By integrating SCA with the Prisma Cloud platform, Palo Alto aims to let developers and security teams proactively prioritize known vulnerabilities that impact the application lifecycle. Prisma Cloud SCA promises detection and remediation of vulnerabilities in open-source software before applications reach production.
"Developers leveraging open-source software should be able to build applications with the confidence they aren't opening the organization up to risk," said Ankur Shah, senior vice president, Prisma Cloud, Palo Alto Networks. "With the average application consisting of 75% open source components, SCA on Prisma Cloud is key to protecting the organization from code to cloud and empowering developers to build with speed."
Palo Alto Networks is clearly not alone in trying to bridge the gap between security and development teams.
Melinda Marks, a senior analyst at the Enterprise Strategy Group, said this has become a hot area as security teams face challenges keeping up with cloud-native development. Marks said organizations face security incidents from a number of issues: misconfigurations, many of them access-related, and code vulnerabilities in their proprietary code or in open-source components.
Up to now, Marks said, security teams tended to add different tools to try to catch these issues, but if the alerts pile up and they can’t get to them, or they can’t tell which are the most important to address first, then the security issues leave them vulnerable to attack.
“So we see more and more vendors trying to provide the context needed to speed remediation to manage risk,” Marks said. “Palo Alto Networks has been strategically making acquisitions, integrating them into Prisma Cloud to help customers consolidate their tools, and the platform can give them the context to better prioritize needed actions to reduce risk.”
Marks said this cloud-native application protection platform (CNAPP) area has many players since it has cloud security posture management (CSPM) vendors tying in with developer tools to drive efficiency in remediation, and then the AppSec vendors also tying their solutions into what they are seeing in runtime. Marks said the vendors are trying to help developers take on some security responsibilities so they can efficiently test and fix their code — they can release their software without worrying that it has a serious security flaw — while giving security teams visibility and control to manage their risk.
Aqua just had an announcement Tuesday with similar code-to-runtime messaging, said Marks. Other players include Orca and Wiz, which use runtime context for faster remediation; Lacework, which acquired Soluble to tie its CSPM capabilities in with Soluble’s static security testing for IaC and other open source tools; and Checkmarx, Check Point, Contrast Security and Invicti, vendors more on the AppSec side that are helping customers pull in context for efficient remediation and helping security teams work better with developers.
Mike McGuire, senior security solutions manager at Synopsys Software Integrity Group, added that SCA technologies, and the ways they are leveraged in modern, cloud-native application development environments, have evolved dramatically over the past several years.
McGuire said embedding automated SCA checks within DevOps workflows via integrations with tools such as IDEs, SCMs, CI/CD tools, and container orchestration platforms lets organizations continuously assess the security posture of the apps within the context of the open source components, dependencies, and infrastructure used to build and deploy them.
“While these technologies are not novel or unique to a specific SCA provider, they are becoming increasingly important for organizations that want to embrace the benefits of open source and cloud-native technology without increasing their exposure to software security risk,” McGuire said.