
A leap forward in risk-based AppSec: The cloud native application protection platform (CNAPP)

Executive | November 30, 2021 | 4 min read

A gap in current thinking has become so obvious and critical that an entirely new approach is needed to combine seemingly disparate ideas into a cohesive picture. This has happened with our understanding of how to secure cloud-native applications and we now have a new market definition: the Cloud Native Application Protection Platform (CNAPP).

Cloud-native applications are built using agile development methodologies and DevOps processes that continuously change the design and automatically deploy code to cloud infrastructure. Traditional application security, from legacy SAST and SCA to siloed secrets and IaC scanners, is no longer sufficient to secure cloud-native applications. A fundamentally new framework is needed that is business risk-based and contextual to accelerate software delivery instead of adding security roadblocks.

Gartner coined the term CNAPP to convey the idea that securing modern applications early in the development lifecycle requires an integrated approach that extends across the SDLC and encompasses both application code and cloud infrastructure. It consists of three main components: Cloud-Native Application Security Scanning, Cloud Security Posture Management (CSPM), and Cloud Workload Protection Platforms (CWPP). By combining these areas, AppSec experts are better able to understand the risk to their applications:

“By integrating vulnerabilities, context and relationships across the development life cycle, excessive risk can be surfaced, enabling development teams and product owners to focus on remediating the areas of the application that represent the most risk.” – Gartner

Existing Approaches to CNAPP Fall Short

Gartner has such an expansive vision for CNAPP that no one vendor is able to comprehensively provide all of the capabilities that are part of the framework. This is, in and of itself, not a bad thing. There will always be best-of-breed solutions in individual market areas that provide unique value. But there is a fundamental gap between each individual CNAPP sub-market and the end-goal of understanding and remediating risk at a holistic level. Here is the issue:

  • Legacy AppSec vendors, including SAST and SCA, focus on discovering individual vulnerabilities without analyzing risk along multiple dimensions.
  • CSPM and Application Security Orchestration and Correlation (ASOC) tools do not understand the application code, Infra-as-Code, and open source code, nor the developers' knowledge and activities. It is impossible to know whether a cloud-native application is secure without understanding both the code and the security maturity of the developers who write it.

The premise is to reduce risk early in the SDLC, before delivery to the cloud, using low-code/no-code continuous Secure by Design. The economics are compelling: finding and fixing early, with context, reduces both cost and risk.

In order to fulfill the promise of CNAPP, a solution needs to deeply understand code, with context from design across the SDLC. In addition, "risk" must combine both the likelihood that an attack surface element (e.g., an API, a data store, an S3 bucket) is exploited and the business impact if it is.

The Apiiro Approach to CNAPP

Apiiro secures your Software Development Lifecycle, from design to code to cloud. Our raison d'être has always been to identify changes that introduce critical application risks by understanding code, individual developer skill sets, and cloud infrastructure (mis)configurations before software is delivered to the cloud. We call these material changes, or in other words, software and infrastructure architecture drifts. We were founded on the idea that risk is multidimensional, and that is the fundamental truth for CNAPP.

Apiiro Code is a fast, contextual static analysis and NLP engine that identifies and remediates critical risks such as design flaws, misconfigurations, architecture drifts, secrets, and supply chain attacks across Application Code, Infra-as-Code, and Open Source at commit, PR, and CI time.

The Apiiro Application Risk Management Platform provides a real-time code inventory, a governance engine, a remediation workflow engine, and one DevSecOps control plane that ingests data from any legacy AppSec tool or manual process in order to enrich the results with risk-based context and focus the AppSec engineer only on critical risks. Apiiro addresses many specific CNAPP use cases:

  • Artifact Scanning
    • SAST. Apiiro scans code to discover assets and identify risky changes, including sensitive data and architecture drifts.
    • API Scanning. Apiiro discovers APIs, missing security controls, and PII via integrations with API gateways and Infra-as-Code analysis.
    • Secrets Scanning. Apiiro natively discovers secrets in code, including user passwords, API keys, authentication tokens, private encryption keys, and digital certificates.
    • OSS CVE & Dependency Scanning. Apiiro created and maintains the open source Dependency Combobulator to prevent dependency confusion attacks.
  • Cloud Configuration
    • IaC Scanning. Apiiro parses and analyzes Infrastructure as Code to identify cloud misconfigurations and correlate them with application risks.
    • Sensitive Data Scanning. Apiiro identifies sensitive data, including Personally Identifiable Information (PII), Protected Health Information (PHI), credit card numbers, social security numbers, and more.

But CNAPP requires more than a list of individual capabilities. Its value comes from correlating data across many areas to build a comprehensive picture of risk. As Gartner states, “The most significant benefit of a CNAPP approach is better visibility and control of cloud-native application risk.” And that is exactly what Apiiro provides.
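The risk definition given earlier (likelihood of exploitation combined with business impact) and the correlation of IaC misconfigurations, secrets, and data-classification findings are easy to state but worth seeing end to end. The Python below is an added illustration written for this edit; it is not Apiiro's code or engine. The Terraform fragment, the application snippet, the likelihood and impact weights, and the AWS access key ID (the sample value from AWS documentation, not a live credential) are all constructed assumptions.

```python
"""Added example: correlate IaC, secrets and data-classification findings into
one risk score (likelihood x impact). Not Apiiro's code; all inputs below are
constructed for the example."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed Terraform fragment (not real infrastructure): one public bucket
# tagged as holding PII, one private build cache.
TERRAFORM = '''
resource "aws_s3_bucket" "customer_exports" {
  bucket = "acme-customer-exports"
  acl    = "public-read"
  tags = {
    data_classification = "pii"
  }
}

resource "aws_s3_bucket" "build_cache" {
  bucket = "acme-build-cache"
  acl    = "private"
  tags = {
    data_classification = "internal"
  }
}
'''

# Constructed application snippet. AKIAIOSFODNN7EXAMPLE is the sample access
# key ID from AWS documentation, used here as a stand-in for a leaked secret.
APP_CODE = '''
s3 = boto3.client("s3", aws_access_key_id="AKIAIOSFODNN7EXAMPLE",
                  aws_secret_access_key=os.environ["PLACEHOLDER"])
s3.upload_file("/tmp/customers.csv", "acme-customer-exports", "export.csv")
'''

# Assumed weights: how exposed each ACL leaves a bucket, and how bad a breach
# of each data class would be. Tune these to your own risk appetite.
LIKELIHOOD = {"private": 0.2, "authenticated-read": 0.6,
              "public-read": 0.9, "public-read-write": 1.0}
IMPACT = {"public": 1, "internal": 2, "unknown": 3, "pii": 5, "phi": 5, "pci": 5}

RESOURCE_RE = re.compile(r'resource\s+"aws_s3_bucket"\s+"(\w+)"\s*\{(.*?)\n\}', re.S)
ATTR_RE = r'\b{}\s*=\s*"([^"]+)"'
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")  # shape of an AWS access key ID


@dataclass
class Bucket:
    name: str
    acl: str
    classification: str


@dataclass
class Finding:
    bucket: str
    score: float
    reasons: list[str]


def _attr(body: str, key: str, default: str) -> str:
    m = re.search(ATTR_RE.format(key), body)
    return m.group(1) if m else default


def parse_buckets(hcl: str) -> list[Bucket]:
    """IaC scanning step: minimal regex walk over aws_s3_bucket resources."""
    return [
        Bucket(_attr(body, "bucket", label), _attr(body, "acl", "private"),
               _attr(body, "data_classification", "unknown"))
        for label, body in RESOURCE_RE.findall(hcl)
    ]


def find_aws_keys(src: str) -> list[str]:
    """Secrets scanning step: long-lived AWS access key IDs in source."""
    return AWS_KEY_RE.findall(src)


def correlate(hcl: str, src: str) -> list[Finding]:
    """Join the three signals per bucket and rank by likelihood x impact."""
    keys = find_aws_keys(src)
    findings = []
    for b in parse_buckets(hcl):
        reasons = []
        likelihood = LIKELIHOOD.get(b.acl, 0.5)
        if likelihood >= 0.6:
            reasons.append(f"acl={b.acl} exposes the bucket")
        if b.name in src and keys:
            # A hard-coded credential in code that touches this bucket gives an
            # attacker a path to it even when the ACL is private.
            likelihood = max(likelihood, 0.8)
            reasons.append(f"hard-coded AWS key {keys[0][:8]}... in code referencing the bucket")
        impact = IMPACT.get(b.classification, IMPACT["unknown"])
        if impact >= 5:
            reasons.append(f"holds {b.classification} data")
        findings.append(Finding(b.name, round(likelihood * impact, 2), reasons))
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in correlate(TERRAFORM, APP_CODE):
        print(f"{f.score:>4}  {f.bucket}: {'; '.join(f.reasons) or 'no findings'}")
```

Each scanner on its own would report one finding of equal weight (a public ACL, a hard-coded key, a PII tag). Only the join shows that all three land on the same bucket, which is what pushes acme-customer-exports to the top of the list while the private build cache with no code reference scores near zero.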

Apiiro is a "risk hub" that goes beyond traditional application and cloud security to provide the context security professionals need in order to focus on application risk. Apiiro uses this understanding of risk to automatically trigger contextual security code reviews and threat models and to automate risk assessment questionnaires, all before risky changes reach production. That is the ultimate goal of a Cloud Native Application Protection Platform.

Idan Plotnik
CEO