Category
How to become a security engineer: a practical guide to the skill map, certifications, and secure coding, drawn with official frameworks
A security engineer starts from a different place than the 'attacking side' (white-hat hackers): the main battlefield is building, operating, and defending safe systems. Rather than personal anecdotes, this cluster uses public primary sources as its map: NIST's NICE Framework (seven categories of roles) and CSF 2.0 (six defensive functions), IPA's ITSS+ and the Digital Skill Standard, and METI's Cybersecurity Management Guidelines. It systematizes how to choose a target role, a skill map to build from no experience, a certification strategy including the national 'Registered Information Security Specialist' (登録セキスペ) qualification, and the core skill of secure coding (validation at the trust boundary, server-enforced authorization, output encoding, secret management, and automated enforcement in CI, in line with NIST SSDF and OWASP ASVS). Grounded in experience building, solo with generative AI, a B2B SaaS that won the Minister of Economy, Trade and Industry Award and a payment platform with zero double charges in production, it takes the position that 'the ability to build fast and the ability to build safely are two sides of the same coin,' and offers, in real code faithful to official documents, decision material useful both to individuals who are learning and to companies deciding whether to develop talent in-house or to outsource.
6 articles in total
Foundational guide (start here)
How to become a security engineer [2026 complete roadmap]: a skill map, certifications, and the fastest route from no experience, drawn with official frameworks
A complete roadmap to becoming a security engineer. With primary sources — the NIST NICE Framework, CSF 2.0, IPA ITSS+, and METI guidelines — as the map, it systematically explains, with real code: the big picture of the role, a skill map to build from no experience, a certification strategy including Japan's national 'Registered Security Specialist,' and differentiation in the AI era.
Related practical articles
- Tags: Security, Incident Response, CSIRT, NIST, Security Engineer
Incident-response practical guide [2026 edition]: CSIRT, Runbooks, and automated containment aligned with NIST SP 800-61 Rev.3 (CSF 2.0)
A practical guide to designing security incident response (IR) at production quality. Centered on the new framework of NIST SP 800-61 Rev.3 (the CSF 2.0 Community Profile) revamped in 2025, it explains the CSIRT structure, severity triage, idempotent containment Runbooks, blameless postmortems, and SOAR automation, with real code faithful to official information.
10 min read
- Tags: Security, Cryptography, Password Hashing, Argon2, Security Engineer
A practical applied-cryptography guide [2026 edition]: using password hashing (Argon2id), encryption (AES-GCM), and key management correctly
A practical guide for app developers to 'use cryptography correctly.' Faithful to official sources, it explains, in type-safe code: the difference between hashing, encryption, and encoding; Argon2id password hashing with OWASP-recommended parameters; the latest NIST 800-63B-4 password policy; authenticated encryption with AES-256-GCM; and key management and rotation.
10 min read
- Tags: Security, Secure Coding, NIST SSDF, OWASP ASVS, DevSecOps
Practical secure-coding guide [2026 edition]: become an engineer who 'builds safely' with NIST SSDF and OWASP ASVS
A complete guide to practicing secure coding by 'mechanism,' not 'willpower.' With NIST's official framework SSDF (SP 800-218) and OWASP ASVS 5.0 as a map, it explains validation at the trust boundary, server-enforced authorization, output encoding, secret management, and dependency measures with real code, and finally shows how to auto-enforce these in CI.
13 min read
- Tags: Security, Log Design, Detection Engineering, Sigma, Security Engineer
A practical guide to security logging and detection engineering [2026 edition]: building a state where you 'can notice' with Sigma, MITRE ATT&CK, and SIEM
A practical guide to log design and detection engineering that solves 'you can't protect what you can't detect.' With real code: 'what to record and what not to,' per OWASP; type-safe structured logs and secret masking; vendor-neutral detection rules with Sigma; mapping to MITRE ATT&CK; and Detection as Code.
9 min read
- Tags: Security, Threat Modeling, STRIDE, Secure Design, Security Engineer
A practical threat-modeling guide [2026 edition]: crushing vulnerabilities at the 'design stage' with STRIDE and data flow diagrams
A practical guide to threat modeling for building security into the design stage. It explains, with real code faithful to official information: the Threat Modeling Manifesto's four questions, STRIDE's six categories, how to draw a data flow diagram and trust boundaries, and how to manage threats 'as code' and continuously verify them in CI.
10 min read