Emerging Trends on Cloud-Native Application Protection Platforms

Optimal security of cloud-native applications requires an integrated approach that starts in development and extends to runtime protection. SRM leaders should evaluate emerging cloud-native application protection platforms that provide a complete life cycle approach for security.

Key Findings

  • Cloud-native applications arise from the combination of microservices applications (typically using Linux containers), built using rapid DevOps-style development and automatically deployed onto programmatic cloud infrastructure.
  • The unique characteristics of cloud-native applications make them impossible to secure without a complex set of overlapping tools spanning development and production, including:
      • Infrastructure as code (IaC) scanning
      • Container scanning
      • Cloud workload protection platforms (CWPPs)
      • Cloud infrastructure entitlement management (CIEM)
      • Cloud security posture management (CSPM)
  • Cloud-native applications are typically built from containers and serverless platform as a service (PaaS), but most communicate with virtual machine (VM)-based workloads and on-premises data centers, complicating protection strategies.
  • Understanding and addressing the real risk of cloud-native applications requires advanced analytics combining siloed views of application risk, open-source component risk, cloud infrastructure risk and runtime workload risk.
  • There is a shift in focus in leading-edge security organizations from protecting infrastructure to protecting workloads and the applications that run on these workloads.

As a security and risk management (SRM) leader responsible for infrastructure security, you should:

  • Implement an integrated security approach that covers the entire life cycle of cloud-native applications, starting in development and extending into production.
  • Integrate security into the developer’s toolchain so that security testing is automated as code is created and moves through the development pipeline, reducing the friction of adoption.
  • Acknowledge that perfect apps aren’t possible and focus developers on the highest severity, highest confidence and highest risk vulnerabilities to avoid wasting developers’ time.
  • Scan development artifacts and cloud configuration comprehensively, and combine this with runtime visibility and configuration awareness in order to prioritize risk remediation.

Introduction

Every business is a digital business, and boards of directors indicate their digital business initiatives have accelerated as a result of COVID-19. To support these initiatives, developers have embraced cloud-native application development, typically combining microservices-based architectures built using containers, assembled in DevOps-style development pipelines, deployed into programmatic cloud infrastructure, orchestrated at runtime using Kubernetes and maintained with an immutable infrastructure mindset. This shift creates significant challenges in securing these applications.

Security testing needs to be integrated as seamlessly as possible into the DevOps-style development and deployment of cloud-native applications. We refer to this as DevSecOps.

These organizations have manually stitched together DevSecOps with 10 or more disparate security tools — some old and some new — each with siloed responsibility and view of application risk,

  • In development, static application security testing (SAST), API security testing, dynamic application security testing (DAST), IaC scanning and threat modeling were identified as the five most commonly used tools to secure cloud-native applications.
  • In production, web application firewalls (WAF)/web application and API protection (WAAP), application security monitoring, DAST, CWPP and CSPM were identified as the five most commonly used tools to secure cloud-native applications.

CNAPPs are an integrated set of security and compliance capabilities designed to help secure and protect cloud-native applications across development and production. CNAPPs consolidate a large number of previously siloed capabilities, including:

  • Development artifact scanning, including containers
  • Cloud security posture management
  • IaC scanning
  • Cloud infrastructure entitlements management
  • Runtime cloud workload protection platform

Benefits and Uses

The most significant benefit of a CNAPP approach is better visibility and control of cloud-native application risk. Attempts to identify and remediate application risk have been fragmented across multiple toolsets spanning development and runtime. For example, for known vulnerabilities, a vulnerability score — such as the common vulnerability scoring system (CVSS) — is a measurement of risk, but it represents only one aspect of overall application risk.

Yet a vulnerability score is the most commonly cited metric used by enterprises to measure the risk of a vulnerability in application code or software components. Enterprise security teams and DevSecOps architects need an integrated way of understanding and addressing application risk that spans open-source software (OSS), custom code, container contents, cloud infrastructure configuration and runtime protection.
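The argument above, that a CVSS score is only one input into application risk, is easier to see in code. The following is an added example, not code from the article or from any CNAPP vendor: it joins constructed findings from a container scanner with constructed context from the runtime (CWPP), posture (CSPM) and entitlement (CIEM) views, and the multipliers are illustrative assumptions.

```python
# Added example: contextual risk prioritization across siloed views.
# All workloads, CVE ids and weights are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Finding:
    workload: str   # image the scanner found the vulnerability in
    cve: str        # constructed placeholder identifier
    cvss: float     # base score reported by the scanner (0-10)


@dataclass
class RuntimeContext:
    running: bool            # CWPP view: is the image actually deployed?
    internet_exposed: bool   # CSPM view: is it reachable from the internet?
    admin_identity: bool     # CIEM view: does it hold admin-level permissions?


# Constructed scanner output: two "critical" findings and one "high".
FINDINGS = [
    Finding("api-gateway:1.4", "CVE-PLACEHOLDER-1", 9.8),
    Finding("batch-worker:2.0", "CVE-PLACEHOLDER-2", 9.8),
    Finding("web-frontend:3.1", "CVE-PLACEHOLDER-3", 7.5),
]

# Constructed context for the same images, gathered from the runtime side.
CONTEXT = {
    "api-gateway:1.4": RuntimeContext(running=True, internet_exposed=True, admin_identity=False),
    "batch-worker:2.0": RuntimeContext(running=False, internet_exposed=False, admin_identity=True),
    "web-frontend:3.1": RuntimeContext(running=True, internet_exposed=True, admin_identity=True),
}


def contextual_risk(finding: Finding, ctx: RuntimeContext) -> float:
    """Scale the CVSS base score by deployment, exposure and identity context."""
    if not ctx.running:
        return round(finding.cvss * 0.1, 2)   # not deployed: no live exposure window
    multiplier = 1.0
    if ctx.internet_exposed:
        multiplier *= 1.5                     # assumed weight for internet reachability
    if ctx.admin_identity:
        multiplier *= 1.5                     # assumed weight for over-privileged identity
    return round(finding.cvss * multiplier, 2)


def prioritize(findings, context):
    """Return (workload, cve, contextual_score) tuples, highest risk first."""
    scored = [(f.workload, f.cve, contextual_risk(f, context[f.workload])) for f in findings]
    return sorted(scored, key=lambda row: row[2], reverse=True)
```

Run as written, the CVSS 7.5 finding on the exposed, over-privileged frontend ranks above the CVSS 9.8 finding on the gateway, and the undeployed batch worker's 9.8 drops to the bottom.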


Other benefits of CNAPP adoption include its ability to:

  • Reduce the chance of misconfiguration, mistakes or mismanagement as cloud-native applications are rapidly developed, released into production and iterated.
  • Reduce the number of tools and vendors involved in the CI/CD pipeline.
  • Reduce the complexity and costs associated with creating secure and compliant cloud-native applications.
  • Allow developers to accept security-scanning capabilities that seamlessly integrate into their development pipelines and tooling.
  • Allow security departments to place an emphasis on scanning cloud-native applications for risk proactively in development and rely less on runtime protection. This strategy is well-suited for container-as-a-service and serverless function environments and enterprises that have adopted an immutable infrastructure mindset.
  • Allow security departments to understand attack path analysis based on relationships — identities, permissions, networking and infrastructure configuration that would enable an attacker to target an application.
  • Bidirectionally link development and operations visibility and insight into risk analysis to improve the overall enterprise security posture.


Risks

SRM leaders interested in securing cloud-native applications face many risks, including:

  • Enterprise security and development teams lack the right skills. In a recent Gartner survey, the highest rated challenge when securing cloud-native applications in a DevSecOps pipeline was a lack of internal knowledge about security.
  • Organizational immaturity, in terms of cloud-native application development, may inhibit adoption.
  • Incumbent security protection vendors used by an enterprise (e.g., CWPP, WAF and WAAP vendors) aren’t necessarily good at integrating into development and often don’t understand the needs of modern DevOps-style development pipelines or developers, hampering adoption.
  • Developers won’t accept cumbersome intrusion into the development/deployment process, nor will they accept security tooling that wastes their time with false positives or low-risk findings.
  • Developers may have adopted OSS tools that achieve some of the desired outcomes of CNAPP but not all, creating visibility and control gaps the security team is unaware of.
  • Cloud-native application security strategies may fail to address all types of development artifacts within the project scope, creating visibility and control gaps.
  • Organizations may have siloed purchases of application security testing tooling, often because the tooling is chosen by a different team from the one that manages the runtime protection of workloads. Unclear boundaries between application and infrastructure were the third highest challenge to successfully securing cloud-native applications cited in a recent Gartner survey. The increasing overlap is driven by cloud-native application developers

Blurring Boundaries of Responsibilities


Recommendations

SRM leaders responsible for the security of cloud workloads and applications should:

  • Develop an overall strategy for cloud-native app protection that spans development and runtime.
  • Evaluate emerging CNAPP offerings as contracts for CSPM and CWPP expire, and use this opportunity to reduce complexity and consolidate vendors.
  • Sign one- to two-year contracts only, because the market for CNAPP is still evolving.
  • Require CNAPP vendors to license and charge only for the modules you use, as it may take several years to adopt the entire integrated set of capabilities.
  • Scan all cloud-native development artifacts for vulnerabilities and compliance: source code, containers, VM images, IaC scripts, API declarations and cloud configuration files.
  • Require CWPP vendors to scan containers in development and add CSPM capabilities, including IaC scanning.
  • Require CSPM vendors to add scanning of Kubernetes security posture (KSPM) and IaC scanning in development, as well as runtime assessment using APIs.
  • Evaluate the opportunity to consolidate OSS vulnerability scanning, license scanning and software composition analysis from a unified CNAPP offering.
  • Scan development artifacts proactively in development for all types of vulnerabilities: not just vulnerable components, but also hard-coded secrets and malware.
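The two recommendations above (scan IaC scripts and cloud configuration files, and look for hard-coded secrets as well as vulnerable components) can be illustrated with a minimal IaC check. This is an added example, not code from the article or any CNAPP product: the Kubernetes Deployment manifest is constructed with deliberate defects, and the rules and severities are illustrative assumptions, not a vendor's rule set.

```python
# Added example: a small IaC scan over a Kubernetes Deployment manifest (JSON form).
# The manifest and the rules are constructed for illustration.
import json
import re

# Constructed manifest with four deliberate issues: host networking, a privileged
# container, an unpinned image tag and a password hard-coded as an env literal.
MANIFEST = json.loads("""
{"kind": "Deployment", "metadata": {"name": "payments"},
 "spec": {"template": {"spec": {
   "hostNetwork": true,
   "containers": [{
     "name": "app",
     "image": "registry.example/payments:latest",
     "securityContext": {"privileged": true},
     "env": [
       {"name": "DB_PASSWORD", "value": "hunter2"},
       {"name": "DB_HOST", "valueFrom": {"secretKeyRef": {"name": "db", "key": "host"}}}
     ]}]}}}}
""")

# Env variable names that should never carry a literal value in a manifest.
SECRET_NAME = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY", re.IGNORECASE)


def scan_manifest(manifest: dict) -> list:
    """Return (severity, message) findings for one Deployment manifest."""
    findings = []
    pod = manifest.get("spec", {}).get("template", {}).get("spec", {})
    if pod.get("hostNetwork"):
        findings.append(("HIGH", "pod shares the host network namespace"))
    for c in pod.get("containers", []):
        name = c.get("name", "?")
        if c.get("securityContext", {}).get("privileged"):
            findings.append(("CRITICAL", f"container {name} runs privileged"))
        # Tag is whatever follows the colon in the last path component of the image.
        tag = c.get("image", "").rsplit("/", 1)[-1].partition(":")[2]
        if tag in ("", "latest"):
            findings.append(("MEDIUM", f"container {name} uses an unpinned image tag"))
        for env in c.get("env", []):
            # A literal "value" on a secret-looking name is a hard-coded secret;
            # a "valueFrom" reference to a Secret object is the expected pattern.
            if "value" in env and SECRET_NAME.search(env.get("name", "")):
                findings.append(("HIGH", f"container {name} hard-codes {env['name']}"))
    return findings
```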

Nazia Khan

Founder & CEO SimpleAccounts.io at Data Innovation Technologies | Partner & Director of Strategic Planning & Relations at HiveWorx

8 months

Kapil, Great insights! Thanks for sharing!
