Palo Alto Networks Expands Checkov Tool to Secure Infrastructure

Palo Alto Networks has added support for GitHub Actions, GitLab Runners, CircleCI, and Argo Workflows to Checkov, an open source tool that scans programmatically provisioned infrastructure for misconfigurations.
Guy Eisenkot, senior product manager for Bridgecrew by Prisma Cloud at Palo Alto Networks, said the goal is to make it easier to secure configurations created using infrastructure-as-code (IaC) tools such as Terraform.
These additions are now available as part of a library of Checkov policies, including graph-based checks, which provide a contextual way to identify risks within infrastructure and application code as part of a DevSecOps workflow, using a tool that lets IT teams manage policies as code, he noted.
Cloud infrastructure misconfigurations have become a major problem. Typically, this infrastructure is programmatically provisioned by developers who have little or no cybersecurity expertise. As a result, cybercriminals are now looking more aggressively for misconfigurations that they can exploit to, for example, exfiltrate data or illegally access services through application programming interfaces (APIs). Checkov makes it easier to identify these potential security issues in the context of a DevOps workflow before cloud infrastructure is provisioned, Eisenkot noted.
There is much more focus on securing software supply chains following a series of high-profile breaches. Last year, the Biden administration even went so far as to issue an executive order requiring federal agencies to review the security of their software supply chains. The challenge is that most organizations have yet to implement a truly developer-centric approach to ensuring application security, Eisenkot said.
In general, cloud platforms are more secure than on-premises computing environments. However, the processes used to build and deploy cloud applications today are clearly problematic. A chronic shortage of cybersecurity personnel further compounds the problem, as most organizations are unable to keep up with the rate at which workloads are deployed in the cloud.
As more organizations also begin to adopt DevSecOps best practices, the overall state of cybersecurity is expected to improve. The challenge is that no matter how much time and effort goes into training developers, there will always be errors that a cybercriminal can exploit. Policy-as-code tools like Checkov make it much less likely that these errors will trickle down to a production environment.
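As an added illustration of the policy-as-code idea described above (example code written for this article, not Checkov's own code or policy library): a small Python gate that reads a Terraform plan in the JSON form that `terraform show -json` emits, applies two policies to the planned resources, and fails the pipeline before anything is provisioned. The sample plan and the `EX_AWS_*` policy ids are constructed for the example and are not Checkov identifiers.

```python
"""Policy-as-code gate over a Terraform plan (JSON) -- added example, not Checkov code."""
import json
from dataclasses import dataclass
from typing import Callable, Iterator

# Constructed sample: the shape of `terraform show -json plan.out`, trimmed to the
# fields these checks read. None of this describes real infrastructure.
SAMPLE_PLAN_JSON = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "values": {"bucket": "example-logs", "acl": "public-read"}},
        {"address": "aws_security_group.ssh", "type": "aws_security_group",
         "values": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                                 "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}},
        {"address": "aws_s3_bucket.private", "type": "aws_s3_bucket",
         "values": {"bucket": "example-private", "acl": "private"}},
    ]}}
})


@dataclass(frozen=True)
class Policy:
    policy_id: str                 # hypothetical ids for this example, not Checkov CKV_* ids
    resource_type: str             # Terraform resource type the policy applies to
    description: str
    passes: Callable[[dict], bool]  # returns True when the resource's attributes are compliant


def _no_public_acl(values: dict) -> bool:
    """Bucket must not grant read or write access to everyone via a canned ACL."""
    return values.get("acl", "private") not in {"public-read", "public-read-write"}


def _no_world_open_admin_port(values: dict) -> bool:
    """No ingress rule may expose SSH (tcp/22) or all traffic to the whole internet."""
    for rule in values.get("ingress", []):
        world = "0.0.0.0/0" in rule.get("cidr_blocks", []) or "::/0" in rule.get("ipv6_cidr_blocks", [])
        all_traffic = rule.get("protocol") == "-1"
        covers_ssh = rule.get("from_port", 0) <= 22 <= rule.get("to_port", 0)
        if world and (all_traffic or covers_ssh):
            return False
    return True


POLICIES = [
    Policy("EX_AWS_1", "aws_s3_bucket", "S3 bucket ACL must not be public", _no_public_acl),
    Policy("EX_AWS_2", "aws_security_group", "Security group must not open SSH to 0.0.0.0/0 or ::/0",
           _no_world_open_admin_port),
]


def planned_resources(plan: dict) -> Iterator[dict]:
    """Walk planned_values.root_module, descending into child_modules."""
    def walk(module: dict) -> Iterator[dict]:
        yield from module.get("resources", [])
        for child in module.get("child_modules", []):
            yield from walk(child)
    return walk(plan.get("planned_values", {}).get("root_module", {}))


def evaluate(plan_json: str) -> list[tuple[str, str, str]]:
    """Return (policy_id, resource address, description) for every failed check."""
    plan = json.loads(plan_json)
    findings = []
    for res in planned_resources(plan):
        for pol in POLICIES:
            if res.get("type") == pol.resource_type and not pol.passes(res.get("values", {})):
                findings.append((pol.policy_id, res["address"], pol.description))
    return findings


def gate(plan_json: str) -> bool:
    """Pipeline gate: True means the plan may be applied, False blocks the deploy."""
    return not evaluate(plan_json)


if __name__ == "__main__":
    for policy_id, address, description in evaluate(SAMPLE_PLAN_JSON):
        print(f"FAILED {policy_id} {address}: {description}")
    raise SystemExit(0 if gate(SAMPLE_PLAN_JSON) else 1)
```

Run against the constructed plan it reports two failures (the public bucket and the world-open SSH rule) and exits non-zero, which is the behaviour a CI job wants from a pre-provisioning gate; the compliant bucket produces no finding.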
In the meantime, organizations must work to bridge the long-standing divide between application development and cybersecurity teams. Historically, cybersecurity teams aggregated the vulnerabilities they discovered into spreadsheets that developers then had to fix. The problem is not only the lack of time to fix these vulnerabilities, but also the lack of context provided. Many of these vulnerabilities often prove inapplicable to how an application is deployed. Over time, application developers begin to ignore many of these requests in favor of focusing their efforts on writing additional code. Of course, the more code written, the greater the number of vulnerabilities that theoretically need to be patched until a vicious circle is created.
Of course, it’s only a matter of time before one of those ignored vulnerabilities is turned into a critical exploit and becomes the exception to this rule.