Palo Alto Networks today rolled out an update to its software supply chain platform targeted at combating the surge in attacks such as the SolarWinds hack and those exploiting Log4j vulnerabilities. The Prisma Cloud Supply Chain Security product wraps several of the vendor’s existing security features, including code repository scanning, threat modeling visualization, and pipeline configuration analysis, into a single software supply chain security platform.

“We already provide code security, and cloud posture management, and workload protection, and network security and identity security,” Taylor Smith, senior product marketing manager at Palo Alto Networks Prisma Cloud, told SDxCentral. “What's missing and what we've added is more of the supply chain aspect and tying that all together.”

The vendor’s Unit 42 threat intelligence team recently conducted a red team exercise that found credentials for a continuous integration/continuous delivery (CI/CD) pipeline were overly permissive and had more admin privileges than they needed. “So this was really an exercise to show how simple it would be to compromise modern supply chains these days,” Smith said.

The Prisma Cloud Supply Chain Security platform is designed to address those software supply chain threats. Smith used Log4j flaws as an example.

When the platform identifies new vulnerabilities like Log4Shell, it will locate the flaws, notify the users, and surface critical ones to the top as high-priority alerts with remediation suggestions. For the more challenging ones that enterprises cannot patch, its visualization service will show the package location and the impact on resources and interconnected components to help calculate the “blast radius,” Smith said.

Prisma Cloud Further Integrates Bridgecrew, Twistlock Acquisitions

The new Prisma Cloud Supply Chain Security platform features code asset auto-discovery using existing cloud code security scanners, graph visualization to identify weaknesses across the attack surface, supply chain code remediation, code repository scanning, and extended policy checks, run via Checkov, that harden version control system (VCS) and pipeline configuration to help prevent code tampering attacks.
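As an added illustration of the pipeline-configuration policy checks described above, and of the over-privileged CI/CD credentials the Unit 42 exercise found, here is a small Python check written in the style of a Checkov policy. It is not Palo Alto Networks' or Checkov's code; the rule ids (PIPE_001 to PIPE_003), the sample GitHub Actions workflow and its placeholder commit SHA are all constructed for this example.

```python
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed GitHub Actions workflow (as it would look after YAML parsing);
# the action versions and the 40-hex SHA are placeholders, not real pins.
SAMPLE_WORKFLOW = {
    "jobs": {
        "build": {
            "permissions": "write-all",  # every GITHUB_TOKEN scope, read and write
            "steps": [
                {"uses": "actions/checkout@v3"},  # mutable tag, can be re-pointed
                {"uses": "actions/setup-node@0123456789abcdef0123456789abcdef01234567"},
                {"run": "npm ci && npm test"},
            ],
        },
        "lint": {"steps": [{"run": "npm run lint"}]},  # inherits the repo default
        "release": {
            "permissions": {"contents": "write"},  # explicit, least-privilege scope
            "steps": [{"uses": "./.github/actions/publish"}],
        },
    },
}

def ref_is_pinned(uses: str) -> bool:
    """True when a `uses:` reference is pinned to a full commit SHA.
    Local (./path) and docker:// references are treated as pinned here."""
    if uses.startswith(("./", "docker://")):
        return True
    if "@" not in uses:
        return False  # bare reference resolves to the action's default branch
    return bool(SHA_RE.match(uses.rsplit("@", 1)[1]))

def check_workflow(wf: dict) -> list:
    """Return (rule_id, location, message) findings for one parsed workflow."""
    findings = []
    for job_name, job in wf.get("jobs", {}).items():
        loc = f"jobs.{job_name}"
        perms = job.get("permissions", wf.get("permissions"))  # job block wins over top level
        if perms is None:
            findings.append(("PIPE_001", loc, "no permissions set; GITHUB_TOKEN uses the repository default"))
        elif perms == "write-all":
            findings.append(("PIPE_002", loc, "permissions: write-all grants every scope"))
        for i, step in enumerate(job.get("steps", [])):
            uses = step.get("uses")
            if uses and not ref_is_pinned(uses):
                findings.append(("PIPE_003", f"{loc}.steps[{i}]", f"{uses} not pinned to a commit SHA"))
    return findings
```

Run against the sample, the check flags the `build` job's blanket write scopes and its unpinned checkout action, and the `lint` job's reliance on the repository default, while the explicitly scoped `release` job passes.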

Some of the features are based on technologies developed by the Bridgecrew and Twistlock teams. Palo Alto Networks acquired DevOps security startup Bridgecrew for $156 million in cash last February, and paid $410 million to buy container security company Twistlock in 2019.

The Bridgecrew team amplified the open-source infrastructure-as-code scanner Checkov and then integrated it into Prisma Cloud after the acquisition, along with automated code-tampering remediation measures, according to Smith.

The team also built the visualization capabilities. And Bridgecrew “has been fully integrated now, so this visualization could be considered an in-house build out,” Smith explained. Additionally, the code repository scanning feature came from the Twistlock acquisition.

“Our idea is that each of those components needs their own security, but the idea of supply chain is to tie that all together and provide security for all of that,” Smith concluded. So, “you don't have to go to multiple different tools to get all of these different capabilities, you can get it all from Prisma Cloud.”