Last week, Gartner published their Market Guide for Cloud Native Application Protection Platforms (CNAPP). The report explores the different aspects of securing modern applications and provides guidelines for a unified approach to securing them.
If you’re not already familiar with CNAPPs, they’re a set of tools that help secure cloud-native applications across the entire software development lifecycle, from development through production. In essence, CNAPP combines the following capabilities:
(Note: For a great primer on the history and evolution of CNAPP, check out our webinar on “Why the 'A' in CNAPP is So Important - Application Security in the Age of Cloud Native Applications”; the relevant section begins at 2:18.)
Given the fact that Oxeye is firmly focused on the CNAPP landscape with our cloud-native application security platform, we took a keen interest in the report. Here are some of our takeaways and thoughts:
1. Cloud Native is not merely about architecture or technology, but rather a software development paradigm which involves technology, people, and processes.
Building modern applications is much more than assembling loosely coupled microservices, K8s, or APIs. It is also about getting the processes right so that the people involved in application development can focus on shipping products quickly and efficiently. A fast-paced development environment with modern DevOps methodologies requires automating processes and eliminating the need to manually review or confirm each development step.
The same goes for securing cloud-native apps. The solutions should be fully integrated with minimal manual intervention. Everyone involved in the process must get what they need in order to realize the true benefits of cloud-native: security gets to govern and manage the risk, and developers and DevOps get what they need to quickly and efficiently resolve vulnerabilities.
Neither party should have to spend time manually triaging to determine what vulnerabilities are real and exploitable, nor should they have to wonder if the remediation work that they’re doing is on a redundant vulnerability that showed up twice because they’re using different tools, placed at different parts of the software development lifecycle (SDLC).
2. Cloud Native Application Security Needs a New Approach to “Shift Left”
With the rapid pace of development, and the high ratio of devs to AppSec personnel, dev teams are the only resource that can, on a day-to-day basis, overcome application security challenges.
According to Verizon’s 2022 Data Breach Investigations Report, applications were the attack vector for over 40% of successful breaches. This indicates that there’s still a fair amount of work to be done to secure cloud-native applications.
One of the primary challenges of securing them is that the attack surface of cloud-native applications is increasing. Attackers are targeting the misconfiguration of cloud infrastructure (network, compute, storage, identities and permissions), APIs and the software supply chain itself.
Compounding the challenge is that in the world of cloud-native, applications do not consist only of code, but are part of a much broader and more comprehensive architecture - containers, clusters, cloud, orchestrators, etc. Developers are increasingly being tasked with the responsibility for building the cloud infrastructure too - increasing their workload even further.
In order to enable developers to fulfill their roles as product and infrastructure builders, and contributors to product security, they must be given the support to perform each task efficiently and effectively.
Today, developers primarily use SAST tools for security. These have no infrastructure or runtime perspective and provide only an isolated view of application security. Developers also often have to manually triage vulnerabilities to figure out what’s exploitable, and are frequently asked to revisit vulnerabilities weeks or months after they pushed the code out, because the DAST tools that the AppSec team uses are deployed towards the end of the SDLC.
To resolve these issues, a seamless static and runtime view, both at the code and infrastructure level, is required in order to prioritize application vulnerability remediation efforts according to the highest risk to the business. This would greatly reduce application risks, while enabling developers to continue building rapidly.
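The two problems described above, duplicate findings from tools placed at different SDLC stages and static findings with no runtime context, can be illustrated with a small correlation step. The script below is an added example, not code from this post, from Oxeye’s platform or from the Gartner report; the finding format, the runtime context shape, the severity weights and all sample data are constructed for illustration. It merges findings that describe the same weakness at the same location regardless of which scanner reported them, then ranks the unique findings by whether the flagged code was observed executing and whether the workload is internet-exposed.

```python
"""Deduplicate findings across scanners and prioritize them by runtime exposure.

Added example with a constructed, simplified finding format; not any
vendor's data model.
"""

# Constructed sample findings from two hypothetical scanners placed at
# different SDLC stages. Both flag the same two code locations under
# different rule ids, and disagree slightly on the line number.
SAST_FINDINGS = [
    {"tool": "scanner-a", "rule": "A-SQLI-1", "cwe": "CWE-89",
     "service": "orders-api", "file": "orders/db.py", "line": 42},
    {"tool": "scanner-a", "rule": "A-PATH-7", "cwe": "CWE-22",
     "service": "reports", "file": "reports/export.py", "line": 118},
]
CI_SCANNER_FINDINGS = [
    {"tool": "scanner-b", "rule": "B0421", "cwe": "CWE-89",
     "service": "orders-api", "file": "orders/db.py", "line": 44},
    {"tool": "scanner-b", "rule": "B0220", "cwe": "CWE-22",
     "service": "reports", "file": "reports/export.py", "line": 118},
    {"tool": "scanner-b", "rule": "B0900", "cwe": "CWE-798",
     "service": "batch-worker", "file": "batch/legacy.py", "line": 9},
]

# Constructed runtime/infrastructure context of the kind a runtime agent or
# posture tool would supply: is the workload reachable from the internet,
# and which source files were observed executing?
RUNTIME_CONTEXT = {
    "orders-api": {"internet_exposed": True, "executed_files": {"orders/db.py"}},
    "reports": {"internet_exposed": False, "executed_files": {"reports/export.py"}},
    "batch-worker": {"internet_exposed": False, "executed_files": set()},
}

# Illustrative base severity per weakness class (not a CVSS mapping).
BASE_SEVERITY = {"CWE-89": 7, "CWE-22": 6, "CWE-798": 5}
LINE_TOLERANCE = 5  # scanners often differ by a few lines on the same sink


def same_weakness(a, b):
    """Two findings describe one weakness if service, file and CWE match and
    the reported lines are within LINE_TOLERANCE of each other."""
    return ((a["service"], a["file"], a["cwe"]) == (b["service"], b["file"], b["cwe"])
            and abs(a["line"] - b["line"]) <= LINE_TOLERANCE)


def dedupe(findings):
    """Merge duplicate findings, keeping every (tool, rule) that reported them
    so the developer sees one item, not one per scanner."""
    merged = []
    for f in findings:
        for m in merged:
            if same_weakness(m, f):
                m["sources"].append((f["tool"], f["rule"]))
                break
        else:
            item = {k: v for k, v in f.items() if k not in ("tool", "rule")}
            item["sources"] = [(f["tool"], f["rule"])]
            merged.append(item)
    return merged


def prioritize(merged, context):
    """Rank unique findings by base severity adjusted for runtime context.
    Code never observed executing is kept but heavily down-weighted;
    executing code on an internet-exposed workload is weighted up."""
    ranked = []
    for m in merged:
        ctx = context.get(m["service"], {})
        executed = m["file"] in ctx.get("executed_files", set())
        exposed = bool(ctx.get("internet_exposed", False))
        score = BASE_SEVERITY.get(m["cwe"], 3)
        if not executed:
            score = round(score * 0.2, 1)
        elif exposed:
            score = score * 1.5
        ranked.append({**m, "executed": executed,
                       "internet_exposed": exposed, "score": score})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


def main():
    unique = dedupe(SAST_FINDINGS + CI_SCANNER_FINDINGS)
    for r in prioritize(unique, RUNTIME_CONTEXT):
        print(f"{r['score']:>5}  {r['service']:<13} {r['file']}:{r['line']} "
              f"{r['cwe']}  executed={r['executed']} "
              f"exposed={r['internet_exposed']}  sources={r['sources']}")


if __name__ == "__main__":
    main()
```

With the constructed data, five raw findings collapse to three unique ones; the SQL-injection finding on the internet-exposed `orders-api` service is ranked first, and the hard-coded credential in code that never executed at runtime drops to the bottom rather than disappearing, so a reviewer can still see it without triaging it ahead of reachable risk.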
3. There’s a need for fully-integrated CNAPP solutions, but they don’t exist yet
In order to fully understand and manage application risks in the era of cloud-native, a CNAPP offering has to provide a comprehensive view of all the risk factors along the entire software lifecycle, from development through production. What’s missing from today’s CNAPP is an intimate understanding of development artifact risks in custom code and packages. CNAPP originally arose from the consolidation of the Cloud Service Posture Management (CSPM) and the Cloud Workload Protection Platform (CWPP) categories, and other technologies such as Cloud Infrastructure Entitlement Management (CIEM) were added to the platform to round out its functionality.
At the moment, the majority of the tools that have come together to make up CNAPP are focused on cloud risk visibility and runtime operation risk visibility, which leaves a big gap in risk visibility at the application layer. Having this visibility is crucial, given that cloud-native applications differ significantly from their monolithic predecessors and offer attackers a larger attack surface. In addition, the shift to cloud-native has been accompanied by a shift in the responsibility for setting up infrastructure to development and DevOps teams. Giving everyone in security a continuous, holistic view of application and cloud security closes the gaps in visibility and accountability, and makes it much less likely that security issues mushroom within them.
Note: Oxeye is honored to be included in the report as a vendor in the list of Application and Software Supply Chain Security Tools Adjacent to CNAPP.