Get to Know Your Engineering Ecosystem
Ensuring visibility into your engineering tools and ecosystems is critical in today's dynamic technology landscape. With the increasing diversity and constant introduction of new engineering tools, it becomes crucial to have real-time and continuous insights into your engineering environment. This not only empowers you to address security concerns promptly but also allows you to customize security solutions to your unique setup, ultimately leading to a more resilient and secure software development and deployment process.
1. Connect Prisma Cloud to your VCS and CI/CD Systems
Begin by onboarding your version control system(s) and CI/CD systems on Prisma Cloud.
- GitHub
- GitHub Enterprise
- GitLab
- GitLab Self-hosted
- Bitbucket
- Bitbucket Server
- Azure Repos
- CircleCI
- Jenkins Plugin
2. Assess Your Code Repositories
Prisma Cloud provides a comprehensive view of your engineering ecosystem from code to deployment, all within a repository-based view. This lets you identify code repositories and their associated infrastructure, including programming languages, frameworks, CI files and connected pipelines.
- Assess public repositories
  - Repositories can be set to public unintentionally, so it is good practice to make sure that every public repository is public for a reason. To assess all your public repositories:
    - Application Security > Repositories > set the Visibility filter to Public
    - Click a repository to investigate its programming languages, technologies, and pipeline connections
    - On the repository side panel, select Contributors to see the users you might want to contact to understand whether the repository visibility can be changed to private.
- Assess repositories that are connected to pipelines
  - Repositories that are connected to pipelines have a higher impact on your organization's security posture. To assess repositories that are connected to pipelines:
    - Application Security > Repositories
    - By default, the table is sorted by the repositories' connection to pipelines
    - Set the Pipelines filter to "select all" to view only repositories that are connected to pipelines
- Get to know what code technologies are used by R&D teams
  - Select Application Security > Repositories.
  - Filter by Technologies to see what programming languages, frameworks, and DevOps systems were detected.
  - Choose a repository to explore details, such as the developers who are contributors.
3. Get to Know Your SDLC Technologies, Shadow IT, and Unmanaged Assets
Continuous visibility into your engineering ecosystem is critical to the success of your application security program. To make sure you are protecting your most critical assets, use Technologies Overview as the inventory of your SDLC technologies.
- Select Application Security > Technologies to review your VCS and CI systems.
  - To understand where these technologies were discovered, click a technology and assess its Source.
- Verify that you can view all your technology sources on Prisma Cloud. If a technology source is missing here, consider adding it to Prisma Cloud.
4. Assess Third-Party Technologies Used in the Engineering Ecosystem
Gain visibility across all third parties in your engineering ecosystem, including apps and webhooks, Jenkins plugins, and pipeline tools.
- Explore VCS 3rd Parties
  - Log in to the Prisma Cloud console and select Application Security on the Prisma Cloud switcher.
  - Select Technologies.
  - Select Apps & Webhooks to view all VCS 3rd parties configured in your VCS.
    - Each App shows the permissions granted to it on the VCS organization or repository.
    - Each Webhook shows the event details to which it subscribes.
- Explore vulnerable Jenkins plugins
  - Select Technologies > Jenkins Plugins. The table is sorted by the highest severity issues.
  - Review the most critical plugins and update the plugin version to remediate.
- Explore Pipeline Tools
  - Select Technologies > Pipeline Tools to explore all the tools used in the CI.
  - Use Insights for more context on tools that have low popularity, are deprecated, or have an unverified tool creator.
  - Select a tool to assess its executables and usage information.
5. Explore the Organization SBOM (Software Bill of Materials)
Gain visibility into the Software Bill of Materials (SBOM) across your organization. This allows you to understand your software inventory, including libraries, versions, and licenses of third-party components and open source packages, as well as to identify all detected vulnerabilities.
- Explore vulnerable open source packages
  - Log in to the Prisma Cloud console and select Application Security on the Prisma Cloud switcher.
  - Select Application Security > SBOM and select Show only vulnerable.
  - Select a package name and view its vulnerabilities on Issues.
  - Select Repositories to explore all the evidence for the package and its dependency tree in the case of a transitive dependency.
- Identify license compliance in open source packages
  - Filter on License and search for non-OSI or SPDX licenses such as GPL-3.0.
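As an added example (not Prisma Cloud's own code or API) of what the two SBOM checks above, vulnerable packages and license compliance, look like outside the console: a small Python script walks a constructed CycloneDX-style SBOM, lists components with a vulnerability or a license outside an assumed allowlist, and records the dependency path that serves as evidence when the package is a transitive dependency. The SBOM contents, package names, license allowlist and vulnerability id are all assumptions.

```python
from collections import deque
ALLOWED_LICENSES = {"MIT", "BSD-3-Clause", "Apache-2.0"}  # allowlist (assumption)

# Constructed sample SBOM in CycloneDX JSON layout; names, versions, licenses
# and the vulnerability id are made up for this example.
SBOM = {
    "metadata": {"component": {"bom-ref": "pkg:app@1.0"}},
    "components": [
        {"bom-ref": "pkg:npm/web-server@4.1.0", "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:npm/query-parse@6.5.2", "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
        {"bom-ref": "pkg:npm/gpl-helper@2.0.0", "licenses": [{"license": {"id": "GPL-3.0"}}]},
    ],
    "dependencies": [
        {"ref": "pkg:app@1.0", "dependsOn": ["pkg:npm/web-server@4.1.0", "pkg:npm/gpl-helper@2.0.0"]},
        {"ref": "pkg:npm/web-server@4.1.0", "dependsOn": ["pkg:npm/query-parse@6.5.2"]},
    ],
    "vulnerabilities": [{"id": "CVE-PLACEHOLDER-0001", "ratings": [{"severity": "high"}],
                         "affects": [{"ref": "pkg:npm/query-parse@6.5.2"}]}],
}
def dependency_paths(sbom):
    """Shortest chain of refs from the root application to each component (BFS)."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    paths, queue = {root: [root]}, deque([root])
    while queue:
        cur = queue.popleft()
        for child in edges.get(cur, []):
            if child not in paths:  # first visit is the shortest path
                paths[child] = paths[cur] + [child]
                queue.append(child)
    return paths
def find_issues(sbom, allowed=ALLOWED_LICENSES):
    """Vulnerable components plus components licensed outside the allowlist, each with
    its dependency path as evidence; 'transitive' means the path runs through another package."""
    paths, issues = dependency_paths(sbom), []
    def add(kind, ref, detail):
        path = paths.get(ref, [ref])  # component nobody depends on: no known path
        issues.append({"kind": kind, "ref": ref, "detail": detail,
                       "path": path, "transitive": len(path) > 2})
    for vuln in sbom.get("vulnerabilities", []):
        severity = (vuln.get("ratings") or [{}])[0].get("severity", "unknown")
        for target in vuln.get("affects", []):
            add("vulnerability", target["ref"], f"{vuln['id']} ({severity})")
    for comp in sbom.get("components", []):
        for lic in comp.get("licenses", []):
            lic_id = lic.get("license", {}).get("id")
            if lic_id and lic_id not in allowed:  # e.g. GPL-3.0
                add("license", comp["bom-ref"], lic_id)
    return issues
```

Running `find_issues(SBOM)` reports the vulnerable package as transitive (reached through web-server) and the GPL-3.0 package as a direct dependency.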