Familiarize yourself with Prisma Cloud Application Security
Learn more about Application Security through multiple functionalities that help you secure your software development lifecycle.
Comprehensive Visibility
Real time, ongoing, comprehensive and accurate analysis of your technical stack, visualized through the following features:
- Repositories: A broad overview of your organization’s assets, providing detailed analysis of more than 600 programming languages and frameworks, technologies and integrations in its environment. You can see information about all your connected repositories, the VCS in use, technologies, CI/CD pipelines, and more. In addition, a summary of IaC misconfigurations, exposed secrets, SCA violations and CI/CD risks is displayed, giving you a comprehensive and accurate view of your organization’s repositories.
- Technologies: An inventory of 100+ SDLC technologies in use across your software development and delivery lifecycle. In addition, you can view supply-chain third-party inventories of all the apps and webhooks, Jenkins plugins and pipeline tools detected in your environment.
- SBOM: SBOM provides a detailed inventory of third-party components in the code, highlighting open-source packages and enabling tracking of both direct and indirect dependencies. It places a particular emphasis on identifying and addressing vulnerable software packages.
- CI/CD Risks: Displays all vulnerabilities detected in your CI/CD pipelines, including details such as the risk severity, the location and suggested remediation.
- Application Security Dashboard: The Application Security dashboard provides a unified view of the most critical application security vulnerabilities and misconfigurations detected during scans. This view provides a contextual understanding of high priority errors categorized by severity, common policy errors, licensing errors, IaC misconfigurations, CVE vulnerabilities and more.
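The SBOM bullet above describes tracking direct and indirect dependencies and flagging vulnerable packages. As an added example, not part of the original page or of Prisma Cloud, the following Python walks a constructed CycloneDX-style SBOM from the application root, reports every reachable vulnerable component, and names the direct dependency that pulls it in (the one you would actually upgrade or replace). Package names, versions and advisory ids are all made up; `VULNERABLE` stands in for the SCA feed a scanner would supply.

```python
import json
from collections import deque

# Constructed CycloneDX-style SBOM for a fictional app; package names and
# versions are made up for this example.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "pkg:pypi/webapp@1.0.0", "name": "webapp"}},
  "components": [
    {"bom-ref": "pkg:pypi/httpkit@2.1.0", "name": "httpkit", "version": "2.1.0"},
    {"bom-ref": "pkg:pypi/netcore@1.4.2", "name": "netcore", "version": "1.4.2"},
    {"bom-ref": "pkg:pypi/webfw@3.0.0", "name": "webfw", "version": "3.0.0"}
  ],
  "dependencies": [
    {"ref": "pkg:pypi/webapp@1.0.0", "dependsOn": ["pkg:pypi/httpkit@2.1.0", "pkg:pypi/webfw@3.0.0"]},
    {"ref": "pkg:pypi/httpkit@2.1.0", "dependsOn": ["pkg:pypi/netcore@1.4.2"]},
    {"ref": "pkg:pypi/webfw@3.0.0", "dependsOn": []},
    {"ref": "pkg:pypi/netcore@1.4.2", "dependsOn": []}
  ]
}"""

# Constructed vulnerability feed (bom-ref -> placeholder advisory id), standing in for SCA data.
VULNERABLE = {"pkg:pypi/netcore@1.4.2": "ADVISORY-PLACEHOLDER-1",
              "pkg:pypi/webfw@3.0.0": "ADVISORY-PLACEHOLDER-2"}

def load_graph(sbom_text):
    """Return (root bom-ref, {bom-ref: [dependsOn refs]}) from CycloneDX JSON."""
    sbom = json.loads(sbom_text)
    root = sbom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    return root, graph

def vulnerable_components(sbom_text, vulnerable=VULNERABLE):
    """BFS from the root: report each reachable vulnerable component with its shortest path,
    classified as direct or indirect, plus the direct dependency that introduces it."""
    root, graph = load_graph(sbom_text)
    direct = set(graph.get(root, []))
    report, seen, queue = {}, {root}, deque([(root, [root])])
    while queue:
        node, path = queue.popleft()
        if node in vulnerable:
            report[node] = {"advisory": vulnerable[node],
                            "kind": "direct" if node in direct else "indirect",
                            "via": path[1],  # direct dependency to upgrade or replace
                            "path": " -> ".join(path)}
        for child in graph.get(node, []):
            if child not in seen:  # guards against diamonds and cycles in the graph
                seen.add(child)
                queue.append((child, path + [child]))
    return report
```

Unreachable components (listed in `components` but not on any path from the root) are deliberately not reported, since they never ship with the application.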
Risk Prevention
Address root causes, preemptively mitigate risks in code, and stop real-time cloud breaches using precise, contextual and expert remediation through the following features.
- Projects: A consolidated view of application security scan results produced by Prisma Cloud, categorized into the following code categories: IaC misconfigurations, Vulnerabilities, Secrets, and Licenses, across periodic scans of default branches, CI/CD runs and pull requests. A contextual summary of all issues across code categories is displayed under the Overview.
- Code Reviews: Provides a global view of all application security scan results performed across repositories with insights into misconfigurations and vulnerabilities, as well as to CI/CD runs, identified by default policies based on pull requests (PR) and merge requests (MR).
- CI/CD Risks: Displays all vulnerabilities detected in your CI/CD pipelines, including details such as the risk severity, the location and suggested remediation.
Developer Integrations
- Detection: You can run automated scans through various interfaces, including a dedicated command line interface (CLI), integrated development environment (IDE), and version control system (VCS), to identify cloud infrastructure misconfigurations and vulnerabilities across IaC, SCA, Secrets and Licenses. Integration with your IDEs is facilitated through the
- Remediation: The Application Security module automatically generates code fixes and patches to address vulnerabilities and secure your code. It offers integrated pull request comments, fixes, and smart fixes that automate the security code review process and streamline remediation efforts.
To know more about IDE integrations, see here.
Fundamental Concepts
Familiarize yourself with the following fundamental concepts.
Concept | Definition |
---|---|
AppSec | The practices and tools used to protect applications from external threats and ensure their confidentiality, integrity, and availability. This includes identifying and addressing security vulnerabilities in the application code, as well as ensuring that security controls are implemented throughout the application development lifecycle. |
SIP | Security In the Pipeline (SIP) addresses the risk of code with security flaws flowing through the pipeline, providing the most effective measures tailored to the organization’s stack in order to detect such issues. |
SAP | Security Around the Pipeline (SAP) addresses the risk of the pipeline being bypassed. |
SOP | Security Of the Pipeline (SOP) addresses the security posture and the risk of security settings in pipeline systems such as the source control, CI, artifact repositories and container registries being compromised. SOP prevents the abuse of software delivery systems and processes in order to access the production environment. |
Repositories | A comprehensive view of an organization’s engineering technical stack from repository to deployment. See here for more on Repositories. |
Application Graph / Graph View | The repository’s path to production and connectivity between artifacts, presented in graph view. See here for more on repository Application Graphs. |
Technologies | An inventory of technologies in use across your organization’s engineering environment. Includes applications and webhooks, Jenkins plugins and pipeline tools. See here for more on Technologies. |
CI/CD pipeline | A set of practices and tools used to automate the building, testing, and deployment of software applications, facilitating the software development process. |
CI/CD risks | Risks in the CI/CD pipeline detected in the organization’s VCS, CI and artifacts, as well as cross-system risks. See here for more on CI/CD risks. |
CI/CD risk categories | Categories of CI/CD risks resulting from research into attack vectors associated with CI/CD, and the analysis of high profile breaches and security flaws as published by OWASP, allowing organizations to identify focus areas for securing their CI/CD ecosystems. |
Suppress CI/CD risks | Intentionally silence a specific warning of a risk detected in the CI/CD pipeline. This is often done when the issue is deemed low-risk or otherwise unimportant, and the developer wishes to prevent the warning or error message from appearing in future code scans or builds. See here for more on suppressing CI/CD risks. |
VCS 3rd Parties | Applications and webhooks connected to the VCS. See here for more on VCS 3rd Parties. |
Jenkins Plugins | An inventory of Jenkins plugin instances in the system. See here for more on Jenkins plugins. |
Pipeline Tools | An inventory of third party services and tools found in CI files. See here for more on Pipeline tools. |
Policies | A set of rules defining the expected behavior and configurations of resources such as cloud services. Policies cover a wide range of areas such as access control, encryption and compliance. See here for the policies applicable to Application Security. |
Resource | A resource is a Cloud Platform entity, for example, an Amazon EC2 instance, a CloudFormation stack, or an Amazon S3 bucket. |
Incident | During each scan, incidents corresponding to each instance of non-conformance to a policy in IaC, SCA, and Secrets files in build-time environments are created. |
Errors | During each scan, errors corresponding to each instance of non-conformance to a policy in runtime environments are created. |
Suppression | Suppression indicates that an incident is not problematic. You can suppress an incident for all relevant resources or for a specific resource only. |
Remediation | The following types of remediation are available, depending on the type of incident: Open Jira Ticket, Run Playbook, Open Fix PR. |