What does CNAPP (really) mean?
First termed in the Gartner Hype Cycle for Cloud Security, 2021, a cloud-native application protection platform (CNAPP) is, as the name implies, a platform approach for securing applications that are cloud-native across the span of the software development lifecycle (SDLC) of the applications. The need for CNAPP originates from the proliferation of the ease of access to cloud resources and the spectacular adoption of agile development frameworks for applications. Each step across the lifecycle has security concerns and implications, including artifact and exposure scanning of code, cloud infrastructure configuration, runtime protection, and exposure scanning of assets. Any step along this development journey has the potential to lead to exploitation, which is exacerbated by the speed of development and release schedules moving to a continuous integration/continuous delivery (CI/CD) format. Additionally, a burgeoning vector of potential threats is the development platforms and tools being used around these SDLC flows to facilitate faster and better delivery of applications.
Gartner originated the term CNAPP in response to the explosive popularity of cloud computing coupled with agile development. Security programs struggle to meet the need of keeping these ephemeral, -shifting, and exceptionally quick workflows secure across every step of the development lifecycle.
CNAPP, much like the SASE concept and Zero Trust, again moves security functionality closer to the assets being protected. Focus is brought to the key areas for all of the stages of an SDLC program, such as code being scanned for misconfigurations, secrets, and other dangerous artifacts, all the way to cloud workloads, services, and IAM profiles being scanned and protected from exploitations, -misconfigurations, and vulnerable packages. The ultimate vision of this protection strategy is to be consolidated into a single technology platform that follows the entire SDLC as historical security practices have proven that using disparate products for the different steps leads to too much loss of effectiveness and efficiency of the security program. The long-standing friction between development and security must be properly handled to satisfy both parties as well, which necessitates a level of ease of use that flows with the lifecycle as opposed to interrupting it.
As the last 5 to 10 years have shown us, anything “cloud-related” becomes hyped pretty quickly. In this hyped-up state, just claiming “We do CNAPP” is going to catch attention, even if the underlying truths are much less exciting. Additionally, with the term being so nascent, there is a level of confusion about what CNAPP even entails. This leads to vendors who have a single coverage type, or maybe an area of coverage, claiming they are fully CNAPP. Vendors who are only covering runtime exposure scanning or merely artifact scans in code will have customers believing that they are a full CNAPP platform. These vendors then hope the customers are happy long enough to stay with them while they develop the rest of an actual CNAPP product, or potentially just never realize they are exposed to the other areas of their SDLC process.
CNAPP is about securing all the steps in the convergence of development and cloud infrastructure. Every step along the lifecycle contains a business’s most critical and sensitive technology assets. This necessitates having security involved in all of these steps and should be a primary focus for companies that need to maintain the integrity of these assets in a manner that does not degrade the -effectiveness or speed of agile frameworks. The secondary focus then becomes ease of operating/administering the entire platform to validate that security effectiveness and updates to known vulnerabilities, -misconfigurations, threats, and other errata being assessed are all properly occurring. This brings us to a tertiary focus that involves considering all of the development platforms being used as potential new vectors of attack, after which a full platform would have a company facilitating security in, of, and around the code/application.
Here are some questions to ask your team for a successful CNAPP adoption:
- Have we analyzed every step of the process, meaning every user who accesses code, the repositories, the build and deployment environments, and the runtime environments? What solutions are in place to secure these steps?
- Can we ensure consistency in finding and preventing issues at their source no matter the stage of the lifecycle said issues originate from?
- How will we integrate the protection into our current workflows in the SDLC in order to maintain or even increase the speed of application delivery?
- How will we maintain visibility of the entire SDLC–from code to runtime–to verify security has looked in, of, and around each application’s development?
- If we can maintain consistent security while simplifying the technology stack, what prevents us from consolidating the tools we use today?
Learn more about CNAPP.