Securing the SDLC Workflow with Prisma Cloud and a Shift-Left Approach

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
L4 Transporter
No ratings

By Raj Annaladasu, Senior Cloud Security Engineer

 

Overview

 

In today’s fast-paced software development landscape, security must be integrated at every stage of the SDLC to proactively identify misconfigurations, vulnerabilities, secrets, and other risks, minimizing potential threats early in the process. This article demonstrates how Prisma Cloud seamlessly integrates into the entire SDLC (from early development in the IDE (Visual Studio Code), through version control (GitHub) and PR scanning, to CI/CD pipelines (GitHub Actions) and securing code post-commit). By adopting a shift-left approach, Prisma Cloud empowers developers to catch security risks early, ensuring robust, secure code without slowing down development.


Key Phases:
  1. Early Security Awareness: IDE Integration with Prisma Cloud in VS Code.

  2. Securing Version Control: PR/MR Scanning in GitHub.

  3. Continuous Security Validation: CI/CD Integration with GitHub Actions.

  4. Securing Code Post-Commit: Automated Fixes and Ongoing Monitoring with Prisma Cloud in the SDLC.

 

With Prisma Cloud’s seamless integration into core development tools, security is embedded directly into your workflow—catching misconfigurations, vulnerabilities, secrets, and other risks early, all while maintaining fast, agile development practices.

 

1. Early Security Awareness: IDE Integration with Prisma Cloud in VS Code

 

The journey to secure code begins with IDE (VS Code), where developers write and test their code. At this stage, Prisma Cloud integrates directly into VS Code to provide real-time security scanning and analysis.

 

Key Actions:

  • Static Code Analysis: Prisma Cloud scans the code for vulnerabilities, misconfigurations, and security risks directly within the VS Code IDE.

  • Real-Time Alerts: As developers write code, they receive immediate feedback on potential vulnerabilities, enabling quick remediation.

  • Seamless IDE Integration: Prisma Cloud integrates with VS Code, maintaining an uninterrupted development experience while ensuring that security is embedded from the very first line of code.

 

By identifying and addressing security issues early, developers can ensure the codebase is secure before committing changes.

Demonstration Workflow:

 

Install Prisma Cloud Extension:

  • Open VS Code and go to the Extensions view (Ctrl+Shift+X) - Windows, (Cmd+Shift+X) - Mac.

  • Search for Prisma Cloud and click Install.

 

unnamed.jpg

Figure 1: Prisma-Cloud-Extension_PaloAltoNetworks

 

Authenticating with Prisma Cloud:

 

 
unnamed.jpg

Figure 2: Configure-Plugin-Settings_PaloAltoNetworks 

 

Enforcement Rules:

  • Allows control over the severity of findings that developers should focus on, based on the code category.

  • Enable Enforcement Rules for soft-fail thresholds.

 

 
unnamed.jpg

Figure 3: Soft-Fail-Thresholds_PaloAltoNetworks

 

Explore the UI:

  • Navigation:  A tree structure displaying issues by security category (IaC misconfigurations, Secrets, Vulnerabilities (SCA), and Licenses). Each category expands to reveal folders containing specific issues detected during a scan.

  • Code editor: Allows you to review your codebase, and view a list of findings related to a resource (for IaC misconfigurations) or file, along with remediation options.

  • Problems Tool: Provides a detailed view of a selected issue, including information such as the code difference when available, and Remediation options.

 

 
unnamed.jpg

Figure 4: UI-Layout_PaloAltoNetworks

 

Scans:

  • Run Full Project Scan.

    • Click the Run full Scan button in the General Actions category to scan the entire project.

 

 
unnamed.jpg

Figure 5: General-Actions_PaloAltoNetworks

 

  • Real-Time Scanning

    • File-Specific Scan:- Simply opening or saving a file will trigger a scan for that particular file.

    • Status Bar – The status bar displays the message: "Prisma Cloud is scanning your files:/Users/rannaladasu/Documents/main.tf ".

 

 
unnamed.jpg

Figure 6: Status-Bar-Indicator_PaloAltoNetworks

 

Findings Management:

  • IaC Misconfigurations

    • Misconfiguration Indicators: A red mark next to a line number highlights an issue within a resource.

    • Issue Details: Hover over the mark to view the detected issue and its severity. If multiple issues are found, scroll to see all of them.

    • Detailed View: Click "Console" to open the Problems Tool for a more detailed view of the misconfiguration.

    • Fixes: The fix modifies the configuration. The Problems Tool displays the code difference to be fixed (Fig: 8 ).

 

 
unnamed.jpg

Figure 7: fic-01-org-broccoli_PaloAltoNetworks

 

 
unnamed.jpg

Figure 8: fic-01-org-broccoli-fix_PaloAltoNetworks

 

SCA Vulnerabilities:

  • Vulnerability Indicators: A red mark next to a line number highlights a vulnerability in the package on that line.

    • Vulnerability List: If multiple vulnerabilities are found, a list will appear, showing detailed information when hovering over the marker, including CVE details, severity, vulnerable package, and remediation options.

    • Detailed View: Click "Console" to open the Problems Tool for a more detailed view of the issue.

    • Remediation: Fix the detected CVE by upgrading the package to a version with a patch. (Fig: 10).

 

 
unnamed.jpg

Figure 9: Vulnerabilities_PaloAltoNetworks

 
unnamed.jpg

Figure 10: Vulnerabilities-fix_PaloAltoNetworks 

 

Secrets:

  • Secret Detection: A red mark next to a line number indicates a secret has been detected in the file.

  • Severity Information: The severity of the detected secret is displayed alongside the mark.

  • Detailed View: Click "Console" to open the Problems Tool for a more detailed view of the issue.

  • Remediation Options: Follow the policy guidelines.

 

 
unnamed.jpg

Figure 11: Secrets_PaloAltoNetworks

 

2. Securing Version Control: PR/MR Scanning in GitHub

 

Once code changes are committed to GitHub (with the repository named secure-shift-left), it enters the Pull Request (PR) or Merge Request (MR) phase. At this point, Prisma Cloud automatically scans the PR/MR submissions to detect vulnerabilities before merging the code into the main branch.

 

Key Actions:

  • Comprehensive Code Review: Prisma Cloud scans the changes in pull requests and merge requests, checking for security issues that might have been missed earlier.

  • Security Gatekeeping: Just like a quality assurance checkpoint, Prisma Cloud prevents insecure or flawed code from being merged into the main codebase. (Enforcement Rules)

  • Enforcing Secure Development Practices: Prisma Cloud helps reinforce a security-first mindset across the development team by ensuring that security checks are automated during the PR/MR process.

 

This step ensures that only secure code progresses into the shared codebase, minimizing risks in the project.

 

Demonstration Workflow:

  • Resource: aws_instance.fic-02-org-broccoli.

  • Misconfiguration Detected: Same IMDSv1 enabled instead of IMDSv2 (Instance Metadata Service Version 2) (not fixed in the IDE).

  • Action: Prisma Cloud detects this misconfiguration during the PR scan in GitHub and blocks the merge to the main branch. The developer is prompted to fix the misconfiguration before merging the code.

 

Configure Branch Protection Rules:

  • Set up branch protection rules in GitHub to fail builds if a scan step fails.

 

 
unnamed.jpg

Figure 12: Prisma-Cloud-DevSecOps_PaloAltoNetworks

 

  • Set Severity Threshold - Enforcement Rules

    • To set the desired severity level (e.g., Critical, High), drag the Comments Bot threshold rule.  

    • The "hard-fail level" defines the threshold for failing a pull request (PR) scan conducted by Prisma Cloud. 

 

 
unnamed.jpg

Figure 13: Enforcement-Rules_PaloAltoNetworks

 

Trigger PR Scan:

  • When a pull request (PR) is created or updated, Prisma Cloud automatically scans. 

 

 
unnamed.jpg

Figure 14: Prisma-Cloud-analysis_PaloAltoNetworks

 

View PR Scan Results:

  • Errors found by the scan will be displayed as PR comments within the pull request.

 

unnamed.jpg
 

Figure 15: PR-comment_PaloAltoNetworks

 

  • Expand the PR comment to view details and remediation steps.

 

 
unnamed.jpg

Figure 16: How-to-fix_PaloAltoNetworks

 

  • If any findings or issues meet or exceed the defined threshold, the PR scan will fail. With branch protection rules enabled, the Prisma Cloud DevSecOps status check will fail, preventing the merge into the default branch. This serves as the first line of defense in a Shift-Left strategy, ensuring that security issues are identified and addressed before code is merged.

 

 
unnamed.jpg

Figure 17: First-line-of-defense_PaloAltoNetworks

 

View Results in Prisma Cloud Console:

  • In the Prisma Cloud Console, go to Projects > VCS Pull Requests tab to see a detailed view of the PR scan results.

  • Filters: Use filters to refine scan results based on specific criteria.

  • Findings: Findings are organized by resource. For each resource, the list of failed policies is displayed, providing a clear overview of any issues.

  • Resource Explorer: The Resource Explorer helps identify if a violation is linked as a dependency to other resources within the repository, aiding in comprehensive analysis and resolution.

 

 
unnamed.jpg

Figure 18: PR-scan-results_PaloAltoNetworks 

 

3. Continuous Security Validation: CI/CD with GitHub Actions

 

In the CI/CD pipeline powered by GitHub Actions, Prisma Cloud performs security scans at each stage of the automated build and deployment process. These scans help ensure that only secure code is deployed to production, following the shift-left philosophy of proactive security.

 

Key Actions:

  • Automated Security Validation: Every new code build triggered in GitHub Actions is automatically scanned for vulnerabilities, ensuring only secure code is deployed.

  • Preventing Vulnerable Code from Reaching Production: Prisma Cloud integrates into the CI/CD pipeline to enforce security policies that prevent insecure code from being deployed to production.

  • Pipeline Hardening: GitHub Actions configurations are hardened with security best practices, helping ensure that the pipeline itself remains secure from potential vulnerabilities or attacks.

 

By incorporating Prisma Cloud into the GitHub Actions workflow, security is continuously enforced, and vulnerabilities are caught early, preventing the deployment of insecure code.

 

Demonstration Workflow:

  • Resource: aws_instance.fic-org-broccoli.

  • Misconfiguration Detected: Same IMDSv1 vulnerability (not fixed in the PR).

  • Action: Prisma Cloud detects the issue during the CI/CD pipeline run. The deployment is blocked. 


Connect GitHub Actions:


 
unnamed.jpg

Figure 19: Job-config_PaloAltoNetworks+

 

 

Enable Enforcement Rules:

  • Configure Enforcement settings to block pipelines and PR merges based on severity levels.

  • By applying Enforcement rules, you ensure that your CI/CD pipeline is blocked, if critical issues are detected, while still allowing notifications for softer issues to ensure proactive security.

unnamed.jpg

Figure 20: Hard-Fail-Threshold_PaloAltoNetworks

 

Pipeline Blocking in GitHub Actions: Reinforcing the First Line of Defense in a Shift-Left Strategy

 

unnamed.jpg
Figure 21: GitHub-Actions-notifications_PaloAltoNetworks

 
unnamed.jpg

Figure 22: Pipeline-block_PaloAltoNetworks

 

View Results in Prisma Cloud Console:

  • In the Prisma Cloud Console, go to Projects > CI/CD Runs tab to see a detailed view of the PR scan results.

  • Filters: Use filters to refine scan results based on specific criteria.

  • Findings: Findings are organized by resource. For each resource, the list of failed policies is displayed, providing a clear overview of any issues.

  • Resource Explorer: The Resource Explorer helps identify if a violation is linked as a dependency to other resources within the repository, aiding in comprehensive analysis and resolution.

 

 
unnamed.jpg

Figure 23: Results-Link_PaloAltoNetworks 

 

 
unnamed.jpg

Figure 24: CI/CD-Runs_PaloAltoNetworks


4. Securing Code Post-Commit: Automated Fixes and Ongoing Monitoring with Prisma Cloud in the SDLC

 

Prisma Cloud automates security scans on the default branch of code repositories to detect vulnerabilities, misconfigurations, and compliance issues throughout the SDLC. With Auto Fix and automated Pull Request (PR) creation, Prisma Cloud streamlines the identification and resolution of security risks, reducing time and effort while ensuring code remains secure at every stage.

 

Demonstration Workflow:

  • Resources: aws_instance.fic-org-broccoli, aws_instance.fic-02-org-broccoli.

  • Misconfiguration Detected: Same  IMDSv1 enabled instead of IMDSv2 (Instance Metadata Service Version 2) (not fixed in the PR).

  • Action: Prisma Cloud opens a pull request to apply the required fixes (e.g., setting http_endpoint = "required") to the affected resources. This ensures that misconfigurations are remediated, even after code is already live.

 

Access Scan Results in Prisma Cloud Projects:

  • Suggested fix: Prisma Cloud will often provide an automated fix recommendation for common issues.

 

unnamed.jpg

Figure 25: Default-branch_PaloAltoNetworks

Auto Fix with Prisma Cloud:

  • In the Resource Explorer, once you select the issue, the Auto Fix suggestion will be displayed if available.

  • Click Fix to add the issue to your Fix Cart.

 

 
unnamed.jpg

Figure 26: Fix-available_PaloAltoNetworks

unnamed.jpg

Figure 27: Fix-cart_PaloAltoNetworks

 

Submit the PR:

  • In the Fix Cart, review all the issues you want to fix. 

  • Once you're ready, click Submit to generate the PR.

 

 
unnamed.jpg

Figure 28: Fix-PR-submission_PaloAltoNetworks

 

  • A confirmation message will appear, indicating that the PR has been successfully created.

  • Click on the link in the success message to navigate to your Github console to view and merge the PR.

 

 
unnamed.jpg

Figure 29: Fix-PR-successfully-opened_PaloAltoNetworks

 

Review and Merge the PR:

  • Once the PR is created, developers or security teams can review the changes, test them, and merge them into the main codebase. 

  • Prisma Cloud ensures that the proposed fixes are aligned with security policies and best practices, helping to maintain a secure codebase.

 

 
unnamed.jpg

Figure 30: Prisma-Cloud-fix-config_PaloAltoNetworks

 
unnamed.jpg

Figure 31: Fix-Pending_PaloAltoNetworks

 

Handling Issues Without Auto-Fix Recommendations

 

When Prisma Cloud doesn't provide an auto-fix recommendation, you have two options for remediation:

  • Manual Fix: You can resolve the issue manually by reviewing the detailed information in the Resource Explorer.

  • Suppress: If the issue is non-critical or acceptable in your environment, you can suppress it.

 

 
unnamed.jpg

Figure 32: Manual-Fix_PaloAltoNetworks

 

Conclusion: Strengthening Security in the SDLC with Prisma Cloud

 

By integrating Prisma Cloud into the SDLC, developers can proactively detect and address security risks early in the development process, without slowing down the pace of software delivery. The demonstration showed how Prisma Cloud works across multiple stages of the SDLC, from IDE integration in VS Code, through version control (PR/MR) )and CI/CD pipelines, to post-commit default branch scanning and automated fixes.

 

  • Early Detection: Prisma Cloud's IDE integration ensures that misconfigurations—such as insecure AWS EC2 settings—along with vulnerabilities, secrets, and other risks, are detected and addressed early in the development process.

  • Pre-commit Security Checks: GitHub PR/MR scanning ensures that insecure code doesn't make it into the main branch, preventing security issues from reaching production.

  • CI/CD Pipeline Integration: Continuous security validation in CI/CD pipelines ensures that security checks are part of the deployment process.

  • Post-commit Monitoring and Automated Fixes: Prisma Cloud offers automated fixes through pull requests, ensuring that misconfigurations/vulnerabilities are continuously addressed even after deployment.

 

In conclusion, leveraging Prisma Cloud's integration into the SDLC enables organizations to maintain high security standards while ensuring the agility required for fast-paced development environments. With Prisma Cloud, security becomes an integral part of the development process, helping developers catch risks early and create secure code without disrupting their workflow.

 

References


[1] IMDSv1 enabled instead of IMDSv2 (Instance Metadata Service Version 2)

[2] Prerequisites

[3] Access Key, Secret Key

[4] Prisma URL 

[5] Enforcement Rules

[6] PR/MR Scanning in GitHub

[7] Filters

[8] Findings

[9Resource Explorer

[10] Configure Job

 

About the Author

 

Raj Annaladasu is a senior cloud security engineer specializing in Prisma Cloud, Next-Generation Firewalls, AWS, Azure, GCP, containers, and Kubernetes. Raj utilizes a collaborative and consultative approach to break down complex cybersecurity problems into solutions for global enterprise customers, leveraging his multi-industry knowledge to inspire success.

 

 

Rate this article:
  • 225 Views
  • 0 comments
  • 0 Likes
Register or Sign-in
Contributors
Labels
Article Dashboard
Version history
Last Updated:
‎12-12-2024 12:21 PM
Updated by: