Palo Alto Networks has added a new software composition analysis (SCA) solution to Prisma Cloud to help developers safely use open-source software components. The vendor has also introduced a software bill of materials (SBOM) for developers to maintain and reference a codebase inventory of application components used across cloud environments. The updates come as open-source software risks persist with attention steadily turning toward raising the security bar surrounding open-source components.
Vulnerabilities prevalent in open-source software
In a press release, Palo Alto noted that, while open-source software is a critical component of cloud-native applications that can allow developers greater speed and modularity, it often contains vulnerabilities which can open organizations up to significant risk. Indeed, the Unit 42 Cloud Threat Report 2H 2021 found that 63% of third-party code templates used in building cloud infrastructure contained insecure configurations, while 96% of third-party container applications deployed in cloud infrastructure contained known vulnerabilities.
Palo Alto’s new SCA solution has been designed to enable developers and security teams to proactively surface and prioritize known vulnerabilities throughout the application lifecycle (code, build, deploy and run). It also helps developers prioritize remediation based on software components that are in use, the vendor stated. With the new, in-built SCA capabilities, Prisma Cloud brings in context from each capability, providing a unified view across organizations’ cloud environments and delivering deep dependency vulnerability detection and remediation of open-source software before applications reach production, Palo Alto added.
Commenting on the release, IDC’s Program VP of Security and Trust Frank Dickson said that buyers looking for cloud-native security solutions need to keep the requirements of microservices security protection in mind. “The ‘bolted-on’ and ‘whack-a-mole’ approaches are a thing of the past. Security should be embedded throughout the application development life cycle,” he added. This means that buyers need to fundamentally change their approach to security and embrace solutions that embed security in the application development process, an approach referred to as shift left. “Shift left requires one to think less about security products and more about continuous security processes,” Dickson said.
Open-source software security high on the agenda in 2022
Palo Alto’s move to introduce open-source SCA to Prisma Cloud is reflective of a wider recent focus on improving the security of open-source software and development. This year has seen several notable initiatives launched by vendors, collectives and governments to improve the security of open-source resources. These include the OpenSSF/Linux Foundation’s Open Source Software Security Mobilization Plan, JFrog’s Project Pyrsia, GitGuardian’s ggcanary project, and Google’s open-source software vulnerability bug bounty program.
“In many ways the problem is not an open-source software or closed source software problem; it’s a software problem,” David A. Wheeler, director of open-source supply chain security at the Linux Foundation, tells CSO. “Most software developers don’t know how to develop secure software, and so often they don’t do it, no matter what kind of software it is. So, we’re now starting to play catch-up, industry wide.”
Many organizations are moving to multi-factor authentication (MFA), at least for some critical projects, to make it harder for attackers to take over open-source software developer accounts and release subverted software, he adds. “There’s been concern from some quarters because this imposes some changes on what open-source software developers must do, and rightfully developers are worried about excessive burdens. That said, I think these specific steps have been received positively, and we’ll need to keep working on not overburdening developers.”
Copyright © 2022 IDG Communications, Inc.