Palo Alto Networks has extended the reach of its cloud-native application protection platform (CNAPP) to include the ability to secure continuous integration/continuous delivery (CI/CD) platforms.
Daniel Krivelevich, CTO for application security for Prisma Cloud at Palo Alto Networks, said the extension would make it easier to secure software supply chains as application development teams continuously update software builds.
Previously, Palo Alto Networks provided the ability to secure runtimes and secrets and to scan code for vulnerabilities while it is being developed. The latest extension adds the ability to secure the CI/CD platforms that drive DevOps workflows, he noted.
While more organizations than ever are shifting application security responsibility left toward developers, many of them overlook the need to secure the CI/CD platform itself. A CI/CD system typically holds deployment credentials and signing keys and has write access to build artifacts, so an attacker who controls it can change what ships without ever touching the source repository, and scanning the code alone will not catch that. Most developers are not cybersecurity experts, so the chances that they will miss something that finds its way into a software build remain high. Extending the reach of Prisma Cloud to the CI/CD platform is meant to reduce the chance that the build which becomes the production artifact carries vulnerabilities or unauthorized changes introduced through the pipeline.
That matters because cybercriminals are becoming more adept at injecting malware into software supply chains in the hope of eventually compromising multiple downstream applications. The issue has also prompted governments around the world to hold more organizations legally responsible for the security of the applications they build and deploy.
There are, of course, multiple approaches to securing software supply chains, but Palo Alto Networks is making a case for an integrated platform that covers the entire IT environment. Rather than integrating multiple point products, a CNAPP ultimately reduces the total cost of cybersecurity on an end-to-end basis, Krivelevich noted.
It’s not clear how quickly organizations are transitioning to CNAPPs, but as that transition occurs, the overall state of application security should improve. One of the issues that has historically plagued application security is that no one in an organization has been specifically tasked with ensuring it. Application development teams assumed cybersecurity professionals were funding it. Cybersecurity teams, however, tended to focus on areas they directly controlled, such as network firewalls. A CNAPP puts the controls for code, pipelines, secrets and runtimes in one place, which makes it simpler to assign that responsibility and to extend the same framework as new stages are added.
Of course, there is still much work to be done on prioritizing vulnerability remediation. Developers only have so much time to spend on patches, so the focus needs to be on the vulnerabilities that would do the most damage if exploited, and that depends on more than a severity score: whether the vulnerable code path is actually reachable, whether the workload is exposed to the internet, and what credentials it runs with. At the very least, a CNAPP should make it easier to share the context needed to make that call.
One way or another, the number of vulnerabilities finding their way into production environments should steadily decline as more attention is paid to securing software supply chains.