CNAPP or not CNAPP?
The article is based on research into DevSecOps security solutions, as well as trends in the consolidation of security capabilities.
Why is CNAPP everywhere?
For those familiar with the comic strip "The Black Smurfs," it's a fascinating tale of a fly that bites a Smurf, infecting the entire village until the Grand Smurf discovers a cure...
The only word the Black Smurfs know how to say is "GNAP GNAP."
It's quite close to the word CNAPP. It seems that the market has been bitten by the buzzing fly, because numerous cybersecurity vendors are claiming to be THE CNAPP leader!
Gartner didn't help by creating this category when there were already many vendors addressing specific areas of cloud and application security.
What is it about?
Cloud-native application protection platforms (CNAPPs) are a unified and tightly integrated set of security and compliance capabilities designed to secure and protect cloud-native applications across development and production. CNAPPs consolidate a large number of previously siloed capabilities, including container scanning, cloud security posture management, infrastructure as code scanning, cloud infrastructure entitlement management, runtime cloud workload protection and runtime vulnerability/configuration scanning (source Gartner).
So in summary, it's a platform that encompasses dozens of features.
The first observation is the absence of CASB, which has shifted towards SASE/SSE.
The second is the consolidation into a single platform of players originating either from Cloud security or application security.
Gartner has defined a minimum set of features required to be considered a CNAPP platform, which are:
Today, AppSec and API security vendors are considered optional features of a CNAPP platform. This will evolve as the market and its players mature.
Today, it is clear that we are in the midst of a transition. Many actors are positioning themselves in the CNAPP category even though they lack many features outlined in the Gartner diagram above. Nevertheless, they are recognized leaders in their previous segments (i.e., AST, CIEM, CSPM, etc.).
Why create the category?
Removal of categories by Gartner
One of the evident reasons is the disappearance of categories at Gartner. If Gartner no longer produces reports on a category with the famous Magic Quadrant, it implies that the vendor is no longer considered "mainstream," and consequently a greater marketing and sales effort is required to gain recognition and sell.
Categories like CWPP and CSPM are destined to fade away, and it's likely that other categories, such as CDR (Cloud Detection and Response), may never truly come into existence.
Simplified Request for Proposal
Product requests for proposals (RFPs) are usually tied to a category, for instance when initiating an RFP to select a solution for EPP, IAM, NDR, SIEM, SASE, DLP, etc.
This has already begun, but it is expected to accelerate in 2024: there will be RFPs for choosing CNAPP solutions, even though, as I mentioned just before, there is a huge gap between the actors within this category.
Structuring the Market
Over the last three years, hundreds of millions have been invested through venture capital in companies falling into the CNAPP category, meaning they provide some of the expected functionalities. Consequently, due to a mimetic effect, there has been an amplification of the phenomenon, which could potentially be termed a bubble. I say this all the more willingly as the valuations of these young companies have declined, and some have had to reduce their workforce to seek profitability more quickly. Please note that I do not wish to downplay the significant benefits these solutions bring to customers on cybersecurity.
Marketing and Operational Imperative
The DevOps environment is already complex with a multitude of solutions, many of which come from the open-source world. Even though security is increasingly accepted by developers and operations, introducing complexity to an already complex practice would be poorly received. Presenting a CNAPP category to address all the security needs and challenges of Dev and Ops teams has a reassuring aspect.
I can already imagine the statement: "With a single platform and the right processes, we can ensure the security of our entire DevOps process. You can deliver new value-added services to our customers more quickly and securely." Who could say no?
Increasing the Total Addressable Market
Gartner has not yet sized the CNAPP market precisely. In 2022, it represented an estimated market size of more than $15B with 20% annual growth (sum of revenue from the several stand-alone markets that make up the core of CNAPP functionality).
Who wants to bet with me?
I'm convinced that market consolidation will come swiftly, given the current economic conditions, and the determination of several players to offer the most comprehensive CNAPP offering, in order to take a real leadership position.
It will probably include the acquisition of companies in the Application Security Testing category by Cloud Security or XDR vendors, or vice versa (e.g., PingSafe acquired by SentinelOne).
Palo Alto is very well positioned, as it is already considered a market leader in Cloud Security and XDR, and is also identified as a leading solution in DevSecOps through Prisma Cloud (cf. diagram below).
GitHub could also, in collaboration with Microsoft, build a top-notch CNAPP offering if the two organizations work closely together.
GitLab has also expanded its security features within its platform (IaC, Secrets, SCA, Container Security). Through the acquisition of a player from Cloud security (CSPM, CWPP), it could cover the entire scope.
So, CNAPP or not CNAPP?
In a nutshell, there is a CNAPP category defined by Gartner, but this category is a target proposed by Gartner for a set of security vendors.
Very few players, if any, cover the full set of features outlined by Gartner, but this should evolve rapidly in the coming years.
What is certain is that organizations must strengthen the security of DevOps practices throughout the application lifecycle, given the acceleration of production releases to meet business needs, the increase in attack surface (e.g., supply chain attacks), tightening regulations (e.g., DORA), and the profits generated by attackers.
So, is it the right time to launch a CNAPP request for proposal (RFP)?
In fact, a large majority of organizations have already taken steps through the acquisition of AST, CSPM, XDR solutions.
They should examine what their vendor offers to cover the entire range of CNAPP services and within what timeframe.
You have mainly three options:
An RFP is relevant only for the last two options.
Beyond CNAPP, it is also about optimizing the number of security vendors present in the cloud application lifecycle, which increases efficiency and reduces friction.
As a first step, I would recommend assessing your current situation against the major risks and weaknesses, and agreeing on a plan with the security, developer and ops teams (short-, mid- and long-term initiatives).
As always, you should address the triad: PEOPLE, PROCESS and TECHNOLOGY.
Cybersecurity is worthwhile only if it is shared...!
Source and additional materials
Market Guide
Gartner Reprint (Market Guide for Cloud-Native Application Protection Platforms)
Gartner Reprint (How to Select DevSecOps Tools for Secure Software Delivery)
Total Economic Impact approach
Buyer's Guide
The Ultimate Buyer's Guide to Cloud-Native Application Protection Platforms (CNAPP) (checkpoint.com)
For those who don't know the comic strip (a few pages): https://shorturl.at/uxzK9