In the rush to boost release cadence and deploy ever faster, DevOps teams must also confront unexpected security risks. The problem is most pronounced when development speed is emphasized over security and proper care is not taken to implement security policies and monitoring.
One solution is to embed security processes and checks at the beginning of the production cycle, automating them so that deployment speed is not slowed. This is done mainly through automation, policies, and the right tools and plugins to accomplish both. At the same time, post-deployment vulnerabilities can still occur, of course, including CVEs and other issues, which underscores the need both to automate security and to improve security monitoring.
The tools and updates Palo Alto Networks introduced this week to its Prisma Cloud Native security platform can serve as a potential solution for securing code at the very beginning of the production cycle (the shift left) and across the entire deployment and operations cycle of applications, the company says.
Palo Alto Networks hopes to help mitigate the risks inherent in today’s “fail fast, fail often” environment in a number of ways. One of them is joint scanning of infrastructure and application code, which, according to Torsten Volk, an analyst for Enterprise Management Associates (EMA), “is critical for efficient DevOps in the days of Kubernetes and Multicloud, as the interface between application and infrastructure is a fantastic source for hackers to swoop in and spoil the day.”
“Manually verifying infrastructure code is tricky and very labor-intensive as you would need to consider the ins and outs of each potential deployment platform,” Volk said.
Specific tools and plugins Palo Alto Networks plans to add or update in late April to help DevOps teams boost shift-left, as well as post-deployment security capabilities, include:
- Infrastructure as Code (IaC) scanning: Scans IaC templates for insecure configurations using out-of-the-box and customizable policies.
- Central CI/CD policy management: Sets policies that govern continuous integration (CI) and continuous delivery (CD) workflows directly from the Prisma Cloud dashboard, consolidating cloud native security and cloud risk management in one place.
- Amazon Machine Image (AMI) scanning: Scans for security issues in AMIs before they’re deployed, while providing visibility into the security posture of cloud applications.
- Automatic serverless protection for AWS Lambda: Protects AWS Lambda functions by automating the deployment of serverless application protection.
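To make the first two items concrete, here is an added example of how policy-driven IaC scanning and a central CI/CD gate fit together. It is illustrative code written for this article, not Prisma Cloud’s scanner or policies: it checks a constructed CloudFormation-style template against three small policies (a public S3 bucket ACL, SSH open to the world, and a wildcard IAM statement) and a gate function decides whether the pipeline should fail based on a severity threshold. Resource names and the template contents are made up.

```python
"""Minimal policy-driven IaC scanner with a CI gate (added example, not Prisma Cloud code)."""
import json

# Constructed sample template: one public bucket, one over-permissive security
# group, one IAM policy that allows everything. Names are made up.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "LogsBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"AccessControl": "PublicRead"}
    },
    "AdminSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"}
        ]
      }
    },
    "BuildRolePolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
        }
      }
    }
  }
}
""")

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


def _as_list(value):
    """IAM Action/Resource may be a string or a list; normalize to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def public_bucket(name, res):
    """Flag S3 buckets whose canned ACL grants public access."""
    acl = res.get("Properties", {}).get("AccessControl", "Private")
    if acl in ("PublicRead", "PublicReadWrite"):
        return ("HIGH", f"{name}: S3 bucket ACL is {acl}")
    return None


def ssh_open_to_world(name, res):
    """Flag ingress rules whose port range covers 22 and whose source is 0.0.0.0/0."""
    for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
        covers_ssh = rule.get("FromPort", 0) <= 22 <= rule.get("ToPort", 0)
        if rule.get("CidrIp") == "0.0.0.0/0" and covers_ssh:
            return ("HIGH", f"{name}: port 22 open to 0.0.0.0/0")
    return None


def wildcard_iam(name, res):
    """Flag IAM statements that allow every action on every resource."""
    doc = res.get("Properties", {}).get("PolicyDocument", {})
    for stmt in doc.get("Statement", []):
        if (stmt.get("Effect") == "Allow"
                and "*" in _as_list(stmt.get("Action"))
                and "*" in _as_list(stmt.get("Resource"))):
            return ("MEDIUM", f"{name}: IAM statement allows * on *")
    return None


# Policy registry keyed by resource type; adding a custom policy is one entry here.
POLICIES = {
    "AWS::S3::Bucket": [public_bucket],
    "AWS::EC2::SecurityGroup": [ssh_open_to_world],
    "AWS::IAM::Policy": [wildcard_iam],
}


def scan(template):
    """Run every applicable policy over each resource; return (severity, message) findings."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        for check in POLICIES.get(res.get("Type"), []):
            finding = check(name, res)
            if finding:
                findings.append(finding)
    return findings


def ci_gate(findings, fail_on="HIGH"):
    """Central policy decision: True means the pipeline should fail."""
    threshold = SEVERITY_RANK[fail_on]
    return any(SEVERITY_RANK[sev] >= threshold for sev, _ in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_TEMPLATE)
    for sev, msg in results:
        print(f"[{sev}] {msg}")
    raise SystemExit(1 if ci_gate(results) else 0)
```

The point of keeping `fail_on` outside the individual checks is that the severity threshold (the policy) can be set centrally for all pipelines, while the scanner itself runs unchanged inside each CI job.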
These updates to the Cloud Native Security Platform (CNSP), as described in the release, are important to DevOps and were largely designed to help “DevOps teams that might not own security the way the security teams do,” John Morello, vice president of product management, container and serverless security at Palo Alto Networks, said.
“Many developers and DevOps engineers want to ship quality code and avoid major security issues wherever possible,” Morello said. With its latest release of Prisma Cloud, Palo Alto Networks is expanding its support for IaC scanning — integrated with leading IDEs, GitHub and CI tools — to give “DevOps teams more visibility into the security posture of their cloud infrastructure resources as part of their regular deployment workflows,” Morello said. “These capabilities expand all of our existing coverage for scanning hosts, container images, and functions,” Morello said.
Specific to hosts, Palo Alto Networks is expanding Prisma Cloud’s capabilities to scan Amazon Machine Images as it would any container registry or serverless repo. “This provides DevOps and security teams with added visibility into the security posture of their AMIs, both before deployment and in production,” Morello said. “The new capability for AMIs extends our existing host vulnerability management, compliance and runtime security solution.”
Palo Alto Networks is also expanding its capabilities for CI/CD policy enablement into its console to help streamline the process for security teams to implement policies governing DevOps workflows without having to configure a Jenkins plugin or CI script, Morello said. “This should allow developers and DevOps teams the ability to ship more easily and see the security status of their code without having to configure the security policies inside their tooling.”
Users can also use the Prisma Cloud console or the API to automatically deploy Defender through a Lambda Layer. It does this “without having developers or DevOps teams implement this code as part of their function or deployment workflows.”
“For serverless on AWS Lambda, we’re taking additional security burdens off of DevOps teams,” Morello said. “This allows security teams to easily protect functions without placing unwanted requirements and steps in DevOps’ way.”
Automatic serverless protection for Lambda helps to solve a critical pain point when it comes to consistently monitoring and protecting serverless code through “instrumentation,” Volk said. “Without auto instrumentation the door is always open for developers desperate to make a deadline to simply forget the instrumentation wrapper and so create a blind spot that may live in the shadow for a long time, just to rear its ugly head when it’s the most convenient,” Volk said.
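The blind spot Volk describes, a function shipped without its instrumentation layer, is something a defender can check for directly. The following is an added example, not Prisma Cloud or AWS code: it walks Lambda function configurations in the shape the AWS `ListFunctions` API returns (here a constructed sample rather than a live API call) and reports functions that lack the required protection layer or run an outdated version of it. The layer ARN, minimum version and function names are hypothetical.

```python
"""Added example: find Lambda functions missing or running an outdated protection layer."""
import re

# Hypothetical layer ARN (without the trailing version) that every function must carry.
REQUIRED_LAYER_ARN = "arn:aws:lambda:us-east-1:123456789012:layer:protection-layer"
MIN_LAYER_VERSION = 5  # hypothetical: versions below this are treated as outdated

# Constructed sample in the shape of ListFunctions output. The "Layers" key is
# absent when a function has no layers attached, so the code must tolerate that.
SAMPLE_FUNCTIONS = [
    {"FunctionName": "orders-api", "Layers": [{"Arn": REQUIRED_LAYER_ARN + ":7"}]},
    {"FunctionName": "payments", "Layers": [{"Arn": REQUIRED_LAYER_ARN + ":3"}]},
    {"FunctionName": "nightly-report", "Layers": []},
    {"FunctionName": "image-resize",
     "Layers": [{"Arn": "arn:aws:lambda:us-east-1:123456789012:layer:pillow:3"}]},
    {"FunctionName": "legacy-export"},
]

_VERSION_RE = re.compile(r":(\d+)$")


def layer_status(fn, required_arn=REQUIRED_LAYER_ARN, min_version=MIN_LAYER_VERSION):
    """Classify one function as 'ok', 'outdated' or 'missing' with respect to the layer."""
    for layer in fn.get("Layers") or []:
        arn = layer.get("Arn", "")
        # Match the versionless ARN followed by ":<version>" only, so a layer
        # named "protection-layer-extra" does not count as the required one.
        if arn.startswith(required_arn + ":"):
            match = _VERSION_RE.search(arn)
            version = int(match.group(1)) if match else 0
            return "ok" if version >= min_version else "outdated"
    return "missing"


def coverage_report(functions, **kwargs):
    """Group function names by status so the gaps can be acted on."""
    report = {"ok": [], "outdated": [], "missing": []}
    for fn in functions:
        report[layer_status(fn, **kwargs)].append(fn["FunctionName"])
    return report


def uninstrumented(functions, **kwargs):
    """Functions with no protection at all: the blind spots."""
    return coverage_report(functions, **kwargs)["missing"]


if __name__ == "__main__":
    report = coverage_report(SAMPLE_FUNCTIONS)
    for status, names in report.items():
        print(f"{status:9s} {', '.join(names) or '-'}")
```

Run periodically (or as a post-deploy check), the `missing` list is the set of functions a developer deployed without the wrapper; the `outdated` list catches the quieter case where the layer is present but pinned to an old version.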
As mentioned above, central CI/CD policy management addresses the main obstacle to completing application releases more frequently and securely, Volk said: “The security and compliance cost overhead that comes with each one of them.” “Centralizing CI/CD policy reporting and enforcement in one dashboard is tricky as there are many domain-specific technologies and business requirements to consider, but if Palo Alto Networks can pull this off, this is a significant step toward being able to continuously release software without the usual pre-release frenzy.”
Palo Alto Networks is a sponsor of The New Stack.
Feature image via Pixabay.