͍͠ਓͷͨΊͷηΩϡϦςΟɾΠϯςϦδΣϯεʯൃߦ ॻ੶ 0`3FJMMZʮ;FSP5SVTU/FUXPSLʯ؂༁ ΠϯϓϨε3%ʮΞΠσϯςΟςΟ͸ͩΕͷ΋ͷʁ)ZQFSMFEHFS*OEZ"SJFTͰ࣮ݱ͢Δ෼ࢄΞΠσϯςΟςΟʯஶ࡞ ॴଐઌ঺հࣗݾ঺հ 2

Ϧετ Ϧετ Ϧετ Ϧετͷڧௐจࣈ Ϧετ
ݟग़͠ 3

ブロックチェーンの会社ではないです 4 IUUQTOPUFDPNGVLLZZOOGFECD

ݟग़͠ 5

ʮίϯςφ΍,VCFSOFUFTͱ͍ͬͨ͜Ε͔ΒͷΠϯϑ ϥج൫ٕज़ʹ͓͚Δ߈ܸྫͱରࡦʯ લճ ͷৼΓฦΓ 6 IUUQTTQFBLFSEFDLDPNNSUDJOIVSBKJQBOKJTIVGBMTFTFLJZVSJUFJUPLPSFLBSB

ʮίϯςφ΍,VCFSOFUFTͱ͍ͬͨ͜Ε͔ΒͷΠϯϑ ϥج൫ٕज़ʹ͓͚Δ߈ܸྫͱରࡦʯ લճ ͷৼΓฦΓ 7 IUUQTTQFBLFSEFDLDPNNSUDJOIVSBKJQBOKJTIVGBMTFTFLJZVSJUFJUPLPSFLBSB w ΨΠυϥΠϯ΍ࣗಈԽɾج൫ʹΑΔηΩϡϦςΟจԽͷৢ੒
w $0ʢ$PNNVOJDBUJPO $PNQMFUFOFTT $POUJOVPVTʣ w 5FTU%SJWFO4FDVSJUZ

৅௃తͳΠϯγσϯτ ΠϯγσϯτΛड͚ͨಈ޲ 1VCMJDTFDUPSͷಈ͖ 044ͷಈ͖ ϓϥοτϑΥʔϚʔͷಈ͖
ΞδΣϯμ 8

৅௃తͳΠϯγσϯτ 9

$PJODIFDL ະ਱ ౰ࣾར༻ͷυϝΠϯొ࿥αʔϏεʮ໊͓લDPNʯͰൃੜͨ͠ࣄ৅ʹ͍ͭͯ d4PMBS8JOET 'JSF&ZF 6OBVUIPSJ[FE"DDFTTPG'JSF&ZF3FE5FBN5PPMT
.JDSPTPGU .JDSPTPGU*OUFSOBM4PMPSJHBUF*OWFTUJHBUJPO6QEBUF ۜߦޱ࠲ܦ༝Ͱͷෆਖ਼ૹۚ ʢυίϞޱ࠲ɺΏ͏ͪΐۜߦʣۜߦͷޱ࠲ೝূಥഁ͔ΒͷΩϟογϡϨεࣄۀऀܦ༝ͷෆਖ਼ग़ۚ ʢΏ͏ͪΐۜߦɾࡾඛ6'+ۜߦɺ4#*ূ݊ʣূ݊ձࣾͷϢʔβʔೝূಥഁ͔Βͷۜߦޱ࠲ܦ༝ͷෆਖ਼ग़ۚ ,BTFZB 6QEBUFT3FHBSEJOH74"4FDVSJUZ*ODJEFOU -JRVJE ౰ࣾར༻ͷυϝΠϯొ࿥αʔϏεʹ͓͚Δෆਖ਼ΞΫηεʹ͍ͭͯʢୈೋใʣ (P%BEEZ (P%BEEZ&NQMPZFFT6TFEJO"UUBDLTPO.VMUJQMF$SZQUPDVSSFODZ4FSWJDFT ࡾඛύϫʔ ϚωʔδυɾαʔϏεɾϓϩόΠμΛܦ༝ͨ͠ୈࡾऀ͔Βͷෆਖ਼ΞΫηε -*/& Ϣʔβʔͷݸਓ৘ใʹؔ͢ΔҰ෦ใಓʹ͍ͭͯ $PEF$PW #BTI6QMPBEFS4FDVSJUZ6QEBUF 1)1 1)1SFQPTJUPSZNPWFEUP(JU)VCBGUFSNBMJDJPVTDPEFJOTFSUFEVOEFSDSFBUPS3BTNVT-FSEPSGTOBNF ถ࠷େڃͷੴ༉ύΠϓϥΠϯɺαΠόʔ߈ܸͰҰ࣌ఀࢭ ଜా੡࡞ॴ ଜా੡࡞ॴͷ࠶ҕୗઌ*#.தࠃ๏ਓࣾһɺۀ຿৘ใΛແஅ%-ˍΫϥ΢υ΁Ξοϓ Πϯγσϯτ 10

ଞ૊৫ͷαʔϏεʹ ӨڹΛٴ΅͢ 11

.JDSPTPGU .JDSPTPGU*OUFSOBM4PMPSJHBUF*OWFTUJHBUJPO6QEBUF ۜߦޱ࠲ܦ༝Ͱͷෆਖ਼ૹۚ ʢυίϞޱ࠲ɺΏ͏ͪΐۜߦʣۜߦͷޱ࠲ೝূಥഁ͔ΒͷΩϟογϡϨεࣄۀऀܦ༝ͷෆਖ਼ग़ۚ ʢΏ͏ͪΐۜߦɾࡾඛ6'+ۜߦɺ4#*ূ݊ʣূ݊ձࣾͷϢʔβʔೝূಥഁ͔Βͷۜߦޱ࠲ܦ༝ͷෆਖ਼ग़ۚ ,BTFZB 6QEBUFT3FHBSEJOH74"4FDVSJUZ*ODJEFOU (P%BEEZ (P%BEEZ&NQMPZFFT6TFEJO"UUBDLTPO.VMUJQMF$SZQUPDVSSFODZ4FSWJDFT -JRVJE ౰ࣾར༻ͷυϝΠϯొ࿥αʔϏεʹ͓͚Δෆਖ਼ΞΫηεʹ͍ͭͯʢୈೋใʣ ࡾඛύϫʔ ϚωʔδυɾαʔϏεɾϓϩόΠμΛܦ༝ͨ͠ୈࡾऀ͔Βͷෆਖ਼ΞΫηε -*/& Ϣʔβʔͷݸਓ৘ใʹؔ͢ΔҰ෦ใಓʹ͍ͭͯ $PEF$PW #BTI6QMPBEFS4FDVSJUZ6QEBUF 1)1 1)1SFQPTJUPSZNPWFEUP(JU)VCBGUFSNBMJDJPVTDPEFJOTFSUFEVOEFSDSFBUPS3BTNVT-FSEPSGTOBNF ถ࠷େڃͷੴ༉ύΠϓϥΠϯɺαΠόʔ߈ܸͰҰ࣌ఀࢭ ଜా੡࡞ॴ ଜా੡࡞ॴͷ࠶ҕୗઌ*#.தࠃ๏ਓࣾһɺۀ຿৘ใΛແஅ%-ˍΫϥ΢υ΁Ξοϓ Πϯγσϯτ 12 ϓϥοτϑΥʔϜʹର͢Δ৵֐͔Β ൃੜͨ͠αʔϏε΁ͷӨڹ

.JDSPTPGU .JDSPTPGU*OUFSOBM4PMPSJHBUF*OWFTUJHBUJPO6QEBUF ۜߦޱ࠲ܦ༝Ͱͷෆਖ਼ૹۚ ʢυίϞޱ࠲ɺΏ͏ͪΐۜߦʣۜߦͷޱ࠲ೝূಥഁ͔ΒͷΩϟογϡϨεࣄۀऀܦ༝ͷෆਖ਼ग़ۚ ʢΏ͏ͪΐۜߦɾࡾඛ6'+ۜߦɺ4#*ূ݊ʣূ݊ձࣾͷϢʔβʔೝূಥഁ͔Βͷۜߦޱ࠲ܦ༝ͷෆਖ਼ग़ۚ ,BTFZB 6QEBUFT3FHBSEJOH74"4FDVSJUZ*ODJEFOU -JRVJE ౰ࣾར༻ͷυϝΠϯొ࿥αʔϏεʹ͓͚Δෆਖ਼ΞΫηεʹ͍ͭͯʢୈೋใʣ (P%BEEZ (P%BEEZ&NQMPZFFT6TFEJO"UUBDLTPO.VMUJQMF$SZQUPDVSSFODZ4FSWJDFT ࡾඛύϫʔ ϚωʔδυɾαʔϏεɾϓϩόΠμΛܦ༝ͨ͠ୈࡾऀ͔Βͷෆਖ਼ΞΫηε -*/& Ϣʔβʔͷݸਓ৘ใʹؔ͢ΔҰ෦ใಓʹ͍ͭͯ $PEF$PW #BTI6QMPBEFS4FDVSJUZ6QEBUF 1)1 1)1SFQPTJUPSZNPWFEUP(JU)VCBGUFSNBMJDJPVTDPEFJOTFSUFEVOEFSDSFBUPS3BTNVT-FSEPSGTOBNF ถ࠷େڃͷੴ༉ύΠϓϥΠϯɺαΠόʔ߈ܸͰҰ࣌ఀࢭ ଜా੡࡞ॴ ଜా੡࡞ॴͷ࠶ҕୗઌ*#.தࠃ๏ਓࣾһɺۀ຿৘ใΛແஅ%-ˍΫϥ΢υ΁Ξοϓ Πϯγσϯτ 13 ؂ࢹͳͲͷඇػೳཁ͔݅Βൃੜͨ͠ αʔϏε΁ͷӨڹ

.JDSPTPGU .JDSPTPGU*OUFSOBM4PMPSJHBUF*OWFTUJHBUJPO6QEBUF ۜߦޱ࠲ܦ༝Ͱͷෆਖ਼ૹۚ ʢυίϞޱ࠲ɺΏ͏ͪΐۜߦʣۜߦͷޱ࠲ೝূಥഁ͔ΒͷΩϟογϡϨεࣄۀऀܦ༝ͷෆਖ਼ग़ۚ ʢΏ͏ͪΐۜߦɾࡾඛ6'+ۜߦɺ4#*ূ݊ʣূ݊ձࣾͷϢʔβʔೝূಥഁ͔Βͷۜߦޱ࠲ܦ༝ͷෆਖ਼ग़ۚ ,BTFZB 6QEBUFT3FHBSEJOH74"4FDVSJUZ*ODJEFOU -JRVJE ౰ࣾར༻ͷυϝΠϯొ࿥αʔϏεʹ͓͚Δෆਖ਼ΞΫηεʹ͍ͭͯʢୈೋใʣ (P%BEEZ (P%BEEZ&NQMPZFFT6TFEJO"UUBDLTPO.VMUJQMF$SZQUPDVSSFODZ4FSWJDFT ࡾඛύϫʔ ϚωʔδυɾαʔϏεɾϓϩόΠμΛܦ༝ͨ͠ୈࡾऀ͔Βͷෆਖ਼ΞΫηε -*/& Ϣʔβʔͷݸਓ৘ใʹؔ͢ΔҰ෦ใಓʹ͍ͭͯ $PEF$PW #BTI6QMPBEFS4FDVSJUZ6QEBUF 1)1 1)1SFQPTJUPSZNPWFEUP(JU)VCBGUFSNBMJDJPVTDPEFJOTFSUFEVOEFSDSFBUPS3BTNVT-FSEPSGTOBNF ถ࠷େڃͷੴ༉ύΠϓϥΠϯɺαΠόʔ߈ܸͰҰ࣌ఀࢭ ଜా੡࡞ॴ ଜా੡࡞ॴͷ࠶ҕୗઌ*#.தࠃ๏ਓࣾһɺۀ຿৘ใΛແஅ%-ˍΫϥ΢υ΁Ξοϓ Πϯγσϯτ 14 ৽͍͠αʔϏε͔Β چࣾձΠϯϑϥʢαʔϏεʣ΁ͷӨڹ

.JDSPTPGU .JDSPTPGU*OUFSOBM4PMPSJHBUF*OWFTUJHBUJPO6QEBUF ۜߦޱ࠲ܦ༝Ͱͷෆਖ਼ૹۚ ʢυίϞޱ࠲ɺΏ͏ͪΐۜߦʣۜߦͷޱ࠲ೝূಥഁ͔ΒͷΩϟογϡϨεࣄۀऀܦ༝ͷෆਖ਼ग़ۚ ʢΏ͏ͪΐۜߦɾࡾඛ6'+ۜߦɺ4#*ূ݊ʣূ݊ձࣾͷϢʔβʔೝূಥഁ͔Βͷۜߦޱ࠲ܦ༝ͷෆਖ਼ग़ۚ ,BTFZB 6QEBUFT3FHBSEJOH74"4FDVSJUZ*ODJEFOU -JRVJE ౰ࣾར༻ͷυϝΠϯొ࿥αʔϏεʹ͓͚Δෆਖ਼ΞΫηεʹ͍ͭͯʢୈೋใʣ (P%BEEZ (P%BEEZ&NQMPZFFT6TFEJO"UUBDLTPO.VMUJQMF$SZQUPDVSSFODZ4FSWJDFT ࡾඛύϫʔ ϚωʔδυɾαʔϏεɾϓϩόΠμΛܦ༝ͨ͠ୈࡾऀ͔Βͷෆਖ਼ΞΫηε -*/& Ϣʔβʔͷݸਓ৘ใʹؔ͢ΔҰ෦ใಓʹ͍ͭͯ $PEF$PW #BTI6QMPBEFS4FDVSJUZ6QEBUF 1)1 1)1SFQPTJUPSZNPWFEUP(JU)VCBGUFSNBMJDJPVTDPEFJOTFSUFEVOEFSDSFBUPS3BTNVT-FSEPSGTOBNF ถ࠷େڃͷੴ༉ύΠϓϥΠϯɺαΠόʔ߈ܸͰҰ࣌ఀࢭ ଜా੡࡞ॴ ଜా੡࡞ॴͷ࠶ҕୗઌ*#.தࠃ๏ਓࣾһɺۀ຿৘ใΛແஅ%-ˍΫϥ΢υ΁Ξοϓ Πϯγσϯτ 15 σϓϩΠલͷ։ൃஈ֊͔ΒͷӨڹ͕ ٙΘΕΔΠϯγσϯτ

.JDSPTPGU .JDSPTPGU*OUFSOBM4PMPSJHBUF*OWFTUJHBUJPO6QEBUF ۜߦޱ࠲ܦ༝Ͱͷෆਖ਼ૹۚ ʢυίϞޱ࠲ɺΏ͏ͪΐۜߦʣۜߦͷޱ࠲ೝূಥഁ͔ΒͷΩϟογϡϨεࣄۀऀܦ༝ͷෆਖ਼ग़ۚ ʢΏ͏ͪΐۜߦɾࡾඛ6'+ۜߦɺ4#*ূ݊ʣূ݊ձࣾͷϢʔβʔೝূಥഁ͔Βͷۜߦޱ࠲ܦ༝ͷෆਖ਼ग़ۚ ,BTFZB 6QEBUFT3FHBSEJOH74"4FDVSJUZ*ODJEFOU -JRVJE ౰ࣾར༻ͷυϝΠϯొ࿥αʔϏεʹ͓͚Δෆਖ਼ΞΫηεʹ͍ͭͯʢୈೋใʣ (P%BEEZ (P%BEEZ&NQMPZFFT6TFEJO"UUBDLTPO.VMUJQMF$SZQUPDVSSFODZ4FSWJDFT ࡾඛύϫʔ ϚωʔδυɾαʔϏεɾϓϩόΠμΛܦ༝ͨ͠ୈࡾऀ͔Βͷෆਖ਼ΞΫηε -*/& Ϣʔβʔͷݸਓ৘ใʹؔ͢ΔҰ෦ใಓʹ͍ͭͯ $PEF$PW #BTI6QMPBEFS4FDVSJUZ6QEBUF 1)1 1)1SFQPTJUPSZNPWFEUP(JU)VCBGUFSNBMJDJPVTDPEFJOTFSUFEVOEFSDSFBUPS3BTNVT-FSEPSGTOBNF ถ࠷େڃͷੴ༉ύΠϓϥΠϯɺαΠόʔ߈ܸͰҰ࣌ఀࢭ ଜా੡࡞ॴ ଜా੡࡞ॴͷ࠶ҕୗઌ*#.தࠃ๏ਓࣾһɺۀ຿৘ใΛແஅ%-ˍΫϥ΢υ΁Ξοϓ Πϯγσϯτ 16 ۀ຿ҕୗ͔Βͷ Өڹ

ΤϯυϢʔβʔ΁ͷՁ஋ఏڙ ΤϯυϢʔβʔ 17 αʔϏε

ΤϯυϢʔβʔ΁ͷՁ஋ఏڙ ΤϯυϢʔβʔ 18

lUIFMJOLFETFUPGSFTPVSDFTBOEQSPDFTTFT CFUXFFOBOEBNPOHNVMUJQMFMFWFMTPG FOUFSQSJTFT FBDIPGXIJDIJTBOBDRVJSFSUIBU CFHJOTXJUIUIFTPVSDJOHPGQSPEVDUTBOE TFSWJDFTBOEFYUFOETUISPVHIUIFJSMJGFDZDMF l 19 IUUQTOWMQVCTOJTUHPWOJTUQVCT4QFDJBM1VCMJDBUJPOT/*4541SESBGUQEG

lUIFMJOLFETFUPGSFTPVSDFTBOEQSPDFTTFT CFUXFFOBOEBNPOHNVMUJQMFMFWFMTPG FOUFSQSJTFT FBDIPGXIJDIJTBOBDRVJSFSUIBU CFHJOTXJUIUIFTPVSDJOHPGQSPEVDUTBOE TFSWJDFTBOEFYUFOETUISPVHIUIFJSMJGFDZDMF l 20 IUUQTOWMQVCTOJTUHPWOJTUQVCT4QFDJBM1VCMJDBUJPOT/*4541SESBGUQEG 4VQQMZ$IBJO

ݟग़͠ 21

"MFY#JSTBO %FQFOEFODZ$POGVTJPO)PX*)BDLFE*OUP"QQMF .JDSPTPGUBOE%P[FOTPG 0UIFS$PNQBOJFT !3ZPUB, .43$.PTU7BMVBCMF4FDVSJUZ3FTFBSDIFST
)PNFCSFXͷ$BTLϦϙδτϦΛհͨ͠೚ҙίʔυ࣮ߦ 3FNPUFDPEFFYFDVUJPOJODEOKTPG$MPVE fl BSF OQNͷ!UZQFTείʔϓʹ͓͚Δ೚ҙͷύοέʔδͷվ᜵ 1Z1*ʹ͓͚Δજࡏతͳ೚ҙίʔυ࣮ߦ !3,9 $&0'PVOEFSPG3JDFSDB4FDVSJUZ ͦ͏͍ͬͨ੬ऑੑʹ஫໨ͨ͠ઐ໳Ո 22 IUUQTUXJUUFSDPN3,9TUBUVT

"MFY#JSTBO %FQFOEFODZ$POGVTJPO)PX*)BDLFE*OUP"QQMF .JDSPTPGUBOE%P[FOTPG 0UIFS$PNQBOJFT !3ZPUB, .43$.PTU7BMVBCMF4FDVSJUZ3FTFBSDIFST
)PNFCSFXͷ$BTLϦϙδτϦΛհͨ͠೚ҙίʔυ࣮ߦ 3FNPUFDPEFFYFDVUJPOJODEOKTPG$MPVE fl BSF OQNͷ!UZQFTείʔϓʹ͓͚Δ೚ҙͷύοέʔδͷվ᜵ 1Z1*ʹ͓͚Δજࡏతͳ೚ҙίʔυ࣮ߦ !3,9 $&0'PVOEFSPG3JDFSDB4FDVSJUZ ͦ͏͍ͬͨ੬ऑੑʹ஫໨ͨ͠ઐ໳Ո 23 IUUQTUXJUUFSDPN3,9TUBUVT

1VCMJD4FDUPSͷಈ͖ 24

6OEFSTUBOEJOHUIFJODSFBTFJO4VQQMZ$IBJO4FDVSJUZ"UUBDLT 4VQQMZDIBJO߈ܸͷ෼ྨΛ੔ཧ 4VQQMJFSͱ$VTUPNFSΛఆٛ͠ɺͦΕʹର͢Δ߈ܸʢBUUBDLUFDIOJRVFTʣͱλʔ ήοτʢBTTFUTʣΛମܥԽ dʹ͔͚ΔͷΠϯγσϯτΛ্هͷମܥʹ౰ͯ͸Ίͯ෼ੳ
࠷ऴతͳλʔήοτΛ߈ܸͨ͠͸αϓϥΠϠʔͱͷ৴པνΣʔϯΛѱ༻ Πϯγσϯτͷ͸αϓϥΠϠʔͷίʔυΛૂͬͨ ࠷ऴతͳ໨తͷˋ͸σʔλ ߈ܸऀͷαϓϥΠϠʔଆͷ߈ܸख๏͸͸48ͷ੬ऑੑΛಥ͘΋ͷɻ͸ෆ໌ Ԥभ&/*4" 25

׭ຽؒͰͷڴҖ৘ใڞ༗ ׭ிܥ΁ͷαΠόʔηΩϡϦςΟඪ४ͷϞμϯԽ ιϑτ΢ΣΞαϓϥΠνΣʔϯηΩϡϦςΟͷڧԽ αΠόʔηΩϡϦςΟ4BGFUZ3FWJFX#PBSEͷઃཱ ΠϯγσϯτରԠͷͨΊͷඪ४ϓϨΠϒοΫͷ࡞੒
ௐࠪɾ؇࿨ೳྗͷ޲্ ถࠃେ౷ྖྩ &0 *NQSPWJOHUIF/BUJPOT$ZCFSTFDVSJUZ 26

׭ຽؒͰͷڴҖ৘ใڞ༗ ׭ிܥ΁ͷαΠόʔηΩϡϦςΟඪ४ͷϞμϯԽ ιϑτ΢ΣΞαϓϥΠνΣʔϯηΩϡϦςΟͷڧԽ αΠόʔηΩϡϦςΟ4BGFUZ3FWJFX#PBSEͷઃཱ ΠϯγσϯτରԠͷͨΊͷඪ४ϓϨΠϒοΫͷ࡞੒
ௐࠪɾ؇࿨ೳྗͷ޲্ ถࠃେ౷ྖྩ &0 *NQSPWJOHUIF/BUJPOT$ZCFSTFDVSJUZ 27 JNQSPWFUIFTFDVSJUZBOEJOUFHSJUZ PGUIFTPGUXBSFTVQQMZDIBJO

*NQSPWJOHUIF/BUJPOT$ZCFSTFDVSJUZ/*45`T 3FTQPOTJCJMJUJFTVOEFSUIF&YFDVUJWF0SEFS ιϑτ΢ΣΞηΩϡϦςΟධՁͷΫϥΠςϦΞ ։ൃऀ΍αϓϥΠϠʔͷηΩϡϦςΟධՁͷΫϥΠςϦΞ ηΩϡϦςΟϓϥΫςΟε΁ͷ४ڌঢ়ଶΛܭଌ ʢEFNPOTUSBUFʣ͢Δπʔϧɾख๏
&0ʹج͍ͮͨಈ͖ᶃ 28

(VJEFMJOFTPO.JOJNVN4UBOEBSETGPS%FWFMPQFS 7FSJ fi DBUJPOPG4PGUXBSF ։ൃͨ͠ιϑτΣΞͷ7FSJ fi DBUJPO ݕূ
ͷͨΊͷϛχ ϚϜඪ४ ڴҖϞσϦϯάɺࣗಈςετɺ4"45ɺ%"45ɺύοέʔ δνΣοΫΛؚΉ &0ʹج͍ͮͨಈ͖ᶄ 29

044ͷಈ͖ 30

ઃཱ ڞ௨ળͰ͋ΓɺϞμϯͳ48͓ΑͼΫϦςΟ ΧϧΠϯϑϥͷجૅͰ͋Δ044ͷηΩϡϦ ςΟΛଟํ໘తʹ֬อ͢Δ͜ͱ͕໨త 4VQQMZ$IBJOͦͷ΋ͷΑΓ΋044։ൃͦ ͷ΋ͷͷ҆શੑΛ޲্ͤ͞Δ΋ͷʹݟ͑Δ 0QFO4PVSDF4FDVSJUZ'PVOEBUJPO
31

*EFOUJGZJOH4FDVSJUZ5ISFBUT 4FDVSJUZ5PPMJOH #FTU1SBDUJDFT 7VMOFSBCJMJUZ%JTDMPTVSFT %JHJUBM*EFOUJUZ"UUFTUBUJPO
4FDVSJOH$SJUJDBM1SPKFDUT 0QFO4PVSDF4FDVSJUZ'PVOEBUJPO8(T 32

*EFOUJGZJOH4FDVSJUZ5ISFBUT 33 IUUQTHJUIVCDPNPTTGXHJEFOUJGZJOHTFDVSJUZUISFBUTCMPCNBJO QVCMJDBUJPOTUISFBUTSJTLTNJUJHBUJPOTW4PVSDF&DPTZTUFN WQEG 044ʹؔ͢ΔηΩϡϦςΟϦε ΫͷڴҖͱ؇࿨ࡦ 044ΤίγεςϜͷ֤ཁૉͱཁ
ૉؒͷؔ܎Λ։ൃϑΣʔζʹ෼ ྨͨ͠ڴҖϞσϦϯά

4DPSFDBSE 1PMJDZ "MMTUBSʢ&OGPSDFSʣ$SJUJDBMJUZ4DPSF 34 5ISFBU.PEFM΁ͷηΩϡϦςΟରࡦνΣοΫ ࣗಈతͳ෼ੳͱ෼ੳ݁Ռͷ৴པੑΛείΞϦϯά 4DPSFDBSET
4DPSFDBSETͷ݁Ռ͔Β0SH಺ͷϦϙδτϦʹରͯ͠JTTVF fi Yͳ ͲͷΞΫγϣϯΛ࣮ߦ͢Δʢ"MMTUBS $SJUJDBMMZ4DPSF͸ɺίϛοτස౓ͳͲͷύϥϝλ͔ΒӨڹ౓ͱॏ ཁੑΛ਺஋Խ͠ɺϓϩδΣΫτ͕Ͳͷఔ౓$SJUJDBM͔ΛείΞ෇͢ Δ ͜ΕʹΑΓɺηΩϡϦςΟରࡦͷ༏ઌ౓Λ෇͚ΒΕΔΑ͏ʹͳΔ IUUQTHJUIVCDPNPTTGTDPSFDBSE

4FDVSJUZ.FUSJDT %BTICPBSE 35 IUUQTHJUIVCDPNPTTG1SPKFDU4FDVSJUZ.FUSJDT

4VQQMZDIBJO-FWFMTGPS4PGUXBSF"SUJGBDUT 36 IUUQTTMTBEFW Ϗϧυ͞ΕͨαϓϥΠνΣʔϯ಺ͷ 48ΞʔςΟϑΝΫτʢྫόΠφϦʣ ͕ͲΕ͚͔ͩ֬ͳ΋ͷ͔ʢ׬શੑ͕୲ อ͞Ε͍ͯΔ͔ʣΛࣔ͢੒ख़౓Ϟσϧ

37 { "_type": "https://in-toto.io/Statement/v0.1" , "subject": [ { "name": "salsa.txt"
, "digest": { "sha256": "f8161d035cdf328c7bb124fce192cb90b603f34ca78d73e33b736b4f6bddf993" } }] , "predicateType": "https://in-toto.io/Provenance/v0.1" , "predicate": { "builder": { "id": "https://github.com/slsa-framework/github-actions-demo/Attestations/GitHubHostedActions@v1"} , "metadata": { "buildInvocationId": "https://github.com/slsa-framework/github-actions-demo/actions/runs/940567173" , "completeness": { "arguments": true , "environment": false , "materials": false } , "reproducible": false , "buildFinishedOn": "2021-06-15T20:04:10Z" } , "recipe": { "type": "https://github.com/Attestations/GitHubActionsWork fl ow@v1" , "de fi nedInMaterial": 0 , "entryPoint": "Create a sample provenance" , "arguments": { "foo": "baz" } , "environment": null } , "materials": [ { "uri": "git+https://github.com/slsa-framework/github-actions-demo" , "digest": { "sha1": "494b4d52182de3baedf592c4ac1dc597f0bd93b0"

1SPGFTTJPOBM$FSUJ fi DBUFJO4FDVSF4PGUXBSF %FWFMPQNFOU'VOEBNFOUBMT 08"414FDVSJUZ,OPXMFEHF'SBNFXPSL &EVDBUJPO5SBJOJOH 38

αϓϥΠνΣʔϯʹ͔ܽͤͳ͍֤छॺ໊ٕज़Λఏڙ͢ΔϓϩδΣΫτ ॺ໊ͦͷ΋ͷ͸༰қ͚ͩͲɺπʔϧ͸Ξοϓϩʔυઌຖʹόϥόϥɻ ࢖͍ʹ͍͘΋ͷ΋ଟ͍ IUUQTEPDTHPPHMFDPNQSFTFOUBUJPOE 9PTQ''EH3@W"&;"*9WVDJ(4KG*7[K;K0P3Z@P 5PPMT
$PTJHOίϯςφΠϝʔδॺ໊ɾݕূɾอଘ GVMDJP0*%$ϕʔεͷϝΞυʹূ໌ॻΛൃߦ͢Δ3PPU$" 3PPUTJHOJOHϧʔτ伴ͷੜ੒ͱ56'ϝλσʔλͷॺ໊ 3FLUPSॺ໊͓Αͼ伴ͷUSBOTQBSFODZMPHͷݕূɾอଘ 4JHTUPSF OPU044' 39

ϓϥοτϑΥʔϚʔͷಈ͖ 40

Ϣʔεέʔε ױऀͷσʔλΛෳ਺ͷΫϦχοΫɾපӃ͔ΒूΊͯ෼ੳ͢ΔαʔϏε ূ݊΍ۜߦͷऔҾ͕൓ࣾձ੎ྗ΍".-ʹؔΘͬͯͳ͍͔νΣοΫ͢Δ αʔϏε ެӹੑ͕ߴ͍ͱ͸͍͑ɺͱͯ΋4FOTJUJWF
ͦͷࣄۀऀ͸Ռͨͯ͠৴པͰ͖Δͷ͔ʁ γεςϜۀ຿ҕୗઌͰ͋ΔΫϥ΢υࣄۀऀ͕ݖݶΛߦ࢖͢Δ͜ͱ͸ຊ౰ ʹͳ͍ͷ͔ʁ ϫʔΫϩʔυʹ͓͚Δ*OUFHSJUZ 41

$PO fi EFOUJBM$PNQVUJOH 42 ࣮ߦ͍ͯ͠ΔόΠφϦ͓Αͼ࣮ߦ؀ڥ͔Βࢉग़ͨ͠஋Λɺ࣮ࡍͷόΠ φϦΛর߹͢Δ͜ͱͰ͔֬ʢ5SVTUʣͰ͖Δʢ؂ࠪੑʣ ಉ࣌ʹϝϞϦ$16͕௨ৗͷ04͔Βִ཭͞Ε͍ͯΔͨΊɺΫϥ΢υࣄ ۀऀͳͲ͔Βσʔλ͕ൿಗ͞ΕΔʢൿಗੑʣ
ྫ *OUFM4(9 "[VSF ($1 "-JCBCB "84/JUSP&ODMBWF .JDSPT 1MVUPO (PPHMF5JUBO -BZFS9"OPOJGZ

Ͳ͏͜ΕΒΛج൫ͱͯ͠ ఆண͍͔ͤͯ͘͞ 43

ݟग़͠ 44

ΨΠυϥΠϯ΍ࣗಈԽɾج൫ʹΑΔηΩϡϦςΟจԽͷৢ੒ $0ʢ$PNNVOJDBUJPO $PNQMFUFOFTT ɹ$POUJOVPVTʣ 5FTU%SJWFO4FDVSJUZ ࠓޙ 45

46 ࠾༻͸ͪ͜Β IUUQTIFSQDBSFFSTWMBZFSY ΧδϡΞϧ໘ஊ͸ͪ͜Β IUUQTNFFUZOFUBSUJDMFTUXXKK

47 IUUQTNFFUZOFUNBUDIFTK"C ff [W-RK/B IUUQTIFSQDBSFFSTWMBZFSYZSR)(513Y

5IBOLZPV 48

サプライチェーン・セキュリティ Infra Study 2nd #4「セキュリティエンジニアリ...

サプライチェーン・セキュリティ Infra Study 2nd #4「セキュリティエンジニアリングの世界」

More Decks by Kengo Suzuki

Other Decks in Technology

Featured

Transcript