To secure open-source software, Palo Alto Networks expanded its cloud-native application protection platform (CNAPP) with capabilities such as context-aware software composition analysis (SCA) and a software bill of materials (SBOM). The vendor also outlines five key principles that it believes CNAPPs should have for code-to-cloud security.
Open-source software (OSS) is a critical component of cloud-native applications, but it can also contain known vulnerabilities, according to Unit 42's recent Cloud Threat Report.
Palo Alto Networks introduced code repository scanning earlier this year, and the launch of SCA is “the next foray into code security,” Ankur Shah, SVP and GM of Prisma Cloud at Palo Alto Networks, told SDxCentral. “With this SCA [and] code-to-cloud CNAPP, you can contextualize the open source vulnerability.”
“Software composition analysis is an idea of scanning the open source port for vulnerability,” he said, adding that what the vendor does differently from incumbents is contextualization: its “cloud SCA” is infrastructure-aware.
“We can say you have open source code here, we know which container registries that code deploy, [that is] number one, and number two: which running containers are the hosts that have that open source component running? So customers are able to use that context [to] prioritize [remediation],” Shah explained.
For vulnerabilities like Log4Shell, “you can prevent it, trace it back to the code, build phase, and then redeploy the whole thing. That's what this infrastructure-aware SCA or runtime-aware SCA allows us to do,” Shah said.
The service supports the standard code languages and all the package managers that are typically used by those popular languages.
SBOM Usage Gains Traction, but Still in the Early Phase
Palo Alto Networks also added SBOM capabilities to its CNAPP portfolio for maintaining and referencing a complete codebase inventory of every application component across multi-cloud environments.
Shah pointed out that in supply chain attacks such as the SolarWinds hack, victims need visibility into their software artifacts. But developers use various types of code toolkits, code repositories, and open source components.
Organizations need “a centralized visibility about all the code artifacts” that they have, he said. “Because you can't protect what you don't see.”
That’s why adopting an SBOM is important for cloud security. An SBOM is a list of all the components, libraries, and modules required to build a piece of software. It includes both closed and open source code, and it details the supply chain relationships between the components to enable software transparency and security analysis.
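As an added illustration of the two ideas above, the context-aware SCA prioritization Shah describes and the SBOM's component-plus-relationship inventory (this is example code written for this article, not Prisma Cloud's or the vendor's own): the script reads a constructed CycloneDX-style SBOM, matches its components against a constructed advisory feed with placeholder ids, and ranks findings by how many running containers and registry images actually carry the vulnerable component. All purls, image names, container ids and advisory ids are assumptions made up for the example.

```python
from collections import defaultdict

# Constructed CycloneDX-style SBOM (not from the article): a component list plus
# the dependency relationships between components. All purls are made up.
LOG4J, REQ = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "pkg:pypi/requests@2.25.0"
PAY, REPORT, TOOL = "pkg:generic/payments@1.3.0", "pkg:generic/report@0.9.0", "pkg:generic/tool@0.1.0"
SBOM = {
    "components": [{"purl": p} for p in (LOG4J, REQ, PAY, REPORT, TOOL)],
    "dependencies": [{"ref": PAY, "dependsOn": [LOG4J]}, {"ref": REPORT, "dependsOn": [LOG4J]},
                     {"ref": TOOL, "dependsOn": [REQ]}],
}
# Constructed advisory feed: purl -> [(placeholder advisory id, CVSS score)].
VULNS = {LOG4J: [("VULN-0001", 10.0)], REQ: [("VULN-0002", 7.5)],
         "pkg:npm/leftpad@1.0.0": [("VULN-0003", 5.0)]}  # not in the SBOM: must be ignored
# Constructed infrastructure context: the image each application is built into, and
# the container ids currently running from each image ("tool" is never deployed).
IMAGE_OF = {PAY: "reg.example/payments:1.3.0", REPORT: "reg.example/report:0.9.0"}
RUNNING = {"reg.example/payments:1.3.0": ["c-101", "c-102"], "reg.example/report:0.9.0": []}

def consumers(sbom, purl):
    """Every component that depends on `purl`, directly or transitively."""
    rev = defaultdict(set)
    for d in sbom["dependencies"]:
        for dep in d.get("dependsOn", []):
            rev[dep].add(d["ref"])
    seen, stack = set(), [purl]
    while stack:
        for parent in rev.get(stack.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen

def prioritize(sbom, vulns, image_of, running):
    """Rank advisories by live exposure (running containers, then registry images), then CVSS."""
    inventory = {c["purl"] for c in sbom["components"]}
    findings = []
    for purl, advisories in vulns.items():
        if purl not in inventory:
            continue  # not shipped anywhere in this codebase: nothing to remediate
        images = {image_of[c] for c in consumers(sbom, purl) if c in image_of}
        live = sum(len(running.get(img, [])) for img in images)
        tier = "running" if live else "registry" if images else "not deployed"
        for vid, score in advisories:
            findings.append({"purl": purl, "id": vid, "cvss": score, "images": sorted(images),
                             "running": live, "tier": tier})
    return sorted(findings, key=lambda f: (-f["running"], -len(f["images"]), -f["cvss"]))
```

With the constructed data the logging library lands first because two containers are running it, while the HTTP client advisory is real but ranks as "not deployed", and the advisory for a package absent from the SBOM is dropped entirely.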
Shah noted more customers are asking about SBOM, but “we're still in the early days… let's wait for another six months to a year before customers can say: Hey, these are the things that we have.”
The Biden administration last week issued a memo pushing for the use of SBOMs. It shone a bright light on why SBOMs are important, but security teams are adopting them mostly for security rather than compliance, Shah argues. “They want that because they want to understand which artifacts in the SBOM to go after and fix first.”
Palo Alto Networks Lists Five Key Principles for Complete CNAPPs
The code repository scanning, context-aware SCA, and SBOM capabilities are all on the code side of Palo Alto Networks’ CNAPP approach.
The vendor aims to build a single code-to-cloud security platform, allowing customers not to have to use point products, Shah said.
“Over the last three years, we have built out this vision where we have a consolidated view spanning your posture management, worker protection, identity security, data security, network security, all the things that your application leverages. In the cloud, we provide centralized visibility, security guardrails, detection, remediation,” he added.
The vendor claims a complete CNAPP should provide comprehensive code-to-cloud application protection across the development lifecycle, including code, build, deploy, and run; continuous, real-time visibility to help prevent misconfigurations, vulnerabilities, and threats; a prevention-first mindset to defend against zero-day vulnerabilities and drive down mean time; support for a breadth of cloud service providers, CI/CD pipelines, workload architectures, and code repositories in a unified platform; and consistent security as cloud environments scale.