Q&A with Palo Alto Networks: Securing the Modern Engineering Ecosystem
In the last decade, the engineering ecosystem has evolved significantly, developers are using more languages and frameworks with minimal technical or procedural barriers. This shift comes as organizations race to ship software faster to deliver higher quality applications, better customer experiences and remain competitive. In fact, 77% of organizations are deploying new or updated code to production weekly and 38% are committing new code daily.
This shift has put a tremendous strain on application security teams. There are new opportunities and attack paths for adversaries, as well as completely new challenges for security teams which must adapt to the evolving risk landscape and ensure a frictionless experience for application developers. In this Q&A, Jonathan Bregman of Palo Alto Networks addresses the challenges of securing the modern engineering ecosystem, how attackers are taking advantage of this expanded attack surface and the approaches organizations can take to adapt effectively to the new reality.
Q: Describe how an application is built today compared to 5–10 years ago.
Bregman: Today, developers have essentially unlimited freedom. Their success is measured by the amount of new code and applications built and deployed. Just about every tool, language and framework is at their disposal. From imported code libraries, third-party systems and plugins, developers are building applications faster than ever before. Compared to 10 years ago, when a developer would push new application code once or twice every month, some application teams are pushing code once or twice a day.
Q: What are some of the challenges with securing the modern engineering ecosystem?
Bregman: Because developers are building with a “whatever it takes” mindset, applications consist of countless third-party tools, open source code and frameworks that all have their own inherent risks. The average application consists of 75% open source components that can be full of vulnerabilities so one of the top challenges is visibility. Where we see a lot of organizations struggle is having an accurate and comprehensive understanding of what is in the environment, how and where it’s being used, if it’s vulnerable and, if so, how critical it is. Many customers rely on siloed security tools to reach this understanding, but stitching together multiple point tools can lead to inaccuracies and blind spots.
The emergence of AI will also generate more challenges for security teams as developers increasingly turn to AI to write code. Right now, there are anywhere from 10 to 100 developers for every security professional. With AI, the pace of application development will widen this gap, putting even more strain on security teams to ensure new code isn’t opening the organization up to risk.
Q: How have attackers taken advantage of this new attack surface?
Bregman: Bad actors are quickly recognizing the engineering ecosystem as a threat vector that is both easy to target and ripe for exploitation — often to significant and lucrative results. The infamous Solar Winds attack occurred because a build system was exploited, and malware was spread to 18,000 clients. In another recent example, cybercriminals successfully infiltrated and disrupted CircleCI, a leading CI/CD platform storing highly confidential client secrets and tokens. These incidents underscore how a single unsecured element in an engineering environment can result in detrimental consequences at scale.
Q: Do you think we’ll see more attacks on the software supply chain/engineering ecosystem?
Bregman: Attackers are always looking for the path of least resistance and with how novel and complex the modern engineering ecosystem is, it would be safe to assume that we’ll see more and more attacks. Organizations are still in the early stages of cloud native development, where speed is prioritized over security. Attackers understand this and that applications are the “crown jewels” of the organization.
AI is also a factor. Just as organizations are using AI to detect and stop threats, adversaries are leveraging AI to scale attacks. The modern engineering ecosystem provides attackers with the perfect testing ground.
Q: Is there a recommended approach or are there best practices you advise customers to take?
Bregman: This new reality and rising attacks require us to think differently about application security, the overarching security umbrella over the engineering ecosystem. At its core, effective AppSec in modern organizations is about maintaining engineering velocity without compromising on risk management. At Palo Alto Networks, we advise customers on the following application security program for the modern engineering ecosystem, which can be broken down into three disciplines:
Security in the Pipeline (SIP)
SIP aims to prevent security flaws and misconfigurations in code from reaching production environments. Common tools are Infrastructure as Code security, software composition analysis (SCA), static application security testing (SAST)/dynamic application security testing (DAST), etc. This ensures new issues aren’t introduced into the codebase and that existing issues are gradually fixed.
Security of the Pipeline (SOP)
SOP focuses on the security posture of each individual system within the software delivery chain from code to deployment as well as the interconnectivity between these systems. In SOP, rather than focusing on the code and artifacts flowing through the software delivery chain, as we do in SIP, the focus is on the security controls and measures around the delivery chain itself.
Security around the Pipeline (SAP)
SAP is designed to ensure the integrity of the software delivery chain and apply the appropriate controls to prevent anyone, both humans and applications, from bypassing it. The reality is that achieving optimal SIP and SOP is only partially effective if an attacker can push code directly to production or deploy a malicious container directly to Kubernetes. To achieve effective SAP, we must be able to answer two main questions:
- Is everything that is running in production originating from the software delivery chain? Did everything undergo all the appropriate checks and controls?
- Are all the appropriate visibility and posture controls in place to ensure that the software delivery chain cannot be bypassed?
Q: How do you anticipate AI playing a role?
Bregman: As I’ve mentioned, AI will have a profound impact on the modern engineering ecosystem and how it is protected. The velocity of cloud applications is vastly outpacing the speed at which security teams can secure them and the emergence of AI will only speed up development. Adversaries will also use AI to scale and automate attack frequency. I see a tremendous opportunity for security teams to harness the power of AI to effectively detect, prioritize and remediate risks in the application development life cycle and broader software supply chain.