Kubernetes / Security / Tools

Palo Alto Networks Single Panel Provides Umbrella Security

9 Mar 2022 10:45am, by

Palo Alto Networks ostensibly became the first security provider to offer a complete set of security tools and platforms that DevOps teams would need under a single umbrella after it purchased Bridgecrew last year. Today, available in both Prisma Cloud and Bridgecrew by Prisma Cloud comes a major release called Prisma Supply Chain Security that was designed to cover the entire DevOps spectrum, from development to deployment.

In addition to providing Palo Alto Networks’ Prisma Cloud security offerings with Bridgecrew’s complete shift-left security capabilities integrated, Supply Chain Security offers all of this through a single console. The developers and operations team members have shared access and control to check and correct security for all stages of application code.

“With this edition, everything is under one umbrella: infrastructure and application security, including the security of your entire delivery pipeline,” Barak Schoster Goihman, senior director, chief architect at Palo Alto Networks, told The New Stack.

Shifting Left

The shift-left aspect of what Bridgecrew has offered before this release, and before Palo Alto Networks’ acquisition of the company, is a major aspect of Supply Chain Network. Based on open source Chekov, which serves to analyze and manage infrastructure as code, the Bridgecrew capabilities extend to automating policy control. Developers can take advantage of this capability within the framework of Supply Chain Security to help ensure code with vulnerabilities from open source does not get integrated into applications that see production. Supply Chain Security was designed to vet the code in an automated way that the developer can use as soon as they create code to make sure libraries do not violate policy (hence, the IaC component of Bridecrew’s tool). This capability can help developers save time and avoid headaches associated with otherwise having to redo code that fails security checks further up the production pipeline.

“The developer can introduce misconfigurations without realizing it, and it will come up for the security team to have to tackle later when they find it in runtime, so they’d have to prioritize it among their other work, and then they’d have to go back and talk about rework projects for the developers,” Melinda Marks, analyst, for Enterprise Strategy Group (ESG), told The New Stack. “Instead, with BridgeCrew, the developers are testing and fixing things themselves. Since they’re empowered to fix things, they’re working more efficiently.”

The shift-left functionality also helps to mitigate vulnerabilities that later serve as gateways for devastating attacks once the software is deployed.  “Securing the delivery pipeline from the outset can save you from attacks like the ones that we’ve seen in the SolarWinds attack where untrusted code was pushed to production,” Goihman said.

Operational Security

In addition to the Bridgecrew IaC capabilities, Supply Chain Security also combines security features applicable to security on an operational level, such as what Prisma Cloud’s Cloud Security Posture Management (CSPM) solution offers. “You have a really good tie-in between Bridgecrew and Prisma Cloud, for example,” Marks said.

Supply Chain Security’s mapping functionality serves to provide the graphical interface designed to break down the silos between developer, operations and security teams. With it, those who have access are able to have visibility into application, infrastructure, network and CI/CD security. The single console displays all files, resources and pipeline components of code from development to deployment. The system automates identifying areas of an application or supply chain that are vulnerable to attack, while the visualization provides a quick view into the posture of an application and a visual to assist in threat modeling, according to Palo Alto Networks documentation.

Other features Prisma Supply Chain Security offers that the company communicated include:
● Auto-discovery: Code assets are extracted and modeled using existing cloud code security scanners.
● Graph visualization: Provides an inventory of key application and infrastructure asset dependencies to understand weaknesses across the attack surface.
● Supply chain code fix: Vulnerable dependencies or misconfigured IaC resources can be remediated using a single consolidated pull request.
● Code repository scanning: Identify and fix vulnerabilities in open source packages in application code.
● Branch protection rules: Extends policy-as-code to harden VCS and CI/CD configurations (via Checkov) to help prevent code tampering attacks.

“Supply Chain Security takes you through every step of the development lifecycle, CI/CD and all other components and processes of a software supply chain,” Goihman said. “It  is the first step to understanding the threat surface and focusing on security efforts.”