Shift-Left with Prisma Cloud

One company’s road to proactive cloud security

Code is Everywhere

From the applications you use to the financial decisions you make, code is the foundation of both business and cloud security.  

The rapid pace of development, and increasingly sophisticated attacks on developer tools, source code, cloud-delivered pipelines, and deployed assets and applications, demand a new way of thinking about securing code.
One thing is certain: security shouldn’t be an afterthought. It should be an integral part of the development process from start to finish, and a linear, “assembly line” approach to the development lifecycle that bolts security on after code is written and deployed to production doesn’t cut it.
That is why so many organizations have shifted security controls “left” on the development timeline and now extend security through every workflow their dev teams use, not just runtime protection.

Embedding security across the entire development lifecycle

How to Truly Shift-Left

For too many teams, “shift-left security” means nothing more than pointing their runtime security tools at the build phase of the pipeline.

To properly defend this “everything is code” world, organizations must pull security left of build and deployment: policy as code, compliance as code, infrastructure-as-code (IaC) scanning, and secrets management, all driven by automation.

In modern cloud environments, scanning alone delivers only a fraction of the code-to-cloud security coverage that intervention at the code level provides.

Meet Acme Financial–Our Totally Fictional Company 

Let’s look at how one organization solved its pipeline security challenges by using Prisma® Cloud to extend visibility and control across the full application lifecycle and adopt a true shift-left security model.

Acme Financial is a financial services company created just for the purposes of this story. As we’ll see, Acme hit more than a few speed bumps on its road to becoming a cloud-centric organization, but adopting Prisma Cloud allowed it to commit fully to a shift-left cloud security model.

Acme isn’t made up from nothing, though: it is modeled on the hypothetical composite organization featured in Forrester’s The Total Economic Impact™ Of Palo Alto Networks Prisma Cloud.[2] In that report, Forrester analyzed the major organizational and role-based impacts that adopting Prisma Cloud would have for a company like Acme.

Acme Dev Team: A Lot on Their Plate

The Acme Financial development team was responsible for writing the code for business-critical apps and for every step of the development process, from coding to compilation to testing and patching. That’s a lot of responsibility and influence for a single department.
Like many organizations, Acme had seen its pace of development accelerate: the CI/CD pipeline ran faster than ever and faced constant top-down business pressure to deliver faster still. The trend is industry-wide; the frequency of new code deployments increased 68% in 2023.[1]

Acme Security: Always on the Back Foot

Acme’s security teams struggled to keep up with the pace and agility of these new development cycles without throttling production and innovation. Outnumbered 20:1 by Acme developers, SecOps was in firefighting mode, reacting to runtime risks rather than proactively managing vulnerabilities throughout the CI/CD pipeline. Vulnerabilities and misconfigurations that weren’t caught early also meant far more work for SecOps in production: one mistake early on could become hundreds of alerts later.
Acme’s time-crunched developers would merge and deploy, only to discover afterwards that they had shipped packages with known vulnerabilities into the runtime environment.

Acme’s New App: Anvil

Acme Financial’s development and security paradigm worked well enough—until it didn’t.
The senior leadership team wanted a sophisticated portfolio application for Acme’s business customers. Code-named “Anvil,” the ambitious new app would include advanced features supported by extensive APIs to connect it to other Acme systems and ultimately, to the public internet.
Not incidentally, this app would serve as a flagship digital initiative for Acme’s investors, so it had to launch by Q4, in time for the big annual earnings call. The dev team had just six months to get a working version of the business investment portfolio app to market.
Both DevOps and security architects pointed out the risks in rushing an innovative new app to market without ensuring comprehensive security measures. To save time, the team leveraged some code from a similar consumer-level app that Acme had developed previously, despite the CISO’s reservations about potential vulnerabilities within the code.

Disconnected Tools = Lack of Visibility

The dev team crunched for months, working heroically to get Anvil into production despite constant pivots and new features being added.
All the while, the security team was flagging their lack of visibility into production code and the risk of exposing vulnerable code and secrets to public view.
Like many companies, Acme relied on about a dozen disconnected traditional security tools for its cloud security needs. With this patchwork of tools, achieving end-to-end visibility and applying security controls to every stage of the CI/CD pipeline was beyond the organization’s reach. Acme security teams had no insight into the potential attack paths caused by vulnerabilities or misconfigurations.

“More tools don’t mean more security.”

– Acme Cloud Security Architect

Zero Day

Because of this lack of visibility, the build quality gate never caught the code vulnerabilities. When the Anvil app went live, developers and cloud engineers inadvertently pushed vulnerable code and secrets into production.

A misconfiguration in a Kubernetes YAML manifest left a database exposed to the public internet, and within days attackers had breached it and accessed a treasure trove of sensitive data belonging to Acme Financial’s business clients.

The application itself also contained a SQL injection flaw, which the attackers used to pull additional data from internal databases holding sensitive information about Acme employees.

When the Acme team discovered these vulnerabilities, it was difficult to know the escalation path to follow, who to engage with, and what was needed to resolve the incident.

Fallout from Zero Day

Acme’s security team was ill-prepared to respond to the incident, which left it unable to contain and resolve the breach quickly. It took three weeks to fully contain the breach and repair the damage caused by the rushed rollout of the Anvil app.

By the time they finally addressed the vulnerabilities, the financial and reputational harm was done. The next-gen app that leadership intended to lift Acme stock prices had instead weighed the company down. 

To its credit, Acme conducted a thorough postmortem of “the Anvil incident” and took a hard look at what went wrong. The company evaluated how to fix the core issues so that Acme Financial could continue to innovate, but without compromising its security—or customers’ data. 

Partnering with Prisma Cloud

Acme learned from its mistakes with Anvil and wanted to ensure the company would never repeat that painful experience.

After some changes in Acme’s senior leadership team, the company realized it needed to rethink how it secured the software development lifecycle. After months of debriefs, roundtables, and extensive research, Acme redefined its requirements for an end-to-end solution to secure the entire application development lifecycle. After a couple of extensive proofs of value with products on the market, it selected Prisma Cloud as its cloud-native application protection platform (CNAPP).

Integrating Prisma Cloud is more than adopting another tool set; it changes how developers and security pros work together. Acme teams now spend about 10% more time up front, during the build and development phase, addressing code vulnerabilities, but that pays off down the road in time, expense, stress, and risk. By finding and preventing code issues early, Acme reduced the time it previously spent on vulnerabilities by 60%.[2]

Integrated Security Across the Entire Software Development Lifecycle

Working in increasingly automated cloud-native environments means Acme Financial’s security teams need to set and enforce quality gates in the pipeline to avoid disastrous code vulnerabilities like the ones they faced in the Anvil project.

With Prisma Cloud, Acme’s security pros can now fail a build on vulnerability or compliance findings, preventing insecure software from progressing further down the pipeline. They can scan any container registry or serverless repository and enforce trusted code sources, so that host operating systems, container images, and serverless functions are checked for known vulnerabilities before they are deployed.

If the defined security requirements aren’t met, Prisma Cloud lets them stop the deployment and kick it back to the dev team, so code issues never reach a live environment.

  • IaC Security
  • Secrets Security
  • Software Composition Analysis
  • CI/CD Security
  • CSPM
  • CIEM
  • Agentless Workload Scanning
  • API Visibility
  • Cloud Data Security
  • Cloud Discovery & Exposure Mgmt
  • Threat Detection
  • Host Security
  • Container Security
  • Serverless Security
  • Web Application & API Security
  • Seamless Integration of Security Tools for Developers

Acme learned from bitter experience that by the time a vulnerability reached the runtime environment, it was already a problem that consumed valuable resources.

Prisma Cloud has empowered Acme’s dev and security teams to adopt a proactive, code-to-cloud risk management stance in which security is built into every project from the start.

Prisma Cloud helps developers fix problems in their code before that code reaches the cloud. Acme developers can now spot problems in infrastructure-as-code templates, such as a misconfigured Kubernetes manifest, before they are deployed.

Once Acme has analyzed, identified, and remediated a given vulnerability, Prisma Cloud automatically enforces the corresponding policy on every new asset. Acme can track assets on their journey through the development process and make sure that vulnerability doesn’t recur.
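As an added illustration of the build quality gate and the IaC checks described above (this is example code written for this page, not Prisma Cloud code and not anything from the Forrester report), here is a minimal gate that a CI job runs against the repository’s Kubernetes manifests. It exits non-zero, failing the build, when it finds the kinds of problem that hurt Anvil: a credential written straight into the manifest, a privileged or host-network pod, or an image that is unpinned or pulled from somewhere other than a trusted registry. The registry name registry.acme.example, the two manifests and every value in them are constructed for the example. Manifests are loaded as JSON rather than YAML so the script runs with only the standard library (Kubernetes accepts both); a real gate would read YAML with yaml.safe_load().

```python
# Added example: a minimal IaC quality gate for Kubernetes manifests.
# Not Prisma Cloud code; registry name and sample manifests are constructed.
import json
import re
import sys

# Assumption for the example: Acme's internal registry is the only trusted code source.
TRUSTED_REGISTRIES = ("registry.acme.example/",)

# Environment variable names that usually carry credentials.
SECRET_NAME_RE = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API[_-]?KEY|PRIVATE[_-]?KEY", re.I)

# Severities that block the build; MEDIUM is reported but does not fail the gate.
FAIL_ON = ("CRITICAL", "HIGH")


def pod_spec_of(manifest):
    """Return the PodSpec of a Pod, or of a workload that embeds a pod template."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest.get("spec", {})
    if kind in ("Deployment", "StatefulSet", "DaemonSet", "Job"):
        return manifest.get("spec", {}).get("template", {}).get("spec", {})
    return {}


def image_is_pinned(image):
    """Pinned means a digest, or an explicit tag other than 'latest'."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]          # drop registry (host:port) and path
    return ":" in last and not last.endswith(":latest")


def check_manifest(manifest):
    """Return a list of (severity, location, message) findings for one manifest."""
    findings = []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    spec = pod_spec_of(manifest)
    pod_sc = spec.get("securityContext", {})
    if spec.get("hostNetwork"):
        findings.append(("HIGH", name, "pod runs in the host network namespace"))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        loc = f"{name}/{c.get('name', '<unnamed>')}"
        image = c.get("image", "")
        sc = c.get("securityContext", {})
        if not image.startswith(TRUSTED_REGISTRIES):
            findings.append(("HIGH", loc, f"image {image!r} is not from a trusted registry"))
        if not image_is_pinned(image):
            findings.append(("MEDIUM", loc, f"image {image!r} is not pinned to a tag or digest"))
        if sc.get("privileged"):
            findings.append(("CRITICAL", loc, "container runs privileged"))
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")):
            findings.append(("MEDIUM", loc, "runAsNonRoot is not set"))
        for env in c.get("env", []):
            # A literal value on a credential-looking variable is a secret committed to source control.
            if SECRET_NAME_RE.search(env.get("name", "")) and "value" in env:
                findings.append(("CRITICAL", loc,
                                 f"env {env['name']} has a literal value; use valueFrom.secretKeyRef"))
    return findings


def gate(manifests):
    """Run every check; return (findings, passed). passed is False if any blocking finding exists."""
    findings = [f for m in manifests for f in check_manifest(m)]
    return findings, not any(sev in FAIL_ON for sev, _, _ in findings)


# Constructed sample: roughly the shape of manifest the story's rushed Anvil rollout shipped.
BAD_MANIFEST = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "anvil-api"},
 "spec": {"template": {"spec": {"hostNetwork": true, "containers": [
   {"name": "api", "image": "anvil/api:latest",
    "securityContext": {"privileged": true},
    "env": [{"name": "DB_HOST", "value": "anvil-db"},
            {"name": "DB_PASSWORD", "value": "hunter2"}]}]}}}}
""")

# Constructed sample: the same workload after remediation.
GOOD_MANIFEST = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "anvil-api"},
 "spec": {"template": {"spec": {"containers": [
   {"name": "api",
    "image": "registry.acme.example/anvil/api@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
    "securityContext": {"privileged": false, "runAsNonRoot": true},
    "env": [{"name": "DB_HOST", "value": "anvil-db"},
            {"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "anvil-db", "key": "password"}}}]}]}}}}
""")

if __name__ == "__main__":
    # In CI: load the manifests from the checkout instead of the samples and let the
    # non-zero exit status fail the build and hand the change back to the developer.
    findings, passed = gate([BAD_MANIFEST, GOOD_MANIFEST])
    for sev, loc, msg in findings:
        print(f"[{sev}] {loc}: {msg}")
    print("GATE PASSED" if passed else "GATE FAILED")
    sys.exit(0 if passed else 1)
```

Run as-is it reports six findings on the first manifest and none on the second, and exits 1. The split between blocking and report-only severities is the knob a team turns as it tightens policy: start by blocking only committed secrets and privileged containers, then promote the pinning and non-root checks once the backlog is cleared.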

Comprehensive Risk Visibility for Security Operations

Enforcing code security during the code, build, and deploy phases is important, but Acme doesn’t just shift left; the company also “shields right” by protecting the production environment from vulnerabilities that are discovered only after the code has passed the build quality gate.

Prisma Cloud gives Acme comprehensive runtime security that automatically ranks issues by severity and by their impact on Acme’s specific usage and environment. Prisma Cloud uses metadata captured from the application during the CI stage, along with tags, to notify the responsible developer directly in whatever development tooling they already use.

Prisma Cloud provides risk prioritization for any running environment, so Acme’s security teams can continuously monitor all of their cloud-native infrastructure and apps and quickly prioritize remediation. By automatically telling developers when they must fix and redeploy their code, Prisma Cloud helps make DevSecOps a reality.

“Prisma Cloud helps us find things sooner. We’re not expecting breaches because Palo Alto Networks helps us find vulnerabilities early so we can remediate faster.”

– Acme Sr. Cloud Security Engineer

A Secure Future

Secure Deployment from the Beginning

Shifting left has allowed Acme to greatly reduce its attack surface and limit the amount of vulnerable code that reaches production.

Now the Acme teams are confident that, no matter when or where a build was done, the code they deploy has cleared the same security gates.

Acme’s Success with Shifting Left

Acme was able to take a step back and examine how to holistically and strategically embed security earlier in the app lifecycle. That supported all three of its major security goals: providing frictionless, effective tools for its developers, surfacing issues to security operations before they reached production, and reducing overall risk and disruptive security failures.

“Our cloud security team is more proactive and less stressed than I’ve ever seen them.”

– Acme Sr. Cloud Security Engineer

Sources

1. The State of Cloud-Native Security, Palo Alto Networks, March 7, 2023.
2. The Total Economic Impact™ Of Palo Alto Networks Prisma Cloud, Forrester Consulting, November 28, 2023.