The Main Goal: Secure the Application Workload
“There is a problem with the cybersecurity industry,” said Ory Segal, Chief Technology Officer of Prisma Cloud, Palo Alto Networks (PAN), at the company’s Ignite conference in Las Vegas late last year. “And that’s the short attention span that we have. New technologies sway us from our main goal. Our main goal is to secure the applications. If you think about it, our customers are building applications. They’re not in the business of building clouds. So selling them cloud security is not what we should be doing. We should be selling them application security.”
Customers secure applications, but there is a looming issue that developers face, namely insecure software supply chains with vulnerable third-party dependencies. The application security environment now looks more like a network, with an API-centric architecture and multiple layers needing protection.
“If we looked at applications back at the end of the 90s, the beginning of the 2000s, we had the physical infrastructure, we had the network, the app and the data layer,” Segal said. “And applications looked really simple. We have the web servers, web backend, database. That’s pretty much it. It was very easy to secure these applications. You would place a wire from the perimeter or firewall and that’s pretty much it.”
Today, there are thousands of application security point tools. The PAN goal is to help customers consolidate into an end-to-end approach, which PAN calls code-to-cloud. The objective: offer a platform to secure cloud native architectures built on microservices dependent on multiple APIs.
Segal said that attackers know how to traverse the applications to access the data. They will start through the application layer, a web form, for example, that stores the file in the cloud. An API call will get sent from the application layer to the workload, which will execute its logic and pull the file from the storage bucket, allowing the leaking of information.
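The traversal Segal describes, from a web form through an API call to a workload that reads from a storage bucket, is easiest to see in code. The following is an added example, not code from the article or from Palo Alto Networks: an in-memory stand-in for the bucket, a constructed ownership table, and two versions of the workload's fetch step. The vulnerable version treats the form value as an object key, so the data layer is reachable by anyone who can reach the API; the hardened version treats it as an opaque document id and enforces ownership inside the workload, so a compromised or misconfigured web tier cannot be used to pull arbitrary objects.

```python
"""Added example (not from the article or Palo Alto Networks): a stand-alone
simulation of an API request reaching a workload that fetches an object from
a storage bucket. The bucket, the records table and the requests below are
constructed sample data, not real identifiers."""
from dataclasses import dataclass

# Constructed stand-in for a cloud storage bucket: object key -> contents.
BUCKET = {
    "tenant-a/invoices/1001.pdf": b"tenant A invoice",
    "tenant-b/invoices/2001.pdf": b"tenant B invoice",
    "internal/config/db-credentials.txt": b"secret",
}

# Constructed index: document id -> (owning tenant, storage key).
RECORDS = {
    "1001": ("tenant-a", "tenant-a/invoices/1001.pdf"),
    "2001": ("tenant-b", "tenant-b/invoices/2001.pdf"),
}


@dataclass
class ApiRequest:
    tenant: str    # identity established by the API layer (assumed authenticated)
    file_ref: str  # value taken straight from the web form


def fetch_vulnerable(req: ApiRequest):
    # The workload trusts the form value as the object key, so every object in
    # the bucket is reachable from the application layer by naming it.
    return BUCKET.get(req.file_ref)


def fetch_hardened(req: ApiRequest):
    # 1. Treat the form value as an opaque document id, never as a storage path.
    record = RECORDS.get(req.file_ref)
    if record is None:
        return None
    owner, key = record
    # 2. Enforce ownership at the workload, not only at the web tier.
    if owner != req.tenant:
        return None
    # 3. The storage key is built server-side from the record; the caller
    #    never chooses it, so there is no path from the form to the bucket.
    return BUCKET.get(key)


if __name__ == "__main__":
    print(fetch_vulnerable(ApiRequest("tenant-a", "internal/config/db-credentials.txt")))
    print(fetch_hardened(ApiRequest("tenant-a", "internal/config/db-credentials.txt")))
    print(fetch_hardened(ApiRequest("tenant-a", "1001")))
```

The point of the hardened variant is that the check lives in the layer that actually touches the data. A WAF or API gateway in front of the application can add value, but the workload-level ownership check is what stops the traversal even when the layers above it have been misconfigured.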
Inspect the Packets
Point tools provide microscopic views, looking at every point in the chain. There might be a tool for the API calls or a tool in front of the web application firewall (WAF).
There are two alternatives to the point-tool approach, Segal said. A service provider may take the plumbing approach and pull data from different vendors to create overlay insight.
“I think it has more cons than pros from a security vendor perspective,” Segal said. “Mostly because you have to rely on signals from others, their quality, their format, you have to continue updating the way you consume the data. It is easier to develop.”
PAN follows the “one ring” approach, Segal said. It allows PAN to control the platform and the underlying analysis. In turn, that provides better security because the vendor, in this case PAN, owns the signals.
“Yes, it’s harder, because you have to have the technology and the knowledge and the know-how to build all these analysis centers,” Segal said. “But the benefits you’re getting from that as a security vendor are tremendous.”
“Prisma cloud is the platform that helps to secure cloud native applications,” Segal said. “It’s not a cloud security platform. I know the name is misleading. It is a cloud native application protection platform, and it provides different modules from the left to the right — from detecting vulnerabilities, secrets, infrastructures, code problems, all the way to the right where we provide the web API security module that prevents attacks against APIs.”
Scott Moser, chief information security officer at Sabre Technologies, a long-time software provider for the travel industry, said onstage at the conference that already integrated security tools are better for Sabre than working across multiple tools and their respective APIs.
“I’d rather have my team using the security tools than spending their time integrating those security tools,” Moser said.
Segal said the tools teams use often vary for application security, depending on the layer in the application stack. There is further complexity with the dynamic nature of CI/CD environments and the constant addition of new tools. The process is so fast that code may take just minutes to go from repository to production.
PAN’s acquisition of Cider Security illustrates the company’s shift-left approach. Cider is a platform for software supply chain security. The Cider Security service gives a developer views into the infrastructure and tools that developers use in CI/CD, to determine the risks they pose. Code itself is not Cider’s focal point; its strength is knowing the myriad tools developers use.
A choice of tools for CI/CD offers attackers ample opportunities to attack. With all the tools come risks to the code. Developers need more visibility into the tool configurations. Cider Security mitigates these kinds of risks. It serves as an overarching element that integrates with the customer’s solutions.
Because the entire CI/CD workflow is programmable, Cider gives PAN a way to integrate with platforms such as Jenkins, GitLab or GitHub. By offering deeper integrations, PAN is better able to manage the complexities that come with working alongside engineers.
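One concrete form of the “visibility into the tool configurations” that the previous two paragraphs describe is checking what a pipeline definition pulls in. The following is an added example, not Cider’s or PAN’s code, written against the GitHub Actions workflow format (the `uses:` key names a third-party action and a git ref; pinning that ref to a full commit SHA is the standard supply-chain control). The sample workflow, including its commit SHA, is constructed for the example; it deliberately avoids a YAML library so it runs with only the standard library.

```python
"""Added example (not Cider's or Palo Alto Networks' code): a small inspector
for a GitHub Actions workflow that reports third-party actions referenced by
a mutable ref (tag or branch) instead of a full commit SHA, and whether the
workflow declares an explicit `permissions:` block. The workflow below is a
constructed sample; the SHA in it is made up for illustration."""
import re

SAMPLE_WORKFLOW = """\
name: build
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832c9fc
      - uses: some-org/release-tool@main
      - run: npm ci && npm test
"""

# Matches a step line such as "      - uses: owner/repo@ref" and captures the reference.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full 40-hex-character commit SHA is the only immutable form of a git ref.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text):
    """Return (line_number, reference, reason) for every action not pinned to a SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref_spec = m.group(1)
        # Local actions and container images carry no git ref to pin.
        if ref_spec.startswith("./") or ref_spec.startswith("docker://"):
            continue
        if "@" not in ref_spec:
            findings.append((lineno, ref_spec, "no ref given"))
            continue
        _action, ref = ref_spec.rsplit("@", 1)
        if not SHA_RE.match(ref):
            findings.append((lineno, ref_spec, "mutable ref %r" % ref))
    return findings


def has_explicit_permissions(workflow_text):
    """True if the workflow sets a top-level or job-level `permissions:` block."""
    return any(line.strip().startswith("permissions:")
               for line in workflow_text.splitlines())


if __name__ == "__main__":
    for lineno, ref_spec, reason in find_unpinned_actions(SAMPLE_WORKFLOW):
        print("line %d: %s (%s)" % (lineno, ref_spec, reason))
    print("explicit permissions:", has_explicit_permissions(SAMPLE_WORKFLOW))
```

Run against the sample, the inspector flags `actions/checkout@v4` and `some-org/release-tool@main` (a tag and a branch can both be moved after the fact) while accepting the SHA-pinned `setup-node` step, and reports that no `permissions:` block is declared. A real tool like Cider covers many more tools than one CI format, but the shape of the check is the same: read the configuration developers actually run, and surface the settings that widen the supply-chain attack surface.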
The Cider technology still needs to integrate into Prisma Cloud.
The platform approach to application security is gaining momentum, said Fernando Montenegro, a senior principal analyst with Omdia out of the Toronto area. He said PAN competes with the likes of Trend Micro, Check Point, and Rapid7. Competition is also increasing from companies such as Sysdig, Lacework, Snyk, Orca, and others that offer continuous delivery tools that integrate with security tooling.
Montenegro said there are some nuances to consider, such as whether a customer can get by with an offering from an existing vendor that they already use for CI/CD or some other aspect of application security.
In a Twitter thread, I asked people about CI/CD security, its complexity, and how to secure it. Here’s a look at what people had to say.
I am researching CI/CD security and it just seems so complex, considering the different languages and frameworks people use. Does anyone have any approaches they are following or work by that looks at the issue from a platform perspective to examine all the layers?
— Alexander (@alexwilliams) January 3, 2023