Subscribe
About
  • Home
  • /
  • Security
  • /
  • Shift left and right needed to mitigate supply chain risks

Shift left and right needed to mitigate supply chain risks

Frans de Waal, Prisma Cloud sales specialist at Palo Alto Networks.
Frans de Waal, Prisma Cloud sales specialist at Palo Alto Networks.

Shift-left and DevSecOps have become increasingly important to help organisations mitigate risk in a complex hybrid cloud environment, in which organisations face growing challenges like software supply chain attacks.

This is according to Prisma Cloud solution experts who were addressing a webinar on Cloud-Native Application Protection Platforms (CNAPP): an integrated platform approach to cloud security.

Frans de Waal, Prisma Cloud sales specialist at Palo Alto Networks, said: “Adversaries see the cloud as a honeypot because they understand that, as an industry, we don’t have the maturity and/or skills to combat all risks. Just as we are standardising and automating to enhance security, attackers are looking for gaps to infiltrate as fast as possible also using automation strategies.

"Among our customers in Africa, we see a trend of initially using a lift and shift approach then quickly moving to use the cloud as an innovation engine. So inevitably they are on a journey to adopt cloud-native architectures and applications, with more agile iterative development approaches. They also inevitably adopt a hybrid multi cloud model. This makes cloud security across a diverse tech stack challenging from a visibility, governance/compliance and security standpoint.”

He said that as organisations mature in their cloud journey, they become aware of a growing number of capabilities that are needed to secure their cloud environments.

De Waal said: “In the past we would look at point solutions to address specific security needs, but this means organisations can end up with ten or more security tools. This presents a massive challenge because data, alerting and policies are not centralised, so from an overall governance and risk point of view they don’t have risk clarity. Organisations are asking: how do we embed security from code to cloud?”

Organisations are asking: how do we embed security from code to cloud?

Frans de Waal, Palo Alto Networks

Polls of webinar participants found that 75% use multiple cloud providers and/or hybrid clouds. While 63% said they had implemented security into their software development lifecycle, 57% also said they did not have a clear cloud security strategy and roadmap to get there.

Gordon Bailey-McEwan, Prisma Cloud Solutions Architect at Palo Alto Networks, said: “Most organisations I deal with don’t have a clear cloud security strategy and roadmap to get there yet.”

He  said: “The high profile SolarWinds breach, which involved the software supply chain wasn’t the first to do so – as far back as 2015, an attacker distributed a version of Apple’s Xcode software that injected code into the iOS apps built using it; there were also KeRanger, BotPeytya and CCleaner attacks in recent years.

“Cloud supply chains are very complex, with multiple IaC packages and helm charts, each Helm chart depending on multiple container images, and each image depending on multiple app packages. We can have misconfigurations and vulnerabilities throughout the process."

He highlighted the Prisma Cloud Unit 42 Cloud Threat Report 2H 2021 which said a global analysis revealed that 63% of third party code used in building cloud infrastructure contained insecure configurations, 96% of third party container applications deployed in cloud infrastructure contained known vulnerabilities and 99% of Helm charts contained one or more insecure configurations.

Unit 42’s report on securing the software supply chain to secure the cloud noted that misconfigurations and cloud supply chain insecurity are increasing as organisations shift more applications to the cloud, with high-profile attacks like those involving SolarWinds and Kaseya making these risks top of mind. 

However, the report said that while risks related to supply chains had received a lot of attention, discussions often overlooked the fact that attackers don’t necessarily modify source code repositories to facilitate these breaches – they find weaknesses in the software development pipeline and attack those. Proactively addressing these threats is of the utmost importance, the report said.

Gordon Bailey-McEwan, Prisma Cloud solutions architect at Palo Alto Networks.
Gordon Bailey-McEwan, Prisma Cloud solutions architect at Palo Alto Networks.

“Organisations need to understand where and how software is created and how it moves to cloud, they need to shift security as far left as possible, and they need to identify and implement security-quality guardrails,” Bailey-McEwan said.

We need to shift left but also stay right, focusing on security throughout the application development life cycle.

De Waal said: “To effectively integrate security across the full application life cycle, we need to shift left but also stay right, focusing on security throughout the application development life cycle.” Palo Alto Networks notes that shift-left and DevSecOps plug security into development and IT processes, and position organisations to better manage security.

They highlighted Prisma Cloud – the industry’s most comprehensive Cloud Native Security Platform (CNSP), addressing security needs across all stages of the cloud software development lifecycle, no matter which cloud services are used or how they are managed. Prisma Cloud offers the industry’s broadest security and compliance coverage—for applications, data, and the entire cloud native technology stack—throughout the development lifecycle and across hybrid and multi-cloud environments, they said. The platform has an integrated approach that enables security operations and DevOps teams to collaborate effectively and accelerate secure cloud-native application development. Prisma Cloud protects and integrates with cloud-native architectures and toolkits to ensure complete security coverage while breaking security operational silos across the entire application lifecycle.  

Share