Palo Alto Networks adds software supply chain attack protections to its cloud platform

Palo Alto Networks Inc. today introduced what it says is the industry’s first runtime context-aware software composition analysis system that helps developers identify open-source software components that are safe to use.

The SCA functions will be integrated with Prisma Cloud, the company’s cloud-native application protection platform.

Software supply chain attacks, in which bad actors exploit known security vulnerabilities in third-party components to infiltrate systems and spread malicious payloads, are a growing problem that affected 62% of organizations last year, according to a survey conducted by Anchore Inc. Most detection systems are standalone products that spot risks too late in the application development process and only look for vulnerabilities in direct dependencies, not in the transitive dependencies those packages pull in, Palo Alto Networks said.

That can create backlogs of vulnerabilities that increase risk and drive up remediation costs. Prisma Cloud SCA enables developers and security teams to find known vulnerabilities during the application development lifecycle and set remediation priorities based on software components that are in use.

Prisma Cloud SCA scans open-source packages and their dependency trees for risks such as vulnerabilities and license compliance issues, said Ankur Shah, senior vice president of Prisma Cloud, in a response to emailed questions. For example, it can detect the Log4Shell remote code execution vulnerability (CVE-2021-44228) in the Log4j Java library, even when Log4j is pulled in indirectly by another dependency, and block any builds that contain it.
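To make concrete what "scanning the dependency tree" rather than only direct dependencies means, here is a small worked example written for this article. It is not Prisma Cloud code and does not reflect how that product works internally. The application, the `com.example` packages, the license policy and the tree shape are all constructed; the one real entry in the advisory table is CVE-2021-44228 in `org.apache.logging.log4j:log4j-core`, with its affected range simplified to "2.0-beta9 up to but not including 2.15.0" (the 2.3.1 and 2.12.2 backport fixes are ignored). The scan walks the resolved tree, records the chain of packages that pulled each node in, matches versions against the advisory range, applies the license deny-list, and returns a build-blocking decision.

```python
"""Added example: a minimal SCA check over a resolved dependency tree.

Illustration code for this article, not Prisma Cloud's scanner. All
package names under com.example, the tree, and the license policy are
constructed; only the CVE-2021-44228 advisory is real (range simplified).
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Dep:
    """One node of a resolved dependency tree, Maven-style coordinates."""
    group: str
    artifact: str
    version: str
    license: str
    children: List["Dep"] = field(default_factory=list)

    @property
    def coord(self) -> str:
        return f"{self.group}:{self.artifact}"


@dataclass
class Advisory:
    id: str
    coord: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive)
    severity: str


def parse_version(v: str) -> Tuple:
    """Map '2.14.1' or '2.0-beta9' to a tuple that sorts correctly.

    A plain release sorts after any pre-release qualifier with the same
    numeric part, so '2.0-beta9' < '2.0' < '2.0.1'.
    """
    main, _, qualifier = v.partition("-")
    nums = tuple(int(p) for p in main.split("."))
    nums += (0,) * (3 - len(nums))
    return nums + ((1, "") if not qualifier else (0, qualifier))


def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def walk(dep: Dep, path: Tuple[str, ...] = ()):
    """Yield every node together with the chain that pulled it in."""
    here = path + (f"{dep.coord}@{dep.version}",)
    yield dep, here
    for child in dep.children:
        yield from walk(child, here)


def find_vulnerabilities(root: Dep, advisories: List[Advisory]):
    """(advisory id, severity, path) for every affected node, direct or
    transitive. The path tells the developer which direct dependency to
    upgrade or exclude, which is the actionable part of the finding."""
    return [(adv.id, adv.severity, path)
            for dep, path in walk(root)
            for adv in advisories
            if adv.coord == dep.coord and is_affected(dep.version, adv)]


def find_license_violations(root: Dep, denied):
    return [(dep.coord, dep.license, path)
            for dep, path in walk(root) if dep.license in denied]


SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def should_block_build(vulns, license_hits, min_severity="high") -> bool:
    threshold = SEVERITY_RANK[min_severity]
    if any(SEVERITY_RANK[sev] >= threshold for _, sev, _ in vulns):
        return True
    return bool(license_hits)


ADVISORIES = [
    # Real advisory (Log4Shell); range simplified, backport branches ignored.
    Advisory("CVE-2021-44228", "org.apache.logging.log4j:log4j-core",
             introduced="2.0-beta9", fixed="2.15.0", severity="critical"),
]

# Hypothetical policy: network-copyleft licenses are not allowed in this app.
DENIED_LICENSES = {"AGPL-3.0-only"}

# Constructed tree. log4j-core is NOT a direct dependency of the app, so a
# direct-dependencies-only scan would report this build as clean.
LOG4J_CORE = Dep("org.apache.logging.log4j", "log4j-core", "2.14.1", "Apache-2.0")
LOG4J_API = Dep("org.apache.logging.log4j", "log4j-api", "2.14.1", "Apache-2.0")
REPORTING = Dep("com.example", "reporting-lib", "3.2.0", "Apache-2.0",
                children=[LOG4J_API, LOG4J_CORE])
CHARTS = Dep("com.example", "fancy-charts", "1.4.0", "AGPL-3.0-only")
APP = Dep("com.example", "my-app", "1.0.0", "Proprietary",
          children=[REPORTING, CHARTS])


def scan(root: Dep = APP):
    vulns = find_vulnerabilities(root, ADVISORIES)
    licenses = find_license_violations(root, DENIED_LICENSES)
    return vulns, licenses, should_block_build(vulns, licenses)


if __name__ == "__main__":
    vulns, licenses, block = scan()
    for adv_id, sev, path in vulns:
        print(f"{adv_id} [{sev}] via " + " -> ".join(path))
    for coord, lic, path in licenses:
        print(f"denied license {lic} on {coord} via " + " -> ".join(path))
    print("BLOCK BUILD" if block else "build may proceed")
```

Running it reports the Log4j finding with the full chain `my-app -> reporting-lib -> log4j-core`, the AGPL package, and a blocked build. In a real pipeline the advisory table would come from a maintained database and the tree from the build tool's lockfile or resolver output; the version-range logic shown here is the part that most often goes wrong in home-grown scanners, which is why pre-release qualifiers are handled explicitly.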

The enhanced suite covers the full range of cloud-native protection capabilities, including protection at every stage of the development lifecycle, real-time and contextual analysis of cloud environments, protection against zero-day attacks and support for a broad range of cloud service providers, development pipelines and integrated development environments.

Beyond vulnerabilities

The vulnerability database is built from trusted sources, including Palo Alto Networks’ own Unit 42 research arm, with findings correlated between them. In addition to scanning for vulnerabilities, the software looks for open-source packages with overly restrictive licenses and combines SCA findings with infrastructure-as-code analysis to spot vulnerabilities embedded in container dependencies, Shah said. “The most accurate database is chosen for a given configuration to improve accuracy,” he said. “Additionally, our threat research team is constantly monitoring our findings for false positives and missing vulnerabilities to improve and iterate on our findings.”

There are multiple ways to integrate the scanner into the development process, Shah said. There is a command line interface that can be used to scan repositories locally, and plugins are available for integrated development environments. “For version control systems, we offer application integrations that can scan repositories continuously and as pull requests are opened by developers,” he said.

Prisma Cloud is also being enhanced with software bill of materials capabilities to enable developers to maintain and reference a complete codebase inventory of every application component used across cloud environments, the company said.

Other new capabilities being added in this release include a dashboard for at-a-glance determination of highest priority risks and incidents across cloud assets to help prioritize remediation, unified misconfiguration and vulnerability data from across the platform for use in determining the contextual risk of cloud assets, and fine-grained and consistent management of least-privilege access to Prisma Cloud features for different user profiles.
