The backstories of AppSec and cloud security
In an industry that moves so quickly and pivots so frequently, it’s easy to forget that the term and discipline of application security (AppSec) emerged in the late 1990s and early 2000s. Driven by what was considered rapid web application growth at the time, the Open Web Application Security Project (OWASP) was founded in 2001 to help security practitioners and software developers through frameworks and resources for building and launching secure applications.
Over time, as applications and custom application development became more prevalent, vulnerabilities in software grew to be a significant concern; organizations relied on these apps for business operations, customer service, and revenue generation, so the apps simply could not be allowed to be too risky to use. A better system of AppSec and vulnerability management was crucial to organizations’ health.
A very similar trajectory occurred with cloud security. Cloud security as a concept began to take shape in the mid-to-late 2000s. When AWS launched in 2006, companies that wanted to increase productivity and lower costs began adopting cloud computing, much to security practitioners’ chagrin. “The cloud isn’t safe,” they said. “How can we trust cloud providers to protect our assets as well as we can our on-prem assets?” “How can we be sure these companies have the in-house talent to adequately address security threats? Where does the line of responsibility stop?”
These were all valid concerns, many of which have since been addressed and some of which continue to plague IT and security operators today.
Arriving at the present day, both cloud security and AppSec are now regarded as their own distinct areas within the broader field of cybersecurity. Though each discipline has evolved in its own right (with distinct technical differences between how to protect applications and how to protect cloud environments), the two security strategies remain closely parallel.
The emergence of CNAPP
It’s no surprise that a commingling of cloud computing and application security evolved into its own niche security discipline. Cloud-Native Application Protection Platform (CNAPP) is a relatively new concept that resulted from organizations’ heavy use of cloud and the increase in applications running and being built in cloud environments. CNAPP started to gain traction only a few years ago as cloud and application security vendors started to converge security functions into one unified platform. The goal of CNAPP was — and is today — to combine cloud security functionality from disparate solutions into one consolidated visibility and management plane. This centralization gives AppSec and DevOps teams the ability to understand applications’ security state, starting at the codebases on which they’re built and including build environments, runtime environments, developer access to underlying code, API vulnerabilities, material code changes, secrets protection, and more.
CNAPPs significantly help operators quickly identify and act on the growing number and volume of threats against cloud-native applications and all the complexity inherent in their creation and use.
It’s this complexity and volume that make applications (especially in cloud environments) a focus of cyber adversaries’ attention. In simpler terms, more applications plus more cloud environments equals a bigger attack surface. A second reason is that software security and software supply chain security are evolving extremely rapidly as attackers understand not only the “bigger target, greater chance” concept, but also the reality that software is rife with vulnerabilities, not just in cloud-native applications but in all applications built and used.
In the Gartner® Market Guide report, the “Explosion in the Risk Surface Area of a Cloud-Native Application” is illustrated in Figure 2 of the report:
We believe that, while there are commonalities between the two, CNAPP and AppSec tools remain in separate categories and, for most commercial tools, separate procurement buckets. We at OX expect some convergence in the future, but for now they are complementary characters.
CNAPP and ASPM: A synergistic partnership
AppSec is a large functional area. Like the umbrella category “cloud security,” under which CNAPP traditionally falls, AppSec processes and tools can be broken out into several subdomains, including application security testing (AST — static, dynamic, and interactive), API discovery and testing, software composition analysis (SCA), artifact scanning, runtime application self-protection (RASP), software bill of materials (SBOM), and more. Some practitioners might say CNAPP fits just as snugly in AppSec as it does in CloudSec.
Each of the aforementioned subdomains is available as a standalone tool. However, given the complexity, speed of delivery, and business criticality of applications, application security posture management (ASPM) has become its own umbrella category for AppSec. ASPM serves as an orchestrator or data fabric that ties together the formerly siloed tools mentioned above and their data outputs. The unification and correlation of bundled functionality in ASPM is what gives AppSec and development teams greater visibility into the application SDLC. But ASPM doesn’t stop at visibility; as its name implies, ASPM raises AppSec to a whole other level of vulnerability and risk management.
One of the factors that drives client interest in CNAPPs is a need for centralized visibility into the risk environment of cloud-native applications: holistically, across hybrid computing environments, and throughout applications’ entire lifecycle, from design through deployment, from code to cloud. This simply cannot be achieved using separate and siloed security and legacy application testing offerings. CNAPP offerings operationalize cloud-native application risk analysis to help AppSec and development teams understand their security posture and to operationalize vulnerability analysis and risk remediation.
Designed to enhance overall security
For the moment, while CNAPP and application security-specific solutions remain disparate categories, the best course of action is to integrate their capabilities. Smart vendors are building solutions that not only ingest or export data between these solutions, but also build in normalization and correlation engines that allow user teams to quickly identify, contextualize, prioritize, and act on application-based risk. Vendors that offer this capability are in a good position to provide a comprehensive solution that covers all aspects of cloud and application risk management.
According to Gartner, “To obtain the most comprehensive understanding of risk, use both CNAPP and application security tools. For this reason, more CNAPP vendors are either developing their own capabilities or providing third-party integrations with these specific functions. By doing so, they aim to offer a comprehensive solution that covers all aspects of cloud and application risk management. Over the next several years, Gartner expects several CNAPP offerings to expand into the following areas:
- Application security testing (AST) such as traditional static AST and dynamic AST (SAST/DAST) use cases
- Application security posture management (ASPM)
- API discovery and testing tools and API posture management
- Distributed web application firewall (WAF) for application protection
- Cloud detection and response (CDR)
- Data security posture management (DSPM) for very specific data management use cases.”
We believe this is a safe bet. CNAPP and ASPM are naturally complementary technologies.
ASPM focuses on application visibility across the SDLC, from code development to deployment, ensuring that security practices are consistently applied. In OX’s view of ASPM, an effective solution unifies the entirety of organizations’ AppSec tools (including AST, API, SCA, secrets scanning, etc.).
CNAPPs have historically been focused on a broader approach to AppSec, incorporating infrastructure and runtime protection. CNAPP leverages ASPM capability and adds layers of security for the application’s cloud environment.
However, ASPM solutions like OX provide visibility and control for applications before they reach runtime, lowering the risk of exploitability during runtime. Nonetheless, it’s important to remember that some issues will appear in the runtime environment, which is why the OX platform integrates with CNAPP — demonstrating how ASPM and CNAPP can be the perfect partners. With a simple connector, ASPMs can assess the security posture of the applications’ environments; they shed light on access controls, misconfigurations, and material changes; and help security teams identify issues before an attacker does.
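The normalization and correlation step described above (tool outputs mapped to one schema, then code-level findings joined to the runtime context a CNAPP connector supplies) is easiest to see in code. The following is an added example, not OX’s or any vendor’s code: three constructed feeds (a SAST scanner, an SCA scanner and a CNAPP runtime scan) with made-up field names are normalized into one `Finding` schema, a constructed CI build record links each repository to the container image it produced, and a code-level finding that lands on an internet-exposed workload is raised in priority. All repository, image and workload names, the field names and the scoring weights are assumptions for the example.

```python
# Added example (not OX Security's code): a minimal ASPM-style normalization and
# correlation step. Feeds, field names, asset names and score weights are all
# constructed for illustration.
from dataclasses import dataclass, replace

SEVERITY_SCORE = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    source: str            # tool that reported it: sast / sca / cnapp
    asset: str             # repository for code findings, workload name for runtime findings
    kind: str              # "code" or "runtime"
    title: str
    severity: str          # normalized to low / medium / high / critical
    workloads: tuple = ()  # runtime workloads the finding is known to land on
    exposed: bool = False  # True if any of those workloads is internet-facing


# --- constructed sample feeds (not real scanner output) ----------------------
SAST_RAW = [
    {"repo": "git.example/orders", "rule": "sql-injection", "level": "ERROR", "file": "db.py"},
    {"repo": "git.example/billing", "rule": "hardcoded-secret", "level": "WARNING", "file": "cfg.py"},
]
SCA_RAW = [
    {"project": "git.example/orders", "package": "requests", "cvss": 9.1, "advisory": "PLACEHOLDER-ADVISORY-ID"},
]
CNAPP_RAW = [
    {"workload": "orders-api", "image": "registry.example/orders:1.4.2", "public": True, "issue": "privileged-container"},
    {"workload": "billing-worker", "image": "registry.example/billing:2.0.0", "public": False, "issue": None},
]
# Constructed CI output: which image each repository's pipeline built.
BUILD_RECORDS = {
    "git.example/orders": "registry.example/orders:1.4.2",
    "git.example/billing": "registry.example/billing:2.0.0",
}


def normalize_sast(raw):
    level_map = {"ERROR": "high", "WARNING": "medium", "NOTE": "low"}
    title = f'{raw["rule"]} in {raw["file"]}'
    return Finding("sast", raw["repo"], "code", title, level_map.get(raw["level"], "low"))


def normalize_sca(raw):
    cvss = raw["cvss"]
    sev = "critical" if cvss >= 9 else "high" if cvss >= 7 else "medium" if cvss >= 4 else "low"
    return Finding("sca", raw["project"], "code", f'{raw["package"]} ({raw["advisory"]})', sev)


def normalize_cnapp(raw):
    if raw["issue"] is None:
        return None  # workload scanned clean; it still contributes runtime context below
    return Finding("cnapp", raw["workload"], "runtime", raw["issue"], "high",
                   (raw["workload"],), raw["public"])


def build_runtime_context(build_records, cnapp_raw):
    """Map each repository to (workloads running its image, any internet-exposed?)."""
    image_to_repo = {image: repo for repo, image in build_records.items()}
    ctx = {}
    for w in cnapp_raw:
        repo = image_to_repo.get(w["image"])
        if repo is None:
            continue  # image not built from a known repo; nothing to correlate
        workloads, exposed = ctx.get(repo, ((), False))
        ctx[repo] = (workloads + (w["workload"],), exposed or w["public"])
    return ctx


def correlate(findings, ctx):
    """Attach runtime context to code-level findings whose repo is deployed."""
    out = []
    for f in findings:
        if f.kind == "code" and f.asset in ctx:
            workloads, exposed = ctx[f.asset]
            f = replace(f, workloads=workloads, exposed=exposed)
        out.append(f)
    return out


def priority(f):
    score = SEVERITY_SCORE[f.severity]
    if f.workloads:
        score += 1  # confirmed running somewhere, not just present in a repo
    if f.exposed:
        score += 2  # reachable from the internet
    return score


def prioritized_findings(sast_raw=SAST_RAW, sca_raw=SCA_RAW, cnapp_raw=CNAPP_RAW,
                         build_records=BUILD_RECORDS):
    findings = [normalize_sast(r) for r in sast_raw] + [normalize_sca(r) for r in sca_raw]
    findings += [f for f in map(normalize_cnapp, cnapp_raw) if f is not None]
    ctx = build_runtime_context(build_records, cnapp_raw)
    return sorted(correlate(findings, ctx), key=priority, reverse=True)


if __name__ == "__main__":
    for f in prioritized_findings():
        print(priority(f), f.source, f.asset, f.title, "(internet-exposed)" if f.exposed else "")
```

The join key is the image name from the build record: a real connector would use the image digest rather than a tag, since tags are mutable, but the shape of the correlation is the same. Note that the clean `billing-worker` workload produces no finding of its own yet still tells the engine that the billing repository is deployed, which is exactly the context a pre-runtime tool cannot see on its own.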
The verdict
It’s clear that there isn’t just synergy between CNAPP and ASPM; there is significant benefit in integrating and coordinating their complementary capabilities. Both categories offer:
- End-to-end visibility, from code to cloud, monitoring applications for misconfigurations, vulnerabilities, and threats. ASPM extends the application focus to pre-production, meaning, throughout the entire SDLC, before the application is running.
- Integrated security across the app lifecycle, to ensure issues are surfaced and mitigated early in the process. ASPM combines various AppSec tooling capabilities while CNAPP does the same for cloud security functionality.
- Consistent policy enforcement, so that applications are covered from design through production. While CNAPP might not have the ability to assert policy during the design and build stages, some advanced ASPMs (like OX) offer runtime management because they collect and correlate data from an integrated CNAPP.
- Risk management, to address code-level and infrastructure-level vulnerabilities.
- Faster time to remediation, through early detection of security issues. ASPM allows pre-deployment remediation and (again, in some solutions like OX) detection and response capabilities post-launch. CNAPP adds layers of security for workloads and configurations that provide critical insights for managing overall security risk.
In short, CNAPP and ASPM are not just friends but BFFs. They work together to ensure that cloud-based applications are secure from the moment they are written. ASPM also extends these capabilities outside of cloud environments, ensuring that wherever an application “lives,” and at whatever stage it’s in, AppSec and development teams can identify, prioritize, and manage risk at scale.
Gartner, Market Guide for Cloud-Native Application Protection Platforms, By Dale Koeppen, Charlie Winckless, Neil MacDonald, Esraa ElTahawy, 22 July 2024.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.