Two code analyzers, four dynamic testing tools, home-grown crutches and 250 scripts. Not that all of this was needed in the current process, but once you start implementing DevSecOps you have to see it through to the end.
What is SecDevOps? And DevSecOps? What is the difference? Application security: what is that about? Why does the classical approach no longer work? Yuri Shabalin of Swordfish Security knows the answers to all of these questions. Yuri answers everything in detail and analyzes the problems of moving from the classical application security model to a DevSecOps process: how to integrate a secure development process into the DevOps process without breaking anything, and how to get through the main stages. He gives an overview of security testing, the tools that can be used and how they differ, and how to configure them correctly to avoid the pitfalls.
About the speaker: Yuri Shabalin is the lead security architect at Swordfish Security. He is responsible for implementing SSDL and for the overall integration of application analysis tools into the development and testing ecosystem. Seven years of experience in information security. He has worked at Alfa-Bank, Sberbank and Positive Technologies, which develops software and provides services. Speaker at the international conferences ZerONights, PHDays, RISSPA and OWASP.
Application security: what is it?
Application security is the part of security that deals with the security of the application itself. It does not cover infrastructure or network security; it covers what we create and what the developers work on: the defects and vulnerabilities of the application itself.
Directions
Contrary to the common belief, application security and SSDL are not aimed at detecting vulnerabilities but at preventing them from appearing. Over time Microsoft's standard approach has been refined and developed, and deeper, more detailed elaborations of it have appeared.
A proper SDLC is described in great detail in various methodologies: OpenSAMM, BSIMM, OWASP and others. The methodologies differ, but in general they are similar.
Building Security In Maturity Model
My favourite is BSIMM. Each of its 112 activities has three maturity levels: beginner, intermediate and advanced. You can go through all 12 practices section by section, pick what matters to you, work out how to implement it, and gradually add elements such as static and dynamic code analysis, code review and so on. Write down a plan for implementing the chosen activities and then calmly work through it.
Why DevSecOps
DevOps is a large, general process in which security has to be taken into account.
Initially
The main problem is that information security is separated from development. Usually it is a kind of information security perimeter with two or three big, expensive tools. Every six months or so someone brings it source code or an application that needs to be checked, and production releases happen only a few times a year.
In the course of our work we realised that the time had come for security, in every field and industry, to catch up with development and turn on the same wheels as it does.
Moving to DevSecOps
The most important word in the secure development lifecycle is "process". You need to understand this before you think about buying tools.
Simply embedding tools into the DevOps process is not enough; communication and understanding between the participants in the process matter more.
People matter more than tools.
Often the planning of a secure development process starts with choosing and buying tools and ends with an attempt to integrate them into the current process. Every tool has its own properties and limitations, so this leads to disappointing results.
A typical case: the security department picks an excellent, expensive tool with a wide range of features and asks the developers to integrate it into their process. It does not work, because the process is structured in a way that the limitations of the already purchased tool do not fit the current paradigm.
First describe what result you want and what the process should look like. That will help you understand the role of the tool in the process and in security.
Start with what you already have
Before buying expensive tools, look at what you already have. Every company has security requirements for development, checks and penetration tests. Why not turn all of that into a convenient form that everyone can understand?
Usually the requirements exist only on paper on a shelf. Once we came to a company to look at its process and asked to see its software security requirements. The specialist responsible for this searched for a long time:
- Well, this document was supposed to be somewhere in the notes.
As a result we received the document some weeks later.
For requirements, checks and so on, create a page, for example in Confluence: it is convenient for everyone.
It is easier to start by reformatting what you already have and using that.
Use Security Champions
Typically, an average company with 100-200 developers has one security specialist who performs several functions and physically has no time to check everything. Even if he tries his best, he alone cannot check all the code that development produces. A concept was developed for exactly this case: Security Champions.
A Security Champion is a person inside the development team who cares about the security of the product.
A Security Champion is an entry point into the development team and a security evangelist rolled into one.
Usually, when a security specialist comes to a development team and points out errors in the code, he gets a surprised answer:
- And who are you? This is the first time we have met. Everything is fine with me: a senior colleague approved my code review, so we move on.
This is a typical situation: developers have far more trust in a senior, or simply in a teammate they interact with every day at work and in code review. If it is the security champion rather than the security officer who points out a mistake and its consequences, his words carry much more weight.
Besides, the developers know their code better than a security specialist does. It is usually hard for someone who runs a static analysis tool across at least five projects to remember every nuance. Security champions are effective because they know what their product interacts with and what to look at first.
So consider introducing security champions and extending the reach of the security team. It is beneficial for the champions themselves too: professional development in a new area, broader technical horizons, better technical, management and leadership skills, higher market value. This is an element of social engineering, your "eyes" inside the development team.
Testing stages
Main problems with tools
Let me bring up the problems common to all the tools that need attention, and look at them in more detail now so as not to repeat them later.
Long analysis time. If all the tests and the build from commit to release take 30 minutes, an information security check can take a day. Naturally, nobody will hold up the process for that. Take this property into account and draw your conclusions.
High level of false negatives or false positives. All products are different; they use different frameworks and their own coding style. On different code bases and technologies a tool may show a different level of false negatives and false positives. So look at what exactly is in your company and whether the tool gives good, reliable results on your applications.
No integration with existing tools. Look at tools from the point of view of integration with what you already use. For example, if you use Jenkins or TeamCity, check the tool's integration with that software rather than with GitLab CI, which you do not use.
No or overly complex customization. If a tool has no API, what is it for? Everything that can be done from the interface must be available via the API. Ideally the tool should also let you customize the checks.
No product development roadmap. Development never stops: new frameworks and functions are used all the time, old code is rewritten in new languages. We want to be sure that the tool we bought will support the new frameworks and technologies. So it is important to know that the product is alive and will keep evolving.
Process features
Besides the features of the tools, take the features of the development process into account. For example, holding up development is a terrible mistake. Let's look at what other features must be considered and what the security team should pay attention to.
Do not delay development or release deadlines. Use different rules and thresholds for the show-stopper (the criterion for stopping the build when vulnerabilities are present) in different environments. For example, we understand that the current branch is going to the development stand or to UAT, so there is no need to stop and say:
"There are vulnerabilities here, you can't go any further!"
At this point it is important to tell the developers that there are security issues that need attention.
The presence of vulnerabilities is not an obstacle to further testing: manual, integration or whatever else. On the other hand, we need to raise the product's security somehow so that developers do not ignore what we consider unsafe. So sometimes we do this: when rolling out to the development environment, we simply notify the developers on the stand:
- Guys, there are problems, pay attention.
At the UAT stage the warning about the vulnerabilities appears again, and at the release stage we say:
- Guys, we warned you several times and you did nothing: we are not releasing this.
When we talk about code and dynamics, we should show and warn only about vulnerabilities in the code that was just written, in these features and this functionality. If a developer moves a button by 3 pixels and we tell him there is a SQL injection there that must be fixed urgently, that is wrong. Look only at what is being written now and at the change that was made to the application.
Say there is a functional defect, meaning the application does not behave as it should: it takes the wrong path, clicking the button does not go to the next page, or the product does not load. Security defects are the same defects, only they concern security rather than the behaviour of the application.
"Not all software quality problems are security problems. But all security problems are related to software quality." Sherif Mansour, Expedia.
Since every vulnerability is the same kind of defect, it must live in the same place as all the other development defects. So forget about PDFs with reports that nobody reads.
When I worked for a development company, I once received a report from a static analysis tool. I opened it, was horrified, made myself a coffee, flipped through 350 pages, closed it and went back to work. Big reports are dead reports. Usually they go nowhere: they get deleted, forgotten, lost, or the business says it accepts the risk.
What to do? Simply turn the discovered and confirmed defects into a form convenient for development, for example put them into the Jira backlog. Prioritize the defects and eliminate them by priority, just like functional and test defects.
Static analysis: SAST
This is vulnerability analysis of code, but unlike SonarQube we do not just check patterns and style. The analysis uses a number of approaches, such as following the vulnerability tree.
Pros of this approach: it finds vulnerabilities in the code at the early stages of development, when there is no stand or ready-made tooling yet. Incremental scanning: it scans only the changed section of the code and only the functionality you are working on right now, which shortens the scan time.
Cons: the language you need may not be supported.
Required integrations. In my subjective opinion, these should be included in the tool:
- Integration tools: Jenkins, TeamCity, GitLab CI.
- Development environments: IntelliJ IDEA, Visual Studio. It is more convenient for a developer to see all the required integrations and the vulnerabilities found right at his workplace, in his own development environment, rather than in an interface he still has to learn and understand.
- Code review: SonarQube and manual review.
- Defect trackers: Jira and Bugzilla.
The figure shows some of the most representative static analysis tools.
The process is what matters, not the tools, so there are open source solutions that are quite suitable for testing the process.
Open source SAST will not find a huge number of vulnerabilities or complex data flows, but it can and should be used when building the process. It helps you understand how the process will be built, who will respond to the bugs and who will report them. If you are at the initial stage of building code security, use open source solutions.
If you are at the very beginning and have nothing at all, no CI, no Jenkins, no TeamCity, how can this be integrated? Let's look at integration into the process.
Integration at the VCS level
If you have Bitbucket or GitLab, you can integrate at the following levels.
By event: pull request, commit. The code is scanned, and the build status shows whether the security check succeeded or failed.
Feedback. Feedback is always needed, of course. If you do security behind closed doors, put the findings in a box without telling anyone, and dump a pile of bugs at the end of the month, that is neither right nor good.
Integration with the code review system
At one time, on a number of important projects, we made the AppSec technical user the default reviewer. Depending on whether errors were found in the new code or not, the reviewer sets the pull request status to "Approved" or "Needs work": either everything is OK, or there are links to exactly what needs to be improved. For integration with the version that goes to production, we enabled a merge ban when the information security tests are not passed. We included this in the initial code review, and the other participants in the process could see the security status of that particular change.
Integration with SonarQube
Many people already have one.
Integration at the CI level
Here, too, everything is very simple:
- On a par with the autotests, dynamic tests and unit tests.
- Split by development stage: dev, test, prod. Different sets of rules and different failure conditions can apply, that is, stop the build or do not stop it.
- Synchronous or asynchronous launch. Either we wait for the security test to finish, or we just launch it and move on, getting a status afterwards: everything is good, or everything is bad.
All of this is a perfect, rosy world. In reality it is not like that, but we try. Run the security checks and get results that look like the results of unit tests.
For example, we take a large project and decide that from now on we will scan it with SAST. OK. We push the project into SAST and get 20,000 vulnerabilities, but by an effort of will we decide that everything is fine. These 20,000 vulnerabilities are our technical debt. We put the debt in a box, slowly sort through it and add bugs to the defect tracker. Hire a company, do everything ourselves, or get the security champions to help, and the technical debt will shrink.
And every new vulnerability that appears in new code must be eliminated the same way as a failing unit or auto test. Relatively speaking: the build started and ran, but a few tests and a few security tests failed. OK, we go and see what happened, fix one thing, fix another, run it again, and everything is fine: no new vulnerabilities, no failing tests. If the task needs deeper study, or fixing a vulnerability affects a large layer inside the code, a bug is added to the defect tracker, prioritized and fixed. Unfortunately the world is not perfect and tests sometimes fail.
An example of a security gate, similar to a quality gate in terms of the presence and number of vulnerabilities in the code.
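A worked example of such a gate, added here as an illustration and not code from the talk or from any product it mentions. It assumes findings exported in a simple rule/file/line/severity form, a stored baseline of the accepted technical debt, the list of files touched by the change, and a stage policy (dev only notifies, UAT fails on critical, release fails on high or worse); the stage names, thresholds, fingerprinting rule and sample findings are all constructed for the example.

```python
"""Security gate: stage-dependent show-stopper over *new* findings only.

Added example, not the speaker's tooling. Findings, baseline, changed files and
the stage policy are all constructed/assumed for the illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed show-stopper policy per environment: None means "notify only".
STAGE_THRESHOLD = {"dev": None, "uat": "critical", "release": "high"}


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line: int
    severity: str

    def fingerprint(self) -> tuple:
        # Baseline identity: line numbers drift as code above a finding changes,
        # so match on rule + file + a coarse line bucket (an assumption for the
        # example; real tools hash the surrounding code instead).
        return (self.rule, self.path, self.line // 20)


def new_findings(current: Iterable[Finding], baseline: Iterable[Finding]) -> list[Finding]:
    """Findings that are not part of the accepted technical debt."""
    known = {f.fingerprint() for f in baseline}
    return [f for f in current if f.fingerprint() not in known]


def scope_to_change(findings: Iterable[Finding], changed_paths: set[str]) -> list[Finding]:
    """Only warn about the code that was just written: files touched by the change."""
    return [f for f in findings if f.path in changed_paths]


def evaluate_gate(stage: str, findings: list[Finding]) -> dict:
    """Build status for one stage: SUCCESSFUL, WARN (notify only) or FAILED (show-stopper)."""
    threshold = STAGE_THRESHOLD[stage]
    blocking = [
        f for f in findings
        if threshold is not None and SEVERITY_RANK[f.severity] >= SEVERITY_RANK[threshold]
    ]
    if blocking:
        status = "FAILED"
    elif findings:
        status = "WARN"
    else:
        status = "SUCCESSFUL"
    return {"stage": stage, "status": status, "new": len(findings), "blocking": len(blocking)}


# --- constructed sample data ---------------------------------------------------
BASELINE = [  # the "20,000 of debt", shortened to three entries
    Finding("sql-injection", "src/orders.py", 120, "high"),
    Finding("xss", "src/views.py", 45, "medium"),
    Finding("weak-hash", "src/auth.py", 10, "low"),
]
CURRENT_SCAN = [
    Finding("sql-injection", "src/orders.py", 124, "high"),   # old, shifted 4 lines
    Finding("xss", "src/views.py", 45, "medium"),             # old
    Finding("weak-hash", "src/auth.py", 10, "low"),           # old
    Finding("path-traversal", "src/files.py", 33, "high"),    # new, in the change
    Finding("debug-enabled", "src/settings.py", 7, "low"),    # new, but file untouched
]
CHANGED_FILES = {"src/files.py", "src/orders.py"}


def run_example() -> dict[str, dict]:
    """Run the same change through every stage policy."""
    fresh = scope_to_change(new_findings(CURRENT_SCAN, BASELINE), CHANGED_FILES)
    return {stage: evaluate_gate(stage, fresh) for stage in STAGE_THRESHOLD}


if __name__ == "__main__":
    for verdict in run_example().values():
        print(verdict)
```

The one new high-severity finding in the touched file produces WARN on dev and UAT but FAILED on release, which is the "we warned you several times" escalation described above. The three baseline findings are matched even though one of them moved by a few lines, so they stay in the backlog instead of re-failing every build; the new finding in an untouched file is also left for the backlog rather than the gate.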
We are integrated with SonarQube: the plugin is installed, and everything is very convenient and cool.
Integration with the development environment
Integration options:
- Run a scan from the development environment before committing.
- Display the results.
- Analyze the results.
- Synchronize with the server.
This is what receiving results from the server looks like.
In our development environment it looks like this.
Open source
This is my favourite topic. Everyone uses open source libraries: why build piles of crutches and reinvent wheels when you can take a ready-made library in which everything is already implemented?
Of course that is true, but libraries are also written by people and carry a certain risk, and vulnerabilities in them are reported regularly, if not constantly. So application security has one more step: analysis of open source components.
Open Source Analysis: OSA
These tools cover three big stages.
Searching for vulnerabilities in libraries. For example, the tool sees that you are using a particular library and knows which vulnerabilities have been reported for it.
License purity analysis. This is not very common here yet, but if you work abroad you can be fined locally for using an open source component that may not be used or modified: the library's license policy forbids it. Or, if you modify and use it, you are obliged to publish your code. Of course, nobody wants to publish the code of their own product, but you can protect yourself from this.
Analysis of the components used in production. Imagine a hypothetical situation: development is finally finished and the latest release of a microservice has gone out. It lives happily in production for weeks, months, years. We do not rebuild it, we do not run security checks on it, everything seems fine. But some weeks after the release a critical vulnerability suddenly appears in an open source component used in production, in that very build. If you do not record what is used where, you will never notice this vulnerability. Some tools can monitor vulnerabilities in the libraries currently used in production. Very convenient.
Features:
- Different policies for different stages of development.
- Monitoring of components in the production environment.
- Management of libraries inside the organization.
- Support for various build systems and languages.
- Analysis of Docker images.
Some examples of the industry leaders in open source analysis.
Only one of them is free.
Integration into the process
Perimeter control of libraries downloaded from external sources. We have external and internal repositories. For example, Nexus is running, and we want no vulnerabilities with "critical" or "high" status to end up inside the repository. With Nexus Firewall and Nexus Lifecycle you can configure the proxy so that such vulnerabilities are blocked and never land in the internal repository.
Integration into CI. At the same level as the autotests and unit tests, with the split into development stages (dev, test, prod). At each stage you can download any library and use anything, but if there is something with "critical" status, it may be worth drawing the developers' attention to it at the stage of release to production.
Integration with artifact repositories: Nexus and JFrog.
Integration into the development environment. The chosen tool must integrate with the development environment. Before committing to the VCS, a developer must be able to see the scan results from his workplace, or scan the code and check it for vulnerabilities himself.
Integration into CD. This is a great feature that I really like: the monitoring of new vulnerabilities appearing in the production environment that I already described. It works like this.
We have public component repositories (some external tools) and an internal repository. We make sure that only trusted components get into it. A request goes through the proxy, which checks that the downloaded library has no vulnerabilities. If it falls under a policy that we set and necessarily agreed with development, the file is updated or the developer is asked to use a different version. So if a library really contains something critical and problematic, the developer does not receive it at install time; a higher or lower version is used instead.
- When building, we check that nobody slipped anything bad in, that all components are safe and that nobody brought anything dangerous in on a flash drive.
- Only trusted components are in the repository.
- At deployment, we check the package itself (war, jar, DLL or Docker image) once more to make sure it complies with the policy.
- Once it is in production, we monitor what happens in the production environment: whether critical vulnerabilities appear or not.
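The three control points just listed (the proxy at the perimeter, the re-check at deploy, and monitoring of what is already deployed) in code, as an added example that is not the speaker's tooling and not the API of Nexus or JFrog. It assumes a policy agreed with development (copyleft licenses denied, "high" and above blocked at the proxy, "critical" blocked at deploy), an advisory feed with exact affected versions, and an inventory recorded at release time of which build ships which components; the advisory identifiers, versions and licenses are constructed, not real CVEs.

```python
"""Open source component policy: repository proxy, deploy check, production
monitoring. Added example; advisories, versions and licenses are constructed."""
from __future__ import annotations

from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed policy, agreed with development: copyleft licenses that would force us
# to publish our own code are denied; "high" and above never enter the internal
# repository; a built artifact is blocked at deploy on "critical".
DENIED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}
PROXY_BLOCK_AT = "high"
DEPLOY_BLOCK_AT = "critical"


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str


@dataclass(frozen=True)
class Advisory:
    ident: str
    component: str
    affected: frozenset  # exact affected versions (constructed for the example)
    severity: str


def advisories_for(comp: Component, advisories: list[Advisory]) -> list[Advisory]:
    return [a for a in advisories if a.component == comp.name and comp.version in a.affected]


def _at_least(advs: list[Advisory], level: str) -> bool:
    return any(SEVERITY_RANK[a.severity] >= SEVERITY_RANK[level] for a in advs)


def proxy_decision(comp: Component, advisories: list[Advisory],
                   available: dict[str, list[str]]) -> dict:
    """Answer of the repository proxy when a build asks for a component; a blocked
    component comes back with the clean versions to use instead."""
    if comp.license in DENIED_LICENSES:
        return {"allow": False, "reason": f"license {comp.license} denied", "use_instead": []}
    hits = advisories_for(comp, advisories)
    if _at_least(hits, PROXY_BLOCK_AT):
        clean = [v for v in available.get(comp.name, [])
                 if not advisories_for(Component(comp.name, v, comp.license), advisories)]
        return {"allow": False, "reason": ", ".join(a.ident for a in hits), "use_instead": clean}
    return {"allow": True, "reason": "ok", "use_instead": []}


def deploy_check(package: list[Component], advisories: list[Advisory]) -> list[str]:
    """Re-check the contents of the artifact (jar/war/image) right before deploy."""
    return [f"{c.name}@{c.version}: {a.ident} ({a.severity})"
            for c in package for a in advisories_for(c, advisories)
            if SEVERITY_RANK[a.severity] >= SEVERITY_RANK[DEPLOY_BLOCK_AT]]


def affected_builds(deployed: dict[str, list[Component]], new_advisory: Advisory) -> list[str]:
    """Production monitoring: which deployed builds contain a newly reported version."""
    return sorted(build for build, comps in deployed.items()
                  if any(advisories_for(c, [new_advisory]) for c in comps))


# --- constructed sample data ---------------------------------------------------
ADVISORIES = [
    Advisory("ADV-0001", "lib-http", frozenset({"1.2.0", "1.2.1"}), "high"),
    Advisory("ADV-0002", "lib-yaml", frozenset({"3.0.0"}), "critical"),
]
AVAILABLE = {"lib-http": ["1.2.0", "1.2.1", "1.3.0"]}
DEPLOYED = {  # inventory recorded at release time: what is used where
    "orders-svc:build-41": [Component("lib-http", "1.2.1", "MIT")],
    "billing-svc:build-7": [Component("lib-http", "1.3.0", "MIT")],
}


def run_example() -> dict:
    blocked = proxy_decision(Component("lib-http", "1.2.1", "MIT"), ADVISORIES, AVAILABLE)
    allowed = proxy_decision(Component("lib-http", "1.3.0", "MIT"), ADVISORIES, AVAILABLE)
    copyleft = proxy_decision(Component("lib-crypto", "2.0.0", "AGPL-3.0-only"), ADVISORIES, AVAILABLE)
    deploy = deploy_check([Component("lib-yaml", "3.0.0", "MIT"),
                           Component("lib-http", "1.2.1", "MIT")], ADVISORIES)
    # Weeks after release a new advisory lands for the version billing-svc ships.
    late = Advisory("ADV-0003", "lib-http", frozenset({"1.3.0"}), "critical")
    return {"blocked": blocked, "allowed": allowed, "copyleft": copyleft,
            "deploy": deploy, "affected": affected_builds(DEPLOYED, late)}


if __name__ == "__main__":
    print(run_example())
```

Note the asymmetry between the two thresholds: the proxy turns away a "high" finding and offers the clean 1.3.0, while the deploy check only stops the artifact on "critical", which is the "any library at each stage, but draw attention at release" rule from the text. The last call is the monitoring case: without the inventory in DEPLOYED there would be no way to tell that billing-svc is the build hit by the late advisory.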
Dynamic analysis: DAST
Dynamic analysis tools are fundamentally different from everything described so far. They are a kind of imitation of a user working with the application. For a web application this means simulating the client's work: sending requests, clicking the buttons on the front end, submitting artificial data from the forms (quotes, brackets, characters in various encodings) and looking at how the application works with and processes external data.
The same system can be used to check for template vulnerabilities in open source. DAST does not know which open source is used; it simply throws "malicious" patterns at the application and analyzes the server's response.
- Yes, there is a deserialization problem here, but not here.
This carries a big risk: if you run such a security test on the same stand that the testers work on, unpleasant things can happen.
- High load on the application server and the network.
- No integrations.
- The ability to change the settings of the application under analysis.
- No support for the technologies you need.
- Hard to set up.
Once, when we finally launched AppScan, we got into a situation: we had spent a long time getting access to the application, received three accounts and were delighted that we would finally check everything. We started the scan, and the first thing AppScan did was go into the admin panel, click every button, change half the data and then kill the server completely.
- Guys, are you kidding? We gave you accounts and you took the stand down!
Take the possible risks into account. Ideally, prepare a separate stand for information security testing, at least somehow isolated from the other environments, and check the admin panel conditionally, preferably in manual mode. This is penetration testing, the share of the remaining work that is not considered at this point.
It is worth keeping in mind that this can serve as a substitute for load testing. At the first stage you can turn on a dynamic scanner with 10-15 threads and see what happens, but as practice shows, usually nothing good.
Some of the resources we usually use.
Worth noting
Integration into the process
Integration usually goes well and easily: launch the scan after the application has been successfully installed on the stand, or after the integration tests have passed.
If the integrations do not work, or there are stubs and mock functions, it is pointless and useless: whatever patterns you send, the server answers the same way.
- Ideally, a separate test stand.
- Before testing, record the login sequence.
- Test administration systems manually only.
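The harness below, added as an example and not code from the talk or from any scanner it mentions, puts those rules into code: it replays a recorded login sequence before probing, refuses to touch anything under the admin prefix, and bounds the number of parallel requests so the stand is not load-tested by accident. The target is a constructed in-process mock application standing in for a separate test stand, with a reflected parameter and a SQL error planted deliberately; the payloads, paths and credentials are assumptions for the illustration.

```python
"""Dynamic-test harness: replay login, keep /admin out of scope, cap threads.

Added example, not the speaker's tooling and not AppScan. The target is a
constructed in-process mock application whose flaws are planted on purpose.
"""
from __future__ import annotations

import html
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass

# --- constructed mock application (stands in for the test stand) ----------------
MOCK_STATE = {"admin_touched": False, "sessions": set()}


def mock_app(method: str, path: str, params: dict, cookies: dict):
    """Returns (status, body, set_cookie). /search reflects q unescaped and leaks a
    SQL error on a quote; /profile escapes its input; /admin is destructive."""
    if path == "/login" and method == "POST":
        if params.get("user") == "tester" and params.get("pw") == "s3cret":
            MOCK_STATE["sessions"].add("sid-1")
            return 200, "welcome", {"sid": "sid-1"}
        return 401, "bad credentials", None
    if cookies.get("sid") not in MOCK_STATE["sessions"]:
        return 302, "redirect: /login", None
    if path.startswith("/admin"):
        MOCK_STATE["admin_touched"] = True  # the thing the scanner must never trigger
        return 200, "all users deleted", None
    if path == "/search":
        q = params.get("q", "")
        if "'" in q:
            return 500, f"SQL syntax error near '{q}'", None
        return 200, f"<p>results for {q}</p>", None
    if path == "/profile":
        return 200, "hello " + html.escape(params.get("name", "")), None
    return 404, "not found", None


# --- scanner ------------------------------------------------------------------
PROBES = {"sqli": "x'", "xss": "<s>z</s>"}  # constructed probe payloads


@dataclass
class ScanConfig:
    login: list                         # recorded login sequence: (method, path, params)
    targets: list                       # (path, parameter) pairs to probe
    exclude_prefixes: tuple = ("/admin",)
    threads: int = 4                    # keeps the load on the stand bounded


def in_scope(path: str, cfg: ScanConfig) -> bool:
    return not any(path.startswith(p) for p in cfg.exclude_prefixes)


def replay_login(app, cfg: ScanConfig) -> dict:
    """Run the recorded sequence and collect the session cookies it sets."""
    cookies: dict = {}
    for method, path, params in cfg.login:
        _, _, set_cookie = app(method, path, params, cookies)
        if set_cookie:
            cookies.update(set_cookie)
    return cookies


def probe(app, cookies: dict, path: str, param: str) -> list:
    found = []
    for kind, payload in PROBES.items():
        status, body, _ = app("GET", path, {param: payload}, cookies)
        if kind == "sqli" and status == 500 and "SQL" in body:
            found.append((path, param, "sql-error"))
        if kind == "xss" and payload in body:
            found.append((path, param, "reflected-unescaped"))
    return found


def scan(app, cfg: ScanConfig) -> dict:
    cookies = replay_login(app, cfg)
    targets = [t for t in cfg.targets if in_scope(t[0], cfg)]
    skipped = [t for t in cfg.targets if not in_scope(t[0], cfg)]
    with ThreadPoolExecutor(max_workers=cfg.threads) as pool:
        results = list(pool.map(lambda t: probe(app, cookies, *t), targets))
    findings = sorted(f for r in results for f in r)
    return {"findings": findings, "skipped": skipped,
            "admin_touched": MOCK_STATE["admin_touched"]}


CONFIG = ScanConfig(
    login=[("POST", "/login", {"user": "tester", "pw": "s3cret"})],
    targets=[("/search", "q"), ("/profile", "name"), ("/admin/users", "id")],
)


def run_example() -> dict:
    return scan(mock_app, CONFIG)


if __name__ == "__main__":
    print(run_example())
```

Without the login replay every probe would get the 302 to /login and the scan would report nothing, which is the "stubs and mocks make it useless" case from the text, only in reverse. The /admin/users target is reported as skipped rather than probed, so the destructive branch of the mock is never reached; that path is left for manual testing as the last rule says.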
Process
Let me generalize a little about the process as a whole and how each tool works in particular. All applications are different: for one, dynamic analysis works better, for another static analysis, for a third open source analysis, penetration testing or something else entirely (events, for example).
Every process needs control.
To understand how the process works and where it can be improved, you need to collect metrics from everything you can get hold of: operational metrics, metrics from the tools, metrics from the defect tracker and so on.
Which information is useful? Where is it appropriate to use this or that tool, and, in particular, where does the process stall? You need to look at it from different angles. It may be worth looking at the response time of development and using the timings to see where the process should be improved. The more data you have, the more cross-sections you can build, from the top level down to the details of each process.
Every static and dynamic analyzer has its own API, its own way of launching and its own principles; some have a scheduler, some do not. We are writing a tool, an AppSec Orchestrator, that gives the product a single entry point into the whole process and lets it be managed from one place.
Managers, developers and security engineers use this single entry point to see what is running, configure and launch scans, receive scan results and send requirements. We are trying to get away from paperwork and translate everything into what development uses: pages in Confluence with statuses and metrics, defects in Jira and other defect trackers, integration into synchronous and asynchronous CI/CD processes, and so on.
Key takeaways
Tools are not the main thing. First think about the process, then implement the tools. Tools are good but expensive, so you can start with the process and build communication and understanding between development and security. From the security side there is no need to "stop" everything; from the development side, if there is something mega-super-critical, it must be eliminated rather than swept under the rug.
Product quality is the common goal of both security and development. We have one job: to make sure that everything works correctly and there are no reputational risks or financial losses. That is why we promote the DevSecOps/SecDevOps approach: to improve communication and raise product quality.
Start with what you already have: requirements, architecture, partial checks, training, guidelines. You do not have to apply every practice to every project at once. Move iteratively. There is no single standard: experiment, try different approaches and solutions.
Put an equals sign between information security defects and functional defects.
Automate everything that moves. Whatever does not move, get it moving and automate it. If something is done by hand, it is not a good part of the process; it is probably worth reconsidering and automating it as well.
If the information security team is small, use security champions.
Perhaps what I talked about will not suit you and you will come up with something of your own; that is fine. But choose tools based on the requirements of your process. Do not worry about community opinion that this tool is bad and that tool is good. Perhaps on your product it is exactly the other way round.
Tool requirements:
- Low level of false positives.
- Acceptable analysis time.
- Ease of use.
- Available integrations.
- An understanding of the product's development roadmap.
- The ability to customize the tool.
Yuri's talk was voted one of the best at DevOpsConf 2018. For more interesting ideas and real cases, come to Skolkovo on the 27th and 28th for DevOpsConf, part of the RIT++ festival. Better still, if you are ready to share your own experience, submit a talk proposal: applications are accepted until the 21st.
Source: habr.com