Protecting Your Delivery Pipeline: Extensive CI/CD Security with Prisma Cloud

With the rise in attacks on continuous integration and continuous delivery (CI/CD) environments, it’s no surprise that the U.S. Government recently released guidance to help organizations understand their risks and defend their pipelines. CI/CD pipelines are critical to cloud-native software development and host highly sensitive data and credentials. But they often exist outside the purview of traditional AppSec teams.

To help AppSec practitioners secure their pipelines, we’re excited to announce CI/CD Security by Prisma Cloud.

With graph-based CI/CD security in the industry’s most comprehensive code-to-cloud cloud-native application protection platform (CNAPP), Prisma Cloud gives you:

  • Unmatched visibility into your engineering ecosystem
  • Protection from the OWASP Top 10 CI/CD Risks
  • Pipeline Posture Management
  • Attack Path Analysis via the Cloud Application Graph™

Let’s dive into the details.

Unmatched Visibility into the Engineering Ecosystem

As developers commit code to source control, most organizations have deployed various types of code scanners to detect misconfigurations in templates, vulnerabilities in open-source packages, exposed secrets and other issues. The best tools provide granular fix guidance directly for developers, but given the diversity of code and supporting scanners, AppSec teams are left with a fragmented view of risk spread across multiple siloed tools.

What’s more, most organizations lack visibility into developers contributing to trusted artifact registries, which technologies and frameworks are in use, and how to export a software bill of materials (SBOM) of the environment.

Prisma Cloud’s new Application Security dashboard unifies visibility across the engineering ecosystem. From a single pane, AppSec teams gain visibility across code repositories, contributors, technologies used and pipelines connected, along with specific code risks. By understanding which repositories and pipelines connect to production, teams can easily prioritize risk with full infrastructure context.

Figure 1: The Application Security dashboard provides a centralized view of your entire engineering ecosystem.

Defending Against the OWASP Top 10 CI/CD Risks

Attacks that seek to breach delivery pipelines are far too common, and up until recently no industry-recognized framework was available. To provide guidance on attack vectors and best practices to mitigate them, Prisma Cloud’s world-class AppSec researchers developed and published a formally recognized industry benchmark — the OWASP Top 10 CI/CD Security Risks project.

Organizations can benefit from the project at any stage in their CI/CD security journey. For example, it’s easy for teams to use the project’s guidance to help identify misconfigurations for version control systems (VCS) and CI/CD pipelines. Those misconfigurations could easily lead to code tampering, credential theft and ultimately a runtime breach.

Figure 2: The OWASP Top 10 CI/CD Security Risks

Pipeline Posture Management

To embrace DevSecOps, it’s essential to observe the posture of your delivery pipeline, ensure it’s protected against the Top 10 CI/CD risks and then report your findings to leadership. Prisma Cloud’s new dashboard provides continuous visibility into critical pipeline issues, with added context such as system-level risks and the number and frequency of events, so that criticality can be measured and alerted on accurately.

Figure 3: Prisma Cloud provides continuous pipeline posture management against the OWASP Top 10 CI/CD Risks.

Attack Path Analysis via the Cloud Application Graph™

The power that graph databases bring to contextualizing security insights can’t be overstated. The ability to correlate multiple risk signals simultaneously and map an attacker's pathway to a breach is critical to delivering high-fidelity alerts for AppSec teams. The Prisma Cloud Application Graph™ provides a dynamic visualization of your engineering ecosystem that lets you understand and analyze the environment and the relationships between all artifacts, from code to deployment.

By effectively modeling every asset, you can map attack paths. This is critical as you protect your delivery pipelines from today’s sophisticated attacks. For example, cross-platform misconfigurations like poisoned pipeline execution (PPE) are only discoverable with graph-based analysis, which is why Prisma Cloud’s CI/CD Security is built on the world’s first Application Graph.
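The following is an added illustration of the graph idea described above; it is not Prisma Cloud code, and every node name and risk signal in it is constructed. It models repositories, pipelines, registries and production targets as a directed graph and reports only those code-to-production paths on which two PPE preconditions coincide: untrusted contributors can trigger the pipeline, and that pipeline exposes credentials to the triggered build.

```python
# Added illustration (not Prisma Cloud code): a minimal engineering-ecosystem
# graph whose nodes carry risk signals; attack paths are found by walking edges
# from a repository to a production target and checking the combined signals.
from collections import deque

# Constructed sample graph. Node -> (type, set of risk signals).
NODES = {
    "repo/web":        ("repository", {"external_prs_run_ci"}),
    "pipeline/web-ci": ("pipeline", {"secrets_in_pr_builds"}),   # PPE precondition
    "registry/web":    ("registry", set()),
    "prod/web":        ("production", set()),
    "repo/docs":       ("repository", {"external_prs_run_ci"}),
    "pipeline/docs":   ("pipeline", set()),                      # no secrets exposed
    "site/docs":       ("production", set()),
}
# Directed edges: repo triggers pipeline, pipeline pushes artifact, artifact deploys.
EDGES = {
    "repo/web": ["pipeline/web-ci"],
    "pipeline/web-ci": ["registry/web"],
    "registry/web": ["prod/web"],
    "repo/docs": ["pipeline/docs"],
    "pipeline/docs": ["site/docs"],
}

# A poisoned pipeline execution (PPE) path needs both signals on one path:
# an untrusted contributor can trigger the pipeline AND that pipeline exposes
# credentials to the triggered build. Either signal alone is not an attack path,
# which is why a per-tool, per-node view misses it and a graph walk finds it.
REQUIRED = {"external_prs_run_ci", "secrets_in_pr_builds"}

def attack_paths(nodes=NODES, edges=EDGES, required=REQUIRED):
    """Return every repository -> ... -> production path whose union of node
    signals covers all required signals, as a list of node-name lists."""
    found = []
    starts = [n for n, (kind, _) in nodes.items() if kind == "repository"]
    for start in starts:
        queue = deque([[start]])
        while queue:
            path = queue.popleft()
            last = path[-1]
            if nodes[last][0] == "production":
                signals = set().union(*(nodes[n][1] for n in path))
                if required <= signals:
                    found.append(path)
                continue
            for nxt in edges.get(last, []):
                if nxt not in path:          # guard against cycles
                    queue.append(path + [nxt])
    return found

if __name__ == "__main__":
    for p in attack_paths():
        print(" -> ".join(p))
```

Only the web path is reported: the docs repository shares the untrusted-trigger signal but its pipeline exposes no credentials, so the combination that defines a PPE path never materializes.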

Figure 4: The Prisma Cloud Application Graph™ helps customers uncover breach paths.

CI/CD Security and AppSec: Looking to the Future

In this modern threat landscape, protecting the delivery pipeline is more important than ever. Going forward, security and risk leaders must prioritize hardening CI/CD systems and processes as they begin to rearchitect their AppSec programs to account for the evolving threat landscape.

Since its inception, Prisma Cloud has been at the forefront of delivering solutions for the most pressing cloud security challenges. With the industry’s only code-to-cloud CNAPP, customers can now protect their delivery pipeline with graph-based CI/CD security.

To watch a live demo of CI/CD Security by Prisma Cloud, visit us at booth #1332 at BlackHat USA 2023. We’ll also highlight our research with related talks at BSidesLV and DEFCON this year:

  • Actions Have Consequences: The Overlooked Security Risks in Third-Party GitHub Actions
    Wednesday, August 9 at 2:30pm PDT, BSidesLV
  • The GitHub Actions Worm: Compromising GitHub Repositories Through the Actions Dependency Tree
    Tuesday, August 8 at 5:00pm PDT, BSidesLV
    Saturday, August 12 at 1:30pm PDT, DEFCON

And if you want to learn which attack vectors you should prioritize at the start of your CI/CD security journey, read this technical guide on the Top 10 CI/CD Security Risks.