Today, I’m pleased to share the exciting news of our proposed acquisition of Bridgecrew, a developer-first cloud security company (see our press release). They are an amazing team with great technology and a pioneer in the emerging space of “shift left” cloud security. I’ll share a lot more on why this will be such a great fit, but first a little background to put it in context.
About two and a half years ago, we made an early bet on cloud security. We did so based on three fundamental principles:
- Cloud adoption would be the new normal. After leading the industry in our acquisitions of Evident and Redlock, we were well placed to serve customers as they began rapidly shifting workloads to the cloud and consuming more cloud-based applications and services.
- New technologies to support cloud native architectures such as containers and serverless would become mainstream. We were right again: Our acquisitions of Twistlock and PureSec and integrating them into our Prisma Cloud offering allowed us to meet customers' emerging needs of cloud workload protection.
- The future would be multi-cloud where Cloud Service Providers cannot be the sole provider of security, and a single pane of glass for multi-cloud security will be required. We were right for a third time: We’ve continued to evolve our Prisma Cloud portfolio through acquisition and organic product development to include identity-based microsegmentation, Data Security, and IAM Security.
This bet, the related combination of M&A and the proactive support of organic development have allowed us to build Prisma Cloud into the market-leading player of today: now servicing more than 1,800 customers, including 70% of the Fortune 100.
Today, we’re making another bet, this time on “shift left” security.
We believe that cloud security will need to integrate across the entire application lifecycle, and that the integration of build time and runtime security has to strengthen.
To give you an idea of the current challenges faced by customers as organizations embrace the cloud, the number of developers rapidly pushing code into the cloud outnumbers the security professionals tasked with monitoring these changes for security issues by 10 to 1. As security teams mature their runtime security practices, this puts back-pressure on the developers to fix issues found after deploying to production. The imbalance not only risks delays in application deployments, but also results in security missteps at the application development stage that may leave clouds exposed for attack and can be much more costly to fix when found after product release.
Developers and security teams alike are looking for a solution: Developers don’t want to figure out that security is not working at the late stage of the development cycle. And the CISO who is charged with protecting the entire organization certainly values the higher levels of security gained from fixing issues earlier in the development lifecycle.
Integrating cloud security across the application lifecycle will both improve security and speed up development, helping developers and DevOps teams to identify and correct security problems before code is pushed into production. This will also reduce the impact of security issues on end users and prevent the delay of application deployments.
Bridgecrew: An Early Pioneer of Security for Developers and DevOps
Enter Bridgecrew, who are at the forefront of the emerging space of Infrastructure as Code (IaC) security. They have had significant early traction with an open-source platform called Checkov that has had more than 1 million downloads in its first full year and is growing at an incredible pace.
To understand why there is so much early traction, let’s look at the challenges it addresses.
Historically, infrastructure, whether in the cloud or on-premises, was configured manually. IaC automates the provisioning of infrastructure, enabling organizations to develop, deploy and scale cloud applications with greater speed, less risk and reduced cost. Once an IaC template is created by a developer or a DevOps engineer, it’s typically used over and over again, and it's not uncommon that one template can be used hundreds or even thousands of times.
Why is this important? Any security mistakes made in that one template will be replicated across every deployment, and then for every deployment, all of those errors will be flagged by cloud security products. A single mistake can easily turn into thousands of alerts. And typically those alerts are eventually sent back to the developer to fix, since security teams don’t have the application insights or the permissions to do so. One mistake can result in thousands of alerts – and hours of lost developer productivity.
Bridgecrew, who pioneered a developer-first approach to secure IaC, have built a cloud security product for developer and DevOps teams that makes it really easy to identify and fix issues as early in the development process as possible – hence the term “shift left.” By fixing the issues at their source, the IaC template is secured before it is deployed to hundreds of workloads, resulting in a massive reduction in security alerts.
Bridgecrew’s product embeds security into every commit, pull request and build job. In doing so, it alerts the dev teams in realtime and in the tools they know and love so much. This is not only good for developer productivity – it also helps security teams to focus on critical runtime security threats. Both teams win in the end.
Expanding Our Cloud Native Security Platform With Prisma Cloud + Bridgecrew
There are so many exciting things we have in store as we look to enforce a consistent set of security policies from build time to runtime. This combination will enable more security controls to be embedded earlier in the development lifecycle, fewer compliance errors and faster time to remediation, and reduced friction between security and development teams.
Bridgecrew provides a very valuable set of capabilities that our customers are looking for, and most importantly, opens up an opportunity for us to further engage with the developer community which is so important to the future of cloud security.
Stay tuned for more information following the close of this acquisition.