Upgrade to Pro — share decks privately, control downloads, hide ads and more …

カンムにおけるプロダクトセキュリティのこれまでとこれから

Avatar for Moto Ishizawa Moto Ishizawa
September 30, 2022
Technology
1
3k

 カンムにおけるプロダクトセキュリティのこれまでとこれから

Avatar for Moto Ishizawa

Moto Ishizawa

September 30, 2022
Tweet

More Decks by Moto Ishizawa

See All by Moto Ishizawa
LLM エージェントを使った実験
Avatar for Moto Ishizawa summerwind
0
1.3k
Sharing test cases of internet protocols with Go and OCI Artifacts
Avatar for Moto Ishizawa summerwind
0
1.2k
Using Thanos as a long-term storage for your Prometheus metrics
Avatar for Moto Ishizawa summerwind
1
13k
Using Kubernetes as a datastore for SPIRE
Avatar for Moto Ishizawa summerwind
1
1.2k
Whitebox Controller
Avatar for Moto Ishizawa summerwind
5
1.8k
Managing Kubernetes manifests with Spruce
Avatar for Moto Ishizawa summerwind
2
4.4k
Understanding HTTP/2 prioritization
Avatar for Moto Ishizawa summerwind
16
6.4k
HTTP/2 Deep Dive: Priority & Server Push
Avatar for Moto Ishizawa summerwind
17
3.6k
HTTP/2 Server Push Considered Harmful
Avatar for Moto Ishizawa summerwind
1
2.2k

Other Decks in Technology

See All in Technology
変化するコーディングエージェントとの現実的な付き合い方 〜Cursor安定択説と、ツールに依存しない「資産」〜
Avatar for empitsu empitsu
4
1.3k
SREが向き合う大規模リアーキテクチャ 〜信頼性とアジリティの両立〜
Avatar for Kuniaki Moriya zepprix
0
410
AWS Network Firewall Proxyを触ってみた
Avatar for nagisa_53 nagisa53
0
150
生成AI時代にこそ求められるSRE / SRE for Gen AI era
Avatar for ymotongpoo ymotongpoo
5
2.8k
Context Engineeringが企業で不可欠になる理由
Avatar for Hirosato Gamo hirosatogamo
PRO
3
440
Contract One Engineering Unit 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
0
13k
Data Hubグループ 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
0
2.7k
外部キー制約の知っておいて欲しいこと - RDBMSを正しく使うために必要なこと / FOREIGN KEY Night
Avatar for soudai sone soudai
PRO
12
4.9k
GitHub Issue Templates + Coding Agentで簡単みんなでIaC/Easy IaC for Everyone with GitHub Issue Templates + Coding Agent
Avatar for AEON aeonpeople
1
190
Introduction to Sansan for Engineers / エンジニア向け会社紹介
Avatar for Sansan, Inc. sansan33
PRO
6
68k
コスト削減から「セキュリティと利便性」を担うプラットフォームへ
Avatar for SansanTech sansantech
PRO
3
1.3k
SREのプラクティスを用いた3領域同時 マネジメントへの挑戦 〜SRE・情シス・セキュリティを統合した チーム運営術〜
Avatar for coconala_engineer coconala_engineer
2
610

Featured

See All Featured
Unsuck your backbone
Avatar for Amy Palamountain ammeep
671
58k
Discover your Explorer Soul
Avatar for Emna emna__ayadi
2
1.1k
The Cost Of JavaScript in 2023
Avatar for Addy Osmani addyosmani
55
9.5k
Building a Modern Day 
E-commerce SEO Strategy
Avatar for Aleyda Solis aleyda
45
8.6k
Principles of Awesome APIs and How to Build Them.
Avatar for Keavy McMinn keavy
128
17k
Exploring anti-patterns in Rails
Avatar for Elle Meredith aemeredith
2
250
Music & Morning Musume
Avatar for Bryan Veloso bryan
47
7.1k
Design of three-dimensional binary manipulators for pick-and-place task avoiding obstacles (IECON2024)
Avatar for konakalab konakalab
0
350
Build your cross-platform service in a week with App Engine
Avatar for Jose L jlugia
234
18k
GraphQLとの向き合い方2022年版
Avatar for Yosuke Kurami quramy
50
14k
Build The Right Thing And Hit Your Dates
Avatar for Maggie C. maggiecrowley
38
3k
The Curse of the Amulet
Avatar for Matthew Lei leimatthew05
1
8.3k

Transcript

  1. ΧϯϜʹ͓͚Δ ϓϩμΫτηΩϡϦςΟͷ ͜Ε·Ͱͱ͜Ε͔Β -BZFS9ͱ,BONV'JO5FDIελʔτΞοϓηΩϡϦςΟࣄ৘ 

  2. Moto Ishizawa Software Engineer, Kanmu, Inc.

  3. None

  4. ϓϩμΫτηΩϡϦςΟʜ 🤔 AWS API Go Python γεςϜߏ੒ ੬ऑੑ؅ཧ WAF Logging

    PCI DSS GitHub ݖݶ؅ཧ IAM VPC PKI TLS มߋ؅ཧ Monitoring σϓϩΠ ίϯςφ Linux Django

  5. ϓϩμΫτηΩϡϦςΟʜ 🤔 AWS API Go Python γεςϜߏ੒ ੬ऑੑ؅ཧ WAF Logging

    PCI DSS GitHub ݖݶ؅ཧ IAM VPC PKI TLS มߋ؅ཧ Monitoring σϓϩΠ ίϯςφ Linux Django

  6. ౰ॳͷঢ়گ • ϓϩμΫτ͸ʮόϯυϧΧʔυʯͷΈ • ܾࡁͷ࢓૊ΈΛఏڙ͍ͯ͠ΔͨΊɺηΩϡϦςΟ͸࠷΋ॏཁͳཁૉ • όοΫΤϯυΤϯδχΞ͸ CTO ΛؚΊͯ4ਓ •

    ϓϩμΫτηΩϡϦςΟͷྖҬ͸ओʹ CTO ͕୲౰ • ࠷ॳͷΠϯϑϥઐ೚ΤϯδχΞͱͯ͠ೖࣾ • AWS Կ΋Θ͔ΒΜϚϯ

  7. ͻͱ·ͣͷઓུ • ϓϩμΫτ։ൃʹࢀՃͯ͠γεςϜͷมߋϑϩʔΛ೺Ѳ͢Δ • AWS ͳͲͷΫϥ΢υαʔϏεͷ؅ཧऀݖݶΛ΋Β͍ར༻ঢ়گΛ೺Ѳ͢Δ • ։ൃ΍ӡ༻ʹؔΘΔ֤छαʔϏεͷݖݶ؅ཧͷঢ়گΛ೺Ѳ͢Δ • ηΩϡϦςΟ໘Ͱͷ੍໿Λ೺Ѳ͢Δ

  8. ݟ͖͑ͯͨ՝୊΍ϦεΫ • ຀Վతͳ AWS ͷ؅ཧ • ͍͋·͍ͳݖݶ؅ཧ΍มߋ؅ཧͷϓϩηε • ։ൃ࣌ظʹΑΓҟͳΔγεςϜߏ੒ •

    PCI DSS ʹΑΔ੍໿ͱଐਓతͳͦͷӡ༻ • Կ͔ى͖ͯ΋ؾ෇͚ͳ͍ɾௐࠪͰ͖ͳ͍ྖҬ͕͋Δ • ͳͲͳͲ…

  9. 1$*%44ͱ͸ • Payment Card Industry (PCI) ͱ͍͏ΫϨδοτΧʔυͷۀքஂମ͕ࡦఆͯ͠ ͍Δ Data Security

    Standard (DSS) ͱ͍͏ඪ४ͷ͜ͱ • Χʔυ৘ใΛద੾ʹ؅ཧ͢ΔͨΊͷηΩϡϦςΟج४͕ఆٛ͞Ε͍ͯΔ • ΧϯϜ͸ΫϨδοτΧʔυΛൃߦ͢Δཱ৔ͱͯ͠४ڌ͕ٻΊΒΕ͍ͯΔ • υΩϡϝϯτ͸ެࣜαΠτ͔Β୭Ͱ΋μ΢ϯϩʔυͰ͖Δ • https://www.pcisecuritystandards.org/document_library/

  10. վળํ਑ʮϕʔεϥΠϯΛ੔͑Δʯ • ઃఆͷ౷Ұ΍ΨόφϯεͷڧԽ • ϚωʔδυαʔϏεΛ׆༻ͨ͠γεςϜߏ੒ͷ੔ཧ • Կ͔͕ى͖ͯ΋ͦΕʹؾ͖ͮɺௐࠪͰ͖ΔΑ͏ʹ͢Δ (؂ࠪੑͷ޲্) • ࠷খݖݶͷݪଇʹै͏

    • CTO ʹλεΫ͕ूத͢Δঢ়ଶ͔Βͷ୤٫ • ։ൃऀͷମݧ΋Ұॹʹվળ͢Δ

  11. "84ͷվળྫ • ϕετϓϥΫςΟεʹجͮ͘ઃఆͷಋೖ • AWS Organization ͱ AWS SSO (AWS

    IAM Identity Center) ͷಋೖ • CloudTrail ͱ AWS Con fi g ͷ༗ޮԽͱϩάઐ༻ΞΧ΢ϯτͰͷҰݩ؅ཧ • GuardDuty ͱ Security Hub ͷಋೖ • վળޮՌ • ਺ଟ͘ଘࡏ͍ͯͨ͠ IAM User Λ׬શʹഇࢭ • SSO ʹΑΓෳ਺ͷ AWS ΞΧ΢ϯτ΁ͷϩάΠϯ͕༰қʹ • Կ͔ҟৗ͕͋ͬͯ΋ͦΕʹؾ͍ͮͯௐ͕ࠪͰ͖Δঢ়ଶʹ

  12. (JU)VCͷվળྫ • ϕετϓϥΫςΟεʹجͮ͘ઃఆͷಋೖ • ݖݶͷ୨Է͠ͱ Team ΍ Permission ͷ੔උ •

    CODEOWNERS ΍ Branch Protection ͷઃఆ • ࣗಈΞαΠϯ΍ Slack ௨஌ͷ༗ޮԽ • վળޮՌ • ѱҙͷ͋Δมߋ΍վ͟ΜΛ࠷௿ݶ๷ࢭ • มߋݖݶΛ࣋ͭਓͷ໌֬Խ • Slack Ͱ౎౓΍ΓͱΓ͍ͯͨ͠ϨϏϡʔґཔͷࣗಈԽ

  13. γεςϜߏ੒ͷվળྫ • ϚωʔδυαʔϏε΁ͷஔ͖׵͑΍ΞΫηε੍ޚͷݟ௚͠Λ࣮ࢪ • Session Manager Λಋೖ͠ɺ2िؒʹ1ճ͙Β͍յΕΔ LDAP Λൃഁղମ •

    Cloud One Λಋೖ͠ɺಠࣗӡ༻͍ͯͨ͠ OSSEC Λൃഁղମ • վળޮՌ • ӡ༻ෛՙͷܰݮ • ϞχλϦϯά͓Αͼ؂ࠪੑͷ޲্ • SSO ʹΑΓ EC2 Πϯελϯε΁ͷΞΫηε͕༰қʹ

  14. 1$*%44ؔ࿈ͷվળྫ • ཁ݅ͷཧղͱӡ༻໘ͷ੔උ • ؂ࠪʹରԠ͢ΔϝϯόʔͰશ12ཁ݅ͷಡΈ߹ΘͤձΛ࣮ࢪ • ఆظతʹඞཁͳӡ༻λεΫΛચ͍ग़͠ͱͦͷλεΫͷ࣮ࢪ • ཁ݅ͱ࣮ࡍͷγεςϜʹ͋Θͤͨࣾ಺ϙϦγʔͷݟ௚͠ •

    վળޮՌ • CTO ͕ରԠ͍ͯͨ͠ӡ༻ΛνʔϜͰͰ͖ΔΑ͏ʹͳͬͨ • 3.5ਓఔ౓Ͱ2ͭͷϓϩμΫτͷ PCI DSS ४ڌΛୡ੒

  15. ৽ϓϩμΫτ1PPMͷϦϦʔε • ϦϦʔεલʹϕʔεϥΠϯ͸੔͓͖͍͑ͯͨ • AWS ΍γεςϜશମͷઃఆͷϨϏϡʔ • PCI DSS ཁ݅ͷ४ڌʹؔΘΔઃఆͳͲͷϨϏϡʔ

    • όϯυϧΧʔυͰݟ͔ͭͬͨط஌ͷ੬ऑੑ౳ͷରԠ • վળޮՌ • ط஌ͷ੬ऑੑʹ͍ͭͯϦϦʔεલʹରࡦͰ͖ͨ • ϦϦʔε࣌ͷߏ੒Ͱ PCI DSS ͷ४ڌΛୡ੒

  16. ͜͜·Ͱͷঢ়گ • ϓϩμΫτηΩϡϦςΟͷϕʔεϥΠϯ͸੔͖ͬͯͨ • େ͖ͳ੍໿ͱͳΔ PCI DSS ͷӡ༻΍؂ࠪ΋νʔϜͰରԠͰ͖͍ͯΔ • ࠓޙ͸ࣗಈԽͷਪਐ΍৽ٕज़ͷಋೖɺ͞ΒͳΔϦεΫܰݮࡦͷ࣮૷ΛਐΊΔ

    • ηΩϡϦςΟΛιϑτ΢ΣΞͰ࣮૷͍ͯ͘͠ɺ৭ʑͱָ͘͠ͳΔϑΣʔζ

  17. ࠓޙ΍͍͖͍ͬͯͨ͜ͱ • EC2 ΛՄೳͳݶΓഇࢭͯ͠ίϯςφ΁Ҡߦ (ਐߦத) • ηΩϡΞͰͳ͍ Go ͳͲͷίʔυͷࣗಈݕ஌ •

    ੬ऑੑ͓ΑͼαϓϥΠνΣʔϯؔ࿈ͷϞχλϦϯάͱͦͷରԠͷڧԽ • AWS ΍ GitHub ͳͲͷઃఆͷܧଓతͳݕূͱͦͷରԠͷࣗಈԽ • PCI DSS ͓ΑͼίϯϓϥΠΞϯεؔ࿈ӡ༻ͷࣗಈԽ • PCI DSS v4 ΁ͷ४ڌ

  18. Ұॹʹ΍Γ·ͤΜ͔ʂ https://team.kanmu.co.jp/

  19. Thanks!