All application components and map your CI/CD from cloud to code to build an inventory & SBOM
Executive | November 30 2021 | 4 min read
A gap in current thinking has become so obvious and critical that an entirely new approach is needed to combine seemingly disparate ideas into a cohesive picture. This has happened with our understanding of how to secure cloud-native applications and we now have a new market definition: the Cloud Native Application Protection Platform (CNAPP).
Cloud-native applications are built using agile development methodologies and DevOps processes that continuously change the design and automatically deploy code to cloud infrastructure. Traditional application security, from legacy SAST and SCA to siloed secrets and IaC scanners, is no longer sufficient to secure cloud-native applications. A fundamentally new framework is needed that is business risk-based and contextual to accelerate software delivery instead of adding security roadblocks.
Gartner coined the term CNAPP to convey the idea that securing modern applications early in the development lifecycle requires an integrated approach that extends across the SDLC and encompasses both application code and cloud infrastructure. It consists of three main components: Cloud-Native Application Security Scanning, Cloud Security Posture Management (CSPM), and Cloud Workload Protection Platforms (CWPP). By combining these areas, AppSec experts are better able to understand the risk to their applications:
“By integrating vulnerabilities, context and relationships across the development life cycle, excessive risk can be surfaced, enabling development teams and product owners to focus on remediating the areas of the application that represent the most risk.” – Gartner
Gartner has such an expansive vision for CNAPP that no one vendor is able to comprehensively provide all of the capabilities that are part of the framework. This is, in and of itself, not a bad thing. There will always be best-of-breed solutions in individual market areas that provide unique value. But there is a fundamental gap between each individual CNAPP sub-market and the end-goal of understanding and remediating risk at a holistic level. Here is the issue:
The premise is to reduce risk early in the SDLC, before delivering to the cloud, through continuous, low-code/no-code Secure by Design. The economics are compelling: find and fix early, with context, to reduce both cost and risk.
In order to fulfill the promise of CNAPP, a solution needs to deeply understand code, with context carried from design across the SDLC. In addition, “risk” is a concept that must include both the likelihood that an attack surface element (e.g., an API, a data store, an S3 bucket) is exploited and the business impact if that happens.
Apiiro secures your Software Development Lifecycle, from design to code to cloud. Our raison d’être has always been to identify changes that introduce critical application risks by understanding code, individual developer skill sets, and cloud infrastructure (mis)configurations before software is delivered to the cloud. We call these material changes, or in other words, software and infrastructure architecture drifts. We were founded on the idea that risk is multidimensional, and that is the fundamental truth for CNAPP.
Apiiro Code is a fast, contextual static analysis & NLP engine that remediates critical risks such as design flaws, misconfigurations, architecture drifts, secrets, and supply chain attacks across Application Code, Infra-as-Code and Open Source at commit, PR & CI time.
The Apiiro Application Risk Management Platform provides a real-time code inventory, a governance engine, a remediation workflow engine, and a single DevSecOps control plane that ingests data from any type of legacy AppSec tool or manual process in order to enrich the results with risk-based context and focus the AppSec engineer only on critical risks. Apiiro addresses many specific CNAPP use cases:
But CNAPP requires more than a list of individual capabilities. Its value comes from correlating data across many areas to build a comprehensive picture of risk. As Gartner states, “The most significant benefit of a CNAPP approach is better visibility and control of cloud-native application risk.” And that is exactly what Apiiro provides.
Apiiro is a “risk hub” that goes beyond traditional Application and Cloud Security to leverage the context that security professionals need in order to focus on Application Risk. Apiiro uses this understanding of risk to automatically trigger contextual security code reviews and threat models, and to automate risk assessment questionnaires, all before risky changes reach production. And that is the ultimate goal of a Cloud Native Application Protection Platform.