Software Supply Chain Security

Harden your CI/CD pipelines, reduce your attack surface and protect your application development environment.

The volume and sophistication of attacks targeting the engineering ecosystem are growing rapidly. According to Gartner, organizations must protect the delivery pipeline to remain secure in the cloud. Prisma® Cloud provides a powerful yet simple way to gain visibility and control across application delivery pipelines.

Learn about the Top 10 CI/CD Security Risks

Prisma Cloud makes it simple for AppSec practitioners to secure their supply chain without slowing engineers down.

Prisma Cloud continuously monitors pipelines against the OWASP Top 10 CI/CD Security Risks and other attack vectors so that bad actors can't breach the delivery pipeline or inject malicious code into applications.
  • Single view into the engineering ecosystem
  • Complete protection against the OWASP Top 10 CI/CD Security Risks
  • Granular controls to block insecure code from reaching production
  • Graph-based CI/CD mapping
  • Comprehensive engineering tool inventory
  • Pipeline posture management
  • Actionable fix guidance

THE PRISMA CLOUD SOLUTION

Our Approach to Software Supply Chain Security

Centralized visibility across the engineering ecosystem

The cloud-native engineering ecosystem is increasingly complex, making it challenging for AppSec teams to get the comprehensive visibility needed to secure it. Having a unified inventory of the languages, frameworks, tools and executables within your ecosystems is the first step toward a secure software supply chain.

Prisma Cloud brings together a single view of all technologies in use and their associated security risks.

  • Scan across languages and repositories with unmatched accuracy.

    Identify security risks across code types for all the most popular languages.

  • Connect infrastructure and application risks.

    Focus on the critical risks that are exposed within your codebase, eliminate false positives and prioritize remediations faster.

  • Visualize your software supply chain.

    Get a consolidated inventory of your CI/CD pipelines and code risks across your engineering ecosystem.

  • Catalog your software supply chain.

    Generate a software bill of materials (SBOM) to track all sources of application risk and understand your attack surface.


Posture management of the delivery pipeline

Cloud attacks frequently target CI/CD pipelines and the software supply chain, exposing organizations to code injection, credential theft, data exfiltration and intellectual property theft. Organizations must respond by implementing new security practices. Security issues mapped to the OWASP Top 10 identify attack vectors and provide guidance on how to address software supply chain security.

  • Get visibility into your software supply chain security posture.

    Identify missing branch protection rules, insecure pipeline configurations and potential for poisoned pipelines, with native controls to proactively prevent attacks.

  • Run a graph-based attack path analysis of the many resources impacting your pipelines.

    Software pipelines are multidimensional, with many tools and internal and external resources that must all be secured to prevent attacks.

  • Harden your delivery pipelines.

    Backed by the world’s best security researchers, Prisma Cloud helps teams adopt critical security guardrails to harden their pipelines over time. These guardrails ensure that bad actors can’t leverage supply chain weaknesses to reach production environments or run malicious code.

  • Identify credentials exposed in pipelines.

    Find cleartext credentials in webhooks and pipeline logs that could be stolen and abused.

  • Create and enforce custom policies throughout the software development lifecycle.

    Integrate vulnerability management to scan repositories, registries, CI/CD pipelines and runtime environments.


Cloud Application Graph™

Harnessing the power of relational graph databases, Prisma Cloud distills all components of the modern engineering ecosystem into a single view. With supply chain context and per developer workflows, organizations can harden their supply chains over time and prevent security issues from reaching production.

  • Analyze the entire ecosystem.

    Correlate several disparate signals across codebases, scanners, orchestration and automation tools, and more to centralize visibility and control across all engineering technologies and workflows.

  • Visualize breach pathways.

    Untangle complex relationships to pinpoint critical risks and understand the breach pathways to reach critical assets.


Integrated into the leading Code to Cloud platform

The only way to prevent insecure code from reaching production is to scan every code artifact and dependency and to ensure the delivery pipeline is effectively protected. Software supply chain security is just one application security use case that's part of Prisma Cloud's cloud-native application protection platform (CNAPP).

  • Identify risks in code as developers are building and testing software.

    Check packages and images for vulnerabilities and compliance issues across repositories like GitHub and registries such as Docker, Quay, Artifactory and others.

  • Lock down deployments to only vetted images and templates.

    Leverage Prisma Cloud code scanning and container sandbox analysis to identify and block malicious code and apps from reaching production.

  • Capture detailed forensics of every audit or security incident.

    Automatically and securely gather forensics details in a powerful timeline view to enable incident response. You can view data in Prisma Cloud or send it to other systems for deeper analysis.

  • Prevent risky activity across any runtime environment.

    Manage runtime policies from a centralized console to ensure security is always present as part of every deployment. Mapping of incidents to the MITRE ATT&CK® framework, along with detailed forensics and rich metadata, helps SOC teams track threats for ephemeral cloud-native workloads.

  • Context-aware security.

    Detect and prevent misconfigurations and vulnerabilities that lead to data breaches and compliance violations in runtime with complete cloud developer inventory, configuration assessments, automated remediations and more.


AppSec modules

  • IaC security

    Automated IaC security embedded in developer workflows

  • Software Composition Analysis (SCA)

    Highly accurate and context-aware open source security and license compliance

  • Software Supply Chain (CI/CD) Security

    End-to-end protection for software components and pipelines

  • Secrets Security

    Full-stack, multidimensional secrets scanning across repos and pipelines
