When Check Point Software acquired Israeli startup Spectral a year ago, it joined the ranks of other network security providers that were acknowledging the growing threat of software supply chain attacks. Spectral helped fill a critical gap in CloudGuard, Check Point's unified threat protection and network security platform for public and hybrid clouds, with its code scanning and leakage detection tools.
Spectral offers infrastructure-as-code (IaC) scanning, code-tampering prevention, hard-coded secrets detection source controls, and continuous integration/continuous delivery (CI/CD) security and source code leakage detection tools. It provided the underpinning of Check Point's Cloud-Native Application Protection Platform (CNAPP), which is now part of CloudGuard, one of four core Check Point product lines.
Understanding the Role of CNAPP
CNAPP is gaining a lot of attention as developers shift to cloud-native application development to support new business applications and digital transformation initiatives. Gartner describes CNAPPs as "an integrated set of security and compliance capabilities designed to help secure and protect cloud-native applications across development and production."
Developers are increasingly relying on open source code and microservices from a widely distributed and often vast community to compose their containers and serverless functions. While the source code may come from an established ecosystem, it is common for some components to have roots in unknown or obsolete sources. CNAPP enables organizations to establish DevSecOps processes where software developers take the lead in discovering potential flaws in code before deploying application runtimes into production, says Melinda Marks, a senior analyst at Enterprise Strategy Group.
"This is important for preventing security issues before you deploy your applications to the cloud because once you deploy them, they're available for the hackers," Marks says.
Agentless Scanning and Other New Features
After integrating Spectral's tools into CloudGuard upon completing last year's acquisition, Check Point added some critical new capabilities to the CNAPP, rolled out this month, including permissions and entitlement management, agentless scanning, and deeper risk scoring of an organization's entire environment. Check Point officials underscored the company's CNAPP push last week during its annual CPX 360 event in New York.
"We significantly enriched the platform to address many important elements of the cloud-native control environment," Check Point chief product officer Dorit Dor tells Dark Reading. Check Point also announced plans to feed all data from CloudGuard to its new Horizon Events, a unified dashboard that gathers logs from the entire Check Point ecosystem. Check Point introduced Horizon Events late last year, and an early access version is now available.
For Check Point, adding CNAPP to CloudGuard was critical. Check Point's key competitors are also on the CNAPP bandwagon. Among them, Palo Alto Networks has significantly emphasized its Prisma Cloud, which recently gained added software composition analysis (SCA) and secret scanning capabilities. In December, Palo Alto Networks acquired supply chain security tool provider Cider Security.
Check Point Shares CNAPP Roadmap
Dor touted Spectral's "very strong" secret scanning capabilities. She explained that developers could plug it into their CI/CD environments and implement policies as code through open policy agents.
Dor presented the roadmap for CloudGuard, noting that Check Point is looking to implement more AI. Check Point plans to improve observability and visibility to help developers identify malicious code. Also in the pipeline, Check Point is working on allowing CloudGuard to handle the entire software bill of materials (SBOM) life cycle, ultimately enabling and enforcing SBOMs.
Check Point is also working on enhancing how CloudGuard works with network security. "Network Security has been there for a long time; we have a very mature network security solution," Dor said. "But the challenge now is to make it speak more of the language of the developers."
Check Point is addressing that by integrating network security into its AWS Security framework and offering it with the AWS network security as a service. Dor noted that Check Point recently integrated CloudGuard network security with Microsoft Azure, allowing administrators to manage their Microsoft environments.
"It's a space for continuous investment," Dor said. With a direction toward multicloud coverage, the goal is to enable it to "support your developers natively and to support the system administration and giving you one cloud control plane."