By Carlos Martins Jr., Customer Success Engineer
With the introduction of CBDR (Code, Build, Deploy, Run) Implementation Plans on LiveCommunity, Palo Alto Networks is enhancing how we look at Prisma Cloud in our customers' environments. Prisma Cloud touches every part of your app and infrastructure lifecycle, so knowing what the product does and when is essential. For example, shift-left security helps detect issues and misconfigurations earlier in the app dev lifecycle. In addition, visibility enables you to avoid technical debt and other problems in the product lifecycle.
As a part of this shift in perspective with CBDR, we are soon introducing new customer success sessions to help our premium customers find as much value as possible with Prisma Cloud. One of the premium sessions, “Visibility in the Code & Build Lifecycle,” discusses Prisma Cloud's features to assist you in your product lifecycle's code and build phases. Let’s look at some topics covered in this session.
VCS/CI/IDE/CLI Scans with Code Security
Prisma Cloud offers the new Code Security framework, which scans your IaC files, container images, and more. There are several ways to use the Code Security scanning features: scanning your VCS directly, running scans through a CI integration, or running IDE- or CLI-based scans as a developer.
These three integration methods will cover the most critical areas of concern in a software development lifecycle:
IDE and CLI integrations are ideal for a shift-left approach to security, bringing the knowledge of security professionals directly to the development process and significantly reducing avoidable mistakes.
CI integration will ensure that any code passing through a CI/CD pipeline undergoes another round of scans. This second scan ensures nothing was missed or changed after the developer's first pass with the IDE or CLI tool. The CLI tool can also be leveraged in the CI process if necessary.
You can scan the code at rest in a repository. In addition, Code Security scans regularly check the code base so that you can address any emerging threats or configuration mistakes even after developers have been reassigned to other projects or tasks.
Code Security Projects
The Projects section of Code Security will be the landing page for anyone using the platform to remediate issues in IaC.
This page holds the scan results for the integrated repositories, CLI, and CI scans. It serves as the main source of results, drift detection, and contextual information relating to resources covered by the scan. The results also include tags, configuration details, and a history of issues found with each resource.
Projects also provide the ability to suppress and automatically fix select issues with the press of a button. This action sends all necessary information about the proposed changes directly to the integrated VCS, where the code base resides.
Code Security IaC Tag and Trace + Drift Detection
Code Security offers the ability to automatically add tags to cloud infrastructure via your integrated code repositories and to use drift detection to track and remediate any changes made to your cloud infrastructure outside of code. Using tags and drift detection can improve traceability and compliance in your cloud environments. You can then fix the drift either by running another IaC deployment that overwrites the out-of-band change, or by merging the change into your VCS via the pull request feature in the UI.
Tagging also offers the ability to create custom tags that can be applied to specific repositories and tracing tags that enable drift detection. They will display as merge requests in your VCS after a scan. This can save you a lot of time tagging and ensuring that every tag is in its proper place.
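The tag-and-trace idea above, as an added illustration that is not Prisma Cloud's own code: resources declared in IaC carry a tracing tag (the tag name "trace_id" and the sample security groups are constructed here), the same tag is present on the deployed resource, and drift is the set of attributes whose live value no longer matches the code.

```python
# Simplified tag-and-trace drift detection (illustration, not Prisma Cloud code).
from dataclasses import dataclass

TRACE_TAG = "trace_id"  # constructed name for the tracing tag written into IaC


@dataclass
class Resource:
    name: str
    tags: dict
    config: dict


def _by_trace(resources):
    """Index resources by trace tag; names of untagged resources are returned separately."""
    indexed, untagged = {}, []
    for r in resources:
        if TRACE_TAG in r.tags:
            indexed[r.tags[TRACE_TAG]] = r
        else:
            untagged.append(r.name)
    return indexed, untagged


def _diff(code, cloud):
    """Keys whose value differs between the IaC definition and the live resource."""
    return {k: {"code": code.get(k), "cloud": cloud.get(k)}
            for k in sorted(set(code) | set(cloud)) if code.get(k) != cloud.get(k)}


def detect_drift(declared, live):
    """Match code and cloud by trace tag; report drifted, missing and unmanaged resources."""
    code_idx, _ = _by_trace(declared)
    live_idx, unmanaged = _by_trace(live)  # live resources without a trace tag were not deployed from code
    report = {"drifted": {}, "missing_in_cloud": [], "unmanaged": unmanaged}
    for tid, res in code_idx.items():
        if tid not in live_idx:
            report["missing_in_cloud"].append(res.name)
            continue
        changes = _diff(res.config, live_idx[tid].config)
        if changes:
            report["drifted"][res.name] = changes
    return report


# Constructed sample: two security groups declared in IaC versus what is live in the cloud.
DECLARED = [
    Resource("web_sg", {TRACE_TAG: "t-001", "env": "prod"}, {"ingress_ports": [443], "description": "web tier"}),
    Resource("db_sg", {TRACE_TAG: "t-002"}, {"ingress_ports": [5432]}),
]
LIVE = [
    Resource("sg-0a1b", {TRACE_TAG: "t-001", "env": "prod"}, {"ingress_ports": [443, 22], "description": "web tier"}),
    Resource("sg-ffff", {"env": "dev"}, {"ingress_ports": [8080]}),  # no trace tag: created outside of code
]

if __name__ == "__main__":
    print(detect_drift(DECLARED, LIVE))
```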
Code Security Supply Chain
The Code Security Supply Chain offers a different perspective by giving customers a visual representation of the code base that can help facilitate discussions between teams about the attack surfaces and the overall impact of the scan results. This is shown in the form of the “Supply Chain Graph.”
This graph is handy for visualizing the package dependencies in your code base to give you an idea of how vulnerable your packages and libraries might be. It can help a developer to identify possible supply chain attacks due to risks associated with the dependent packages, such as attack vectors, open source licenses and vulnerabilities.
In addition, it allows you to drill down into each package for more information about the vulnerability and the fixes available. This page also allows you to generate an SBOM (Software Bill of Materials) in CSV or CycloneDX format for sharing results with stakeholders.
Code Security Development Pipelines give you visibility into pull requests and code reviews, showing where issues and vulnerabilities concentrate in repositories over time. The data this feature displays can be helpful for a manager or security analyst who needs a high-level view of the IaC's overall health. This feature gives you a global view of all the scan results performed on the repository, with insights based on pull requests (PR) and merge requests (MR).
In addition, Prisma Cloud analyzes the number of Git users and weekly commit status to give you a “trend line” of the repository, which helps identify critical issues in an active repository. You can also see insights for scans performed on all branches integrated on CI/CD, pull requests (PR) and merge requests (MR) in a VCS. These insights are structured to give you access to the latest information first.
Image Analysis Sandbox in CWP
Using the Image Analysis Sandbox feature in Prisma Cloud Compute, you can test container images to ensure they are safe and free from malicious content and suspicious findings. In addition, you can leverage the Image Analysis Sandbox to analyze your container images on demand or as part of your CI/CD process.
Every report will provide information about the container image. This can include the SHA-256 hash representing the image ID in Prisma Cloud, the OS the container runs on and any other scan results for this image.
Because Prisma Cloud is designed with the software lifecycle in mind, your organization can benefit from combining all of these features with one solution. The ability to scan code packages and containers for license issues and vulnerabilities, IaC misconfigurations, exposed passwords and much more, keeps your data safe with the ease of a centralized command center.
About the Author