Protecting Your Delivery Pipeline: Extensive CI/CD Security with Prisma Cloud

Jul 27, 2023
5 minutes
15906 views

With the rise in attacks on continuous integration and continuous delivery (CI/CD) environments, it’s no surprise that the U.S. Government recently released guidance to help organizations understand their risks and defend their pipelines. CI/CD pipelines are critical to cloud-native software development and host highly sensitive data and credentials. But they often exist outside the purview of traditional AppSec teams.

To help AppSec practitioners secure their pipelines, we’re excited to announce CI/CD Security by Prisma Cloud.

With graph-based CI/CD security in the industry’s most comprehensive code-to-cloud cloud-native application protection platform (CNAPP), Prisma Cloud gives you:

  • Unmatched visibility into your engineering ecosystem
  • Protection from the OWASP Top 10 CI/CD Risks
  • Pipeline Posture Management
  • Attack Path Analysis via the Cloud Application Graph™

Let’s dive into the details.

Unmatched Visibility into the Engineering Ecosystem

As developers commit code to source control, most organizations have deployed various types of code scanners to detect misconfigurations in templates, vulnerabilities in open-source packages, exposed secrets and other issues. The best tools provide granular fix guidance directly for developers, but given the diversity of code and supporting scanners, AppSec teams are left with a fragmented view of risk spread across multiple siloed tools.

What’s more, most organizations lack visibility into developers contributing to trusted artifact registries, which technologies and frameworks are in use, and how to export a software bill of materials (SBOM) of the environment.

Prisma Cloud’s new Application Security dashboard unifies visibility across the engineering ecosystem. From a single pane, AppSec teams gain visibility across code repositories, contributors, technologies used and pipelines connected, along with specific code risks. By understanding which repositories and pipelines connect to production, teams can easily prioritize risk with full infrastructure context.

Figure 1: The Application Security dashboard provides a centralized view of your entire engineering ecosystem.

Defending Against the OWASP Top 10 CI/CD Risks

Attacks that seek to breach delivery pipelines are far too common, and up until recently no industry-recognized framework was available. To provide guidance on attack vectors and best practices to mitigate them, Prisma Cloud’s world-class AppSec researchers developed and published a formally recognized industry benchmark — the OWASP Top 10 CI/CD Security Risks project.

Organizations can benefit from the project at any stage in their CI/CD security journey. For example, it’s easy for teams to use the project’s guidance to help identify misconfigurations for version control systems (VCS) and CI/CD pipelines. Those misconfigurations could easily lead to code tampering, credential theft and ultimately a runtime breach.

Figure 2: The OWASP Top 10 CI/CD Security Risks

Pipeline Posture Management

To embrace DevSecOps, it’s essential to observe the posture of your delivery pipeline, ensure it’s protected against the Top 10 CI/CD risks and then report your findings to leadership. Prisma Cloud’s new dashboard provides continuous visibility across the critical pipeline issues with added context like system risks and both the number and frequency of events to accurately measure and alert on criticality.

Figure 3: Prisma Cloud provides continuous pipeline posture management against the OWASP Top 10 CI/CD Risks.

Attack Path Analysis via the Cloud Application Graph™

The power that graph databases bring to contextualizing security insights can’t be overstated. The ability to correlate multiple risk signals simultaneously to map an attacker's pathway to a breach is critical to delivering high fidelity alerts for AppSec teams. The Prisma Cloud Application Graph™ provides a dynamic visualization of your engineering ecosystem that allows you to better understand and analyze the environment and relationships between all artifacts from code to deployment.

By effectively modeling every asset, you can map attack paths. This is critical as you protect your delivery pipelines from today’s sophisticated attacks. For example, cross-platform misconfigurations like poisoned pipeline execution (PPE) are only discoverable with graph-based analysis, which is why Prisma Cloud’s CI/CD Security is built off of the world’s first Application Graph.

Figure 4: The Prisma Cloud Application Graph™ helps customers uncover breach paths.

CI/CD Security and AppSec: Looking to the Future

In this modern threat landscape, protecting the delivery pipeline is more important than ever. Going forward, security and risk leaders must prioritize hardening CI/CD systems and processes as they begin to rearchitect their AppSec programs to account for the evolving threat landscape.

Since its inception, Prisma Cloud has been at the forefront of delivering solutions for the most pressing cloud security challenges. With the industry’s only code-to-cloud CNAPP, customers can now protect their delivery pipeline with graph-based CI/CD security.

To watch a live demo of CI/CD Security by Prisma Cloud, visit us at booth #1332 at BlackHat USA 2023. We’ll also highlight our research with related talks at BSidesLV and DEFCON this year:

  • Actions Have Consequences: The Overlooked Security Risks in Third-Party GitHub Actions

Wednesday, August 9 at 2:30pm PDT, BSidesLV

  • The GitHub Actions Worm: Compromising GitHub Repositories Through the Actions Dependency Tree

Tuesday, August 8 at 5:00pm PDT, BSidesLV

Saturday, August 12 at 1:30pm PDT, DEFCON

And if you want to learn which attack vectors you should prioritize at the start of your CI/CD security journey, read this technical guide on the Top 10 CI/CD Security Risks.


Subscribe to Cloud Native Security Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.