Security Assurance Policy on Prisma Cloud Compute
Prisma Cloud adheres to the guidelines outlined in the Palo Alto Networks Product Security Assurance Policy.
In accordance with this policy, Prisma Cloud Compute may have security releases outside of the regular release schedule.
Security releases are used for the sole purpose of remediating vulnerabilities that affect Prisma Cloud Compute, whether in its codebase or its dependencies.
We frequently analyze new vulnerabilities between releases to determine if any issue warrants a security release before the next scheduled release. This section outlines which issues are addressed in security releases.
With each new release of Prisma Cloud Compute, software dependencies are kept up-to-date to eliminate any known and confirmed vulnerabilities in third-party dependencies.
When new vulnerabilities are discovered in Prisma Cloud Compute dependencies after an official release, these vulnerabilities are addressed in the newer releases with the exceptions noted below.
Therefore, as a best practice, always upgrade to the latest release of Prisma Cloud Compute.
Vulnerability Triage
New releases of Prisma Cloud Compute are signed off with up-to-date dependencies. Vulnerabilities that meet the below criteria are analyzed between releases:
Vulnerabilities Analyzed
- Any vulnerability with severity high and above, regardless of having a fix or not.
- Any vulnerability with moderate severity when a fix is available.
Vulnerabilities Not Analyzed
- Any vulnerability with severity lower than high that does not have an existing fix.
- Any vulnerability with severity low or unimportant.
Exceptions
We also review vulnerabilities of any other severity when there is a known exploit or proof-of-concept that affects Prisma Cloud Compute.
This includes product vulnerabilities identified during development or reported by customers or third-party researchers.
To report a vulnerability in Prisma Cloud Compute, submit the vulnerability details to our PSIRT team.
Frequently Asked Questions
Which Prisma Cloud Compute releases receive security updates?
Prisma Cloud has an 'n-2' support policy that means the current release ('n') and the previous two releases ('n-1' and 'n-2') receive support. Security fixes will be backported only for supported releases. End of Life (EOL) releases will not receive security fixes.
For more information, see support lifecycle.
Are security fixes provided for both Prisma Cloud Enterprise and Compute editions?
Yes, security vulnerabilities are addressed in both editions.
Do I have to upgrade my console/defender to get security updates?
If security fixes are released, you may be required to upgrade either or both the Console and Defender. We recommend that all security releases are adopted immediately.
For the full details of which vulnerabilities were fixed in a release, refer to the
What is the minimum severity for vulnerabilities to warrant a security release?
See triage criteria above.
What is the frequency of security releases for Prisma Cloud Compute?
There is no schedule for security releases.
A security release happens whenever a new vulnerability that meets the criteria outlined above is discovered in Prisma Cloud Compute.
Where does the severity and fix information used during triage come from?
Console and Defender images are based on Red Hat Universal Base Images (ubi8/ubi-minimal).
For known vulnerabilities that are assigned a CVE identifier, we rely on severity ratings and fixes released by Red Hat.
For zero-days or undocumented vulnerabilities (such as PRISMA-IDs), we rely on severity determined by our researchers.
A new vulnerability is affecting Prisma Cloud Compute, but a security release was not issued.
If the vulnerability affects the latest release and meets the criteria for a security release outlined above, but has not yet been addressed, report it to Palo Alto Networks Support or to PSIRT.