こんにちは！SREチームのkasaiです。 KINTOテクノロジーズ株式会社（以下、KTC）は、2025年7月11日（金）〜12日（土）にTOC有明で開催される「SRE NEXT 2025」にて、プラチナスポンサーとして協賛いたします！ KTCがSRE NEXTのスポンサーになるのは今回が初めてです。 弊社SREチームは昨年から再スタートを切りました。 SREを実践する難しさを日々感じつつも、サービスの信頼性を高めるための活動に取り組んでいます。みなさんも同じように試行錯誤を重ねているのではないかと思います。 そんなSREの方々が集まる場を支えられればと思い、スポンサーに立候補いたしました！ SRE NEXTとは 信頼性に関するプラクティスに深い関心を持つエンジニアのためのカンファレンスです。 同じくコミュニティベースのSRE勉強会である「SRE Lounge」のメンバーが中心となり運営・開催されます。 SRE NEXT 2025のテーマは「Talk NEXT」です。SRE NEXT 2023で掲げた価値観 Diversity、Interactivity、Empathyを大切にしつつ、SREの担う幅広い技術領域のトピックや組織、人材育成に対してディスカッションやコミュニケーションを通じて、新たな知見や発見を得られる場にします。 Home | SRE NEXT 2025 開催概要 開催日：2025年7月11日（金）・12日（土） 会場：TOC有明及びオンライン 公式サイト： https://sre-next.dev/2025/ スポンサーセッションあります！ DAY 2 (7/12) 13:00 - 13:20にTrack Bにて「ロールが細分化された組織でSREは何をするか？」というタイトルで長内がスポンサーセッションをする予定です。 細分化された組織の中においてロールが重なり合う中「自分たちは何をすべきか？」「SREとしての価値はどこにあるのか？」といった問いにSREチームがどのように向き合ってきたのかをお話しします。 詳細： https://sre-next.dev/2025/schedule/#slot081 ブース出展もします！ ブースでは簡単に答えられるアンケートを用意しています。 ご回答いただくとガチャガチャが回せて、オリジナルノベルティーが当たりますので、ぜひブースに遊びにきてください！ 当日はSREのメンバーもブースにいますので、SREについてTalkしましょう！

Introduction Hello, I am Nishida, a member of the payment platform development team at KINTO Technologies. In this article, I'd like to share how we used AWS SAM to build the backend for an internal payment operations system, which was also introduced earlier in this article . What is AWS SAM? First off, AWS SAM (Serverless Application Model) is a tool that makes it easy to build and deploy serverless services like Lambda and API Gateway. With AWS SAM, developers no longer need in-depth knowledge of infrastructure and can focus on building applications using a serverless architecture. Why We Chose AWS SAM Right after joining KINTO Technologies, I became involved in developing a payment operations system. Given the short development timeline of just 2 to 3 months, we needed to select backend technologies that supported rapid iteration Since it was an internal system with limited traffic, we decided to go with AWS SAM, leveraging my prior experience with it from a previous role. How to Use AWS SAM I'd like to use AWS SAM to build a REST API using API Gateway and Lambda in a serverless setup. Here's what the directory structure looks like: . ├── hello_world │ ├── __init__.py │ └── app.py └── template.yaml First, install AWS SAM from the official documentation . AWS SAM uses a file called a template to manage AWS resources. AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: > sam-app Sample SAM Template for sam-app Resources: HelloWorldFunction: Type: AWS::Serverless::Function Properties: FunctionName: HelloWorldFunction CodeUri: hello_world/ Handler: app.lambda_handler Runtime: python3.9 Events: HelloWorld: Type: Api Properties: Path: /hello Method: get import json def lambda_handler(event, context): body = { "message": "hello world", } response = { "statusCode": 200, "body": json.dumps(body) } return response We deploy using the sam command. This time, I'll try deploying interactively using the --guided option. sam deploy --guided Enter the stack name, region, etc. Stack Name [sam-app]: # デプロイするスタック名を入力 AWS Region [ap-northeast-1]: # デプロイするリージョンを入力 #Shows you resources changes to be deployed and require a 'Y' to initiate deploy Confirm changes before deploy [y/N]: # 変更内容を確認するかを入力 #SAM needs permission to be able to create roles to connect to the resources in your template Allow SAM CLI IAM role creation [Y/n]: # SAM CLI が IAM ロールを作成するかを入力 #Preserves the state of previously provisioned resources when an operation fails Disable rollback [y/N]:　# ロールバックを無効にするかを入力 HelloWorldFunction may not have authorization defined, Is this okay? [y/N]: # Lambda に対する認可を設定するかを入力 Save arguments to configuration file [Y/n]: # 設定を保存するかを入力 SAM configuration file [samconfig.toml]: # 設定ファイルの名前を入力 SAM configuration environment [default]: # 環境名を入力 Once the deployment is complete, check the Lambda console to confirm that HelloWorldFunction has been created. You can also find the endpoint by selecting the API Gateway that triggers Lambda. Let's try sending a request using curl. curl https://xxxxxxxxxx.execute-api.ap-northeast-1.amazonaws.com/Prod/hello If the request is successful, you'll get a response like this: {"message": "hello world"} After Trying It Out As I had prior experience with AWS SAM, I was able to get the basic infrastructure up and running in just a day, which helped us stay on track with the development schedule. Once you're familiar with it, one of the best things about AWS SAM is how easy it makes building APIs in a serverless setup. In addition to API Gateway and Lambda, we also use AWS SAM to build EventBridge and SQS, which are used for periodic processing such as batch processing. The official documentation has also improved a lot, which I think has lowered the barrier to getting started. Conclusion In this article, I shared how we quickly built the backend for a payment operations system from scratch using AWS SAM. Since it's a tool provided by AWS, it has high compatibility, reduces the overhead of environment setup, and allows you to focus more on actual development. If you're interested, I highly recommend giving it a try.

Introduction Hello. My name is Shimamura , and I used to be a DevOps engineer in the Platform Group, but now I'm on the Operation Tool Manager team within the same gorup, where I'm responsible for Platform Engineering and tool-related development and operations. KINTO Technologies' Platform Group promotes IaC using Terraform. We define design patterns that are frequently used within the company and provide them as reference architectures, and each environment is built based on those patterns. For the sake of control, each environment from development to production is built upon ticket-based requests. Before building the development environment, we prepare a sandbox environment (AWS account) for the application department's verification. However, this is often built manually and there are many differences with the environment built by Platform Group. If a design pattern were available, the environment could be automatically built upon developer request, which would eliminate the waiting time between the request and the creation of the environment, and improve development efficiency. I think this kind of request-based automated building is a common requirement in DevOps, but it seems that Kubernetes is still the most commonly used application execution platform. KINTO Technologies uses Amazon ECS + Fargate as its application execution platform, so I would like to introduce this as a (probably) rare example of automated environment building for ECS. Background Challenges The system is not around when application developers need it (during verification/launch) As part of the DevOps activities, I researched AutoProvisioning (automated environment building) and felt that it was common, but it is not present within our company. There is a large difference between an environment built in a sandbox environment with a relatively high degree of freedom and an environment built according to the design patterns provided by Platform Group. IAM permissions and security Presence of common components such as VPC/Subnet/NAT Gateway etc. As a result, the communication costs becomes higher for both parties when requesting a build. Solution Why not create an automated building mechanism? Since this is a design pattern, there are some AWS services that may be missing, but it's tolerable and presumably they will be added manually. As a first step, it's worthwhile to automatically build an environment on AWS in about an hour so that you can check the operation of your application and prepare for CICD. Let's Make It Thankfully, Terraform is becoming more modular so we can build environments in a variety of patterns by simply writing a single file (locals.tf), so I think of the below as a base: Used in-house created modules (Must) Built with in-house design patterns as a base (Must) Made sure that DNS is automatically configured and communication is possible via HTTPS. It should be able to automatically generate locals.tf Prototyped the application to see if it can be structured and generated using Golang's HCLWrite After prototyping, I found that structuring was difficult, so I eventually gave up on automatic generation. I took care of it by replacing some parameters from the template file Since the process was about replacing, detailed settings for each component are not possible. The Final Result From the GUI on the CMDB select product design patterns When you select this and click Create New, the specified configuration will be built in the sandbox environment of the department associated with the product in 10 to 40 minutes (depending on the configuration). Overall Configuration Individual Explanation I separated the part that creates the Terraform code from the part that actually builds it in the sandbox environment so that they could be tested separately. Terraform Code Generation Parts ProvisioningSourceRepo Issue management GitHub Actions execution Terraform code for the created sandbox environment CIDR list for each sandbox environment ProvisioningAppRepo Template for design pattern Yaml (buildspec.yml) in CodeBuild Various ShellScripts running on CodeBuild InfraRepo TerraformModule AWS Environment Building Part S3 Source and Artifact in CodePipeline EventBridge CodePipeline Trigger CodePipeline/CodeBuild Actual construction environment Route53 (Dev) Delegate authority from the production DNS and use Route53 in the Dev environment Terratest (Apply) The Terratest sample looks like this. The test is nested so that if any of the Init, Plan, or Apply steps fail, the test will end. If the Apply step fails midway, Destroy what was applied up to that point. I think you will be able to write it more neatly if you have knowledge of Golang. package test import ( "github.com/gruntwork-io/terratest/modules/terraform" "testing" ) func TestTerraformInitPlanApply(t *testing.T) { t.Parallel() awsRegion := "ap-northeast-1" terraformOptions := &terraform.Options{ TerraformDir: "TerraformファイルがあるPATH" + data.uuid, EnvVars: map[string]string{ "AWS_DEFAULT_REGION": awsRegion, }, } // InitでErrorがなければPlan、PlanでErrorがなければApplyと // IFで入れ子構造の対応を実施(並列だとInitで失敗してもテストとしてすべて走る) if _, err := terraform.InitE(t, terraformOptions); err != nil { t.Error("Terraform Init Error.") } else { if _, err := terraform.PlanE(t, terraformOptions); err != nil { t.Error("Terraform Plan Error.") } else { if _, err := terraform.ApplyE(t, terraformOptions); err != nil { t.Error("Terraform Apply Error.") terraform.Destroy(t, terraformOptions) } else { // 正常終了 } } } } Elements Name Overview CMDB (in-house production) Configuration Management Database to manage databases Since rich functions were unnecessary, KINTO Technologies has developed an in-house CMDB. On top of that, we are creating a request form for automatic building. In addition, after being built, FQDN and other information are automatically registered in the CMDB. Terraform A product for coding various services, AWS among them. IaC. In-house design patterns and modules are created with Terraform. GitHub A version control system for storing source code. Build requests are logged by raising an Issue. Also, since Terraform code is required for deletion, etc., we also save each code for the sandbox environment. GitHubActions The CI/CD tool included in GitHub. At KINTO Technologies, we utilize GitHub Actions for tasks such as building and releasing applications In this case, we are using the issue filing as a trigger to determine whether to Create/Delete, select the necessary code group, compress it, and connect to AWS. CodePipeline/CodeBuild CICD-related tools provided by AWS. Using it to run Terraform code. We could run Terraform/Terratest on GitHubActions, but since we use GitHubActions daily for application builds, we chose to use this to avoid the impact on each product team due to usage limits, etc. Terratest A Go library for testing infrastructure code, etc. You can also test modules, but in this case we are using it to recover from failures in the middle of Terraform Apply. Click here for the official site Restrictions We target multiple sandbox environments (AWS accounts) associated with each development team, but only one can be created at a time (exclusive). Since CodePipeline/CodeBuild are running in the same environment due to DNS We also create parts that are not run in the application. It may seem like there is a lot of waste, but this is due to the build design pattern. It is built as a seamless line from FQDN to DB. You need to set the VPC, etc. in the Module beforehand. You need to build a set of common components such as VPC beforehand. What to Do if There Are No Modules KINTO Technologies has been working on design patterns for some time, so we have the advantage of being able to easily use Terraform to build everything from CloudFront to RDS. What can you do if you haven't progressed that far but still want to implement AutoProvisioning using ECS? I Thought About It Create up until the ECS Cluster in advance. ECS Service ECR Repository ALB TargetGroup ALB ListenerRule IAM Role Route53 I think it would be easier to prepare a Terraform file with the above, and then build it. TaskDefinition can be created if you have permission, so it's up to the user. Configuration Proposal I think CodePipeline/CodeBuild would be fine instead of GitHubActions, but when you consider the need to prepare a GUI like CodeCommit, wouldn't it be easier to just put it all together on GitHub? So, here is the configuration. I haven't used AWS Proton yet, so I haven't considered it. I think it would be possible to separate the Parameter parts such as locals.tf and create them using the sed command or Golang's HCL library. Once you have confirmed the build using Terratest, etc., add any FQDN to the ALB alias and match it with the ListenerRule. Next Steps Originally, we had hoped to offer it in advance to get feedback, but at present it hasn't been used much. We have provided a GUI for this purpose, and we plan to start by having a variety of people use it and receive feedback. However, I think there are many things we can do, such as increasing the number of compatible design patterns and simplifying the associated CICD settings. I would really like to introduce Kubernetes and then move on to AutoProvisioning, which has many applications. ｜・ω・`) Is that not possible? Impressions To be honest, I tried hard to automatically generate templates using Golang, but gave up because the HCL structure of our in-house design patterns was difficult to analyze and reconstruct. There was some talk internally about this being a reinvention of the console, but if we could get that far, I think we might be able to automate not only the sandbox environment but also the STG environment. For Platform Group, the environment can be created simply by tapping and selecting a few items on the GUI. It's really simple. To be honest, I wanted to reach that level, but I think it was good that I was able to take even the first step. In Kubernetes, I think it might be possible to create something similar by preparing a Helm chart as a template. I would like to consider alternative methods and try various things. Summary The Operation Tool Manager Team oversees and develops tools used internally throughout the organization. As I wrote in my previous O11y article , we organize the mechanisms and present them to application developers so that they can use them on a self-service basis, supporting the creation of value by these developers. A PlatformEngineering meet up was held a little while ago, and it's reassuring to know that this is in line with the direction we're moving forward in. The Operation Tool Manager team also has an in-house tool building department, allowing developers to quickly and intensively create value for their applications. Please feel free to contact us if you are interested in any of these activities or would like to hear from us. @ card

Introduction Hello! I'm Tanachu from the Security & Privacy Group at KINTO Technologies! I usually work on log monitoring and analysis using SIEM, building monitoring systems, and handling cloud security tasks as part of some projects in the SCoE group (here you can read about what's the SCoE group? ) . Here is my self-introduction. In this article, we share a report on our visit to the " Sysdig Kraken Hunter Workshop ," held on March 26, 2025, at the Collaboration Style event space near Nagoya Station. The Event Space Using Sysdig Secure at KINTO Technologies At KINTO Technologies, we mainly use Sysdig Secure for Cloud Security Posture Management (CSPM) and Cloud Detection and Response (CDR). I've put together more details in this blog, so feel free to take a look. A Day in the Life of a KTC Cloud Security Engineer What is the Sysdig Kraken Hunter Workshop? Sysdig is a company founded by Loris Degioanni, the co-developer of the well-known network capture tool, Wireshark. It offers security solutions for cloud and container environments, built around Falco , an open-source standard for cloud-native threat detection developed by Sysdig. We use Sysdig Secure to monitor cloud activities such as permission settings and account or resource creation in cloud environment. The Sysdig Kraken Hunter Workshop is a hands-on session where you run simulated attacks on a demo Amazon EKS environment. You go through a series of modules using Sysdig to practice detection, investigation, and response. If you pass the post-workshop exam, you'll earn a Kraken Hunter certification badge. In this blog, I'll walk you through three modules that stood out the most. Module 1: Simulated Attack and Event Investigation In this module, we carried out a simulated attack on a demo Amazon Elastic Kubernetes Service (Amazon EKS) environment and used Sysdig Secure to detect and investigate the event. First, following the provided documentation, we simulated a remote code execution (RCE) attack on the Amazon EKS demo environment. The simulated actions included: Reading, writing, and executing arbitrary files on the system Downloading files onto the system After running the simulated attack, we accessed the Sysdig Secure console via browser. By checking the status of the targeted resources, we could confirm that Sysdig had detected events related to the attack. Reference: sysdig-aws workshop-instructions-JP Digging deeper, we confirmed that Sysdig Secure had picked up the simulated attack in real time. Reference: sysdig-aws workshop-instructions-JP This hands-on flow let us try out a simulated attack and see exactly how Sysdig Secure handles detection and investigation through its console. By running the attack myself and going through the investigation process with Sysdig Secure, I felt like I got a solid understanding of what the tool is capable of. Module 2: Host and Container Vulnerability Management In this module, we explored Sysdig Secure's features for managing vulnerabilities in both hosts and containers. Since our own products use containers and follow a microservices architecture, this topic is especially relevant to us. Sysdig Secure offers several types of vulnerability scans: Runtime Vulnerability Scanning, Pipeline Vulnerability Scanning, and Registry Vulnerability Scanning. The Runtime Vulnerability Scan lists all containers that have run in your monitored environment in the past 15 minutes, along with all hosts/nodes that have the Sysdig Secure Agent installed. Resources are automatically sorted by severity based on the number and risk level of vulnerabilities, making it easy to spot what needs your attention first. Reference: sysdig-aws workshop-instructions-JP You can also click on any listed item to drill down and view vulnerability details. Reference: sysdig-aws workshop-instructions-JP Pipeline Vulnerability Scan checks container images for vulnerabilities before they're pushed to a registry or deployed to a runtime environment. Registry Vulnerability Scan targets images already stored in your container registry. This way, you can check for vulnerabilities at each phase of the container image lifecycle, from development to production. There are plenty of security tools out there for vulnerability management, but the Sysdig Secure console stood out to me for its sophisticated UI and intuitive usability. Module 3: Container Posture & Compliance Management In this module, we experienced how Sysdig Secure helps manage posture and compliance in cloud environments. As you may have probably seen or heard in the news, misconfigurations in the cloud are a major cause of security incidents. Since we build our products in a fully cloud-native setup, this isn't just others problem—it's something we take seriously. That's why this feature caught our attention. As a posture and compliance management feature, Sysdig Secure allows you to check if your environment complies with common standards like CIS, NIST, SOC 2, PCI DSS, and ISO 27001. Reference: sysdig-aws workshop-instructions-JP It also highlights non-compliant resources and shows you how to fix them. While it's hard to say whether the steps will be practical in every situation, having that guidance readily available does save workloads on researching fixes. As an admin, that's a huge plus. Reference: sysdig-aws workshop-instructions-JP Kraken Hunter Certification Exam The Kraken Hunter certification exam had about 30 to 40 questions on a dedicated web page. The questions covered topics from the workshop, so if you paid attention, you had a solid shot at passing. I struggled a bit with some of the finer details introduced at the start of the workshop, but I managed to pass the exam! Here's the certification badge awarded to those who pass: Kraken Hunter Certification Badge Using Sysdig Secure Going Forward We're exploring and pushing the following ways to get the most out of Sysdig Secure: CSPM: Creating custom policy rules in Rego based on our governance framework to ensure cloud security that aligns with our internal policies. CDR: Building custom rules using Falco to expand threat detection tailored to our environment. CWP: Testing and implementing Cloud Workload Protection (CWP) to secure our container workloads. Summary In the Sysdig Kraken Hunter workshop, we conducted a simulated attack against an Amazon EKS demo environment and got hands-on with Sysdig Secure—detection, investigation, response, and more. Since we've only used a limited set of Sysdig Secure's features at our company, most of what was introduced was new to us. While we fumbled a bit at first, it was a great chance to see what the tool is truly capable of. Joining the in-person workshop also gave us the chance to hear real stories from other companies—their challenges and efforts in the field. Big thanks to the organizers for making this happen. Conclusion Our Security and Privacy Group, along with the SCoE group who joined this workshop, are looking for new teammates. We welcome not only those with hands-on experience in cloud security but also those who may not have experience but have a keen interest in the field. Please feel free to contact us. For more information, please check here .

はじめに こんにちは！ 新車サブスク開発G、Osaka Tech Lab 所属の high-g（ @high_g_engineer ）です。 今回は、社内で立ち上げたフロントエンド勉強会について紹介します。 開催経緯 ある日、新車サブスク開発Gの上長との1on1で、 TSKaigi 2024のタイムテーブル を見せる機会がありました。 それを見た上長からは「幅広いテーマが扱われていて、非常にいい教材だね。これを使って、各部署のフロントエンドエンジニア同士で知見を共有し、横のつながりを作る勉強会があったらいいね」という前向きな提案をもらいました。 その言葉をきっかけに、参加意欲の高そうなフロントエンドエンジニアを募り、社内勉強会の企画がスタートしました。 勉強会の目的 この勉強会では、以下の3つを目的に掲げています。 学習 ：外部カンファレンスの発表内容やWeb標準仕様を共有、議論を通じて理解を深める 実践 ：学んだ内容を実際のプロダクトに適用する 共有 ：実践から得た知見や課題を参加者間で共有し、組織全体のナレッジとして蓄積する 単に知識を得て終わるのではなく、「実際に業務で使える状態になる」ことを目指した実践的な勉強会です。 週に1回、1時間の枠を確保し、読み合わせ・モブプログラミング・ハンズオンなど、内容に応じた形式で実施しています。 主なテーマと発展経緯 2024年9月30日から現在までに34回開催し、以下のような内容を取り組みました。 カンファレンスや技術イベントの知見共有（第1〜17回） まずは、勉強会を定着させるために、 TSKaigi 2024 や JSConf JP 2024 の発表内容を中心に、フロントエンド技術の最新動向を参加者で学習しました。 Prettierの未来を考える （第1回）：コードフォーマッターの今後の方向性 TypeScriptのパフォーマンス改善 （第2回）：実際の業務コードでの課題と照らし合わせ 全てをTypeScriptで統一したらこうなった！ （第3回）：フルスタック開発事例 TypeScript化の旅: Helpfeelが辿った試行錯誤と成功の道のり （第5回） TanStack Routerで型安全かつ効率的なルーティング （第7回） Storybook駆動開発 UI開発の再現性と効率化 （第9回） TypeScriptで型定義を信頼しすぎず「信頼境界線」を設置した話 （第10回） mizchiさんによる「LAPRAS 公開パフォーマンスチューニング」 （第12〜13回）：外部事例から学ぶパフォーマンス改善 Yahoo! JAPANトップページにおけるマイクロフロントエンド （第15回）：大規模組織での開発事例 JavaScript のモジュール解決の相互運用性 （第16回） You Don't Know Figma Yet - FigmaをJSでハックする （第17回） チーム間知見共有と相互理解（第18〜24回） 参加者が増えたことで、個人のスキル共有や各部署のフロントエンドチームの状況共有を実施しました。 これにより、今後の勉強会の方向性を検討するとともに、各チームのプロジェクトをコードベースで確認し、KINTOテクノロジーズ全体のフロントエンド課題を共有できました。 ここまでのふりかえり （第18回）：勉強会の方向性を議論 自己紹介 〜これまでのキャリアを添えて〜 （第19回）：メンバー間の相互理解促進 各チームのフロントエンド開発状況共有会 （第20〜24回）：5回シリーズで各チームの技術スタック、課題、取り組みを詳細に共有 Web標準の理解と実践（第25〜28回） ふりかえり会で、Web仕様を理解したいという声があったため、Baselineを全員で掘り下げながら理解する取り組みをしました。 https://web.dev/baseline?hl=ja Baselineの理解 （第25〜27回）：3回シリーズでWeb標準について体系的に学習 Baselineの振り返り＆次回以降やること議論 （第28回）：学習内容の整理と今後の方向性検討 実践的なパフォーマンス改善（第29回〜現在） mizchiさんの公開パフォーマンスチューニングの動画 を参考にし、実際のプロダクトのパフォーマンスチューニングを実践しました。 https://www.youtube.com/watch?v=j0MtGpJX81E FACTORYパフォーマンス改善 （第29〜30回）：2回シリーズで具体的な改善施策と結果を共有 TSKaigi 2025 登壇内容シェア会 （第31回）：社内メンバーの登壇内容を事前共有 KINTO ONE パフォーマンス改善 （第32〜34回）：3回シリーズでモブプログラミング形式により全員で実際の改善作業を実施、最も実践的な学習を実現 継続的な開催による成果 参加者数の拡大と定着 当初5名から始まった勉強会は、継続開催を通じて、コンスタントに10名以上が参加する勉強会へと成長しました。参加者は新車サブスク開発Gだけでなく、他のグループからも参加者が増えてきて、横の繋がりを実現できています。 初期メンバーの多くが現在も参加を続けており、新しく参加したメンバーも定着率が高いことから、勉強会が参加者にとって価値のある時間になっていることが伺えます。 組織的な技術力の段階的向上 普段、カンファレンスや技術イベントで得た知識は、個人視点での学習範囲にとどまりがちですが、各部署にいる異なる課題感を持ったフロントエンドエンジニアたちで同時に学ぶ事により、組織全体にメリットがあるだけでなく、個人では気づきにくい観点からの学びにもつながっています。 BaselineシリーズでWeb標準について体系的に学習した継続参加メンバーは、これまで「なんとなく」使っていた技術について仕様レベルで理解できるようになり、業務での技術選択においてもより根拠を持った判断ができるようになっています。 実践的な問題解決能力の獲得 直近の勉強会では、KINTO ONE や KINTO FACTORY などの実際のプロダクトを対象に、モブプログラミング形式でパフォーマンス改善に取り組みました。 勉強会で得た知見をそのままプロダクトに適用し、実際に手を動かして確認することで、パフォーマンスチューニングへの苦手意識を払拭。売上向上にもつながる、実践的かつ価値のある取り組みとなりました。 チーム間の技術的連携の深化 開発状況の共有会を通じて、これまで把握しきれていなかった他チームの技術的な取り組みや課題を知る機会が増えました。 その結果、類似した課題を持つチーム同士が勉強会後に個別で相談し合うケースも増加しています。 勉強会は、単なる学習の場にとどまらず、実際の業務課題を解決するためのハブとしても機能し始めています。 まとめ 社内のフロントエンドエンジニア同士の横のつながりを強化する目的で始まったこの勉強会は、外部カンファレンスの知見共有からスタートし、現在では実プロダクトを題材にしたパフォーマンス改善へと発展しています。 今後も継続開催を通じて、つながりを育みながら、組織全体の技術力向上に貢献する場を目指していきます。

Introduction Hello! My name is K, and I work as a designer at KINTO Technologies. I usually work mainly on UI/UX design for e-commerce sites, but sometimes I also have the opportunity to work on communication design. Back in November 2024, I was responsible for designing the logo that became the face of our internal event, the CHO All-Hands Meeting! Since this was a special opportunity, I would like to take this opportunity to casually introduce the behind-the-scenes aspects of the production and the points I paid particular attention to. What is a Logo? A logo is more than just decoration; it serves as the face of a brand or event. At a glance, people can recognize it and think, "Oh, that's the event!" or "Hey, I've seen this before!" It plays a big role in shaping the impression it leaves on them. Instead of just creating something because it seems cool, I ask myself, "What kind of vibe will this event have?" "What message is it trying to send?" "What impression do I want people to walk away with?" It was a good reminder of how important it is to design with intention. Defining the Concept: Understanding the Core of the Event First, I had a chat with the art director in charge of the event's overall artwork. As we clarified the event's purpose and key message, I started shaping the concept behind the logo. The concept of the CHO All-Hands Meeting event was "initiative" and "connection." A space where everyone proactively connects with their colleagues A place where we truly feel that our company encourages taking initiative An energetic, lively atmosphere with colleagues that fuels our motivation for the next challenge I wanted to capture all of that through a design that feels "free and fun," and had "an energetic vibe that brings people together." Exploring Design Directions The next phase was to find out what kind of visuals would fit the concept. How do I express "a design that feels free and fun," and "an energetic vibe that brings people together."? When I thought about this, one theme came to mind: "otaku culture x technology." The event draws lots of people from development and creative teams. For many of them, things like anime, games, mecha, and manga are not only familiar, but also genuinely exciting. By blending that with a futuristic tech vibe, I felt we could create a world that feels even more open, energetic, and full of positive momentum. Some visual elements we considered were: Elements of mecha, robots, and tokusatsu-inspired details : To bring in that mechanical, industrial edge. Manga and comic-style elements : To experiment with bold, energetic lettering and speech bubble shapes. Digital-style typography : To add a subtle futuristic vibe. I started by sketching out rough ideas by hand, letting the concepts flow freely from there. From Sketch to Digital Once the direction became clear from the sketches, I moved into Illustrator to start digitizing the design. Cleaned up the rough drafts and created the base shape. From there, made several variations, each with subtle tweaks in nuance. Discussed with the art director which design best embodies the concept. Of course, plenty of ideas didn't make the cut—but going through that trial-and-error process really reminded me how essential it is for creating great design. Polishing the Details Once the rough draft was locked in, it was time to move into the final phase. At this stage, I kept refining things, tweaking the details until everything felt just right. And, one of the key elements that really shapes the impression of a logo is the font. For example, rounded fonts can give off a soft, friendly vibe, while sharper fonts feel more sleek and polished. Even small differences like that can completely change the overall tone of the logo. This time, instead of relying on existing fonts, I created an original font. While keeping the event's core themes—autonomy and interaction—in mind, I made adjustments with a focus on the following points: Improve readability : Adjust letter width, proportions, and spacing to make the text easier to read and give the overall design a cohesive feel. Refine curves : Reduce the number of paths to create a smoother, more polished shapes. Harmony between kanji and katakana : Be mindful of consistent shapes so the characters would feel balanced when placed together. When compared to the original red guidelines, the final shape has changed significantly. This process really reminded me how even the smallest design choices, like font style and tiny shape tweaks, can greatly affect the impression a logo gives. Finalizing the Logo: Balancing Playfulness and Versatility And finally—the logo was complete! It strikes a nice balance between playful vibes and practical versatility, making it easy to use in all kinds of contexts. The mix of subculture and tech came through naturally in the design. By sticking to the shapes and fonts, the overall finish and quality really leveled up! Summary Logo design is something where even the tiniest details can totally change the impression it gives. This project reminded me how important it is to keep pushing until you hit that "This is it!" moment. This time, I think I managed to go beyond just making "something that looks cool." I created a design that really "captures the spirit of the event and works across different contexts." If this article sparks even a little inspiration or insight for someone out there, I'll be happy!

はじめに こんにちは、2025年4月入社の hiro です！ 本記事では、2025年4月入社のみなさまに、入社直後の感想をお伺いし、まとめてみました。 KINTO テクノロジーズ(以下、KTC)に興味のある方、そして、今回参加下さったメンバーへの振り返りとして有益なコンテンツになればいいなと思います！ Minami 自己紹介 7月より新たに発足するデータ戦略部に所属します 所属チームの体制は？ 分析、事業戦略/戦術の提案、施策の実行まで一貫して向き合うチームです とても優秀なアナリストやデータサイエンティスト、エンジニアの皆さんと一緒に事業成長に取り組めるので、いまから楽しみです KTCへ入社したときの第一印象？ギャップはあった？ 働き方やオフィスでの過ごし方など、自由度の高さに驚きました 落ち着いてる中に密かに熱い気持ちを持ってる方もいらっしゃるので、これからが楽しみです 現場の雰囲気はどんな感じ？ チームは比較的若く、仲良く明るい雰囲気です 新しい体制でチームの強みを発揮できるように頑張ります ブログを書くことになってどう思った？ 入社前に読んだので、KTCに入社される方の参考になったら良いなと思いました MAoさん ⇒ Minamiさんへの質問 国内国外問わず、おすすめの旅行先があったら教えてください！ 昨年行ったハワイのカウアイ島がすごく素敵でした！ H.N 自己紹介 業務システム開発部で販売店業務領域を主に担当しています。 最近は室町オフィス近辺の美味しいお店を探すのが趣味です。 所属チームの体制は？ 業務システム開発部の中でもNimbusチームに所属してまして、プロパー3人とパートナーさんで日々業務にあたっています。 KTCへ入社したときの第一印象？ギャップはあった？ 想像していたよりも社内イベントや食事会への参加機会が多くて、他部署の方と関われるきっかけ作りができそうなので良い意味のギャップでした！ 現場の雰囲気はどんな感じ？ 忙しい中でも困った事や不明点を聞きやすい雰囲気づくりをしてくださる先輩方が多く、日々キャッチアップするにあたって大変助かっています！ ブログを書くことになってどう思った？ テックブログも含めてこういった記事を書くことに慣れていないのですが、これを機会に楽しめるようになればいいなと思ってます！ Minami ⇒ H.Nへの質問 参加されて面白かった社内イベントを教えてください！ まだ社内イベントには参加できてませんが、以下の社内イベントに参加してみたいと思ってます！ KTCBeerBash 生成AI系の社内勉強会 部署やチームを横断して交流が深められそうなイベントがあれば！ K.S 自己紹介 my routeアプリのUI/UX改善を主に担当しています。趣味は家族でキャンプに行くことです。 所属チームの体制は？ 7月から新体制になる予定です。PDMと開発チーム一体となってアプリをよりよくしていきます。 KTCへ入社したときの第一印象？ギャップはあった？ 入社したタイミングで神保町オフィスがリニューアルされていてとにかくオフィスが綺麗です。さらに休憩スペースの椅子や机はアウトドアメーカーに統一されていてオシャレ！ 現場の雰囲気はどんな感じ？ my routeチームは皆さん優しく、困った事は全てサポートしてくれます。歓迎会も素晴らしかったです！ ブログを書くことになってどう思った？ 過去の先輩方の紹介ブログをよく読むようになり、さらに会社の事を知れて良い機会になりました。 H.Nさん ⇒ K.Sさんへの質問 家族でこれまで行った中でおすすめのキャンプ場や旅先があれば教えてください！ 都内から近場＆子供&ペット同伴が喜ぶ&高規格という点で TACO GLAMP 毛呂山町ゆずの里オートキャンプ場 みかぼ高原オートキャンプ場 です！他にも沢山あります。 ですが、ぶっちゃけ焚き火さえできれば何処でもOKですw ちる 自己紹介 はじめまして！　ちるです。　IT/IS部　コーポレートITグループに所属しています。　 これまではWEB系の開発エンジニアとしてのキャリアを積んできたのですが、KTCではコーポレートITとして社内情報システム、販売店様の情シス業務支援など組織を強くしていくためにエンジニアスキルを発揮できるよう日々奮闘しています！ 所属チームの体制は？ チームはInnovation Driveチームに所属しています！私を含め９名のチームでそれぞれのメンバーが得意領域で活躍しています！ チームの目標として「KTCのIT環境を最高のモノにする。」「KTCで生み出された価値を社外に届ける。」といった目標があり、社内だけにはとどまらず「KTCの価値を最大化し対外的な価値に繋げる技術者集団」を目標としているチームになります。 KTCへ入社したときの第一印象？ギャップはあった？ 第一印象は、元気な人が多いな！　でした 入社してすぐに社内イベントがあったり、定期的に開催されるビアバッシュがあったり交流が多い会社だなって思いました。 ギャップに関してはカジュアル面談や採用面接で色々とお話伺っていた内容がそのままだったので大きなギャップは特になかったです。ただ大企業のグループ会社なので、業務フローなどが固いイメージ、制約などが厳しいと勝手に想像していたのですが、そういった事は特になく、むしろスピード感がすごくて驚きました！ 現場の雰囲気はどんな感じ？ 所属チームのメンバーは拠点が別なこともあり、全員が揃うのはオンライン上がほとんどですが不思議なくらい距離感を感じないです。　困ったときの相談や質問もSlackやZoom等ですぐコミュニケーション取れるのでとても良い雰囲気で仕事できています。 障害発生時にみんなが「どうした？どうした？」って集まってくる感じや、チームMTGで相談すると意見交換が盛り上がって時間足りなくなることあったりと、とても活発なチームでよいな！と感じています。 ブログを書くことになってどう思った？ 入社前からテックブログは読んでいて書くことはわかっていたので、ついに来たか・・・と思いました笑 K.Sさん ⇒ ちるさんへの質問 名古屋オフィスから近くて美味しい定食屋さんあったら教えてください！ オフィス近くの柳橋中央市場内にある　天ぷらとワイン小島　揚げたての天ぷら定食おすすめです 名古屋にいらっしゃる際には是非一緒にいきましょ！ MAo 自己紹介 IT/IS部　コーポレートITグループに所属しています。主に視える化担当でBI作成しつつ、その前後の業務改善をしたりと現場に近い距離で業務しています。 所属チームの体制は？ Innovation Driveチームに所属しており10名ほどのチームです。 KTCへ入社したときの第一印象？ギャップはあった？ 周囲の人がすごく話しかけてくれる！！ 現場の雰囲気はどんな感じ？ それぞれの考えを持ち寄り、より良い解決策を考える雰囲気です。 ブログを書くことになってどう思った？ 何を書くのかドキドキしました。 ちるさん ⇒ MAoさんへの質問 最近のマイブーム教えて下さい！ 道路を走っている車を眺めながらお茶を飲むこと！「みんな、動いてるなぁ。私も頑張ろう！」と思えます。 さいごに みなさま、入社後の感想を教えてくださり、ありがとうございました！ KINTOテクノロジーズでは日々、新たなメンバーが増えています！ 今後もいろんな部署のいろんな方々の入社エントリが増えていきますので、楽しみにしていただけましたら幸いです。 そして、KINTO テクノロジーズでは、まだまださまざまな部署・職種で一緒に働ける仲間を募集しています！ 詳しくは こちら からご確認ください！

My name is Ryomm and I work at KINTO Technologies developing my route (iOS). Here are some things I've done to save CI credits: Introduction In our project, we use Bitrise as a CI tool. Last year, in addition to regular unit testing, we introduced snapshot testing and moved to SPM . Before we knew it, the time it took for each Bitrise CI run had ballooned to around 25 minutes, and in months when a lot of implementation was happening, we often ended up exceeding our budget. Bitrise becomes expensive if you exceed the contracted amount, so at the exchange rate at the time of writing, it costs about 400 yen for each excess CI run. That's expensive! For this reason, when credits were about to exceed the limit, a trend was created to limit PR merging to the bare minimum in order to avoid moving CI. In order to overcome this situation, we have been working on some credit saving techniques for our project. Reviewing the CLI Tool Setup By looking at the Bitrise Build results, you can see how long each step took. Bitrise Build Result Looking at this, we can see that it took 12 minutes in "Script Runner". This is the step where we set up swiftLint and LicensePlist. As I mentioned in my previous article , the libraries can be downloaded and used in a package created separately from the workspace in order to be executed in the Build Phase. Well, this certainly does take time, so I'll try to shorten it. Fortunately, the library we want to use here is compatible with the Build Tool Plugin, so we can skip this step by transferring it to that library. Since the settings such as license_plist.yml and .swiftlint.yml have already been made, all you need to do is add the package to the project's Package Dependencies and add the plugin to Run Build Tool Plug-ins in the target Build Phase. Build Phase settings Since the location of LicensePlist cannot be specified by outputPath when it is a plugin, you need to include it in BuildPhase so that the license file is moved under Settings.bundle as described in README . Also, the package needs to be included in the app itself, not just a package linked via Frameworks. This completely eliminated the "Script Runner" step, saving me 12 minutes... and cutting my credit costs in half!🎉 Bitrise Build Result Additionally, project configuration has been simplified and there is no longer any need to run separate shells for setup or version updates. In this case, everything was compatible with the Build Tool Plugin, so I changed the configuration, but I also tried nest as a different approach. This allows you to reduce CI time while still managing your existing CLI tools as separate packages. Replace the package for installing the CLI tool under the tools directory with nest. Project/ ├── Hoge.xcworkspace ├── Hoge.xcodeproj ├── Test/ │ └── ... ├── ... └── tools └── nextfile.yaml // ここを置き換える When you run nest bootstrap nestfile.yaml , you can see that the binary is installed in tools/.nest/bin , so set it to be executed in the Build Phase. Configuring swiftlint in the build phase This may be useful if the Build Tool Plugin is not supported. Review the Test In our project, all tests were packed into one test target, so all tests were always run. Furthermore, the snapshot tests were very heavy tests that took about an hour to run, so the method that compared them with a reference image was commented out on the CI so that it would not be executed. However, because asynchronous drawing processes such as waiting before comparison are executed, if the process fails, timeouts accumulate and you have to wait for a long time, which is also one of the factors that eats up credits. Therefore, I separated the snapshot tests that were not running on CI into a separate test target and tried to control the tests that were executed using TestPlan. First, create a test target for the long-running snapshot: Create a test target After configuring the targets using the existing test targets as reference, move the snapshot tests to the newly created target via Target Membership in the Compile Sources under Build Phases or in the File inspector for each test file. In this case, if the moved test file has a dependency on a test file in the original test target, it will not be able to be built, so you will need to separate the dependencies each time. * Change the target * Next, create a TestPlan. A TestPlan is a collection of tests to be run and their configuration. In this case, the tests you want to run can be specified on a test target basis. For this purpose we have created a separate test target. TestPlans can be linked to schemas, and in our app we have a one-to-one relationship between schemas and TestPlans. And in the TestPlan for the schema you want to use on CI, make sure you don't run snapshot tests. TestPlan settings When you actually run it, the execution time doesn't change significantly on CI unless there is a failure. However, the local testing experience has improved significantly. Snapshot tests used to be executed even when only the logic was changed, but now they can be prevented from being executed by simply unchecking the box, resulting in a significant reduction in time. We have decided not to run tests that were not originally run on CI in the first place, but we would like to make it possible to run snapshot tests as well after adjusting the balance with credit usage. Conclusion In addition to the steps introduced here, other measures that can shorten build times include fixing code that takes a long time to infer types and deleting unused assets. These efforts reduced the average time per CI run from about 22 minutes to about 12 minutes, resulting in a savings of about 45% in credits. This time, we focused on reducing the time before and after the build, which is something we can do immediately, but next time we would like to reduce the build time itself even more.

Introduction Nice to meet you. My name is Yena, and I’m working on Android app development at KINTO Technologies. My career began with Android development, and I have been involved in a wide range of areas, including smart TV apps, web backend and frontend development, and API development. While currently working on Android development, I also plan and run an in-house study group called "Droid Lab" to support the growth of both myself and my team. To share the technical content from the study group more broadly outside the team, we considered publishing the materials as a tech blog, but we faced the following challenges: Since the materials are mainly created in Confluence or PPT format, they need to be converted to Markdown format before being posted on a blog, which makes it impossible to publish them as is and requires significant effort. This conversion work was a significant burden, making it difficult to secure enough time to write blog articles, which led to delays in disseminating information as intended. To solve these challenges, we introduced a mechanism that leverages generative AI ChatGPT's Custom GPT to automatically convert source materials, such as those in Confluence and PPT formats, into Markdown format. We are currently running trial operations, and this mechanism is expected to bring benefits such as reducing the burden of conversion work and improving the efficiency of information sharing. Here, I will explain the creation procedure and settings of the GPT that we actually introduced. How To Create a GPT 1. Creating a GPT After logging in, click "Explore" on the top left. Select "Create GPT" from the My GPT category. Set a Name and profile picture in GPT Builder. DALL·E can also automatically generate an image that matches the name you created (the image below was generated by AI based on the name we created in DALL·E). Setting GPT details 1 Description Here is a brief one- or two-line description of what this GPT does. Example: This GPT automatically generates technical blog articles in Markdown format based on Droid Lab materials. The branch used for creating blog articles should follow this format: (branch name: sample/YYYY-MM-DD- ). 2 Instructions Here, you should describe in detail how GPT should behave, what kind of output it should generate, and any constraints. This is the core of the prompt. Below are the output rules that GPT should follow: Output the Markdown body text below YAML (*In our case, we have a fixed format, so we define it in YAML.) Heading -> ## Heading List -> - Item Inline code -> Code Code block -> Written in open/closed sets such as kotlin Image ->  ⚠️ Do not change the structure, style, or order of sentences. The output must always start with Markdown and be enclosed within a code block. If the internal API URL or a confidential name is included, clearly state "【Non-public information may be included】" and provide suggested corrections. Even if the output is long, do not stop midway and return the entire output in one go. 3 Conversation starters Register example sentences to show how users should use it. Example: Convert the Confluence memo into a technical blog in Markdown format. 4 Knowledge Specify supplementary materials (such as style guides, sample articles, etc.) to be uploaded to the GPT. Internal blog style guide e.g. samples of previously published articles * Be sure to confirm that no confidential information is included before uploading. 5 Capabilities Web Search Canvas DALL·E Code Interpreter -> The function can be turned on and off as needed! Setting GPT details After entering all the information, click the “Create” button in the upper right, and GPT creation will be completed . 2. Setting up GPT Here, I will explain the operating rules and constraints set for GPT. Below are the main functions we have set up to comply with our internal blog format and ensure proper Markdown conversion via GPT: Function Description ✍️ Conversion to Markdown format Converts the pasted text directly to Markdown syntax without changing the style or structure. 📄 Automatic addition of YAML meta information Automatically generates postId, title, and excerpt to match the company's blog format. 🧱 Preservation of syntax and unification of output format Outputs everything in a single code block to prevent Markdown syntax from being broken. 🔐 Security check function Detects internal APIs and internal code names, marks them as 【Possibly confidential information】 and suggests corrections. ⚠️ Output interruption prevention logic Outputs everything in one go, even for long text, without stopping midway to prevent syntax from being broken. ⚠️ Japanese/English check Detects variations in notation, typos, and unnatural expressions, and suggests corrections as necessary. 2-1. 🧠 Detailed specifications of GPT (prompt settings) This GPT functions as a professional tech blog writer and a Markdown converter tool. When a user pastes text from Confluence or an internal memo, it will be output according to the format below, without altering the original structure, order, or style. 1. YAML Meta Information Output Rules To publish it as a blog post, YAML meta information (such as title, date, and category) must be defined at the beginning. This GPT automatically generates a YAML header from the pasted text, according to the following rules: YAML must be output in a yaml code block in the prescribed format. The "title" and "excerpt" fields must be automatically completed by inferring and extracting them from the text. If there is no title, it must be output as 'Article title here' . If the article is very long, Markdown code block must be automatically split into multiple blocks, and output must continue until completion, without the need for the user to prompt by saying "continue.” Automatic Category Judgment Rules If your post contains the following keywords, automatically replace category with the corresponding one: Kotlin, Compose, MVVM, KMP -> "Android" GitHub, CI/CD, CodeBuild -> "DevOps" Lint, architecture, coding standards -> "Architecture" Confluence, Markdown, GPT -> "Tooling" Firebase, AWS, S3 -> "Cloud" Study group, internal sharing, knowledge -> "Team" AI, ChatGPT, Prompt, Natural Language Processing -> "Generative AI" If multiple categories apply, prioritize the category that appears most frequently . 💡 Below is an example of the YAML header format used for our internal blog (it may not be usable in external environments): [Example] --- postId: "<自動生成されたID>" title: "<記事タイトル>" excerpt: "<要約文>" coverTitle: "<表紙用の見出し>" coverImage: "<画像パス（社内ブログ用）>" date: "<ISO形式の日付>" category: "<カテゴリ名>" .... --- 2. Markdown Body Text Output Rules Markdown conversion rules: Heading -> ## Heading List -> - Item Inline code -> Code Code block -> Example: kotlin (※ Be sure to close after opening.) Image ->  ⚠️ Do not change sentence structure, order, or style. ⚠️ Output everything accurately up to the closing tag to avoid breaking the Markdown syntax. 3. Post-Output Automatic Check Function Put all the output (YAML + Markdown body text) in one code block ( Markdown ) . The output must begin with Markdown and end with the corresponding closing code block tag . Even if the text is long, the output must not stop midway, and the entire text must be returned in one go . 3-1. 🔐Security Check Check that the following items are not included: Internal API URL Internal library name Project code name If confidential information such as a customer ID is detected, mark it as “【Possible confidential information】” and present proposed revision for publication at the same time. Detection example (screenshot) 3-2.⚠️ Japanese/English Check Japanese typos, misused particles, awkward phrasing, and inconsistencies in sentence endings, among other issues. English spelling mistakes, grammatical errors, unnatural expressions, etc. If necessary, output the proposed revision under the heading “⚠️ Text check:” However, do not change the order, structure, or style of the sentence in any way; simply point out the mistakes . Detection example (screenshot) 4. Usage Demo 4-1. Execution Steps 💬 Step 1 : Enter the TEXT you want to convert 💬 Step 2 : Paste into custom GPT and send 💬 Step 3 : Output in Markdown format 5. Benefits Gained from the Implementation The implementation of this GPT has brought several benefits, including increased efficiency in Markdown conversion and improved quality of information sharing. Incidentally, ** this article has also been automatically converted to Markdown format using this GPT.** Item Before After Benefit Markdown conversion task 30 minutes to 2 hours or more Tens of seconds to several minutes Reduced workloads by more than 80% Format unification Individual differences exist Automatic, stable output Improved quality and readability Security verification Manual verification Automatic detection and marking Safe to publish Sentence verification Manual verification Automatic detection and marking Safe to publish Users Mainly those familiar with the Markdown format Members who are unfamiliar with the Markdown format can also use it Expanded scope of use 6. Summary We introduced this GPT to reduce the effort involved in Markdown conversion, aiming to make it easier to casually and widely share the knowledge gained at Droid Lab, both within the team and beyond. By leveraging generative AI, time-consuming conversion tasks have been streamlined, enabling us to share information more efficiently while maintaining confidence in both quality and security. Moving forward, we plan to improve usability by adding features like direct PowerPoint uploads and automatic meeting summaries. We aim for a future where knowledge sharing across the entire development team becomes even smoother! 🚀 Potential Applications Addition of Japanese-to-English conversion function Support for global communication and sharing with international members. Support for PPT uploads We are currently developing a system that will eliminate the need for manual copying and allow conversion simply by uploading files. Introduction of GPT for meeting summarization Optimization to automatically extract summaries and ToDos by simply pasting meeting logs and minutes

The other day, during a casual chat with a colleague, he suddenly said: "AI has come so far in the blink of an eye. I can't even imagine what it'll be like in five years." I'm not an AI expert, but it just so happens I've looked into it a little bit. And the answer to that question isn't as simple as saying "It'll get way better." The thing is, there are some deep-rooted challenges in how the technology actually works. I’m no expert, but here’s my take. I'd like to share what some of these challenges are, and what might help us get past them. Humans as the Bottleneck As you know, generative AI, including Large Language Models, needs a whole lot of data to learn. And by "a whole lot," I mean enormous . That data is collected from publicly available sources through web crawling and scraping, as well as from books, code repositories, and so on. And the key is that all of that content is created by humans . But we humans just aren't fast enough. We can't produce new data at the rate AI is consuming it now. According to a paper by Pablo Villalobos from the research institute Epoch AI , if current trends continue, we could run out of high-quality, publicly available human-generated text data sometime between 2026 and 2032 . In other words, "scaling up with more data" may not work anymore beyond that point. Simply because there isn't enough new human-generated content left to feed these models. Forecasting Human-Generated Public Text and Data Consumption in LLMs Reusing data (a technique called multi-epoch learning ) has some effect, but it's not a fundamental solution. To make matters worse, a lot of the data currently proliferating is of poor quality. For example, spam, social media comments, extremely biased information, misinformation, even illegal content. Also, it's worth pointing out that in languages less commonly used than English, the pace at which human-generated content accumulates is naturally much slower. Therefore, in such languages, the gap between the amount of data created by humans and the data needs of AI could become an even bigger problem. So, what should we do about it? Here are a few of the proposed solutions: Using synthetic data (i.e., data generated by AI itself) for training While this can be effective in some areas, it also comes with a risk of "model collapse." I'll get into the details in the next section. Utilizing non-public data This means using proprietary data held by companies for AI training. This obviously raises serious legal and ethical questions. In fact, some companies, such as the New York Times , have already banned AI vendors from scraping their content. Improving model efficiency Instead of just making models bigger, the idea is to train them to learn smarter . Actually, we're starting to see signs of this shift. When using tools like ChatGPT, we can see something like "reasoning" where the model links multiple steps logically, rather than just recalling memorized information. Inbreeding in Generative Models As mentioned earlier, one way to increase the amount of training data is to generate more of it. But this comes with its own risks. In this paper , Zakhar Shumaylov from the University of Cambridge investigates the question: "What happens when we train a next-generation model on data generated by past AI models, rather than by humans?" The authors point to a dangerous feedback loop called model collapse . When AI-generated data is used over and over again for training, the model gradually drifts away from the original distribution of real-world data. As a result, its outputs become more generic, monotonous, and distorted. In particular, rare and subtle features are more likely to get lost. This mainly happens for two reasons: Statistical errors build up over generations, due to a limited sample Functional errors emerge because the model can't perfectly reproduce complex data distributions Visual images of model collapse Interestingly, keeping just 10% of the original human-generated data can help reduce model collapse to some extent. However, it cannot be completely prevented . Unless we make a deliberate effort to preserve real, human-generated data, AI models will increasingly end up trapped in a narrow, self-reinforcing worldview. It's effectively digital inbreeding . Furthermore, Gabrielle Stein from East Carolina University explored whether this issue could be avoided by using "cross-model learning," in which AIs exchange and learn from each other's data. The conclusion? It didn't really make much of a difference . In her study, she trained models on different proportions of human data: 100%, 75%, 50%, 25%, and 0%. The results showed the following trends: As the proportion of synthetic data increased, linguistic diversity steadily declined No "tipping point" was observed where performance suddenly collapsed at a specific percentage Even a small amount of human data helped slow the rate of degradation She suggests that to avoid early-stage model collapse, at least half of the training data should reliably come from confirmed human-written content. Considering that much of the data we see online is generated by AI, and that most AI training data is scraped from the Internet, it paints a somewhat bleak picture for the future of AI. As AI-generated content increasingly makes its way into training data, the risk of causing model collapse in the future keeps growing. Still, there are some fresh, innovative approaches are emerging that could lead to a breakthrough. What Comes Next? To address the challenges I've covered so far, a few relatively new approaches have started to emerge. While they're not permanent solutions, they might be able to delay the collapse caused by inbreeding and data shortages for a while. One example already mentioned is AI reasoning . This refers to behavior in models like ChatGPT, where the model goes through multiple steps of internal reasoning and judgment before producing a final answer. Another promising method is called Retrieval-Augmented Generation (RAG) . Put simply, this approach lets AI models generate responses not just from their training data, but also by pulling in external documents . For example, feeding a PDF into an LLM or letting it search the Internet before answering a question would fall into this category. That said, as you can probably guess, this doesn't solve the underlying problem of a lack of data . After all, the amount of new, reliable information we can feed into a model is still limited. So, what are promising approaches that haven't been fully realized yet? One example is the trend toward synthetic reality and embodied agents . This is a completely different approach to AI development. Instead of learning passively from static datasets, the idea is to place AI agents in dynamic virtual environments where they act, explore, and adapt to achieve goals. The data obtained is self-generated , produced through experiencing results, testing hypotheses, and planning strategies. It's contextual, diverse, grounded in interaction, and extremely high in quality. This method enables sustainable and self-renewing learning in environments with near-infinite variation. Regardless of the exhaustion of human-written text, it helps avoid the trap of AI being stuck in its own output. ...However, we're not there yet. Sure, we've been successful at offloading all sorts of boring tasks onto AI. But for now, it looks like we still have a fair amount of work to do ourselves. Thanks for reading!

In 2025, as AI continues to evolve rapidly, being able to effectively use AI has become a key skill for engineers. However, to do so, it is essential to understand prompts appropriately (how to give instructions), requiring experience and knowledge. As the first step in coding with AI, I will introduce you to development utilizing TDD (test-driven development) and AI, which is the theme of this article. Benefits of TDD × AI ✅ Drastically reduced implementation cost! Engineers “only need to write tests” Other than writing tests, they do not need to give complex instructions or prompts. After that, AI automatically generates code. ✅ Development speed skyrockets! Dramatic reduction in detailed back-and-forth communication AI can instantly generate code at each step of TDD, significantly accelerating development efficiency and improving consistency across the codebase. ✅ Exceptional code quality! AI output can be controlled with proper testing Proper testing ensures control over AI generative code. The result is code with fewer bugs. What is TDD? Here is a brief explanation of TDD (Test-Driven Development), which is a fundamental premise. https://www.amazon.co.jp/dp/4274217884 "TDD (Test-Driven Development)" is a methodology proposed by Kent Beck in his book👆 over 20 years ago. By repeating the simple cycle shown in the diagram above — first, write a test, then implement code to pass the test, and finally, refactor — you can produce high-quality, maintainable code. Since testing serves as the starting point for implementation, development can proceed while ensuring a testable structure. Practice TDD :::message This is performed using the Agent mode of GitHub Copilot in VSCode. ::: https://code.visualstudio.com/docs/copilot/copilot-edits#_use-agent-mode-preview With this method, an engineer writes tests and generative AI handles implementation and refactoring, enabling efficient, high-quality development. This time, I will explain the flow of TDD × AI using password validation as an example. Let's start with character count validation . :::message alert It is important to proceed in small steps, without filling in all the specifications from the beginning! ::: Step 1: Creating a Character Count Validation Test Prepare a target password validation class and test files. You can leave both files empty at this stage. Once the files are created, you might be tempted to immediately write the password validation class. But since we’re using TDD, we’ll start by writing tests. @Test("パスワードの文字数が8文字以上16文字以下でバリデーションが成功すること") func testPasswordLengthValidation() async throws { let sut = PasswordValidator() let validPasswordShort = "Valid123" let validPasswordLong = "ValidPassword123" let invalidPasswordShort = "Short01" let invalidPasswordLong = "ThisPasswordIsWay" #expect(sut.validate(validPasswordShort) == true) #expect(sut.validate(validPasswordLong) == true) #expect(sut.validate(invalidPasswordShort) == false) #expect(sut.validate(invalidPasswordLong) == false) } Since the PasswordValidator class and validate method aren't implemented yet, you’ll naturally get an error Next, input a prompt to the AI and ask it to implement.  Then, after a few tens of seconds, the AI generates an implementation. struct PasswordValidator { // パスワードの長さの制約を定数として定義 private let minimumPasswordLength = 8 private let maximumPasswordLength = 16 /// パスワードが有効かどうかを検証します /// - Parameter password: 検証するパスワード /// - Returns: パスワードが有効な場合はtrue、そうでない場合はfalse func validate(_ password: String) -> Bool { let passwordLength = password.count return passwordLength >= minimumPasswordLength && passwordLength <= maximumPasswordLength } } Next, let's add a feature to validate the mix of numbers, letters, and symbols. Step 2: Adding Validation of Numbers, Letters, and Symbols @Test("パスワードの文字列の中に数字、文字、記号が含まれている場合にバリデーションが成功すること") func testPasswordCharacterValidation() async throws { let sut = PasswordValidator() let validPassword = "ValidPassword12!" let invalidPasswordNoNumber = "InvalidPassword!" let invalidPasswordNoCharacter = "1234567890!" let invalidPasswordNoSymbol = "InvalidPassword1" #expect(sut.validate(validPassword) == true) #expect(sut.validate(invalidPasswordNoNumber) == false) #expect(sut.validate(invalidPasswordNoCharacter) == false) #expect(sut.validate(invalidPasswordNoSymbol) == false) } At this stage, an error will occur, but don't worry about it; just provide the test case to the AI and let it generate the implementation.. struct PasswordValidator { // パスワードの長さの制約を定数として定義 private let minimumPasswordLength = 8 private let maximumPasswordLength = 16 /// パスワードが有効かどうかを検証します /// - Parameter password: 検証するパスワード /// - Returns: パスワードが有効な場合はtrue、そうでない場合はfalse func validate(_ password: String) -> Bool { let passwordLength = password.count guard passwordLength >= minimumPasswordLength && passwordLength <= maximumPasswordLength else { return false } let hasNumber = password.rangeOfCharacter(from: .decimalDigits) != nil let hasLetter = password.rangeOfCharacter(from: .letters) != nil let hasSymbol = password.rangeOfCharacter(from: .symbols) != nil || password.rangeOfCharacter(from: .punctuationCharacters) != nil return hasNumber && hasLetter && hasSymbol } } Up to this point, we completed the implementation in under 10 minutes . In traditional coding, you need to explicitly define various conditions and specifications in the prompt, but with this method, you simply ask AI to implement something that meets the test conditions . Since all the implementation details have been written in the test, there is almost no need for complex prompt instructions. To Further Streamline Communication with AI If you write implementation rules and constraints in advance in "copilot-instructions.md," there's no need to provide detailed instructions to the AI each time. 日本語で返答してください。 ### コーディングルール - テストはswift-testingを使用してください。 - 実装には基本的にマジックナンバーは使わないこと - DRYの原則に則って実装してください - KISSの原則に則って実装してください - YAGNIの原則に則って実装してください To Become an Engineer Who Thrives in the Age of AI AI is not omnipotent. But that’s no reason to give up! It is important to calmly determine what "AI is good at" and what "humans should handle." With “TDD × AI,” let's understand the coding habits of AI and reach new levels of speed and quality in development!🚀

Introduction Hello. My name is Shiode, and I do payment-related backend development in the Toyota Woven City Payment Solution Development Group. As mentioned in my previous article , our group uses Kotlin for development, with Ktor as our web framework and Exposed as the ORM. We also adopt Clean Architecture in our code architecture. Initially, we used Kotlin's Result type for error handling, but as the number of developers increased, we started seeing a mix of Result and throw used in code. Mixing throw into code that uses Result defeats the purpose of expressing error handling through types, as it still requires try-catch blocks. Since Kotlin doesn't have Java's checked exceptions, it's easy to forget to call a try-catch block, which can lead to unhandled errors. To improve this situation, we discussed within the team and decided to standardize our error handling using Kotlin's Result type. In this article, I'll walk you through how our group writes error handling in practice. This article does not include the following. Explanation of Clean Architecture Explanation of Ktor and Exposed Comparison between kotlin-result and Kotlin's official Result type Application Directory Structure Before getting into the main topic, I will explain the directory structure of the application in this group. Below is the well-known diagram of Clean Architecture along with our group's directory structure. As we've adopted Clean Architecture, our application's directory structure is generally organized in line with its principles. (Source: The Clean Code Blog ) App Route/ ├── domain ├── usecase/ │ ├── inputport │ └── interactor └── adapter/ ├── web/ │ └── controller └── gateway/ ├── db └── etc The correspondence between our directory structure and the Clean Architecture diagram is as follows: domain directory: entities usecase directory: Use Cases adapter/web/controller directory: Controllers adapter/gateway directory: Gateways The terminology doesn't match exactly, but basically the domain directory sits at the core, the usecase directory surrounds it, and everything under adapter forms the outermost layer. Therefore, the allowed direction of dependency is as follows: usecase -> domain Everything under adapter -> usecase or domain This direction of dependency makes it possible to develop business logic without being affected by factors such as web frameworks or database types. Error Handling Policy Basically, our error handling is based on the following policies: Use Result type instead of throw in case of processing failure When a function returns a Result type, do not use throw When returning an exception, use a custom-defined exception type In the next section, I'll go over each of these policies in more detail, with code examples. Use the Result type When a Function May Fail Since Kotlin doesn't have checked exceptions like Java, there's no mechanism to force the caller to handle errors. By using the Result type, you can explicitly indicate that an error may be returned to the caller, reducing the chances of error handling being missed. However, in cases like Result<Unit> , where the return value isn't used, error handling cannot be enforced unless a custom lint rule is defined. But as of now, we haven't defined one yet. Code Examples Below is a simple code example. When defining a function that performs division, it typically results in an error if the denominator is zero. If a function might fail, specify Result as its return type. In this example, Result<Int> is specified. fun divide(numerator: Int, denominator: Int) : Result<Int> { if (denominator == 0) { return Result.failure(ZeroDenominatorException()) } return Result.success(numerator/denominator) } When Returning an Exception as a Result Type, Wrap the Exception in a Custom-defined Exception Repositories are defined as interfaces in the domain layer, with their implementations residing in the adapter layer. If a use case layer calls a repository function and handles errors, and the adapter layer returns a third-party library exception as is, then the use case layer must be aware of that third-party exception. In that case, the use case layer becomes dependent on the adapter layer. Here's what that looks like in a diagram:  Interface-based Dependency and Exception-based Dependency (bad example) To avoid this, we always make sure to wrap any exception returned via Result in a custom-defined exception. One tricky point when applying Clean Architecture is deciding which layer exceptions belong to, but I personally think it should be in the domain layer. Our group uses a shared set of custom exceptions across multiple services, so we've extracted them into a separate domain library. Another tricky point with Kotlin's official Result type is that it doesn't allow you to specify the exception type, which means you can't enforce returning only custom exceptions. In cases like this, it may be worth considering the use of kotlin-result . However, we chose not to adopt it in order to avoid introducing third-party types into the domain code. Code Examples Let's say the following interface is defined in the domain layer. data class Entity(val id: String) interface EntityRepository { fun getEntityById(id: String): Result<Entity> } Now, consider a case where a third-party library exposes a method like the one shown below, and it's used as-is. fun thirdPartyMethod(id: String): Entity { throw ThirdPartyException() } Bad Example If the implementation in the adapter layer returns the exception from the third-party library directly. As shown below, this causes it to leak into the caller such as UseCase . class EntityRepositoryImpl : EntityRepository { override fun getEntityById(id: String): Result<Entity> { return kotlin.runCatching { thirdPartyMethod(id) } // This returns the third party exception } } Good Example To prevent third-party exceptions from leaking to the caller, wrap them in a custom-defined exception. class EntityRepositoryImpl : EntityRepository { override fun getEntityById(id: String): Result<Entity> { return kotlin.runCatching { thirdPartyMethod(id) }.onFailure { cause -> // wrap with our own exception CustomUnexpectedException(cause) } } } Avoid Using throw in Functions that Return Result If a function returns a Result type or throws an exception, the caller must handle both. Even if the function author thinks a particular exception doesn't need to be handled by the caller, there may be cases where the caller wants to handle it. For this reason, we have standardized on using the Result type and avoid throwing exceptions explicitly. In some cases such as database connection errors, it might seem acceptable to throw an exception from the adapter layer and let it propagate directly to the API response, since recovery at the use case level is impossible. However, for issues like failure to update the database, we may still want to log inconsistencies with third-party SaaS. In that case, if we scope out using throw, there's a risk that alerts won't be triggered appropriately. We believe it's up to the caller to decide whether error handling is necessary, so even if the function author considers it unnecessary, the exception is returned using a Result. Code Examples Let's take the save function of a repository as an example. The save function receives the entity class and returns the result as a Result<Entity> . Examples of what not to do As shown below, assume that a connection error was thrown, while other errors are returned using the Result type. class EntityRepository(val db: Database) { fun saveEntity(entity: Entity): Result<Entity> { try { db.connect() db.save(entity) } catch (e: ConnectionException) { // return result instead throw OurConnectionException(e) } catch (e: throwable) { return Result.failure(OurUnexpectedException(e)) } return Result.success(entity) } } Now, suppose the use case layer wants to take some kind of action if an error occurs during the save operation. In this case, you must use runCatching (which internally uses try-catch to convert to Result type). class UseCase(val repo: EntityRepository) { fun createNewEntity(): Result<Entity> { val entity = Entity.new() return runCatching { // need this runCatching in order to catch an exception repo.saveEntity(entity).getOrThrow() }.onFailure { // some error handling here } } } Good Example In the good example, all exceptions are wrapped in a custom-defined exception and returned using the Result type. This allows the caller to remove runCatching , simplifying the code. class EntityRepository(val db: Database) { fun saveEntity(entity: Entity): Result<Entity> { try { db.connect() db.save(entity) } catch (e: ConnectionException) { return Result.failure(OurConnectionException(e)) } catch (e: Exception) { return Result.failure(OurUnexpectedException(e)) } return Result.success(entity) } } class UseCase(val repo: EntityRepository) { fun createNewEntity(): Result<Entity> { val entity = Entity.new() return repo.saveEntity(entity).onFailure { // some error handling here } } } Useful Custom Function for Using the Result Type andThen When using a Result type, there are often times when you want to use that value of a successful Result to return a different Result type. For example, updating the status of a specific entity might look like this: fun UseCaseImpl.updataStatus(id: Id) : Result<Entity> { val entity = repository.fetchEntityById(id).getOrElse { return Result.failure(it) } val updatedEntity = entity.updateStatus().getOrElse { return Result.failure(it) } return repository.save(updatedEntity) } In such cases, writing code becomes easier when the operations can be connected by a method chain. While the kotlin-result provides the andThen function for this purpose, Kotlin's official Result type does not. Therefore, our group defined and uses the following method: inline fun <T, R> Result<T>.andThen(transform: (T) -> Result<R>): Result<R> { if (this.isSuccess) { return transform(getOrThrow()) } return Result.failure(exceptionOrNull()!!) } By using this, the previous example can be rewritten as shown below. The result is a bit cleaner, with less repetitive code. fun UseCaseImpl.updataStatus(id: Id) : Result<Entity> { return repository.fetchEntityById(id).andThen { entity -> entity.updateStatus() }.andThen { updatedEntity -> repository.save(updatedEntity) } } doInTransaction for Exposed Our group uses Exposed as the ORMapper. With Exposed, all database operations must be written within the lambda scope called transaction . If an exception is thrown within this transaction scope, it automatically performs a rollback. Since using the Result type avoids throwing exceptions, we created a function that performs a rollback automatically when the Result indicates failure. fun <T> doInTransaction(db: Database? = null, f: () -> Result<T>): Result<T> { return transaction(db) { f().onFailure { rollback() }.onSuccess { commit() } } } Applying this to the previous example of UseCaseImpl , it can be used as follows. fun UseCaseImpl.updataStatus(id: Id) : Result<Entity> { return doInTransaction { repository.fetchEntityByIdForUpdate(id).andThen { entity -> entity.updateStatus() }.andThen { updatedEntity -> repository.save(updatedEntity) } } } respondResult for Ktor Our group uses Ktor as the web framework. A function called respondResult was created to allow Result types from use cases to be returned directly as HTTP responses. suspend inline fun <reified T : Any> ApplicationCall.respondResult(code: HttpStatusCode, result: Result<T?>) { result.onSuccess { when (it) { null, is Unit -> respond(code) else -> respond(code, it) } }.onFailure { // defined below respondError(it) } } suspend fun ApplicationCall.respondError(error: Throwable) { val response = error.toErrorResponse() val json = serializer.adapter(response.javaClass).toJson(response) logger.error(json, error) respondText( text = json, contentType = ContentType.Application.Json, status = e.errType.toHttpStatusCode(), ) } Although it's simple, using this function eliminates the need to call Result.getOrThrow , making the code a bit cleaner. fun Route.route(useCase: UseCase) { val result = useCase.run() call.respondResult(HttpStatusCode.OK, result.map {it.toViewModel()} ) } By the way, respondError is a function that returns an error response from the throwable. We use this function to handle exceptions thrown in the Ktor pipeline and return appropriate responses. We've also created a custom Ktor plugin to handle exceptions. val ErrorHandler = createApplicationPlugin("ErrorHandler") { on(CallFailed) { call, cause -> call.respondError(cause) } } Conclusion I introduced how our group handles errors, along with some helpful custom functions for the Result type. From what I've seen in various tech blogs, many companies seem to use kotlin-result , while there's relatively little information out there on using Kotlin's official Result type. We've found Kotlin's official Result type to be sufficient for error handling, so we encourage you to give it a try!

Hello! My name is Mayu, and I work as a designer in the Creative Office at KINTO Technologies. I usually focus on UI/UX design for apps, but this time, I was in charge of creating novelty items to distribute at a company event. In this article, I'll share a behind-the-scenes look at the process, from planning to design. I hope this will offer some helpful insights for those involved in novelty production. Novelty Selection The theme is "something that gives a sense of unity" For this event, we aimed to create a novelty item that fosters a sense of unity. We developed ideas based on the following conditions: Creates opportunities to communicate with people you don't usually interact with. Strengthens a sense of unity. Promotes innovation. Appeals to all, regardless of age or gender. Meets the needs of multiple people. Easy for anyone to use immediately. Budget: a few hundred to around a thousand yen per person. Offers lasting value. After considering various ideas, we ultimately decided to produce a " Magnetic Card Stand " and an " Original Name Card ". Reasons for choosing the "Magnetic Card Stand" and "Name Card" Magnetic Card Stand: Placing it on the desk makes it easier to naturally engage with others, promoting communication. Featuring the KINTO Technologies logo and car shape helps foster attachment to the company and boost motivation. Its simple design makes it easy for anyone to use in daily situations. Name Card: Creating name cards with each employee's name makes it easier to approach one another even on first meetings, promoting communication across the company. The cut-off KTC lettering design visually expresses a sense of unity throughout the organization. The cards can be used as name tags during the event and placed on desks afterward for continued use. Production of Magnetic Card Stand **1. Contractor Selection and Request ** We commissioned the production of the magnetic card stand to the original goods specialty website " MOKU ." The deciding factor was MOKU's high level of customization, which made it possible to create original magnetic card stands simply by submitting design data. 2. Prototyping We created a simple paper prototype to check the size and usability. We then placed it on an actual desk to evaluate visibility and practicality. **3. Design of Magnetic Card Stand ** Using Adobe Illustrator, we created a design with the logo positioned on a specified template. The result is a simple design that highlights the KINTO Technologies logo. 4. Design of Instruction Manual To ensure ease of use, we created an original instruction manual. Here too, we used Adobe Illustrator and produced the design data based on the specified template. 5. Data Submission and Delivery The design data was submitted, and delivery was completed in about three weeks! (Order quantity: 500 pieces) Production of Name Card 1. Create a Name Card Design Using Figma, we created an original design featuring names, division, and custom Slack emojis. We made a prototype to ensure it fit properly with the magnetic card stand. The key feature is this half-cut KTC lettering . KTC stands for "KINTO Technologies." The small squares represent employees, symbolizing the idea that "each individual comes together to form KTC." With a simple, stylish black-based design, it also brings out the essence of a tech company. 2. Automatic Data Generation Creating data manually for everyone would have been overwhelming, so we enlisted our in-house engineers to help automatically generate the data in HTML. We built a system that imports employee information from a CSV file and automatically populates it into a template. 3. Printing and Cutting Printed the materials using the office printer and cut them all by hand. It was tough, but it saved a lot of money! lol Project Results and Learnings After distributing the giveaways, we received a lot of encouraging feedback from employees, such as: "It's easier to start conversations now!" "The design is so cute!" "The Slack icon makes it feel even more personal!" The giveaways helped foster a sense of unity, and the project was incredibly rewarding for me as well. This experience also reinforced the importance of not just designing something attractive, but thinking carefully about how it will actually be used. I believe we were able to showcase the true power of purpose-driven design. Finally I hope to apply what I've learned from this project to future design work. If you thought, "KINTO Technologies sounds like a fun place!" please check out our recruitment page ! Looking forward to hearing from you! Thank you for reading!

EncryptedSharedPreferencesからTink + DataStoreに置き換えた話 こんにちは。Toyota Woven City Payment 開発グループの大杉です。 私たちのチームでは、 Woven by Toyota の Toyota Woven City で使用される決済システムの開発をしており、バックエンドからWebフロントエンド、そして、モバイルアプリケーションまで決済関連の機能を幅広く担当しています。 今回は公式にDeprecatedになってしまったEncryptedSharedPreferencesを実装していたAndroidアプリの置き換えをした話をまとめました。 はじめに EncryptedSharedPreferencesがv1.1.0-alpha07からDeprecatedになり、 Android KeyStoreへの置き換えが公式から推奨 されました。  EncryptedSharedPreferencesの代替技術調査 EncryptedSharedPreferencesがDeprecatedとなったことで、永続化手段と暗号化技術の調査を始めました。 永続化手段の選定 私たちのアプリにおけるユースケースでは、設定データの保存にEncryptedSharedPreferencesを使用していただけであったので、SharedPreferencesを使用するだけでも十分ではありました。 ですが、せっかくの置き換えタイミングであったので公式推奨に則り、永続化手段として DataStore を採用しました。 暗号ライブラリの選定 こちらも前述の公式推奨の通り、 Android KeyStore を使用する方針で進めていこうとしたのですが、APIレベルによって機能の制約があるだけでなく、セキュリティレベルの高い実装(StrongBox)を使用するにはデバイスのスペックも関係するため、単純にプログラミングするだけでは想定したセキュリティレベルを担保できない可能性もありました。 今回のアプリは、MDMで管理されたデバイス上で動作する前提であり、StrongBoxにも対応しているデバイスを元々選定していたため、この制約については問題になりませんでした。 また、暗号ライブラリ調査の中で、 Tink というGoogleが提供している暗号ライブラリの存在を知りました。 Tinkのリポジトリ を見ると、マスターキーの保存にAndroid KeyStoreを利用されていることがわかります。 メンテナンスの容易さやパフォーマンスの観点でAndroid KeyStoreとTinkを比較するため、サンプル実装を行いました。 暗号ライブラリの実装比較 Android KeyStoreのStrongBoxとTEEを使用した場合とTinkを使用した場合のサンプルコードを以下にまとめています。 両者とも基本的な実装はそこまで苦労せず着手できたと感じました。 一方で、Android KeyStoreは 暗号アルゴリズムによってAndroid KeyStoreの鍵発行設定を変える必要がある 初期化ベクトル(IV)の管理が開発者依存になる 実装サンプルが少ない Tinkはこの辺りをうまくラップしてくれている良さがあります。 Android KeyStoreを使用した暗号・復号処理の実装例 class AndroidKeyStoreClient( private val useStrongKeyBox: Boolean = false ) { private val keyStoreAlias = "key_store_alias" private val KEY_STORE_PROVIDER = "AndroidKeyStore" private val keyStore by lazy { KeyStore.getInstance(KEY_STORE_PROVIDER).apply { load(null) } } private val cipher by lazy { Cipher.getInstance("AES/GCM/NoPadding") } private fun generateSecretKey(): SecretKey { val keyStore = keyStore.getEntry(keyStoreAlias, null) if (keyStore != null) { return (keyStore as KeyStore.SecretKeyEntry).secretKey } return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEY_STORE_PROVIDER) .apply { init( KeyGenParameterSpec.Builder( keyStoreAlias, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT ).setBlockModes(KeyProperties.BLOCK_MODE_GCM) .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE) .setIsStrongBoxBacked(useStrongKeyBox) .setKeySize(256) .build() ) }.generateKey() } fun encrypt(inputByteArray: ByteArray): Result<String> { return runCatching { val secretKey = generateSecretKey().getOrThrow() cipher.init(Cipher.ENCRYPT_MODE, secretKey) val encryptedData = cipher.doFinal(inputByteArray) cipher.iv.joinToString("|") + ":iv:" + encryptedData.joinToString("|") } } fun decrypt(inputEncryptedString: String): Result<ByteArray> { return runCatching { val (ivString, encryptedString) = inputEncryptedString.split(":iv:", limit = 2) val iv = ivString.split("|").map { it.toByte() }.toByteArray() val encryptedData = encryptedString.split("|").map { it.toByte() }.toByteArray() val secretKey = generateSecretKey() val gcmParameterSpec = GCMParameterSpec(128, iv) cipher.init(Cipher.DECRYPT_MODE, secretKey, gcmParameterSpec) cipher.doFinal(encryptedData) } } } Tinkを使用した暗号・復号処理の実装例 class TinkClient( context: Context ) { val keysetName = "key_set" val prefFileName = "pref_file" val packageName = context.packageName var aead: Aead init { AeadConfig.register() aead = buildAead(context) } private fun buildAead(context: Context): Aead { return AndroidKeysetManager.Builder() .withKeyTemplate(KeyTemplates.get("AES256_GCM")) .withSharedPref( context, "$packageName.$keysetName", "$packageName.$prefFileName" ) .withMasterKeyUri("android-keystore://tink_master_key") .build() .keysetHandle .getPrimitive(RegistryConfiguration.get(), Aead::class.java) } fun encrypt(inputByteArray: ByteArray): Result<String> { return runCatching { val encrypted = aead.encrypt(inputByteArray, null) Base64.getEncoder().encodeToString(encrypted) } } fun decrypt(inputEncryptedString: String): Result<ByteArray> { return runCatching { val encrypted = Base64.getDecoder().decode(inputEncryptedString) aead.decrypt(encrypted, null) } } } 暗号ライブラリのパフォーマンス検証 Android KeyStoreとTinkの暗号化処理時間のベンチマークを計測しました。 Android KeyStoreについては、 StrongBox と TEE の2つの実行基盤を利用したケースで評価しています。 テストコードでは、共通の暗号化アルゴリズム(AES_GCM)を設定し、10KBのデータを繰り返し暗号化する処理を Microbenchmark を使用して計測しました。Microbenchmarkを使用することで、Google Pixel Tabletの実機上でかつUIスレッド以外のスレッドを利用して計測を行っています。 テストコードは以下です。 import androidx.benchmark.junit4.BenchmarkRule import androidx.benchmark.junit4.measureRepeated import androidx.test.ext.junit.runners.AndroidJUnit4 import androidx.test.platform.app.InstrumentationRegistry import org.junit.Rule import org.junit.Test import org.junit.runner.RunWith @RunWith(AndroidJUnit4::class) class ExampleBenchmark { @get:Rule val benchmarkRule = BenchmarkRule() @Test fun benchmarkTinkEncrypt() { val context = InstrumentationRegistry.getInstrumentation().context val client = TinkClient(context) val plainText = ByteArray(1024 * 10) benchmarkRule.measureRepeated { client.encrypt(plainText).getOrThrow() } } @Test fun benchmarkStrongBoxEncrypt() { val context = InstrumentationRegistry.getInstrumentation().context val client = AndroidKeyStoreClient(context, true) val plainText = ByteArray(1024 * 10) benchmarkRule.measureRepeated { client.encrypt(plainText).getOrThrow() } } @Test fun benchmarkTeeEncrypt() { val context = InstrumentationRegistry.getInstrumentation().context val client = AndroidKeyStoreClient(context, false) val plainText = ByteArray(1024 * 10) benchmarkRule.measureRepeated { client.encrypt(plainText).getOrThrow() } } } 以下に計測結果をまとめました。 暗号化基盤 平均処暗号理時間 (ms) アロケーション数 Android KeyStore (StrongBox) 209 4646 Android KeyStore (TEE) 7.07 4786 Tink 0.573 38 Android KeyStore (StrongBox)およびAndroid KeyStore (TEE)ではハードウェアへのアクセスが発生するため、ソフトウェア側で暗号化処理を行っているTinkと比べてかなり処理に時間がかかっていることがわかります。 今回採用したデバイスはAndroidの中でも比較的スペックが高いものですが、特にAndroid KeyStore (StrongBox)を採用する場合は、UXの検討が必要になりそうです。 備考 ちなみに、実際にAndroid KeyStoreの鍵生成で適用されている実行基盤は以下のコードから判別できます。 val secretKey = generateSecretKey() val kf = SecretKeyFactory.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEY_STORE_PROVIDER) val ki = kf.getKeySpec(secretKey, KeyInfo::class.java) as KeyInfo val securityLevelString = when (ki.securityLevel) { KeyProperties.SECURITY_LEVEL_STRONGBOX -> "STRONGBOX" KeyProperties.SECURITY_LEVEL_TRUSTED_ENVIRONMENT -> "TEE" KeyProperties.SECURITY_LEVEL_SOFTWARE -> "SOFTWARE" else -> "UNKNOWN" } Log.d("KeyStoreSecurityLevel", "Security Level: ${ki.securityLevel}") まとめ EncryptedSharedPreferencesがDeprecatedとなったため、移植先の技術選定を行いました。 公式推奨に則り、永続化手段としてDataStoreを採用しました。 暗号化技術に関してはAndroid KeyStoreとTinkの比較検証を行い、Tinkの方が鍵の発行や暗号化処理が抽象化されていて利用しやすく、また、処理速度も優れていることがわかり、セキュリティ要件としても十分であるためTinkを採用することにしました。 Android KeyStoreを採用する場合は、動作環境のデバイススペックも考慮した実装が求められるため、セキュリティ要件とのバランスを考慮する必要がありそうです。

はじめに こんにちは、KINTO テクノロジーズ Security CoE グループの多田です。普段は大阪のオフィスで勤務しています。我々のグループでは、マルチクラウド環境の「ガードレール監視とカイゼン活動をリアルタイムで実施する」をミッションに、クラウドセキュリティに関する多くのことにチャレンジしています。メンバが日々、どのような活動を実施しているかは、 こちらのブログ にもまとめていますので、ぜひご覧ください。 背景 世間の LLM ( 大規模言語モデル ) アプリケーション開発の流れに乗り、当社のプロダクトチームでは、多くの LLM アプリケーションを開発しており、PoC やプロダクトレディの状態に進展しています。一方で、クラウドセキュリティを監視するグループとしては、これらのアプリケーションのセキュリティについても適切な対策を講じる必要があります。 当社の LLM アプリケーションは、主に AWS、Google Cloud、Azure 上で開発されており、クラウドベンダーが提供する生成 AI サービスを活用して構築されることが多い状況です。当グループでは Cloud Security Posture Management ( CSPM ) の監視および運用を行っています。しかし、現時点では、生成 AI 関連サービスに特化した CSPM のコントロールは提供されていないのが現状です。例えば、AWS の場合、AWS Foundational Security Best Practices ( FSBP ) や Center for Internet Security ( CIS ) では、生成 AI サービスに関する直接的なコントロールが提供されていません。 そこで当グループでは、各クラウドベンダーの生成 AI サービスを利用して LLM アプリケーションを開発する際に遵守すべきガイドラインを策定しました。このガイドラインには、クラウドベンダーが提供する生成 AI 関連サービスの利用推奨や設定方法についても記載しています。言い換えれば、ガイドラインに記載した設定方法は、CSPM として監視すべきコントロールとなります。さらに、コントロールを Rego 言語 で実装し、AWS Bedrock の CSPM として運用を行っています。 タイトルにある、 AI-SPM は、AI Security Posture Management の略で、「 AI や機械学習 ( ML ) 、生成 AI モデルなどの AI 関連資産のセキュリティリスクやコンプライアンスリスクを可視化・管理・軽減するためのソリューション」というような定義がされているようなので、今回の取組みについても、あえて、AI-SPM という名前にしてみました。 LLM アプリケーションで遵守すべきセキュリティガイドライン ガイドラインを作成するにあたっては、 OWASP Top 10 for LLM Applications 2025 を参考にしました。おそらく、LLM アプリケーションのセキュリティを語るうえでは、最早、鉄板ともいうべき資料かと思います。この OWASP の資料では、LLM アプリケーションでよく見られる最も重大な脆弱性 Top 10 がリストされており、「概要」「脆弱性の例」「防御や軽減策」「攻撃シナリオ」などが記載されています。これらの内容を基に、各クラウドサービスで LLM アプリケーションを開発する場合、利用するサービス、機能の選定やベストプラクティスについて検討を行いました。 Top 10 の最初に記載のあるリスクは「 LLM01：Prompt Injection 」です。 このリスクは、 悪意ある入力によって LLM の振る舞いが意図せず操作され、情報漏洩や不正な動作を引き起こすリスク です。このリスクの予防・緩和策としては、 LLM への入力の検証・フィルタリング が有効となります。 そして、この予防・緩和策をクラウドサービス上で実装する場合にどうすべきかというと、AWS であれば、 Amazon Bedrock Guardrails に Prompt Attack をフィルタする機能があるので、この機能を有効化することが対策となります。あとは、CSPM のコントロールとして、この機能が有効化されているかどうかをチェックすることで、可視化とカイゼンが実施できるようになります。 以下に、Top 10 の中の代表的なリスクと AWS サービスでの「予防・緩和策」と「 CSPM コントロールとしての実装」をまとめますので参考にしてください。 Top 10 リスク概要 予防・緩和策 AWSでの実装 CSPM コントロールの実装 LLM01: Prompt Injection 悪意ある入力 ( プロンプト ) によって LLM の振る舞いが意図せず操作され、情報漏洩や不正な動作を引き起こすリスク モデル動作の制約、入力・出力の検証、フィルタリング、権限制御、人間の承認導入など Amazon Bedrock Guardrails の content filters「Prompt attacks」を利用する Amazon Bedrock Guardrails の Prompt attacks Configure prompt attacks filter を有効化 し、 Block アクション かつ 閾値が HIGH に設定されていることを確認する LLM02: Sensitive Information Disclosure モデルの応答や挙動から、個人情報や機密データなどのセンシティブな情報が漏洩するリスク 出力の検証・フィルタ、学習データの管理、アクセス制御 Amazon Bedrock Guardrails の「sensitive information filters」を利用する Amazon Bedrock Guardrails Sensitive information filters が Output で 有効化 されていることを確認する LLM06: Excessive Agency LLM やそのエージェントに過剰な自律性や権限を与えることで、意図しない行動や操作が発生するリスク 最小権限の徹底、人間の承認、権限監査 Amazon Bedrock Builder tools の「Agent」を利用する Amazon Bedrock Builder tools の Agents を利用する場合は、 Guardrail details が 関連付けられている ことを確認する LLM09: Misinformation LLM が誤情報やバイアスを含む出力を生成し、ユーザーや社会に悪影響を及ぼすリスク 多様かつ信頼性のあるデータで学習、ファクトチェック、出典表示 Amazon Bedrock Guardrails の「contextual grounding check」を利用する Amazon Bedrock Guardrail の contextual grounding check が 有効化 されていることを確認する LLM10: Unbounded Consumption LLM のリソース消費が制御されず、DoS やコスト増大、サービス停止などを招くリスク、リクエストや計算資源の無制限利用が原因 リソース制限、クォータ設定、利用状況の監視 Amazon Bedrock 「Model invocation logging」を利用する Amazon Bedrock の Model invocation logging が 有効 になっていることを確認する 上記の内容については、5 月に実施した共催イベント Cloud Security Night #2 で登壇していますので、 こちらの資料 も参考していただければと思います。 Rego による CSPM コントロールの実装 CSPM のコントロールの定義はできたので、コントロールの内容をチェックする仕組みを開発していきます。当グループでは、CSPM の運用に、AWS であれば、Security Hub、Google Cloud であれば、 Sysdig 、Azure であれば Defender for Cloud を利用しています。もちろん、統合したツールを使う方が良いのでしょうが、コンソールをゴリゴリ使うというよりは、それぞれ、API 等を通じて、CSPM のアラート状況を確認し、必要に応じてSlack 通知するなどしていますので、ツールが統合されてないことに不自由は感じていません。 LLM アプリケーションの CSPM コントロールについては、Sysdig の CSPM 機能で利用されている Rego で開発することにしました。Rego を採用した理由は、OSS であることと CSPM のようなクラウドインフラの設定の判定ロジックを記載するのであれば、それほど学習コストも必要なく開発できると思ったからです。 以下が LLM01：Prompt Injection コントロールを Rego で実装したものになります。やってることは、 risky == true ( リスクあり ) をデフォルト値に設定し、Bedrock Guardrails の設定 ContentPolicy.Filters の値が Type == PROMPT_ATTACK と InputStrength==HIGH であれば、 Prompt attack が有効化され、閾値が High に設定されているとして、 risky == false とし、リスクなしと判断しています。 default risky := true risky := false if { some filter in input.ContentPolicy.Filters lower(filter.Type) == "prompt_attack" lower(filter.InputStrength) == "high" } この Rego を Sysdig のカスタムコントロールとして、Sysdig にデプロイする必要があります。詳細なカスタムコントロールの作成方法やデプロイ手順については、Sysdig 公式ブログで紹介されていますので、 こちら を参考にしてください。我々もこちらを参考にすることで開発を進めました。本ブログに記載していませんが、カスタムコントロールを作成するにあたっての多くのノウハウも貯まりました。 カスタムコントロールは、Sysdig に terraform としてデプロイする必要があります。以下が最終的に作成したカスタムコントロールの main.tf になります。 terraform { required_providers { sysdig = { source = "sysdiglabs/sysdig" version = ">=0.5" } } } variable "sysdig_secure_api_token" { description = "Sysdig Secure API Token" type = string } provider "sysdig" { sysdig_secure_url="https://app.us4.sysdig.com" sysdig_secure_api_token = var.sysdig_secure_api_token } resource "sysdig_secure_posture_control" "configure_prompt_attack_strength_for_amazon_bedrock_guardrails" { name = "Configure Prompt Attack Strength for Amazon Bedrock Guardrails" description = "Ensure that prompt attack strength is set to HIGH for your Amazon Bedrock guardrails. Setting prompt attack strength to HIGH in guardrails helps protect against malicious inputs designed to bypass safety measures and generate harmful content." resource_kind = "AWS_BEDROCK_GUARDRAIL" severity = "High" rego = <<-EOF package sysdig import future.keywords.if import future.keywords.in default risky := true risky := false if { some filter in input.ContentPolicy.Filters lower(filter.Type) == "prompt_attack" lower(filter.InputStrength) == "high" } EOF remediation_details = <<-EOF ## Remediation Impact This control will help you ensure that your Amazon Bedrock guardrails are configured with high prompt attack strength, which is crucial for protecting against malicious inputs designed to bypass safety measures and generate harmful content. ## Remediation Steps 1. Navigate to the [Amazon Bedrock console](https://console.aws.amazon.com/bedrock/home). 2. Select the guardrail you want to modify. 3. In the guardrail settings, locate the "Content Policy" section. 4. Ensure that the "Prompt Attack" filter is set to "High" for the "Input Strength". 5. Save the changes to the guardrail configuration. 6. Repeat this process for any other guardrails in your AWS environment. ## Remediate Using Command Line You can use the AWS CLI to update the guardrail configuration. Run the following command to set the prompt attack strength to HIGH for a specific guardrail: ```bash aws bedrock update-guardrail --guardrail-id <guardrail-id> --content-policy '{"Filters": [{"Type": "prompt_attack", "InputStrength": "high"}]}' ``` Replace `<guardrail-id>` with the ID of your guardrail. Repeat this command for other guardrails in your AWS environment. ## Additional Information For more information on configuring Amazon Bedrock guardrails, refer to the [Amazon Bedrock documentation](https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails.html). ## Contact Information Slack Channel: #security-coe-group EOF } 実は当初、Sysdig は、CSPM の対象リソースとして Amazon Bedrock をサポートしていませんでした。Sysdig に相談したところ、ものすごい速さで対応いただき、今回の取組みに繋がりました。機能的な部分の満足度もありますが、この辺りのスピード感は、Sysdig ユーザとして非常に心強いです。 あとは、同じ要領で、 LLM アプリケーションで遵守すべきセキュリティガイドライン に記載したコントロールをいくつか Rego で実装し、Sysdig にデプロイしています。 Sysdig による AI-SPM 運用 デプロイしたいくつかのカスタムコントロールは、カスタムポリシーとして定義し、AWS Bedrock リソースを可視化しています。可視化の結果、問題があれば、カイゼンするという運用になります。当社の場合、当グループからプロダクト開発グループに対して、カイゼン依頼を行いますが、その時に、カイゼン方法と合わせて、カイゼン依頼をするようにしています。 下の画面は、Sysdig コンソール画面で、 LLM01：Prompt Injection の CSPM コントロールを確認している画面となります。コントロール名は、 Configure Prompt Attack Strength for Amazon Bedrock Guardrails です。名前は、それっぽく、こちらで付けています。状況としては、AWS Bedrock Guardrail のリソースが 3 つ存在し、1 つが Failling 、残り 2 つが Passing していることを示しています。 上記画面をドリルダウンすることで、カイゼンの影響やカイゼン方法などを参照することができます。こちらの内容も main.tf に記載した内容が反映されています。 ただ、実際の運用では、Sysdig コンソール画面にアクセスすることはそれほどなく、アラートの確認等はSysdig API を経由して確認するようにしています。 まとめ 今回は、LLM アプリケーションのセキュリティ対策として、Amazon Bedrock の 設定のチェックロジックを Rego で開発し、Sysdig で運用する方法についてご紹介しました。ガイドラインでは、Amazon Bedrock だけでなく、Azure AI Foundry や Google Cloud Vertex AI も整理しているため、今後は、同様に Rego の開発、Sysdig による運用を進めていきます。 また、従来の CSPM に加え、AI-SPM では、クラウドインフラ全体のセキュリティに留まらず、AI 固有の課題やデータ資産の保護など、従来の CSPM ではカバーしきれない領域にも取り組む必要があります。AI 技術は急速に進化しており、最近では MCP や A2A などの新しい概念が登場しています。これらの進展に対応したセキュリティ対策を推進していくことも重要です。 今後も新しい技術や課題に追随しながら、AI アプリケーションのセキュリティを強化する取り組みを続けていきます。 さいごに Security CoE グループでは、一緒に働いてくれる仲間を募集しています。クラウドセキュリティの実務経験がある方も、経験はないけれど興味がある方も大歓迎です。お気軽にお問い合わせください。 詳しくは、 こちらをご確認ください。

こんにちは。KINTOテクノロジーズのクリエイティブ室でデザイナーをしている桃井（ @momoitter ）です。 この記事では、Midjourney v7に新たに搭載された「Omni-Reference」機能を使って、オリジナルキャラクター「しぇるぱ」の見た目を統一したプロセスをご紹介します。 この記事はこんな方におすすめです Midjourney v7のOmni-Referenceについて詳しく知りたい キャラクターの一貫性を保った画像生成に挑戦したい AIツールで高クオリティなビジュアル制作をしたい 実際のプロンプトや生成画像も交えながら、Omni-Referenceの活用ポイントや調整のコツを解説していきます。 Omni-Referenceとは？ 2025年5月、Midjourney v7に「Omni-Reference」という待望の機能が登場しました。 これは、特定の画像を参照しながら一貫性のあるビジュアルを維持しつつ、新しい画像を生成できる機能です。 これまでv7では難しかった「キャラクター性の維持」が可能になり、人物だけでなく物体や乗り物にも対応しています。 また、「Omni Strength（ow）」というパラメータによって、どの程度参照画像に忠実に生成するかを数値で調整できます。 「しぇるぱ」について しぇるぱとは？ 2024年11月、KINTOテクノロジーズの社内イベント「超本部会」のオープニングムービーに、AIで生成されたキャラクター「しぇるぱ」が登場しました。 その後、エンジニア向けのイベントや人事採用イベントなどで、KINTOテクノロジーズを説明するナビゲーター的存在として活躍しています。 誕生のエピソードはこちら https://blog.kinto-technologies.com/posts/2025-03-07-creating_a_mascot_with_generative_AI/ なぜ見た目を統一したかったのか？ しぇるぱの誕生以降、画像生成AIや動画生成AIは急速に進化しました。 その結果、当初のビジュアルはやや古さを感じさせるものになってしまいました。 ちょうどその少し後に、Midjourney v7やRunway Gen-4がリリースされ、生成クオリティが飛躍的に向上。「しぇるぱ」のビジュアルもこのタイミングでアップデートすることにしました。 アップデートの過程はこちら https://blog.kinto-technologies.com/posts/2025-06-06-ai-character-movie-making/ ただし、v7の表現力は非常に高い一方で、リリース当時は同じキャラクターの見た目を一貫して再現する機能がなく、生成するたびに微妙に顔が異なるという課題がありました。 しかもアップデートによりクオリティが上がった分、初期のしぇるぱが持っていた「キャラクターとしての親しみやすさ」が薄れてしまうという副作用も。 そんな中、2025年5月、Midjourney v7に「Omni-Reference」という新機能が追加されました。 私はこの機能を使って、元の見た目を活かしながら、v7らしい美しさとリアルさを兼ね備えた「進化したしぇるぱ」の再構築に挑戦しました。 いざ実践！ ChatGPTに相談 まずはChatGPTにこう相談しました。 「Midjourney v7のOmni-Referenceに添付の画像をアップして、このピンク髪の女性のキャラクターの見た目を固定しながら、クリーンな背景を付けた正面向きの画像をMidjourneyで生成したいです。Midjourney用のプロンプトを教えてください。」 そうすると、このようなプロンプトが返ってきました。 upper body portrait of a female virtual operator in a clean futuristic interior, facing camera directly, symmetrical composition, looking straight ahead, centered, gentle expression, slightly relaxed face, subtle smile, brightly illuminated face, soft front lighting, high key lighting on the face, studio-style lighting setup, clear and vivid facial features, softly lit background, minimalistic sci-fi control room, white and silver tones, crisp details Omni-Referenceの使い方 Step1：画像をドラッグ＆ドロップ 参照させたい画像を、Midjourneyのプロンプト入力欄へドラッグすると、画面上部のバーに「Omni-Reference」が表示されるので、そこにドロップ。 Step2：Omni Strength（ow）の調整 「Omni Strength」では、一貫性の強度（=元画像への忠実度）を調整できます。数値はowというパラメータで指定します。 Step3：生成開始 ChatGPTから取得したプロンプトを入力して、生成スタート！ 「ow」値による変化 owが低い（例：100〜200） → 元画像とはあまり似ないが、Midjourney特有の繊細で美しい描写が得られる owが高い（例：800〜1000）→ 元画像には似るが、引っ張られすぎてMidjourneyらしさが失われてしまう。 ow100 ow200 ow400 ow600 ow800 ow1000 最適なバランスを探して 試行錯誤の末、「しぇるぱ」アップデートにはow 200〜400が最適という結論に。 このあたりの数値だと、元の面影を保ちつつもMidjourneyらしさのある美しい描写が可能でした。 ある瞬間、「これだ！」と思える1枚が現れました。 元のしぇるぱの面影を残しつつ、Midjourneyらしい美しさと繊細さもある理想のビジュアルです。 シーン展開と世界観づくり 決定画像をベースに、Omni-Referenceで構図や背景を展開していきました。 ChatGPTにも再度相談し、シーンのアイデアやMidjourney用のプロンプトを取得。 しっかりしたベースがあると、それに沿った世界観の展開もスムーズでした。 こうしてアップデートした「しぇるぱ」の新しい見た目は、会社紹介動画の冒頭にも使われています。 https://www.youtube.com/watch?v=8Df_0StDAiw 応用：社内の他コンテンツにも展開 さらに先日の社内勉強会の登壇資料でも、しぇるぱを活用。 Omni-Referenceのおかげで「似てる・似てない」を気にする手間が省け、資料やイベントビジュアルなどにもスムーズに導入できるようになりました。 実践でわかったコツ Omni-Referenceは非常に強力な機能ですが、その分「参照が強すぎる」こともあります。 服装まで自由にしたい → 顔のみの画像を添付 髪型も変えたい → 目元中心など、必要最低限の情報だけにする このように参照範囲を調整することで、顔の一貫性を保ちつつも、Midjourneyらしい自由な表現の恩恵を受けることができます。 まとめ：誰でも「しぇるぱ」を作れる時代へ Omni-Referenceの登場によって、キャラクターのビジュアルを一貫して保ちながら高クオリティなシーン展開ができるという制作環境が整いました。 これはつまり、「しぇるぱ」のような存在を、誰でも再現できる時代が来たということ。 私ひとりの中に閉じこめておくのはもったいない。 だからこそ、これからは社内の皆の創造性でしぇるぱを育てていけたらと思っています。 表現を拡張し、「しぇるぱ」をもっと羽ばたかせていきたい。 AI技術の進化とともに、「しぇるぱ」も進化を続けていきます。

こんにちは。KINTOテクノロジーズのクリエイティブ室でデザイナーをしている桃井（ @momoitter ）です。 この記事では、Midjourney v7に新たに搭載された「Omni-Reference」機能を使って、オリジナルキャラクターの見た目を統一したプロセスをご紹介します。 この記事はこんな方におすすめです Midjourney v7のOmni-Referenceについて詳しく知りたい キャラクターの一貫性を保った画像生成に挑戦したい AIツールで高クオリティなビジュアル制作をしたい 実際のプロンプトや生成画像も交えながら、Omni-Referenceの活用ポイントや調整のコツを解説していきます。 Omni-Referenceとは？ 2025年5月、Midjourney v7に「Omni-Reference」という待望の機能が登場しました。 これは、特定の画像を参照しながら一貫性のあるビジュアルを維持しつつ、新しい画像を生成できる機能です。 これまでv7では難しかった「キャラクター性の維持」が可能になり、人物だけでなく物体や乗り物にも対応しています。 また、「Omni Strength（ow）」というパラメータによって、どの程度参照画像に忠実に生成するかを数値で調整できます。 「社内向け生成AIツール」について 社内向け生成AIツールとは？ 2024年11月、KINTOテクノロジーズの社内イベント「超本部会」のオープニングムービーに、AIで生成されたキャラクターが登場しました。 その後、エンジニア向けのイベントや人事採用イベントなどで、KINTOテクノロジーズを説明するナビゲーター的存在として活躍しています。 誕生のエピソードはこちら https://blog.kinto-technologies.com/posts/2025-03-07-creating_a_mascot_with_generative_AI/ なぜ見た目を統一したかったのか？ キャラクターの誕生以降、画像生成AIや動画生成AIは急速に進化しました。 その結果、当初のビジュアルはやや古さを感じさせるものになってしまいました。 ちょうどその少し後に、Midjourney v7やRunway Gen-4がリリースされ、生成クオリティが飛躍的に向上。オリジナルキャラクターのビジュアルもこのタイミングでアップデートすることにしました。 アップデートの過程はこちら https://blog.kinto-technologies.com/posts/2025-06-06-ai-character-movie-making/ ただし、v7の表現力は非常に高い一方で、リリース当時は同じキャラクターの見た目を一貫して再現する機能がなく、生成するたびに微妙に顔が異なるという課題がありました。 しかもアップデートによりクオリティが上がった分、初期のオリジナルキャラクターが持っていた「キャラクターとしての親しみやすさ」が薄れてしまうという副作用も。 そんな中、2025年5月、Midjourney v7に「Omni-Reference」という新機能が追加されました。 私はこの機能を使って、元の見た目を活かしながら、v7らしい美しさとリアルさを兼ね備えた「進化したキャラクター」の再構築に挑戦しました。 いざ実践！ ChatGPTに相談 まずはChatGPTにこう相談しました。 「Midjourney v7のOmni-Referenceに添付の画像をアップして、このピンク髪の女性のキャラクターの見た目を固定しながら、クリーンな背景を付けた正面向きの画像をMidjourneyで生成したいです。Midjourney用のプロンプトを教えてください。」 そうすると、このようなプロンプトが返ってきました。 upper body portrait of a female virtual operator in a clean futuristic interior, facing camera directly, symmetrical composition, looking straight ahead, centered, gentle expression, slightly relaxed face, subtle smile, brightly illuminated face, soft front lighting, high key lighting on the face, studio-style lighting setup, clear and vivid facial features, softly lit background, minimalistic sci-fi control room, white and silver tones, crisp details Omni-Referenceの使い方 Step1：画像をドラッグ＆ドロップ 参照させたい画像を、Midjourneyのプロンプト入力欄へドラッグすると、画面上部のバーに「Omni-Reference」が表示されるので、そこにドロップ。 Step2：Omni Strength（ow）の調整 「Omni Strength」では、一貫性の強度（=元画像への忠実度）を調整できます。数値はowというパラメータで指定します。 Step3：生成開始 ChatGPTから取得したプロンプトを入力して、生成スタート！ 「ow」値による変化 owが低い（例：100〜200） → 元画像とはあまり似ないが、Midjourney特有の繊細で美しい描写が得られる owが高い（例：800〜1000）→ 元画像には似るが、引っ張られすぎてMidjourneyらしさが失われてしまう。 ow100 ow200 ow400 ow600 ow800 ow1000 最適なバランスを探して 試行錯誤の末、アップデートにはow 200〜400が最適という結論に。 このあたりの数値だと、元の面影を保ちつつもMidjourneyらしさのある美しい描写が可能でした。 ある瞬間、「これだ！」と思える1枚が現れました。 元のキャラクターの面影を残しつつ、Midjourneyらしい美しさと繊細さもある理想のビジュアルです。 シーン展開と世界観づくり 決定画像をベースに、Omni-Referenceで構図や背景を展開していきました。 ChatGPTにも再度相談し、シーンのアイデアやMidjourney用のプロンプトを取得。 しっかりしたベースがあると、それに沿った世界観の展開もスムーズでした。 こうしてアップデートした新しい見た目は、会社紹介動画の冒頭にも使われています。 https://www.youtube.com/watch?v=8Df_0StDAiw 応用：社内の他コンテンツにも展開 さらに先日の社内勉強会の登壇資料でも、オリジナルキャラクターを活用。 Omni-Referenceのおかげで「似てる・似てない」を気にする手間が省け、資料やイベントビジュアルなどにもスムーズに導入できるようになりました。 実践でわかったコツ Omni-Referenceは非常に強力な機能ですが、その分「参照が強すぎる」こともあります。 服装まで自由にしたい → 顔のみの画像を添付 髪型も変えたい → 目元中心など、必要最低限の情報だけにする このように参照範囲を調整することで、顔の一貫性を保ちつつも、Midjourneyらしい自由な表現の恩恵を受けることができます。 まとめ：誰でもオリジナルキャラクターを作れる時代へ Omni-Referenceの登場によって、キャラクターのビジュアルを一貫して保ちながら高クオリティなシーン展開ができるという制作環境が整いました。 これはつまり、オリジナルキャラクターのような存在を、誰でも再現できる時代が来たということ。 私ひとりの中に閉じこめておくのはもったいない。 だからこそ、これからは社内の皆の創造性でキャラクターを育てていけたらと思っています。 表現を拡張し、オリジナルキャラクターをもっと羽ばたかせていきたい。 AI技術の進化とともに、進化を続けていきます。

Presentation Report by Oka (okapi) On February 20, 2025, I had the chance to speak at the " Appium Meetup Tokyo ." Here are the slides I presented: Guidelines and Practices for Efficient App Automation( https://speakerdeck.com/kintotechdev/xiao-lu-de-naapurizi-dong-hua-notamenogaidoraintoshi-jian-fang-fa ). Feel free to take a look! Background of Appium Meetup Tokyo Our newly developed apps have been showing a higher bug rate compared to our web services (sometimes nearly 10 times higher) ↓ Since the testing workload was so heavy, automating app testing became a must. ↓ Automation work started with Appium. ↓ Finding good places to learn about Appium wasn't easy. ↓ Then, Why not just host our own events? And that led me to this talk! Things I Paid Attention to in the Presentation Our company has many development engineers who are familiar with QA processes, which makes collaboration smoother and helps us work together more effectively to improve quality. To emphasize this point, I mainly talked about how our QA and development teams collaborate to build apps that are easy to automate ." I also made sure the slides were easy to follow, even for those new to Appium, which led to a lively Q&A with 14 questions, 7 online and 7 offline! Sample Questions Here's a step-by-step guide to logging in to the KINTO Kantan Moushikomi App (KINTO Easy Application App). Q1. When working with development and QA, how do you assign IDs on pages with many similar elements? For example, on the screen you showed in your slides a layout with multiple car models displayed. How do you handle such cases? A1. An ID is assigned per object and screen name, making sure each one is unique. On pages with multiple car models, we assign IDs according to the specifications document the development team uses for car information. Q2. Do you define separate IDs for iOS and Android? A2. For the IDs used in Appium, we always set a shared ID that works across both iOS and Android. Reflections on the Presentation Although this was my first time presenting externally, practicing beforehand at an internal joint study session really helped me feel fully prepared and deliver the talk smoothly. For anyone new to public speaking like we were, I definitely recommend starting by practicing with people around you or inside your company first. Here's a photo from my practice session. ↓ Looking Ahead Since there are very few places to learn about Appium in Japan, we're planning to keep sharing our insights and experiences through "Appium Meetup Tokyo" ( https://autifyjapan.connpass.com/event/342867/ ) to help build a supportive community! Presentation Report by Pann Nu Wai This time I'd like to share about my Appium efforts. Background of Appium Meetup Tokyo Hi, I'm Pann Nu Wai, primarily working on in-house test automation. To help expand the use of Appium, I've been involved in various initiatives, one of which was giving a talk at an internal study session. I took this opportunity to share how our team is advancing test automation. After refining the content based on the joint study session, I was able to present it at Appium Meetup Tokyo. Things I Paid Attention to in the Presentation I explained the four steps that our team took to use Appium to automate mobile app testing. The documentation is designed so that even non-automation engineers can understand the source code simply by reading the test specifications, covering everything from spec writing to test performance. Reflections on the Presentation As a non-native Japanese speaker, pronunciation was a challenge. But after practicing many times, the talk went smoothly. I also got great feedback and had a truly rewarding experience. Here's a photo from my practice session. ↓ Looking Ahead I also hope to continue sharing Appium-related insights beyond our company. By communicating our internal efforts to the public, I hope to exchange knowledge and experience with more people and help advance the field of test automation. I'll keep working to improve my presentation content for future sessions to provide even more value. I appreciate your continued support! Conclusion This article is a report on our presentations at Appium Meetup Tokyo. I've also written one on the first event ( https://blog.kinto-technologies.com/posts/2025-02-20-Appium-Meetup-Tokyo-開催レポート/ ) — feel free to check it out as well!

「こんな世界観の映像、作ってみたいな…」 そう思ったとき、皆さんならどうしますか？ 私は迷わず、ChatGPTに丸投げしました。 こんにちは。KINTOテクノロジーズのクリエイティブ室でデザイナーをしている桃井（ @momoitter ）です。 この記事では、ChatGPT、Midjourney、RunwayなどのAIツールを駆使して、「しぇるぱ」というピンク髪のバーチャルキャラクターの映像を、ほぼ会話だけで形にしていった過程をまとめています。 専門的なスキルや時間がなくても、「こんな映像を作ってみたい」というアイデアさえあれば大丈夫。 AIと一緒に、そのイメージを少しずつかたちにしていくプロセスを体験してみたい方に向けて書きました。 まずは完成した映像をご覧ください。 https://www.youtube.com/watch?v=GH9CdNqTyHQ きっかけは、1体のキャラクターの“リニューアル” この「しぇるぱ」というキャラクターは、もともと2024年11月の社内イベント「超本部会」のために誕生したものでした。 制作過程はこちらの記事をご覧ください。 https://blog.kinto-technologies.com/posts/2025-03-07-creating_a_mascot_with_generative_AI/ 当時としては最先端のAI技術を使い、社内でも注目を集めたキャラクターでした。 ……が、あれからわずか4ヶ月。画像生成AIや動画生成AIはさらに進化し、当時「すごい！」と思っていた表現が、いま見ると少し古く感じてしまうように。 そこで、「せっかくなら最新の技術で、このキャラの世界をアップグレードしよう」と思い立ち、ChatGPTと一緒に再構築を始めることにしました。 Step1 世界観の共有と画像生成 まず最初に行ったのは、キャラクターとその世界観の共有です。 もともと生成していた「しぇるぱ」の画像をChatGPTにアップロードし、こう伝えました。 このキャラクターは少し前の画像生成AI技術で作られたため、見た目をアップデートしたいです。 彼女には「バーチャルオペレーター」という設定があります。 その設定をもとに世界観を膨らませ、Midjourney v7で表現できるようなシーンのバリエーションとプロンプトを提案してください。 Midjourneyを選んだ理由は、v7にアップデートされて以降、キャラクター描写の精度や質感が大きく向上したと感じていたからです。 今回のように、既存キャラの見た目をアップグレードしたい場面にぴったりだと思いました。 するとすぐに、「その世界観なら、こういうシーンはどうでしょう？」といった具体的なシチュエーション案と、それに対応するプロンプトが次々と返ってきました。 まるで映像監督とのブレストをしているような感覚です。 試しにそのプロンプトをMidjourneyに入力してみたところ、 自分の想像をはるかに超えるビジュアルが次々と生成され、その表現力に驚かされました。 この映像を作り始めた当初は、Midjourney v7に「Omni-Reference」のようなキャラクターの一貫性を保つ機能がまだ搭載されていませんでした。 そのため、「ピンク髪のショートヘア」という分かりやすい特徴を意識的にプロンプトへ含めることで、「一貫性があるように見せる」工夫をしていました。 もしイメージと違うものが出てきても、 「もう少し顔に寄って」「背景を明るくクリーンな雰囲気に」などとChatGPTに伝えるだけで、再調整されたプロンプトを即座に出力してくれます。 Step2 画像から動画生成へ 気に入った画像が生成できたら、次はそれをChatGPTに添付し、以下のように依頼します。 この画像は提案していただいた〇〇のシーンのプロンプトをMidjourneyで生成した画像です。 この画像をRunwayのGen-4のキーフレーム機能のファーストフレームとして設定し、動画を生成したいです。 よりこのシーンが魅力的になるような、動きを加えたプロンプトを生成してください。 ChatGPTは画像の内容を読み取った上で、その魅力を最大化するRunway用プロンプトを作成してくれます。 Runwayを使った理由は、バージョンがGen-4へと進化したことによって、Midjourneyの高精細なビジュアルの魅力を損なわずに動画化できると感じたからです。 Runway Gen-4のimage to videoにMidjourneyで生成した画像をアップ。 ChatGPTが出力したプロンプトを貼り付けると、画像の世界観を最大限に引き出す高クオリティな映像が生成されました。 キャラクターやカメラの動きのイメージが違った場合も、 ChatGPTに「生成された動画はこうなっていたので、ここをこう変えてほしい」と伝えるだけで、プロンプトを再提案してくれます。 Step3 BGM選定もChatGPTと一緒に 映像のBGMを探すときも、ChatGPTが大活躍。 この世界観に合うBGMをAdobe Stockでどのようなキーワードで探せばいいですか？ と聞くと、「futuristic」「sci-fi」「cyberpunk」など、雰囲気に合ったワードをいくつも提案してくれました。 Step4 編集して完成 生成した動画とBGMをPremiere Proでつなぎ合わせ、構成・長さ・テンポ感を調整します。 シーンの切り替えにフェードイン・アウトを加えたり、音の入り方に緩急をつけたりすることで、映像全体の完成度がグッと高まります。 Midjourneyで作成した静止画と、Runwayで生まれた滑らかな動きが合わさることで、 静止画だけでは伝わりきらなかった「息づかい」や「空気感」が加わり、しぇるぱの世界観が一段とリアルに感じられるイメージビデオが完成しました。 https://www.youtube.com/watch?v=GH9CdNqTyHQ AIと一緒に、想像をかたちにするということ 今回のプロセスで一番感じたのは、 自分の頭の中の曖昧なイメージを、ChatGPTがどんどん「言語化＆具現化」してくれること。 Midjourneyでも、Runwayでも、「ちょっと違う」「もっとこう」と伝えるだけで、理想の表現に近づいていく実感がありました。 AIと一緒に進めることで、創造の幅が大きく広がることを実感できるはずです。 ぜひ一度、体験してみてください。

Self-Introduction My name is Morino, and I work at KINTO Technologies, mainly in product security and security governance. I'm a fan of RB Omiya Ardija and Chiikawa. For the past 10 years, I've been involved in cybersecurity and information security. Prior to that, I spent many years as a web application engineer, focusing on the development and operation of web performance measurement systems and front-end platforms for e-commerce sites. In this article, I’d like to share our Kaizen efforts related to the Vulnerability Disclosure Program (VDP). What is the Vulnerability Disclosure Program (VDP)? The VDP is a system that enables companies and organizations to receive vulnerability reports from external security researchers and white hat hackers. Public awareness grew in October 2023 when Rakuten Group placed a "security.txt" on a public server and launched its VDP. Reference: Rakuten places text on public server — "security.txt" to help improve security (in Japanese) What is security.txt? Published as RFC 9116 in April 2022, security.txt: A File Format to Aid in Security Vulnerability Disclosure helps standardize how companies and organizations share vulnerability reporting information, making it easier for security researchers to report issues. We also published our own security.txt in November 2023. Reactions After Installing security.txt Most inquiries were about whether we offer rewards (we don't), and many reports didn't clearly indicate whether they actually involved vulnerabilities in KINTO/KTC. A White Hat Hacker Reported a Vulnerability! In August 2024, we received a report about a vulnerability in our service. After reviewing the report within our team, we confirmed the issue was real and asked the development team to fix it. Kaizen for Our VDP Although we recognized the value of the VDP, we identified several issues. As a result, we started using the VDP service offered by IssueHunt in November 2024. Clarify VDP guidelines, including whether a bounty is offered Specify which web services and applications are covered Provide a report template As of March 7, 2025, we've received six reports; two of which involved vulnerabilities that required action and have been fixed. Honestly, I'm surprised at the results, which exceeded my expectations. Our company is featured as a case study on the IssueHunt website. Please have a look if you're interested. A fresh perspective on boosting security! VDP success story in the car subscription industry (in Japanese) Our Contribution to the P3NFEST Bug Bounty 2025 Winter As mentioned above, we do not currently offer a rewards program. However, to evaluate the effectiveness of incentive-based systems and to support students working to secure the future of the internet we’ve decided to contribute some of our services to a student-focused bug bounty program hosted by IssueHunt. The following services are eligible for bug bounties: KINTO Technologies Corporate Site KINTO Tech Blog (this website) The event runs from Monday, February 17, 2025 to Monday, March 31, 2025. For more information, please visit the event page. We welcome students to take on the challenge. P3NFEST Bug Bounty 2025 Winter