denisismagilov - Fotolia
Customers of Palo Alto Networks' Prisma Cloud security products will gain DevSecOps features now that the acquisition of Bridgecrew is complete, while Bridgecrew's infrastructure-as-code community gets fresh funding.
A merger agreement between Palo Alto and Bridgecrew was signed last month to add Bridgecrew's software for developers into the wider Prisma Cloud suite and open its security-focused toolset to DevSecOps collaboration.
After the $156 million deal closed this week, the companies also disclosed plans to maintain Bridgecrew's roadmap in an appeal to developers, including its open source Checkov project, which performs static code analysis for infrastructure as code.
"For the last two-and-a-half years… Prisma Cloud has predominantly been focused toward the security practitioner," said Varun Badhwar, senior vice president of product at Prisma Cloud. "Now, developers and DevOps teams [are] playing a much more prominent role in cloud automation with infrastructure as code [and] security teams have to better partner with developers."
Infrastructure-as-code tools such as HashiCorp's Terraform, Amazon Cloud Formation and Azure Resource Manager express in a programming language how cloud resources such as virtual machines and containers should be created. Developers can use them to manage infrastructure with the same tools they use to write applications. Such tools have become common as developers manage their own applications under DevOps, and automate complex cloud infrastructures built out of software components.
These trends gave rise to the concept of DevSecOps over the last two years, an approach to IT team organization where developers also build security into applications and code-driven infrastructure.
It hasn't been easy for previously separate teams to learn how to work together under DevSecOps, but there are signs of progress, according to one analyst.
"[IT teams] are getting more familiar with cloud platforms and their security capabilities, and upper management is aware that security is important and that they need to make security tools available to people," said Fernando Montenegro, analyst at 451 Research, a division of S&P Global. "We're just starting to 'get it' as an industry."
Bridgecrew will fill Prisma Cloud developer gaps
Bridgecrew's software integrates with code repositories such as GitHub and Bitbucket where developers store infrastructure-as-code templates, as well as CI/CD tools developers use to test and deploy infrastructure as code, such as Jenkins and Azure Pipelines. The Checkov tool analyzes infrastructure-as-code templates for mistakes that make them vulnerable to attackers. Bridgecrew's platform adds correction suggestions, including code snippets, to help developers fix these issues before they reach production.
The integration plan with Prisma Cloud will link Bridgecrew's pre-production checks with Prisma Cloud's runtime security scans. Prisma Cloud can catch vulnerabilities in infrastructure-as-code deployments that make it past Checkov. Similarly, Bridgecrew AirIAM, which helps developers set up app permissions in Terraform, will flow into Prisma Cloud's feature that detects malicious use of permissions in production.
"[We want to create] a consistent set of policies for security, all the way from build time to runtime," Badhwar said. "The problem with not having that is developers have their own set of checks… security then uses a different tool and at runtime says, 'Wait a minute…' That's friction we can remove when everybody's talking the same language."
Prisma Cloud won't gobble Bridgecrew whole
In addition to Checkov, investment from Palo Alto via Prisma Cloud will speed the development of early alpha projects Bridgecrew had already started, such as an automated infrastructure-as-code tagging tool.
Tagging, which organizes infrastructure parts using metadata labels, is typical in Kubernetes cluster management, but non-container infrastructure doesn't accommodate it as easily, said Idan Tendler, CEO and co-founder of Bridgecrew.
"There are challenges that you don't have in Kubernetes today, and [tagging] is one of the biggest needs that we heard from the community," he said. He declined to provide further details.
Fernando MontenegroAnalyst, 451 Research
Bridgecrew's commercial products won't disappear into Prisma Cloud post-acquisition, either, Badhwar said. Collaboration between developers and security teams is important, but he acknowledged the two specialties still expect different things from product interfaces.
"For example, in Bridgecrew, developers can log in using GitHub credentials," he said. "In Prisma Cloud, you can't; you have to use a different enterprise-class tool with different types of integrations."
Market research shows this may be a prudent approach. While 43% of 551 respondents to a 451 Research survey conducted in 2020 said IT security and application development teams are collaborating, that leaves 57% of the market that hasn't yet made the shift to DevSecOps.
"[The industry has] made some progress, but that certainly points to the notion that different teams behave differently and expect different things," 451's Montenegro said. "Security teams are rushing to close the gap, but vendors also recognize they have to meet developers where they are, and not browbeat them into submission."
To bring developers up to speed with security, Palo Alto and Prisma Cloud will expand Bridgecrew tools such as AirIAM and the TerraGoat testing tool to infrastructure-as-code frameworks other than Terraform, which both use currently.
TerraGoat deploys deliberately vulnerable infrastructure as code into a sandbox environment to demonstrate what goes wrong as a result. It has become popular in the community for developer training, Tendler said.
"It's not enough to give [them] tools to fix misconfigurations as we do today," he said. "We need to give DevOps engineers tools so they will understand what it means when their infrastructure is not secure, and they have policies that are not accurate."
Such experiential learning tends to be more effective in helping developers understand security concepts than simple vulnerability reports, Montenegro said.
"Being able to see it in their [programming] language as it actually manifests itself is much better than sending a PDF saying, 'you are vulnerable,'" he said.