In the wake of rising software supply chain attacks, Palo Alto Networks on Wednesday announced Prisma Cloud Supply Chain Security so development organizations can more easily trace the source of code misconfigurations and vulnerabilities and fix them before apps get released to the cloud.
“Every day new vulnerabilities are found in open source and other software components that have previously been integrated into the organization's software code,” said Ankur Shah, senior vice president of Prisma Cloud products at Palo Alto. “Without the proper tools, it’s very difficult for organizations to quickly spot where they have used the unpatched versions of these components.”
Melinda Marks, senior analyst at the Enterprise Strategy Group, explained that Palo Alto acquired Bridgecrew last year. Marks said Bridgecrew was focused on empowering developers with security tools, and that its infrastructure as code (IaC) testing tool, Checkov, has been effective and popular, along with the company’s resources and playbooks for helping software engineers test their code.
“We’ve been talking about the benefits of shift-left security for years now to help security scale with modern software development,” Marks said. “The developers are using a majority of open-source code from repositories and templates to release products more quickly. But it’s been difficult to help developers consistently use the right testing tools and processes, while giving security teams the visibility and control they need to scale the security tools and processes across rapidly growing development teams. By integrating Bridgecrew with Prisma Cloud, Palo Alto will help organizations shift the security testing left so the developers have a shorter feedback loop to finding and fixing coding issues so that misconfigurations are caught before software is deployed to the cloud.”
Frank Dickson, program vice president for security and trust at IDC, added that as applications moved from on-premises to the cloud and from monolithic to multi-service architectures, organizations lost visibility, allowing gaps to arise.
“A comprehensive view simply does not exist,” Dickson said. “Palo Alto’s approach is to provide a comprehensive view to provide a holistic view to identify vulnerabilities and misconfigurations. Visibility is the first step in the process for subsequent shift-left remediation.”