The adoption of infrastructure as code (IaC) is spreading among companies both on-premises and in the cloud. Terraform, CloudFormation templates, Dockerfiles, Helm charts and many other IaC file types now exist, and the age-old question remains: “how do we make sure our product is as secure as possible before it’s shipped to production?” The concept of “Shift Left Security” became the answer to this question, and implementing a Shift Left solution can ease everyone’s workload.
Shift Left Security focuses on catching compliance and vulnerability issues during the initial development stages of a project, thus preventing a security measure from being missed in development. Palo Alto Networks believes in this concept and we strive to provide our customers with the best tools possible in order to improve security at this and every step of the product life cycle. To support this security measure, Prisma Cloud recently introduced “Supply Chain Security” (Cloud Code Security, CCS) as an additional security pillar.
What is supply chain security?
The goal of supply chain security is to allow the user to identify, analyze and mitigate the risks inherent in working with languages and tools provided by third parties. In this case, the cloud/platform providers offer open source resources such as IaC to help facilitate the customer’s needs.
How important is it?
According to the “Palo Alto Networks Unit 42 2H 2021 Cloud Threat Report”, roughly 99% of Kubernetes Helm charts contain misconfigurations and 91% of container images contain at least one critical or high severity vulnerability. Seems like it's pretty important to consider. The graphic below is just one example of the process a bad actor might use to exploit your IaC and manipulate your infrastructure:
Supply Chain Security Breakdown
In Prisma Cloud Enterprise Edition, “Supply Chain Security” is a capability of Prisma Cloud Code Security that comes in the form of the supply chain graph. The supply chain graph offers real-time auto-discovery of potentially misconfigured infrastructure and application files, sorted into a neat data model that you can use to prioritize and search. Let’s take a look at how Supply Chain Security can help your developers produce the most secure infrastructure possible.
For example, say you have just configured one of your IaC repositories to be scanned by the Prisma Cloud Code Security module. You chose some out-of-the-box security policies and even added a few custom policies to adhere to. The code security scans have run and you are starting to go through the list of misconfigurations spread throughout your IaC files. There could be several or just a few misconfigurations, but you might wonder “how do these misconfigurations impact my environment, and what other resources are related and impacted?”
The supply chain graph in the product can help you make those connections by applying a new data model to the existing code security scanner findings. All of the passed and failed policies and vulnerabilities found by the scanner are connected in the graph to show how different resources are connected to and dependent on one another. You could think of the graph as a code-centric view of your infrastructure and applications that combines all of the scanned and gathered data to identify potential vulnerabilities within your IaC.
In the image below, you can see a high-level overview of the supply chain graph in Prisma Cloud. The four main components of the supply chain graph (shown from left to right) are the Organization (highlighted in the image), the git repository, the IaC files and the resources to be provisioned by those IaC files.
The numbers shown on the IaC files and resources in the image below tell you how many misconfigurations or vulnerabilities were discovered. In this example, you can see that the “tf12.tf” IaC file has 82 total issues spread across the 4 resources declared by that file.
The supply chain graph lets you drill down into those resources to see the attributes of the resource, related resources (other IaC files and resources that are connected to and dependent on one another) and resource history (a history of issues and misconfigurations related to the resource). You can see an example of this information highlighted in the image below:
With this information, you can see what resources have potential misconfigurations, vulnerabilities or exposed secrets and the potential area of impact on other resources. Identifying issues is half the battle, but knowing what issues exist ahead of time makes remediation a whole lot easier.
You are now one step closer to making informed decisions about the security of your environment and you are getting it taken care of weeks before it might become an emergency at 5pm on a Thursday. The developers, system administrators, network team, security team and management will all be glad that your organization adopted another Shift Left security tool to help ensure security measures are a regular practice, rather than a source of concern.
Prisma Cloud Supply Chain Security can help your organization lower time to remediation, decrease high-severity events, simplify compliance and minimize the attack surface surrounding your infrastructure as code in a few simple steps. To make security data easier to measure, the product even provides a graph-style visual model in addition to the information offered by Prisma Cloud Code Security, making it easier to navigate the files that make up your IaC and the potential issues identified in them. Best of all, it helps your organization put preventive security measures in place before an issue escalates into a real security crisis.
If you are interested in learning more about Prisma Cloud Code Security and Supply Chain Security, check out these links: