New module addresses security challenges of modern engineering ecosystems with capabilities spanning visibility, control, risk management, and breach detection.

Palo Alto Networks has announced the addition of a new continuous integration/continuous delivery (CI/CD) security module to Prisma Cloud, its cloud native application protection platform (CNAPP). The module is the eleventh that the cybersecurity vendor has added to Prisma Cloud and is based on the integration of application security (AppSec) firm Cider Security, which it acquired in December 2022.

The new integration is designed to secure the CI/CD environment and protect against open-source vulnerabilities with software composition analysis, optimizing security and risk prevention throughout the software delivery pipeline, Palo Alto Networks said. Its capabilities span visibility, control, risk management, and breach detection, the vendor added.

The release comes in the wake of new guidance from the US Cybersecurity & Infrastructure Security Agency (CISA) and the National Security Agency (NSA) on the importance of securing the CI/CD pipeline. Meanwhile, more than a third (36.9%) of UK organizations believe inadequate software supply chain security is the biggest cloud native security risk to their business, according to a recent Aqua Security study. This indicates an increase of 18.6% compared with a similar survey from the previous year.

CI/CD environments attractive attack targets for malicious actors

CI/CD is a development process for building and testing code changes that helps organizations maintain a consistent code base for their applications while integrating code changes. CI/CD pipelines are often implemented in commercial cloud environments because of the cloud's role in IT modernization efforts, and organizations regularly leverage CI/CD-focused tools and services to streamline software development and manage the programmable infrastructure of their applications and clouds. CI/CD environments are therefore attractive targets for malicious cyber actors who seek to compromise information by introducing malicious code into CI/CD applications, gaining access to intellectual property or trade secrets through code theft, or causing denial of service effects against applications.

CI/CD security module enhances engineering ecosystem visibility, leverages OWASP risk intel

Prisma Cloud's new CI/CD security module introduces an AppSec dashboard that unifies visibility across the engineering ecosystem, Palo Alto wrote in a blog. The dashboard normalizes signals across code scanners to provide a centralized view of risk and a trending view to help monitor security performance across development teams, it added. "AppSec teams gain visibility across code repositories, contributors, technologies used, and pipelines connected along with specific code risks," according to the vendor.

The new offering also provides guidance on attack vectors and best practices to mitigate them via a formally recognized industry benchmark, the OWASP Top 10 CI/CD Risks project, Palo Alto said. "Organizations can benefit from the project at any stage in their CI/CD security journey. For example, it's easy for teams to use the project's guidance to help identify misconfigurations for version control systems (VCS) and CI/CD pipelines. Those misconfigurations could easily lead to code tampering, credential theft and ultimately a runtime breach."

Module enables graph visualizations to identify breach, attack pathways

The new module also enables dynamic graph visualizations of the engineering ecosystem to identify potential breach and attack pathways, something that is key to delivering high-fidelity alerts for AppSec teams, Palo Alto said. "This is critical as you protect your delivery pipelines from today's sophisticated attacks. For example, cross-platform misconfigurations like poisoned pipeline execution (PPE) are only discoverable with graph-based analysis, which is why Prisma Cloud's CI/CD Security is built off of the world's first application graph."

The only way to prevent insecure code from reaching production is to scan every code artifact and dependency, and to ensure the delivery pipeline is effectively protected, said Daniel Krivelevich, CTO of Application Security, Prisma Cloud at Palo Alto Networks. "Integrating Cider's technology with Prisma Cloud strengthens the platform's ability to help secure organizations' entire engineering ecosystem, ensuring only what is intended is pushed to production."

Software delivery process critical component of organizations' security postures

Safeguarding the integrity of the software delivery process is one of the most critical components of an organization's security posture, Jessica Cregg, information technology operations engineer at CybSafe, tells CSO. "Secure configuration can be a challenging task. CI/CD pipelines can quickly scale in terms of complexity. Once you start assigning wildcard permissions or admin access by default, it can be tough to walk back that policy, and that's before we even begin to look at improper segregation or secret leaks."

The additional problem with pipeline attacks is that teams can quickly learn to trust the automation they embed to the degree where they almost treat the entire operation like a black box, she adds. "It only takes a little while before you're not paying close enough attention to the dependencies you're referencing or how you handle credentials within the build and deployment process."

Misconfigurations have long been a leading cause of breaches, with the commonly referenced joke that "it all starts with one S3 bucket" being far too often close to the truth, Cregg says. "If an attacker manages to compromise your CI/CD pipeline, they can effectively inject malicious code into your application packaging. Depending on the point of entry, this could turn into a fully-fledged supply chain attack, or result in credential or secret compromise, as we've seen in recent years with the likes of GitHub and GoCD."