Palo Alto Networks: Driving a Secure DevOps Transformation

Since its inception in the IT industry, DevOps has changed the way developers and operating engineers think and work on their projects. In fact, the DevOps paradigm has completely transformed the application development process. This in a way is dramatically improving performance and delivering faster outcomes to meet the growing market demands. However, as the infrastructure evolves, security has become a new concern. Developers are now working to address it on a regular basis while some of the leading security professionals have had to look at options that can implement security mechanisms through the DevOps process. This is also with the vision to prevent and mitigate security threats as they emerge across the software development process. In its true sense DevSecOps is an inevitable progression of the way development teams think about protection of applications and ensuring their secure performance. From complex tools to resistance to change and incomplete knowledge, DevSecOps also has a variety of challenges that businesses face during the process.

This is where Palo Alto Networks—the global cybersecurity leader—steps into the game by continually delivering innovation to enable secure digital transformation—even as the pace of change is accelerating. In a nutshell, the company’s vision is a world where each day is safer and more secure than the one before. Everyday, Palo Alto Networks provides the visibility, trusted intelligence, automation and flexibility that help complex organizations advance securely. “By delivering a comprehensive portfolio and empowering a growing ecosystem of partners, we are at the forefront of protecting tens of thousands of organizations across clouds, networks, and mobile devices.”

An innovative DevSecOps offering from the company is Prisma Cloud, a solution that delivers automated security for cloud native infrastructure and applications, integrated with developer tools. As cloud native application development is fast-paced and complex, it can be a challenge for security teams to keep up. With Palo Alto Networks, DevOps practices present an opportunity to use automation to secure apps and infrastructure before deployment, alleviating that pressure. The solution acts as a single tool for securing IaC, container images and source code across all modern architectures cloud environments. The Prisma Cloud embeds comprehensive security across the software development cycle. The platform identifies vulnerabilities, misconfigurations and compliance violations in IaC templates, container images and git repositories. It offers IaC scanning backed by an open source community, and image analysis backed by years of container expertise and threat research. With centralized visibility and policy controls, engineering teams can secure their full stack without leaving their tools, while security teams can ensure that only secure code is deployed.

Infrastructure as Code Scanning

Infrastructure as code presents an opportunity to secure cloud infrastructure in code before it’s ever deployed to production. Prisma Cloud streamlines security throughout the software development lifecycle using automation and by embedding security into workflows in DevOps tooling for Terraform, CloudFormation, Kubernetes, Dockerfile, Serverless and ARM templates. The solution also comes with an automate cloud misconfiguration checks in code which performs automated checks for misconfigurations at every step of the software development lifecycle. Users can also leverage the power of open source and the community

Checkov with the open-source tool Bridgecrew built to power its build time scanning, is backed by an active community and has been downloaded millions of times. Bridgecrew comes with native integrations for IDEs, VCS, and CI/CD tooling to help developers secure code in their existing workflows. The tool automatically tracks dependencies for IaC resources as well as the most recent developer modifiers to improve collaboration in large teams. As a result, users can automate pull request comments for misconfigurations along with automated pull requests and commit fixes for identified misconfigurations.

Bridgecrew is built on the open-source project Checkov. Checkov is a policy-as-code tool with millions of downloads that checks for misconfigurations in IaC templates such as Terraform, CloudFormation, Kubernetes, Helm, ARM Templates and Serverless framework. Users can leverage hundreds of out-of-the-box policies and add custom rules. Bridgecrew augments Checkov with simplified user experience and enterprise features. Checkov checks IaC templates against hundreds of out of the box policies based on benchmarks, such as CIS, and community sourced checks. Checkov’s policies include graph-based checks that allow multiple levels of resource relationships for complex policies such as higher severity levels for internet facing resources. The solution is uniquely designed to be extensible, with the ability to add custom policies and tags, as well as CLIs designed to be added to continuous integration and other DevOps tools. Bridgecrew augments Checkov’s open-source capabilities with Bridgecrew for a history of scans, additional integrations, auto-fixes and more.

Integrated IaCwith Ease

Involving developers in remediation is the fastest way to get things fixed. Bridgecrew provides feedback directly in popular DevOps, including integrated development environments (IDE), continuous integration (CI) tools, and version control system (VCS). Additional aggregation and reporting are available in the Bridgecrew platform. Bridgecrew integrates with IDEs, CI tools and VCS to provide feedback and guardrails in the tools developers already use.

Native integrations with VCS creates code comments with each new pull request for identified misconfigurations to make finding and fixing misconfigurations easier. Bridgecrew includes a centralized view of all misconfigurations across scanned repositories, with filtering and searching to find code blocks and owners. Integrations with collaboration and ticketing tools can generate tickets and alerts to notify the right teams to add remediations to DevOps tasks.

The Prisma Effect

Prisma Cloud delivers a single, unified agent framework to secure Linux and Windows hosts, containers and Kubernetes, on-demand container platforms, and serverless functions.With 74% of the Fortune 100 as customers, 2,000+ enterprises across the globe trust Prisma Cloud with over 2.5 B cloud resources secured. An instance that highlight the company’s value proposition is when Prisma Cloud is used by Sabre, a travel technology leader, to foster a culture of secure innovation on Google Cloud. Sabre wanted to gain complete cloud visibility and centralize security management to confidently “shift left,” apply automation, and build a secure-by-design culture of innovation. Sabre selected Prisma Cloud by Palo Alto Networks to centralize cloud visibility and security management across diverse infrastructure in a single pane of glass. Prisma Cloud offers direct integration with compliance frameworks (e.g., GDPR, PCI, SOC 2) that Sabre can consistently review to maintain a compliant state. Based on these frameworks, the team can build policies inside Prisma Cloud to show where the company is noncompliant, and then follow simple instructions to fix any issues.

These security achievements elevated Sabre’s overall security posture and competitive edge by reducing the number of critical vulnerabilities that required team attention and resources to remediate, as well as increasing production velocity, delivering safe and secure products and services to market more quickly than ever before.

Fostering a Secure Culture

Cloud security requires a unified and integrated approach to deliver full stack, full lifecycle security. That’s why Palo Alto Networks has acquired and integrated the world’s leading startups into their Cloud Native Security Platform (CNSP).Today, the team is on a mission to build a more secure future for the world. With a set of innovations, acquisitions and investments Palo Alto Networks will continue protecting tens of thousands of organizations across cloud networks and mobile devices. With many niche vendors to choose from, what stands out about Prisma Cloud is the roadmap and the Palo Alto Networks vision to remediate critical vulnerabilities as well as delivering safe and secure products and services to market more quickly than ever before.