Risk Prevention

Protecting runtime environments begins at the source - the code that generated the application and infrastructure. Code security is an essential task for organizations that rely on software development and infrastructure as code (IaC) practices. Risks related to insecure coding, improperly managed IaC, and exposed secrets present substantial threats to the confidentiality, integrity, and availability of vital systems and data. Undetected vulnerabilities and data breaches can result in serious consequences, including substantial reputational harm and non-compliance with regulatory standards.

To tackle these significant security and compliance hurdles, Prisma Cloud's Secure Code Analytics (SCA), IaC Security, and Secrets Scanning modules offer vital security and compliance advantages for organizations engaged in software development and IaC practices. These modules embed into developer tools to continually inspect and analyze codebases for vulnerabilities, misconfigurations, and exposed secrets. The integrations can be used to enable developers to secure their code before merging, block code with security risks, and retroactively remediate issues with fix pull requests.

Through this proactive stance, SCA, IaC Security, and Secrets Scanning significantly reduce the risks associated with insecure code, misconfigured infrastructure, and leaked secrets. This approach drastically minimizes the potential for security incidents and unauthorized access, ultimately safeguarding your valuable digital assets and maintaining your organization's good standing.

1. Subscribe to the Add-On Features

Prisma Cloud provides you the flexibility to select the appropriate code and pipeline security modules that you need. Subscribe to and enable the Cloud Application Security add-ons relevant to your organization.

  1. Log in to the Prisma Cloud console.

Make sure that you have selected Application Security on the Prisma Cloud switcher.

  2. Select Settings > Application Security to enable the relevant modules.

If you have enabled Secrets Scanning, also enable Validate Secrets.

2. Onboard your version control system

Begin by onboarding your version control system(s) on Prisma Cloud. This will allow you to observe code issues and provide developer feedback.

  1. Log in to the Prisma Cloud console.
  2. Onboard your version control system.

Prisma Cloud supports a wide range of environments including GitHub, GitLab, Bitbucket.

  3. Set your Enforcement levels.

Enforcement enables you to configure code review scan parameters in your repositories and customize violation failures and comments. You can set it up to purely observe, add PR comments, or hard-fail based on thresholds.

3. Explore high-priority IaC risks

Identify and understand the most critical infrastructure as code risks present in your code base. Prisma Cloud will help you prioritize and remediate those risks.

  1. Find the high-priority IaC issues.
    1. Select Projects > IaC Misconfigurations.
    2. Filter on “Severity: High,Critical”
    3. Filter on “IaC Labels: Has fix”
  2. Explore the issues.

Now you can explore the high-severity issues that have an automated fix available for quick remediation.

    1. Select a resource.
    2. Explore the Details about the resource to understand more about the resource’s location, source, and configuration.
    3. See the Issues tab for the violation identified and the user who committed the issue in code as well as the fix.
  3. Remediate the issue with code.

Select Fix and Submit to open a pull request with the fix back in the repository.

4. Explore high-priority SCA risks

Understand the source and remediation for vulnerabilities and license compliance risks in your code.

  1. Filter for high priority Vulnerabilities.
    1. Select Projects > Vulnerabilities.
    2. Filter on “Severity: High,Critical”
    3. Filter on “Vulnerability Risk Factors: Has Fix, Exploit POC, Exploit In The Wild”
  2. Explore the vulnerabilities.

Now you can explore the high-severity vulnerabilities that are actively being exploited and that have an automated fix available for quick remediation.

    1. Select a resource.
    2. Explore the Details about the package to understand more about the package’s location, source, and configuration.
    3. See the Issues tab for more details about the vulnerability identified and the issue in code as well as the package bump to fix the issue.
  3. Remediate the issue with code.

Select Fix and Submit to open a pull request with the fix back in the repository.

  4. Identify license compliance risks.
    1. Go to the Licenses view.
    2. Explore the various packages with licenses that are not OSI or SPDX approved to plan a replacement process.

5. Explore high-priority Secrets risks

Understand the source and remediation for exposed secrets in your code.

  1. Filter for high-priority secrets.
    1. Select Projects > Secrets.
    2. Filter on “Severity: High,Critical”
    3. Filter on “Secrets Risk Factors: Valid,Privileged”
  2. Explore the secrets.

Now you can explore the high-severity secrets that have been validated. Plan the proper process to revoke these secrets and mitigate their risks.

    1. Select a resource.
    2. Explore the Details of the secret to understand more about the secret’s location, source, and configuration.
    3. See the Issues tab for more details about the secret identified.
  3. Remediate the issue.

Where appropriate, Suppress the finding or choose Manual Fix to be taken to the repository to remove the secret after revoking it from the service provider.

6. Proactively help developers secure their code

Provide proactive developer feedback about code issues.

  1. Set up an IDE plugin.
    1. From a supported IDE, go to the plugin settings and install the Prisma Cloud plugin.
    2. Add your Prisma Cloud Access Key, Secret Key, and API URL.
  2. Run the first scan.
    1. Open a repository with a supported IaC template or package manager file.
    2. Run the scan by either pressing “Scan” (JetBrains) or saving changes.
  3. Explore the results in the IDE.

Developers now receive feedback about the issues in their code directly in the IDE. Try Suppression and Fix to see how developers can remediate issues automatically.

  4. Enable PR Comments.
    1. From Enforcement, enable PR Comments.
    2. Open a pull request that adds or modifies IaC code or a package manager file.
  5. Explore the results.
    1. See the comments left to understand the risk about to be introduced.
    2. Remediate an issue with a commit to see the dynamic fix comments.

7. Customize your policies

Refine your policy set for your environment by disabling policies and adding new policies to meet your security control and operational needs.

  1. Disable a policy.
    1. Select Governance and filter for “Subtype: Build, Run and Build”.
    2. Choose a policy and change the status to “Off”.

That policy will no longer apply to scans.

  2. Add a new policy.
    1. Select Governance > Add Policy > Config.
    2. Fill in the provided fields and select Type: “Build”.
    3. Add a custom policy, test and apply your policy.
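As an added illustration (not Prisma Cloud's or Checkov's own code) of what a custom Build policy expresses and how it is applied, the example below evaluates an attribute-condition policy against parsed Terraform resources. The key names follow the Checkov-style YAML that the custom policy editor accepts (an assumption of this example); the policy, the operator subset and the resources are constructed.

```python
# Custom Build policy in the attribute-condition shape of a Checkov-style
# YAML policy (keys shown as a dict so this runs without PyYAML).
POLICY = {
    "metadata": {"name": "S3 buckets must not use a public-read ACL",
                 "severity": "high", "category": "storage"},
    "scope": {"provider": "aws"},
    "definition": {"cond_type": "attribute",
                   "resource_types": ["aws_s3_bucket"],
                   "attribute": "acl",
                   "operator": "not_equals",
                   "value": "public-read"},
}

# The subset of condition operators this example supports.
OPERATORS = {
    "equals": lambda actual, want: actual == want,
    "not_equals": lambda actual, want: actual != want,
    "exists": lambda actual, want: actual is not None,
    "not_exists": lambda actual, want: actual is None,
}

# Constructed resources, shaped as a Terraform parser would hand them over.
RESOURCES = [
    {"type": "aws_s3_bucket", "address": "aws_s3_bucket.logs",
     "attributes": {"acl": "private", "versioning": {"enabled": True}}},
    {"type": "aws_s3_bucket", "address": "aws_s3_bucket.site",
     "attributes": {"acl": "public-read", "versioning": {"enabled": False}}},
    {"type": "aws_instance", "address": "aws_instance.web",
     "attributes": {"acl": "public-read"}},  # out of scope: not an S3 bucket
]

def get_attr(attributes, dotted):
    """Resolve a dotted path such as 'versioning.enabled'; None if absent."""
    node = attributes
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def evaluate(policy, resources):
    """Return the addresses of resources that violate the policy's condition.
    Resources outside resource_types are skipped rather than failed."""
    cond = policy["definition"]
    check = OPERATORS[cond["operator"]]
    return [r["address"] for r in resources
            if r["type"] in cond["resource_types"]
            and not check(get_attr(r["attributes"], cond["attribute"]),
                          cond.get("value"))]
```

Testing a policy against a few deliberately failing resources like this, before switching it on, is the "test and apply" step above.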

8. Detect and remediate drift

Detect drift between your code and cloud configuration to prevent breaking best practices and introducing security issues out of band.

  1. Set up drift detection.
    1. Onboard a cloud account.
    2. For Terraform, enable the Tagging Bot with yor_trace.

This isn’t necessary for CloudFormation.

    3. Make a modification to a cloud resource.
  2. Identify drift.
    1. Select Projects > Overview.
    2. Filter on “IaC Categories: Drift”.
    3. Select a violation.
  3. Remediate the drift.
    1. Remediating drift opens a pull request that brings the changes made to the cloud resource back into code.
    2. Choose one of the violations.
    3. Select Fix, then Submit.
    4. The fix PR will be generated on the repository.
  4. Set up an alert rule.
    1. Get notified about drift to act quickly when cloud resources are manually modified.
    2. Select Alerts > Alert Rules and then select Add Alert Rules.
    3. Add details to create an alert rule for the configuration build policy.
    4. Select Account Groups to apply the alert rule.
    5. Select the policies for which you want to generate alerts.
      1. Traced Azure resources are manually modified
      2. AWS traced resources are manually modified
      3. Traced GCP resources are manually modified
  5. Explore a drift alert.
    1. Drift alerts identify the source of the drift in code.
    2. Select a drift alert.
    3. Open the side navigation to see the IaC resource details and the runtime resource details.
    4. Select View Drift Details to access the resource in Projects.
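To make the matching concrete, here is an added example (not Prisma Cloud's code) of how drift can be detected once resources carry a yor_trace tag: the code and runtime inventories are matched on the tag, attribute differences are reported, and runtime resources without a tag are flagged as created outside of code. All resource data is constructed.

```python
# Terraform resources as parsed from code, each already carrying the
# yor_trace tag that the Tagging Bot adds (constructed sample data).
IAC_RESOURCES = [
    {"address": "aws_s3_bucket.logs",
     "attributes": {"acl": "private", "versioning": True,
                    "tags": {"yor_trace": "6a1f0c2e-0001"}}},
    {"address": "aws_s3_bucket.assets",
     "attributes": {"acl": "private", "versioning": True,
                    "tags": {"yor_trace": "6a1f0c2e-0002"}}},
    {"address": "aws_s3_bucket.archive",
     "attributes": {"acl": "private", "versioning": False,
                    "tags": {"yor_trace": "6a1f0c2e-0003"}}},
]

# Runtime inventory as a cloud account scan would return it (constructed).
# logs-bucket was made public by hand; adhoc-bucket was never defined in code.
RUNTIME_RESOURCES = [
    {"id": "arn:aws:s3:::logs-bucket",
     "attributes": {"acl": "public-read", "versioning": True,
                    "tags": {"yor_trace": "6a1f0c2e-0001"}}},
    {"id": "arn:aws:s3:::assets-bucket",
     "attributes": {"acl": "private", "versioning": True,
                    "tags": {"yor_trace": "6a1f0c2e-0002"}}},
    {"id": "arn:aws:s3:::adhoc-bucket",
     "attributes": {"acl": "private", "versioning": False, "tags": {}}},
]

def detect_drift(iac, runtime):
    """Match code to cloud on yor_trace and report where they disagree."""
    by_trace = {r["attributes"]["tags"].get("yor_trace"): r
                for r in runtime if r["attributes"]["tags"].get("yor_trace")}
    findings = []
    for res in iac:
        live = by_trace.get(res["attributes"]["tags"].get("yor_trace"))
        if live is None:  # defined in code but deleted or never applied
            findings.append({"address": res["address"], "status": "missing"})
            continue
        diffs = {k: (v, live["attributes"].get(k))
                 for k, v in res["attributes"].items()
                 if k != "tags" and live["attributes"].get(k) != v}
        if diffs:
            findings.append({"address": res["address"], "runtime_id": live["id"],
                             "status": "drifted", "diffs": diffs})
    return findings

def untraced(runtime):
    """Runtime resources with no yor_trace tag: created outside of code."""
    return [r["id"] for r in runtime if not r["attributes"]["tags"].get("yor_trace")]
```

A drift finding's diffs (declared value, runtime value) are exactly what the fix pull request writes back into the code definition.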