
Prisma Cloud analytics, automation boost DevSecOps speed

Prisma Cloud's Darwin update looks to address DevSecOps communication and velocity lags with centralized analytics and by ditching tickets for automated pull requests.

Prisma Cloud has added six new features to its DevSecOps software meant to tighten communication between security teams and application developers using updated analytics and direct tie-ins to code version control systems.

The update, code-named Darwin, will be built into all versions of Prisma Cloud's Cloud-Native Application Protection Platform (CNAPP). Updates include:

  • AppDNA visualization that displays infrastructure components within their associated cloud apps, including cloud services, infrastructure assets, compute workloads, API endpoints, data, and code;
  • A knowledge graph-based topology visualization of security attack paths that points to the causes of vulnerabilities, such as misconfiguration or vulnerabilities in code;
  • A "fix in cloud" option for security teams to remediate high-risk vulnerabilities in production before engaging developers for longer-term code fixes;
  • A "fix in code" remediation feature that opens a pull request in developers' version control systems, such as GitHub, and identifies where vulnerabilities exist in application code;
  • Cloud discovery and exposure management that identifies unmanaged cloud resources and assesses their risk; and
  • New dashboards spanning application code to cloud deployments, which can be customized for business leaders such as CISOs and product managers.

The knowledge graph update, which Prisma Cloud calls Infinity Graph, now includes natural language processing for queries. Prisma Cloud has long used machine learning behind the scenes for analytics, but the new features aren't AI-driven. These more centralized tools could lend themselves to future use with behind-the-scenes AI analysis of threats and remediation advisories, but the company has no plans to create a GitHub Copilot-like code generator to fix vulnerabilities, according to company officials.

"Mission-critical fixes shouldn't be auto-generated by default," said Sai Balabhadrapatruni, vice president of marketing at Prisma Cloud. "There are still developers who are in control of how the fix actually gets done. We are simplifying the whole process of getting to that fix."

[Figure: Prisma Cloud fix in cloud option] Security teams can fix critical issues in production without waiting for developers to update code, but they also have the option to add vulnerability remediation directly to developers' pull requests.

DevSecOps communication, speed issues

This year's generative AI boom will still play a role in DevSecOps, analysts said, as enterprises look for ways to secure AI-generated code – and be quicker about it.


"Analysis from the code level to find vulnerabilities, especially with a lot of code-generation tools offering very vulnerable code, could be very useful," said Andy Thurai, an analyst at Constellation Research. "Plus, analyzing cloud runtime configurations and cloud infrastructure can be very useful, as many major incidents happen because of misconfigurations."

AI or no AI, enterprises must speed up communications between security and development teams to keep up with cloud-native applications. Organizations' median time to patch critical vulnerabilities sits at 49 days -- a number that hasn't improved in years, according to Verizon's 2023 Data Breach Investigations Report.

"The challenge has been that security lacks control and visibility into what developers are doing or not doing for security," said Melinda Marks, an analyst at Enterprise Strategy Group, a division of TechTarget. "Then applications are deployed with security issues, and it takes time to prioritize issues needing attention. The result has been a high number of security incidents."

Prisma Cloud isn't alone in seeing and addressing this problem. DevSecOps platform vendors GitLab and JFrog can also open pull requests in response to vulnerabilities, for example, and also offer centralized dashboards and analytics that span from code to cloud.

But Prisma Cloud, a division of Palo Alto Networks, can harness the large install base of a widely used network and security vendor for such DevSecOps features, Thurai said.

"Palo Alto being a major security player will fit right in [with this], instead of having many piecemeal [products] in place," he said.

This update could potentially set Prisma Cloud apart from other CNAPP competitors, as opposed to DevSecOps platforms, Marks said. CNAPP is a relatively new category formed from previously separate cloud security disciplines including cloud security posture management, cloud infrastructure entitlement management and cloud workload protection.

"This is the value prop for the CNAPP vendors -- prioritizing risk to help security scale with cloud-native application development, for cloud application protection," she said. "Some of the CNAPP vendors are weaker on the application security and development security side, so that is where Prisma Cloud is emphasizing its advantages … with the software supply chain and CI/CD pipeline capabilities from its Cider Security acquisition."

Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.

[Figure: Prisma Cloud fix in code pull request] Prisma Cloud users now have the option of directly opening pull requests in version control systems to remediate vulnerabilities in code.
