Software Supply Chain Security

Protect your software supply chain with complete visibility and policy enforcement across software components and delivery pipelines.

Cloud-native development relies on software supply chains to increase developer productivity and reduce the mean time to market for new features. But software supply chains introduce unique risks and complexity because they incorporate third-party software and tooling into developer workflows. Security teams must proactively set up guardrails to protect software supply chains against threats and ensure that those guardrails aren’t compromising developer agility.

Read about Unit 42’s latest research on software supply chain risks.

Secure third-party components and delivery pipelines

Prisma Cloud gives organizations visibility into every component of their software supply chains – from code to resources to delivery pipelines – as well as the ability to continuously enforce secure configuration. Prisma Cloud’s trusted industry-leading data sources, coupled with native developer integrations, make it easy to manage and mitigate all third-party supply chain risk:
  • Visualization of software component and delivery pipeline risks.
  • Integrated into developer tools and workflows.
  • Best-in-class misconfiguration and vulnerability scanning engines.
  • Code inventory and visualization
  • Secrets scanning
  • Registry scanning
  • Trusted image enforcement
  • CI/CD security
  • Automated IAM right-sizing

THE PRISMA CLOUD SOLUTION

Our Approach to Supply Chain Security

Consolidated supply chain coverage and visualization

With Prisma Cloud’s Supply Chain Graph, organizations can visualize each component of their supply chain and understand all associated risks. Prisma Cloud’s Supply Chain Graph inventories all of an organization’s code and pipeline components into one visualization – augmented by an overlay of security posture data – to give a complete visual representation of an organization’s application and infrastructure asset dependencies. Using those insights, organizations can prioritize risks across their supply chain and more efficiently deploy resources to remediate the issues with the highest chance of exploitation.

  • Software supply chain visibility and cataloging

    The Supply Chain Graph provides a consolidated inventory of organizations’ delivery pipelines and code components. By visualizing all of the connections, organizations gain much-needed visibility into their supply chain’s attack surface. Organizations can then act on those findings, for example by using Prisma Cloud’s bulk pull request fixes feature, which creates a single pull request that applies an automated fix for many violations at once.

  • Context-aware Software Composition Analysis (SCA)

    Prisma Cloud supports open source package scanning with limitless dependency tree scanning and granular version bump fixes. By overlaying vulnerability findings with infrastructure misconfigurations and by embedding into developer tools, Prisma Cloud’s SCA empowers developers to prioritize and remediate open source risks faster.

  • Industry-leading IaC security

    Powered by the market’s most robust open source policy-as-code engine, Checkov, Prisma Cloud is equipped with thousands of policies to help proactively enforce cloud security best practices. Prisma Cloud surfaces cloud security issues early in the development lifecycle and provides code fixes to ensure only secure infrastructure code gets deployed.

Secure repositories and registries

To support the ever-growing complexity of cloud-native codebases, organizations rely heavily on third-party systems to store, version and manage their code. Version control systems (VCS) such as GitHub, GitLab or Bitbucket are relied on to manage that code, and because they hold proprietary code and connect to critical systems, it’s vital that they are also secure. Image registries such as Docker Hub are crucial for storing container images and making them readily available, but without the right protections in place they can also introduce vulnerable or malicious images. Prisma Cloud is equipped with policies to continuously assess VCS organization settings and keep them aligned with security best practices, as defined by SLSA and CIS benchmarks.

  • Automated scanning of VCS organization settings

    When moving quickly, it’s easy to overlook VCS organization settings and assume that all code contributors will be secure. Prisma Cloud is equipped with policies to continuously ensure that VCS best practices, such as single sign-on (SSO) and two-factor authentication (2FA), are being enforced to prevent account takeover.

  • VCS repository settings scanning

    To deepen VCS security, Prisma Cloud also helps teams easily enforce branch protection rules to prevent malicious code injection and other unauthorized or suspicious activity. With policies to continuously scan VCS repo settings and maintain consistently applied branch protection rules, teams can be assured that their VCS repos are secure and that code is only allowed to be merged after proper review.
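The two checks just described (organization-level 2FA enforcement and repository branch protection) are the kind of thing a policy-as-code scanner evaluates against the settings a VCS exposes through its API. The following is an added example, not Prisma Cloud's code: it evaluates a weak and a hardened settings document against a small, made-up policy set. The sample documents are constructed to resemble the shape of GitHub REST API responses for an organization and a protected branch (an assumption for the example), and the policy identifiers are invented for illustration.

```python
"""Evaluate VCS organization and branch-protection settings against policies.

Added example (not Prisma Cloud code). The settings below are constructed
sample documents shaped like GitHub API responses; the VCS-ORG-* and
VCS-REPO-* policy IDs are invented for this example.
"""

# Constructed organization settings with weak defaults.
WEAK_ORG_SETTINGS = {
    "login": "example-org",
    "two_factor_requirement_enabled": False,
    "members_can_create_public_repositories": True,
}

# Constructed branch protection for the default branch, weakly configured.
WEAK_BRANCH_PROTECTION = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 1,
        "dismiss_stale_reviews": False,
    },
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
    "required_status_checks": {"strict": True, "contexts": ["ci/build"]},
}

# The same branch protection after remediation.
HARDENED_BRANCH_PROTECTION = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 2,
        "dismiss_stale_reviews": True,
    },
    "enforce_admins": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
    "required_status_checks": {"strict": True, "contexts": ["ci/build", "ci/test"]},
}


def org_findings(org):
    """Return (policy_id, message) pairs for organization-level violations."""
    findings = []
    if not org.get("two_factor_requirement_enabled"):
        findings.append(("VCS-ORG-001", "2FA is not required for all organization members"))
    if org.get("members_can_create_public_repositories"):
        findings.append(("VCS-ORG-002", "members may create public repositories"))
    return findings


def branch_findings(protection, min_reviews=2):
    """Return (policy_id, message) pairs for branch-protection violations."""
    findings = []
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < min_reviews:
        findings.append(("VCS-REPO-001", f"fewer than {min_reviews} approving reviews required"))
    if not reviews.get("dismiss_stale_reviews"):
        findings.append(("VCS-REPO-002", "stale approvals are not dismissed on new commits"))
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        findings.append(("VCS-REPO-003", "administrators can bypass branch protection"))
    if (protection.get("allow_force_pushes") or {}).get("enabled"):
        findings.append(("VCS-REPO-004", "force pushes to the protected branch are allowed"))
    if (protection.get("allow_deletions") or {}).get("enabled"):
        findings.append(("VCS-REPO-005", "the protected branch can be deleted"))
    checks = protection.get("required_status_checks") or {}
    if not checks.get("contexts"):
        findings.append(("VCS-REPO-006", "no status checks are required before merge"))
    return findings


def assess(org, protection):
    """Combine both policy sets; an empty result means the settings pass."""
    return {"org": org_findings(org), "branch": branch_findings(protection)}


if __name__ == "__main__":
    for scope, items in assess(WEAK_ORG_SETTINGS, WEAK_BRANCH_PROTECTION).items():
        for policy_id, message in items:
            print(f"{scope}: {policy_id}: {message}")
```

Running this against the weak documents reports the missing 2FA requirement and four branch-protection gaps; the hardened branch protection produces no branch findings. In a real pipeline the two input documents would come from the VCS API on a schedule, and any finding would feed the same alerting or pull-request workflow used for code findings.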

  • Continuous registry security and trusted images

    Container registries simplify the storage and delivery of container images but have unique security considerations that cloud-native teams must address to avoid image poisoning or deploying insecure images. Prisma Cloud continuously scans and monitors container registries, blocking vulnerable or untrusted images from deployment while also enabling teams to set granular deployment rules to alert on or prevent specific vulnerability and compliance issues.

Secure CI/CD pipelines

CI/CD pipelines are critical as cloud-native teams work to maintain their release velocity. But these pipelines are not secure by default, and bad actors frequently take advantage of CI/CD weaknesses to instigate supply chain attacks. Prisma Cloud’s policy library includes CI/CD best practices so organizations can continuously assess their pipeline security by leveraging the same automation supported by those pipelines.

  • Establish guardrails to prevent code injection and poisoning

    With Prisma Cloud’s out-of-the-box CI/CD policies, organizations can automate the creation and enforcement of guardrails, such as blocking the use of insecure commands or beta features.

  • Find and remove hardcoded secrets

    While it’s a best practice not to hardcode secrets into IaC templates or CI/CD configuration files, it sometimes happens when teams are moving fast. With Prisma Cloud’s secrets scanning, organizations can identify hardcoded secrets quickly and can prevent those secrets from being exposed to the public.
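To show what a secrets scan over IaC templates and CI/CD configuration actually does, here is an added example (not Prisma Cloud's scanner): a small line-oriented scanner that flags well-known credential formats and keyword-style assignments, while skipping lines that reference a secret store or variable instead of embedding a value. The two configuration snippets are constructed samples; the AWS access key ID in them is the documented example value, and the other credentials are made up.

```python
"""Line-oriented secrets scanner for CI/CD and IaC files.

Added example (not Prisma Cloud code). Sample inputs are constructed; the
access key ID is AWS's published example value, the rest is made up.
"""
import re

# Constructed GitHub Actions workflow: one hardcoded key, one safe reference,
# and a password passed on a command line.
SAMPLE_CI_CONFIG = """\
name: deploy
env:
  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
steps:
  - run: docker login -u ci -p hunter2password
"""

# Constructed Terraform: one literal password, one safe variable reference.
SAMPLE_IAC = """\
resource "aws_db_instance" "app" {
  username = "admin"
  password = "Sup3rS3cret!"
}
resource "aws_db_instance" "replica" {
  password = var.db_password
}
"""

# (finding kind, pattern). Keyword patterns require a value of some length so
# that empty placeholders and short flags do not trigger them.
SECRET_PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("hardcoded-credential", re.compile(
        r"(?i)\b(password|passwd|secret|token|api[_-]?key)\b\s*[:=]\s*['\"]?([^\s'\"]{8,})")),
    ("cli-password-flag", re.compile(r"(?:-p|--password)[ =]['\"]?([^\s'\"]{6,})")),
]

# Lines that pull the value from a secret store, CI secret or variable rather
# than embedding it are not findings.
SAFE_REFERENCE = re.compile(
    r"\$\{\{\s*secrets\.|\$\{?[A-Z_][A-Z0-9_]*\}?|\bvar\.|\bdata\.aws_secretsmanager")


def scan_config(text, source):
    """Return (source, line_number, kind) for every suspicious line."""
    findings = []
    for line_number, line in enumerate(text.splitlines(), start=1):
        if SAFE_REFERENCE.search(line):
            continue
        for kind, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((source, line_number, kind))
    return findings


def scan_all(files):
    """Scan a mapping of file name -> contents and flatten the findings."""
    results = []
    for source, text in files.items():
        results.extend(scan_config(text, source))
    return results


if __name__ == "__main__":
    for source, line_number, kind in scan_all(
            {"ci.yml": SAMPLE_CI_CONFIG, "main.tf": SAMPLE_IAC}):
        print(f"{source}:{line_number}: {kind}")
```

The scanner reports the literal access key and the command-line password in the workflow and the literal database password in the Terraform file, and stays quiet on the two lines that reference a CI secret or a variable. Pattern lists like this are the simple core of secrets scanning; production scanners add many more provider formats and entropy-based checks for values that have no recognizable prefix.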

  • Automatically enforce the principle of least privilege

    Prisma Cloud enables automated IAM right-sizing with policy as code. By continuously scanning and auditing existing IAM policies, Prisma Cloud removes unused permissions and adjusts overly permissive CI/CD host environment access. Prisma Cloud also enables teams to reduce the likelihood of human error by automatically validating and deploying secure code.

Consolidated software bill of materials (SBOM) generation

An SBOM is a complete inventory of an organization’s software components and all associated security issues. But an SBOM is only as complete as the inputs it’s fed, and when leveraging individual point solutions, getting that completeness requires manual deduplication and consolidation. Prisma Cloud simplifies the SBOM generation process for cloud-native applications by providing a single SBOM across application and infrastructure components, which allows organizations to easily share inventory and risk information with internal and external customers.

  • Consolidated and flexible exports

    A complete SBOM includes all IaC resources, open source packages, image components, known vulnerabilities, misconfigurations and open source licenses. Prisma Cloud exports SBOMs into standardized report formats, including CSV and CycloneDX.

  • Fulfill SBOM vendor requirements

    End customers – including the U.S. government – are increasingly demanding SBOMs as a solution to many top-of-mind concerns. SBOMs are primarily used to maintain vendor accountability in procurement processes and to ensure risk attributed to individual vendors is accounted for during an organization’s continuous risk assessments.

  • Maintain a trusted, accurate software inventory

    By comparing the SBOMs generated before and after deployment, organizations can detect and remediate tampering to maintain the validity and reliability of the information stored within the SBOM.
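The before-and-after comparison described above can be done directly on CycloneDX documents, since each component carries an identity (its purl) and content hashes. The following added example, not Prisma Cloud's code, diffs two constructed CycloneDX 1.4 JSON SBOMs, one generated at build time and one generated from the deployed artifact, and reports components that were added, removed or whose hash changed. All package names, versions and hash values are made-up sample data.

```python
"""Diff a pre-deployment SBOM against one generated from the deployed artifact.

Added example (not Prisma Cloud code). Both SBOMs are constructed CycloneDX
1.4 JSON documents with made-up component names, versions and hashes.
"""
import json


def cyclonedx(components):
    """Wrap a component list in a minimal CycloneDX 1.4 envelope."""
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4",
                       "components": components})


def component(name, version, sha256):
    """Build one constructed library component with a purl and SHA-256 hash."""
    return {"type": "library", "name": name, "version": version,
            "purl": f"pkg:pypi/{name}@{version}",
            "hashes": [{"alg": "SHA-256", "content": sha256}]}


# SBOM produced at build time.
PRE_DEPLOY_SBOM = cyclonedx([
    component("requests", "2.31.0", "aaaa1111"),
    component("urllib3", "2.0.7", "bbbb2222"),
    component("certifi", "2023.7.22", "cccc3333"),
])

# SBOM regenerated from the deployed artifact: urllib3's content changed,
# certifi is missing, and an unexpected package appeared.
POST_DEPLOY_SBOM = cyclonedx([
    component("requests", "2.31.0", "aaaa1111"),
    component("urllib3", "2.0.7", "dddd4444"),
    component("extra-tool", "0.1.0", "eeee5555"),
])


def component_key(comp):
    """Use the purl as identity; fall back to name@version when absent."""
    return comp.get("purl") or f"{comp.get('name')}@{comp.get('version')}"


def component_hash(comp, alg="SHA-256"):
    """Return the component's hash for the given algorithm, or None."""
    for entry in comp.get("hashes", []):
        if entry.get("alg") == alg:
            return entry.get("content")
    return None


def index_components(sbom_json):
    """Map component identity -> hash for a CycloneDX JSON document."""
    sbom = json.loads(sbom_json)
    return {component_key(c): component_hash(c) for c in sbom.get("components", [])}


def diff_sboms(pre_json, post_json):
    """Report components added, removed, or changed between two SBOMs."""
    pre = index_components(pre_json)
    post = index_components(post_json)
    return {
        "added": sorted(set(post) - set(pre)),
        "removed": sorted(set(pre) - set(post)),
        "changed": sorted(k for k in set(pre) & set(post) if pre[k] != post[k]),
    }


def sbom_is_trusted(pre_json, post_json):
    """True only when the deployed inventory matches the build-time inventory."""
    delta = diff_sboms(pre_json, post_json)
    return not (delta["added"] or delta["removed"] or delta["changed"])


if __name__ == "__main__":
    print(json.dumps(diff_sboms(PRE_DEPLOY_SBOM, POST_DEPLOY_SBOM), indent=2))
    print("trusted:", sbom_is_trusted(PRE_DEPLOY_SBOM, POST_DEPLOY_SBOM))
```

Any non-empty diff is a signal to investigate before trusting the deployed artifact: an added component may be an injected dependency, a removed one a stripped control, and a changed hash a modified file under the same version label. Comparing on hashes rather than version strings is what catches the last case.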

Code Security Modules

  • Infrastructure as Code Security

    Automated IaC security embedded in developer workflows.

  • Software Composition Analysis (SCA)

    Context-aware open source security and license compliance.

  • Software Supply Chain Security

    End-to-end protection for software components and pipelines.

  • Secrets Security

    Full-stack, multidimensional secrets scanning across repos and pipelines.
