Case Study

Palo Alto Networks InfoSec team deploys Prisma Cloud to protect the vulnerable software development lifecycle against threats and attacks

RESULTS

92% of new vulnerabilities prevented

52% of existing vulnerabilities fixed

1000+ scans daily across a complex set of ecosystems

In brief

Customer: Palo Alto Networks InfoSec team

Industry: Technology

Products and Services: Prisma® Cloud

Organization Size: 14,000+

Location: Global

Challenges

The Palo Alto Networks InfoSec team knew that it needed to incorporate security early in the software development lifecycle (SDLC), while providing visibility into vulnerabilities across the complex ecosystem to protect the company and their products.
The immense scale of the infrastructure—with multiple cloud platforms, a vast codebase, and diverse security tools—created hurdles in achieving these goals. And while shift-left strategies have been widely recognized in the industry, operationalizing these approaches has never been easy.

Requirements

  • Integrate security across all source code management and CI/CD systems early in the SDLC.
  • Provide a unified view of security issues across vast and varied resources.
  • Give developers security visibility, enabling them to make rapid fixes.

Solution

Palo Alto Networks integrated Prisma Cloud early in its SDLC, streamlining security with visibility into vulnerabilities and saving developers significant amounts of time in production. The solution protects the SDLC early on, including all CI/CD systems. Additionally, Prisma Cloud’s unified view from “code to cloud” allowed the InfoSec team to prioritize risks effectively and in a shift-left strategy, preventing thousands of vulnerabilities from ever getting into production.

INTRODUCTION

Palo Alto Networks deployed its own product, Prisma Cloud, to protect the entire software value chain, reducing vulnerabilities from code to cloud and giving developers up-to-the-minute visibility into security issues during production. The InfoSec team integrated Prisma Cloud across all source code management and CI/CD systems, also allowing the team to shift left to prevent security vulnerabilities by running 1,000 scans daily at speed, scale, and velocity.

CHALLENGE

Integrate security tools earlier in the dev lifecycle to prevent issues later

The Palo Alto Networks InfoSec team is chartered with securing and protecting the company and its products against security threats and attacks. The team knew it needed to integrate security tools and prevent security issues earlier in the SDLC, giving developers real-time visibility into vulnerabilities to manage fixes swiftly. At the same time, the team was deploying a large set of fragmented and redundant security tools that had been added incrementally over time. Moreover, there were few automated code-to-cloud security workflows. The team needed to transform these fragmented capabilities into automated workflows, providing a consolidated view of security vulnerabilities across the ecosystems.

Adding pressure, the Product Security team was struggling to adopt a shift-left approach to reduce the number of vulnerabilities getting into production. Shifting left to be more predictive and preventative has long been a topic of debate in the cybersecurity industry, but operationalizing these strategies in complex environments has never been easy to achieve. More specifically, the Palo Alto Networks InfoSec team was under pressure to integrate security early in the SDLC and operationalize a proactive shift-left approach to prevent vulnerabilities. In a highly complex software development environment with multiple cloud platforms, a vast codebase, and fragmented security tools, that goal was challenging.

At Palo Alto Networks, the sheer scale of infrastructure includes the use of multiple cloud platforms—Google Cloud, Amazon Web Services, Microsoft Azure, Alibaba, Oracle, and others. The InfoSec team’s domain consists of:

  • Nearly 100 million cloud resources
  • 1 million running containers
  • 42 million lines of code
  • 500,000 user accounts
  • 56,000 open-source libraries
  • 100+ CI/CD systems

“Like many security teams, our biggest problem was how to integrate security early in the SDLC, give real-time visibility to developers on security vulnerabilities, create a security baseline and drive adoption of tools,” said Krithi Vasan, senior director of product security at Palo Alto Networks.

“So, we started drinking our own champagne, which is Prisma Cloud. We integrated Prisma Cloud across all our source code management and CI/CD systems. With that, Prisma Cloud helps us protect these systems and makes it easier for our developers because it provides continuous visibility back to them.”

REQUIREMENTS

Shift-left security strategy; full visibility into vulnerabilities

The InfoSec team set out to achieve a set of key goals to integrate software development with a shift-left security strategy while giving developers full visibility into security vulnerabilities. Solution requirements included:

  • Integrating security early and consistently across the SDLC
  • Supporting integration with CI/CD systems for continuous building and testing code changes
  • Empowering product engineering teams to identify, triage, and mitigate security issues
  • Delivering unified views on security-related issues across vast and varied resources
  • Helping development teams maintain a consistent security baseline
  • Driving critical-mass adoption of security tools

"Our Product Security Team’s mission at Palo Alto Networks is to make sure we are able to integrate security early in the SDLC, to prevent security issues and reduce time to remediate, to drive effective security baselines and standards, and to provide real-time visibility to developers and empower them to remediate vulnerabilities faster."

– Krithi Vasan, Senior Director, Product Security, Palo Alto Networks

SOLUTION

Operationalized shift-left security and consolidated visibility

Palo Alto Networks integrated Prisma Cloud across all source code management (SCM) and CI/CD systems, making security integration easier for developers and providing them with visibility into vulnerabilities. Prisma Cloud secures the software management and CI/CD systems at Palo Alto Networks, offering a consolidated view of vulnerabilities across multiple tools and cloud environments. That enables developers to move quickly to make fixes. With Prisma Cloud, the InfoSec team also successfully operationalized an effective shift-left capability for predicting and preventing vulnerabilities.

“Prisma Cloud makes it easier to integrate natively with the existing SCM and CI/CD systems,” said Vasan. “And because it integrates across all these ecosystems, Prisma Cloud delivers a single view of all your security issues, making it easier to find where the issue is and where to fix it. The new module in Prisma Cloud, called CI/CD Security, further helps you to gain in-depth visibility into your existing CI/CD systems’ vulnerabilities.”

Prisma Cloud’s IaC Security and Container Security capabilities empowered the InfoSec team to pinpoint and address issues efficiently by offering secure defaults such as secure Golden Images and IaC templates to support shift-left adoption. These capabilities saved developers around 1,800 hours of time over 18 months from fixing issues in production and runtime, enabling them to focus on creating secure products.

Additionally, Prisma Cloud offered a singular view of vulnerabilities with automated workflows from code to cloud. This Code to Cloud intelligence feature enabled the InfoSec team to prioritize risks based on various factors, like external exposure or customer impact. This was further amplified by the combination of shift left (prediction and prevention) with shift right (detection).

"Prevention is better than remediation. By shifting left early in the SDLC, our developers were free to be more productive."

– Krithi Vasan, Senior Director, Product Security, Palo Alto Networks

BENEFITS

Security integration

Prisma Cloud makes it easy to integrate natively with existing software management and CI/CD systems, including GitHub, GitLab, Jenkins, Bamboo, Harness, and others. The solution also enables developers to verify every step of the software build process to ensure that what’s built is what’s deployed.

Enhanced security visibility

The software supply chain is highly complex with varied tools and plugins. DevOps tools are built for speed and velocity, not so much for security. Prisma Cloud integrates security across all ecosystems, creating single-pane, in-depth visibility for developers—including CI/CD systems, Prisma Cloud’s new security model. The solution also protects the extended landscape, offering visibility into traffic coming and going across plugins with Palo Alto Networks NGFW firewall and endpoints solutions.

Increased developer productivity

In addition to single-pane visibility, the solution speaks in the language of developers, which is policy as code, making it easier for the engineers to adopt security tools. Prisma Cloud automates workflows in the development lifecycle with response to vulnerabilities delivered out of the box. As it continuously scans preset images for vulnerabilities, Prisma Cloud provides visibility to patch early in the SDLC. By automating crucial security components, Palo Alto Networks saves developers’ time, giving them the ability to channel more time into product development instead of fixing issues.

Shifting left

The solution achieves scale, speed, and security by running approximately 1,000 scans daily across this complex set of ecosystems. The solution combines shift left (prevention) with shift right (detection) to prevent 92% of new vulnerabilities and fix 52% of existing ones. While the industry struggles to operationalize shift-left strategies, Palo Alto Networks has succeeded by simplifying security adoption for developers, providing up-to-the-minute visibility, and enabling predictive and preventive measures.

Risk prioritization

The threat landscape is constantly changing and the CI/CD pipeline is increasingly targeted. This can create risk because these vulnerabilities typically lie outside the attack surface that most organizations monitor. With a unified view of vulnerabilities, Prisma Cloud integrates into the SDLC, effectively categorizing and addressing risks based on their impact and urgency.

CONCLUSION

Palo Alto Networks successfully navigated the challenges of integrating security into a complex SDLC early on by employing the company’s premier solution, Prisma Cloud. The result significantly enhanced not only security but also operational efficiencies. The solution gives developers and software engineers real visibility in production for quick fixes to remediate security issues, making security easier to adopt. At the same time, Prisma Cloud empowers the InfoSec team to deploy effective shift-left strategies to predict and prevent vulnerabilities fast and at scale. This shift is vital to achieving efficiencies, cost savings, and productivity. At the end of the day, Prisma Cloud creates a bridge and fosters collaboration between software engineers and the business units they serve.