Protecting Your Delivery Pipeline: Extensive CI/CD Security with Prisma Cloud


By Jonathan Bregman, Senior Product Marketing Manager

With the rise in attacks on continuous integration and continuous delivery (CI/CD) environments, it’s no surprise that the U.S. Government recently released guidance to help organizations understand their risks and defend their pipelines. CI/CD pipelines are critical to cloud-native software development and host highly sensitive data and credentials. But they often exist outside the purview of traditional AppSec teams.

To help AppSec practitioners secure their pipelines, we’re excited to announce CI/CD Security by Prisma Cloud.

With graph-based CI/CD security in the industry’s most comprehensive code-to-cloud cloud-native application protection platform (CNAPP), Prisma Cloud gives you:

  • Unmatched visibility into your engineering ecosystem
  • Protection from the OWASP Top 10 CI/CD Risks
  • Pipeline Posture Management
  • Attack Path Analysis via the Cloud Application Graph™

Let’s dive into the details.

Unmatched Visibility into the Engineering Ecosystem

As developers commit code to source control, most organizations have deployed various types of code scanners to detect misconfigurations in templates, vulnerabilities in open-source packages, exposed secrets and other issues. The best tools provide granular fix guidance directly for developers, but given the diversity of code and supporting scanners, AppSec teams are left with a fragmented view of risk spread across multiple siloed tools.

What’s more, most organizations lack visibility into developers contributing to trusted artifact registries, which technologies and frameworks are in use, and how to export a software bill of materials (SBOM) of the environment.

Prisma Cloud’s new Application Security dashboard unifies visibility across the engineering ecosystem. From a single pane, AppSec teams gain visibility across code repositories, contributors, technologies used and pipelines connected, along with specific code risks. By understanding which repositories and pipelines connect to production, teams can easily prioritize risk with full infrastructure context.

Figure 1: The Application Security dashboard provides a centralized view of your entire engineering ecosystem

Defending Against the OWASP Top 10 CI/CD Risks

Attacks that seek to breach delivery pipelines are far too common, and until recently no industry-recognized framework was available to describe them. To provide guidance on attack vectors and the best practices that mitigate them, Prisma Cloud’s AppSec researchers developed and published a formally recognized industry benchmark: the OWASP Top 10 CI/CD Security Risks project.

Organizations can benefit from the project at any stage in their CI/CD security journey. For example, it’s easy for teams to use the project’s guidance to help identify misconfigurations for version control systems (VCS) and CI/CD pipelines. Those misconfigurations could easily lead to code tampering, credential theft and ultimately a runtime breach.

Figure 2: The OWASP Top 10 CI/CD Security Risks

Pipeline Posture Management

To embrace DevSecOps, it’s essential to observe the posture of your delivery pipeline, ensure it’s protected against the Top 10 CI/CD risks and then report your findings to leadership. Prisma Cloud’s new dashboard provides continuous visibility across the critical pipeline issues with added context like system risks and both the number and frequency of events to accurately measure and alert on criticality.

Figure 3: Prisma Cloud provides continuous pipeline posture management against the OWASP Top 10 CI/CD Risks

Attack Path Analysis via the Cloud Application Graph™

The power that graph databases bring to contextualizing security insights can’t be overstated. The ability to correlate multiple risk signals simultaneously to map an attacker's pathway to a breach is critical to delivering high fidelity alerts for AppSec teams. The Prisma Cloud Application Graph™ provides a dynamic visualization of your engineering ecosystem that allows you to better understand and analyze the environment and relationships between all artifacts from code to deployment.

By modeling every asset and its relationships, you can map the paths an attacker could take through the environment. This matters as you protect your delivery pipelines from today’s sophisticated attacks: for example, cross-platform misconfigurations like poisoned pipeline execution (PPE) are only discoverable with graph-based analysis, which is why Prisma Cloud’s CI/CD Security is built on the world’s first Application Graph.

Figure 4: The Prisma Cloud Application Graph™ helps customers uncover breach paths

CI/CD Security and AppSec: Looking to the Future

In the modern threat landscape, protecting the delivery pipeline is more important than ever. Going forward, security and risk leaders must prioritize hardening CI/CD systems and processes as they rearchitect their AppSec programs to account for these evolving threats.

Since its inception, Prisma Cloud has been at the forefront of delivering solutions for the most pressing cloud security challenges. With the industry’s only code-to-cloud CNAPP, customers can now protect their delivery pipeline with graph-based CI/CD security.

If you want to learn which attack vectors you should prioritize at the start of your CI/CD security journey, read this technical guide on the Top 10 CI/CD Security Risks.