A comprehensive guide to shift-left security in DevOps, covering the principles, practices, benefits, challenges and implementation strategies for a secure software development life cycle (SDLC).
Security DevOps: Shifting Security Left for a Secure SDLC
In today's rapidly changing digital environment, organizations are under heavy pressure to deliver software faster and more frequently. This demand has driven the adoption of DevOps practices aimed at streamlining the software development life cycle (SDLC). Speed and agility, however, must not come at the expense of security. This is where security DevOps, often called DevSecOps, comes in. A core principle of DevSecOps is "shift-left security": rather than treating security as an afterthought, it integrates security practices into the early stages of the SDLC.
What Is Shift-Left Security?
Shift-left security is the practice of moving security activities such as vulnerability assessment, threat modeling and security testing to earlier stages of the development process. Instead of waiting to identify and fix security issues in the final stages of the SDLC, shift-left security aims to detect and resolve vulnerabilities during the design, coding and testing phases. This proactive approach reduces the cost and complexity of remediation while improving the overall security posture of the application.
Think of building a house. Traditional security is like inspecting the house only after it has been completely built; defects found at that stage are costly and time-consuming to fix and may require extensive rework. Shift-left security, by contrast, is like having an inspector check the foundation, framing and electrical wiring at each stage of construction, so that problems are caught and corrected early, before they grow into major ones.
Why Shift-Left Security Matters
There are several compelling reasons for organizations to adopt a shift-left security approach:
- Cost reduction: Identifying and fixing vulnerabilities early in the SDLC is significantly cheaper than fixing them in production. The later a vulnerability is discovered, the higher the cost of remediation, driven by factors such as the cost of code changes, testing and deployment. According to an IBM study, fixing a vulnerability in the design phase costs one-sixth of what it costs in the test phase and one-fifteenth of what it costs in production.
- Faster development cycles: By integrating security into the development process, shift-left security helps avoid the costly delays and rework caused by security issues found late. Development teams can deliver software faster and more frequently while maintaining a high level of security.
- Improved security posture: Shifting security left allows vulnerabilities to be identified and addressed early in the SDLC, reducing the likelihood of security breaches and data leaks. This proactive approach strengthens the security posture of both the application and the organization as a whole.
- Stronger collaboration: Shift-left security promotes collaboration between development, security and operations teams and fosters a sense of shared responsibility for security. This collaboration breaks down silos, improves communication and leads to more effective security practices.
- Regulatory compliance: Many industries are subject to strict security regulations such as GDPR, HIPAA and PCI DSS. By building security into applications from the start, shift-left security helps organizations meet these regulatory requirements.
Principles of Shift-Left Security
To implement shift-left security effectively, organizations should adhere to the following principles:
- Security as Code: Treat security configurations and policies as code, managed with version control, automation and continuous integration/continuous delivery (CI/CD) pipelines. This enables consistent, reproducible security practices.
- Automation: Automate security tasks such as vulnerability scanning, static code analysis and dynamic application security testing (DAST) to reduce manual effort and improve efficiency. Automation also helps ensure that security checks run consistently and frequently.
- Continuous feedback: Give developers continuous feedback on security issues so they can learn from mistakes and improve their coding practices. This can be achieved through automated security testing, security training and collaboration with security experts.
- Shared responsibility: Foster a culture of shared responsibility for security, in which everyone in the organization is responsible for protecting the application and its data. This requires training, awareness programs and clear communication channels.
- Risk-based approach: Prioritize security efforts based on risk, focusing on the most critical vulnerabilities and assets. This ensures that security resources are used effectively and that the most significant threats are addressed first.
Practices for Implementing Shift-Left Security
The following are practical measures organizations can put in place to shift security left:
1. Threat Modeling
Threat modeling is the process of identifying potential threats to an application and its data. It helps prioritize security efforts and pinpoint the most critical vulnerabilities. Threat modeling should be performed early in the SDLC, during the design phase, so that potential security risks are identified and mitigations are designed in.
Example: Consider an e-commerce application. A threat model might identify potential threats such as SQL injection, cross-site scripting (XSS) and denial-of-service (DoS) attacks. Based on these threats, the development team can implement security controls such as input validation, output encoding and rate limiting.
2. Static Application Security Testing (SAST)
SAST is a form of security testing that analyzes source code for vulnerabilities. SAST tools can identify common coding errors such as buffer overflows, SQL injection flaws and XSS vulnerabilities. SAST should run regularly throughout the development process, each time code is written and committed.
Example: A development team in India uses SonarQube, a SAST tool, to scan its Java code for vulnerabilities. SonarQube identifies several potential SQL injection flaws in the code, and the developers fix them before the code is deployed to production.
3. Dynamic Application Security Testing (DAST)
DAST is a form of security testing that analyzes a running application for vulnerabilities. DAST tools simulate real attacks to identify vulnerabilities such as authentication bypass, authorization flaws and information disclosure. DAST should run regularly throughout the development process, particularly after code changes.
Example: A security team in Germany uses OWASP ZAP, a DAST tool, to scan a web application for vulnerabilities. OWASP ZAP identifies a potential authentication bypass vulnerability, and the developers fix it before the application is released to the public.
4. Software Composition Analysis (SCA)
SCA is a form of security testing that analyzes the third-party components and libraries used in an application for vulnerabilities. SCA tools can identify known vulnerabilities and license compliance issues in these components. SCA should run regularly throughout the development process, each time a new component is added or updated.
Example: A development team in Brazil uses Snyk, an SCA tool, to scan its third-party libraries for vulnerabilities. Snyk identifies a known vulnerability in a popular JavaScript library, and the developers update the library to a patched version to address it.
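To make the SCA step concrete, here is an added example (not Snyk's code or the team's) that matches the versions pinned in a lockfile fragment against an advisory list and reports the minimum patched version to move to. The package names, affected ranges and advisory identifiers are constructed for the illustration and do not correspond to real advisories.

```python
"""Minimal SCA-style check: match locked dependency versions against a constructed
advisory list and report the first patched version for each affected package."""
from dataclasses import dataclass

@dataclass
class Advisory:
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first patched version (exclusive upper bound)
    severity: str
    ident: str

# Constructed advisories: names, ranges and identifiers are illustrative, not real.
ADVISORIES = [
    Advisory("example-http-parser", "1.0.0", "1.4.2", "high", "ADV-EXAMPLE-001"),
    Advisory("example-template", "2.0.0", "2.3.0", "medium", "ADV-EXAMPLE-002"),
]

def parse_version(v: str) -> tuple:
    # Compare dotted numeric versions component-wise (pre-release tags are not handled).
    return tuple(int(p) for p in v.split("."))

def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)

def scan_lockfile(lock: dict) -> list:
    """lock mirrors the 'packages' map of a package-lock.json (v2+): entries are keyed
    by 'node_modules/<name>' and carry a 'version'; the root project has the key ''."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]   # nested paths resolve to the leaf package
        for adv in ADVISORIES:
            if adv.package == name and is_affected(meta["version"], adv):
                findings.append({"package": name, "version": meta["version"],
                                 "advisory": adv.ident, "severity": adv.severity,
                                 "upgrade_to": adv.fixed})
    return findings

# Constructed lockfile fragment: one affected package, one already patched, one unrelated.
SAMPLE_LOCK = {"packages": {
    "": {"name": "shop-frontend", "version": "0.1.0"},
    "node_modules/example-http-parser": {"version": "1.3.0"},
    "node_modules/example-template": {"version": "2.3.1"},
    "node_modules/example-util": {"version": "0.9.0"},
}}

if __name__ == "__main__":
    for f in scan_lockfile(SAMPLE_LOCK):
        print(f"{f['severity'].upper()}: {f['package']}@{f['version']} "
              f"({f['advisory']}) -> upgrade to {f['upgrade_to']}")
```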
5. Infrastructure as Code (IaC) Scanning
IaC scanning analyzes infrastructure code (for example, Terraform or CloudFormation) to detect security misconfigurations and vulnerabilities. This ensures that the underlying infrastructure is provisioned and configured securely.
Example: A cloud infrastructure team in Singapore uses Checkov to scan the Terraform configuration of its AWS S3 buckets. Checkov identifies that some buckets are publicly accessible, and the team changes the configuration to make the buckets private, preventing unauthorized access to sensitive data.
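The following added example (not Checkov's code or its real rule set) shows what a policy check of this kind does: it reads a Terraform document in the JSON (.tf.json) syntax, flags an S3 bucket that is publicly readable or lacks a complete public access block, and confirms that the corrected configuration passes. Both documents are constructed for the illustration, and the check only covers the `aws_s3_bucket`, `aws_s3_bucket_acl` and `aws_s3_bucket_public_access_block` resource types.

```python
"""IaC policy check in the spirit of the Checkov example: flag publicly readable S3
buckets in a Terraform JSON (.tf.json) document and confirm that the corrected
configuration passes."""
import json

PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
PAB_FLAGS = ("block_public_acls", "block_public_policy",
             "ignore_public_acls", "restrict_public_buckets")

def check_s3(tf: dict) -> list:
    """Return one finding per violation; an empty list means the document passes."""
    res = tf.get("resource", {})
    acls = res.get("aws_s3_bucket_acl", {})
    pabs = res.get("aws_s3_bucket_public_access_block", {})
    findings = []
    for name, cfg in res.get("aws_s3_bucket", {}).items():
        ref = f"${{aws_s3_bucket.{name}.id}}"   # how other resources reference this bucket
        # Rule 1: no public canned ACL, whether inline (legacy 'acl') or via aws_s3_bucket_acl
        linked = [a.get("acl") for a in acls.values() if a.get("bucket") == ref]
        if cfg.get("acl") in PUBLIC_ACLS or any(a in PUBLIC_ACLS for a in linked):
            findings.append(f"{name}: public ACL configured")
        # Rule 2: a public access block must exist and enable all four protections
        block = next((p for p in pabs.values() if p.get("bucket") == ref), None)
        if block is None or not all(block.get(flag) is True for flag in PAB_FLAGS):
            findings.append(f"{name}: public access block missing or incomplete")
    return findings

# Constructed weak configuration: the kind of finding the scan in the example reports.
WEAK = json.loads("""{"resource": {
  "aws_s3_bucket": {"reports": {"bucket": "example-reports"}},
  "aws_s3_bucket_acl": {"reports": {"bucket": "${aws_s3_bucket.reports.id}", "acl": "public-read"}}
}}""")

# Corrected configuration: private ACL plus a complete public access block.
FIXED = json.loads("""{"resource": {
  "aws_s3_bucket": {"reports": {"bucket": "example-reports"}},
  "aws_s3_bucket_acl": {"reports": {"bucket": "${aws_s3_bucket.reports.id}", "acl": "private"}},
  "aws_s3_bucket_public_access_block": {"reports": {"bucket": "${aws_s3_bucket.reports.id}",
    "block_public_acls": true, "block_public_policy": true,
    "ignore_public_acls": true, "restrict_public_buckets": true}}
}}""")

if __name__ == "__main__":
    print("weak: ", check_s3(WEAK) or "pass")
    print("fixed:", check_s3(FIXED) or "pass")
```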
6. Security Champions
Security champions are developers or other team members with a strong interest in security who act as security advocates within their teams. Security champions can help raise security awareness, provide security guidance and conduct security reviews.
Example: A development team in Canada appoints a security champion who is responsible for conducting security reviews of the code, providing security training to other developers and staying up to date on the latest security threats and vulnerabilities.
7. Security Training and Awareness
Providing security training and awareness to developers and other team members is essential to fostering a security culture. Training should cover topics such as secure coding practices, common security vulnerabilities, and the organization's security policies and procedures.
Example: An organization in the United Kingdom provides regular security training for its developers covering topics such as the OWASP Top 10 vulnerabilities, secure coding practices and threat modeling. The training deepens developers' understanding of security risks and how to mitigate them.
8. Automated Security Testing in the CI/CD Pipeline
Integrate security testing tools into the CI/CD pipeline to automate security checks at each stage of the development process. This enables continuous security monitoring and helps identify and address vulnerabilities quickly.
Example: A development team in Japan integrates SAST, DAST and SCA tools into its CI/CD pipeline. Each time code is committed, the pipeline runs these tools automatically and reports any vulnerabilities to the developers, who can then fix them early in the development process, before the code reaches production.
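The part of such a pipeline that decides whether a commit may proceed is the gate that sits after the scanners. This added example (not the team's pipeline or any vendor's code) merges constructed SAST, DAST and SCA findings into one normalized list, honours a baseline of reviewed false positives only while each entry's review date has not passed, and fails the build on any remaining finding at or above a chosen severity. The findings, baseline entries and severity scale are all constructed for the illustration.

```python
"""Pipeline security gate: merge normalized SAST/DAST/SCA findings, honour triaged
false positives only while their review window is open, and decide whether the build passes."""
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed, normalized findings as a pipeline step might collect from the three tools.
FINDINGS = [
    {"tool": "sast", "id": "sql-injection", "location": "src/OrderDao.java:88", "severity": "high"},
    {"tool": "sast", "id": "weak-random", "location": "src/Token.java:12", "severity": "medium"},
    {"tool": "dast", "id": "missing-csp-header", "location": "GET /", "severity": "low"},
    {"tool": "sca", "id": "ADV-EXAMPLE-001", "location": "example-http-parser@1.3.0", "severity": "high"},
]

# Constructed baseline of reviewed false positives. Every entry expires so that it is
# re-examined instead of silently suppressing the finding forever.
BASELINE = [
    {"tool": "sast", "id": "weak-random", "location": "src/Token.java:12",
     "reason": "value is a display id, not a secret", "expires": "2030-01-01"},
    {"tool": "dast", "id": "missing-csp-header", "location": "GET /",
     "reason": "header is set by the CDN in production", "expires": "2020-01-01"},  # expired
]

def fingerprint(f: dict) -> tuple:
    """Stable identity used to match a finding against a baseline entry."""
    return (f["tool"], f["id"], f["location"])

def active_suppressions(baseline: list, today: date) -> set:
    return {fingerprint(b) for b in baseline if date.fromisoformat(b["expires"]) > today}

def evaluate(findings: list, baseline: list, fail_on: str = "high", today=None) -> dict:
    """Fail the build if any non-suppressed finding is at or above the fail_on severity."""
    ref = date.fromisoformat(today) if today else date.today()
    suppressed = active_suppressions(baseline, ref)
    kept = [f for f in findings if fingerprint(f) not in suppressed]
    blocking = [f for f in kept if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[fail_on]]
    return {"passed": not blocking, "blocking": blocking,
            "suppressed": len(findings) - len(kept), "reported": len(kept)}

if __name__ == "__main__":
    result = evaluate(FINDINGS, BASELINE)
    for f in result["blocking"]:
        print(f"BLOCK [{f['severity']}] {f['tool']}: {f['id']} at {f['location']}")
    print(f"{result['reported']} reported, {result['suppressed']} suppressed by baseline")
    raise SystemExit(0 if result["passed"] else 1)
```

The exit status is what the CI job consumes; the expired baseline entry shows why suppressions need a review date, since the low-severity DAST finding is reported again once its window has closed.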
Benefits of Shift-Left Security
The benefits of shift-left security are numerous and can significantly improve an organization's security posture and efficiency:
- Reduced risk of security breaches: By identifying and addressing vulnerabilities early in the SDLC, organizations can significantly reduce the risk of security breaches and data leaks.
- Lower remediation costs: Fixing vulnerabilities early in the SDLC is far cheaper than fixing them in production. Shift-left security helps reduce remediation costs by preventing vulnerabilities from reaching production.
- Shorter time to market: By integrating security into the development process, shift-left security helps avoid the costly delays and rework caused by security issues found late, allowing development teams to deliver software faster and more frequently.
- Higher developer productivity: By giving developers continuous feedback on security issues, shift-left security helps them learn from mistakes and improve their coding practices. This leads to higher developer productivity and fewer security-related errors.
- Stronger compliance: By building security into applications from the start, shift-left security helps organizations meet regulatory requirements.
Challenges of Shift-Left Security
Although the benefits of shift-left security are clear, organizations may face several challenges when implementing this approach:
- Cultural change: Shifting security left requires a cultural change within the organization, in which everyone becomes responsible for security. This can be difficult to achieve, particularly in organizations where security has traditionally been the responsibility of a separate security team.
- Tooling and automation: Implementing shift-left security requires appropriate tooling and automation capabilities. Organizations may need to invest in new tools and technologies to automate security tasks and integrate security into their CI/CD pipelines.
- Training and skills: Developers and other team members may need training and skills development to implement shift-left security effectively. Organizations may need to provide training on secure coding practices, security testing and threat modeling.
- Integration with existing processes: Integrating security into existing development processes can be difficult. Organizations may need to adapt their processes and workflows to accommodate security activities.
- False positives: Automated security testing tools sometimes produce false positives, which waste developers' time and effort. It is important to tune and configure the tools properly to keep false positives to a minimum.
Overcoming the Challenges
To overcome the challenges of shift-left security, organizations can take the following steps:
- Foster a security culture: Promote a culture of shared responsibility for security, in which everyone in the organization is responsible for protecting the application and its data.
- Invest in tooling and automation: Invest in appropriate tools and technologies to automate security tasks and integrate security into the CI/CD pipeline.
- Provide training and skills development: Give developers and other team members the training and skills they need to implement shift-left security effectively.
- Adapt existing processes: Adapt existing development processes and workflows to accommodate security activities.
- Tune security tools: Tune and configure security testing tools properly to minimize false positives.
- Start small and iterate: Do not try to implement shift-left security all at once. Start with a small pilot project and gradually expand the scope as experience grows.
Tools and Technologies for Shift-Left Security
A variety of tools and technologies can be used to implement shift-left security. Some examples:
- SAST tools: SonarQube, Veracode, Checkmarx, Fortify
- DAST tools: OWASP ZAP, Burp Suite, Acunetix
- SCA tools: Snyk, Black Duck, WhiteSource
- IaC scanning tools: Checkov, Bridgecrew, Kube-bench
- Vulnerability management tools: Qualys, Rapid7, Tenable
- Cloud security posture management (CSPM) tools: AWS Security Hub, Azure Security Center, Google Cloud Security Command Center
Conclusion
Shift-left security is an essential practice for organizations that want to deliver secure software faster and more frequently. By integrating security from the very beginning of the development process, organizations can reduce the risk of security breaches, lower remediation costs and improve developer productivity. Implementing shift-left security has its challenges, but they can be overcome by fostering a security culture, investing in appropriate tools and technologies, and giving developers the training and skills they need. By adopting shift-left security, organizations can build a more secure and resilient software development life cycle (SDLC) and protect their valuable assets.
Adopting a shift-left security approach is no longer optional; it is a necessity for modern organizations operating in a complex and constantly evolving threat landscape. Making security a shared responsibility and integrating it seamlessly into DevOps workflows is the key to building secure, reliable software that meets the needs of today's businesses and their customers around the world.