As more organizations shift to cloud-native application development to support new business features and digital transformation initiatives, software supply chain issues have become more visible. Because cloud-native development relies so heavily on open source software, organizations have to start thinking about the components that go into these applications.
To build these cloud-native applications, developers have adopted agile application development practices and rapid release cycles, and they rely heavily on open source code and microservices from a widely distributed and often vast community to compose their containers and serverless functions. While the source code may primarily come from an established ecosystem, it is common for some to originate from unknown sources or obsolete projects.
Traditional security approaches aren't designed to handle this new approach to application development, especially for modern cloud compute and serverless architectures. This is the area cloud-native application protection platforms (CNAPP) evolved to address. Gartner describes CNAPP as "an integrated set of security and compliance capabilities designed to help secure and protect cloud-native applications across development and production."
According to a recent Frost & Sullivan report, sales of CNAPP topped $1.7 billion in 2021, nearly 49% higher than 2020. Frost & Sullivan projects that CNAPP revenues will grow at a compound annual growth rate of almost 26% from 2021 to 2026. The report's author, industry principal for global cybersecurity Anh Tien Vu, forecasts that by 2026, revenues will exceed $5.4 billion "because of the increasing demand for a unified cloud security platform that strengthens cloud infrastructure security and protects applications and data throughout their life cycle."
Prevent Problems During Development
Attackers are increasingly homing in on cloud-native targets to exploit vulnerabilities that enter the software supply chain. Last year, the Log4Shell vulnerability in the widely deployed Log4j Java runtime library illustrated the broad impact such a vulnerability can have on the application ecosystem. Given the widespread distributed deployment of Java applications, organizations had to scramble to find and patch them after Apache Foundation's public disclosure.
"With Log4j, people didn't know whether those libraries were in use or not," says Enterprise Strategy Group senior analyst Melinda Marks. Experts frequently cite Log4j as a wake-up call to CISOs and CIOs that software development life cycles need to collaborate more closely and shift left.
Marks says CNAPP enables organizations to establish DevSecOps processes in which software developers take the lead in discovering potential flaws in code before deploying application runtimes into production, but it also goes further.
"This is important for preventing security issues before you deploy your applications to the cloud because once you deploy them, they're available for the hackers," Marks says.
Monitor Runtime to Identify Priorities
CNAPPs consolidate siloed capabilities, including the scanning of development artifacts, such as containers and infrastructure as code (IaC), cloud security posture management (CSPM), cloud infrastructure management (CIEM), and runtime cloud workload protection platforms. Besides providing a more unified approach and better visibility of the risk of cloud-native computing environments, CNAPP provides common controls to mitigate vulnerabilities.
Notably, CNAPP also facilitates collaboration among application development, cybersecurity, and IT infrastructure teams, paving the way for detecting and mitigating vulnerabilities before applications are deployed into production. Security vendors such as Check Point and Palo Alto Networks are adding CNAPP capabilities to their security platforms.
Marks warns of a misconception about shifting security left: that it's all about moving security up front in the software development and build cycles.
"There's also the need to tie in the runtime monitoring and have that context for developer workflows, so they're not wasting time on fixing things that have no impact on how the application is actually going to run in the cloud," she says.