In an industry that moves so quickly and pivots so frequently, it’s easy to forget that the term and discipline of application security (AppSec) emerged in the late 1990s and early 2000s. Driven by what was considered rapid web application growth at the time, the Open Web Application Security Project (OWASP) was founded in 2001 to help security practitioners and software developers through frameworks and resources for building and launching secure applications.
Over time, as applications and custom application development became more prevalent, vulnerabilities in software grew to be a significant concern; organizations relied on these apps for business operations, customer service, and revenue generation. They simply couldn’t be too risky to use. A better system of AppSec and vulnerability management were crucial to organizations’ health.
A very similar trajectory occurred with cloud security. Cloud security as a concept began to take shape in the mid-to-late 2000s. When AWS launched in 2006, companies that wanted to increase productivity and lower costs began adopting cloud computing, much to security practitioners’ chagrin. “The cloud isn’t safe,” they said. “How can we trust cloud providers to protect our assets as well as we can our on-prem assets?” “How can we be sure these companies have the in-house talent to adequately address security threats? Where does the line of responsibility stop?”
These were all valid concerns. Many of them have since been addressed; some continue to plague IT and security operators today.
Arriving at the present day, both cloud security and AppSec are now regarded as their own, distinct areas within the broader field of cybersecurity. Though each discipline has evolved in its own right (with real technical differences between how to protect applications and how to protect cloud environments), the parallels between the two security strategies are strong.
It’s no surprise that a comingling of cloud computing and application security evolved into its own, niche security discipline. Cloud-Native Application Protection Platform (CNAPP) is a relatively new concept that resulted from organizations’ heavy use of cloud and the increase in applications running and being built in cloud environments. CNAPP started to gain traction only a few years ago as cloud and application security vendors started to converge security functions into one, unified platform. The goal of CNAPP was — and is today — to combine cloud security functionality from disparate solutions into one “consolidated and tightly integrated set of proactive and reactive security capabilities designed to ensure visibility, configuration compliance, code analysis, and risk assessment throughout the development and operations stages of cloud-native applications,” according to Gartner in their recently published “Market Guide for Cloud-Native Application Protection Platforms.”
The authors’ key findings include the recognition that cyber threat actors are increasingly targeting applications in cloud environments, at runtime. One reason for this increase in criminal attention is a simple matter of mass; more applications plus more cloud environments equals bigger targets to attack.
A second reason, though, while not expressly stated in the Gartner report, is that software security and software supply chain security are evolving extremely rapidly as attackers understand not only the “bigger target, greater chance of success” concept, but also the reality that software is rife with vulnerabilities, not just in cloud-native applications but in all applications built and used.
Gartner eloquently illustrates the “explosion in the risk surface area of a cloud-native application” in the following graphic.
Source: Gartner Market Guide for Cloud-Native Application Protection Platforms
Based on this graphic alone, and the commonalities between the two disciplines, it would be easy to think that CNAPP tools automatically include AppSec functionality. In some cases this is correct. But for many commercial offerings, the two remain — at least for the time being — separate functionalities and/or separate sales SKUs.
AppSec is a large functional area. Like the umbrella category “cloud security,” under which CNAPP traditionally falls, AppSec processes and tools can be broken out into several subdomains, including application security testing (AST — static, dynamic, and interactive), API discovery and testing, software composition analysis (SCA), artifact scanning, runtime application self-protection (RASP), software bill of materials (SBOM), and more. Some practitioners might say CNAPP fits just as snugly in AppSec as it does in CloudSec.
Each of the aforementioned subdomains is available as a standalone tool. However, given the complexity, speed of delivery, and business criticality of applications, application security posture management — ASPM — has become its own umbrella category for AppSec. ASPM serves as an orchestrator or data fabric that ties together the formerly siloed tools mentioned above and their data outputs. The unification and correlation of bundled functionality in ASPM is what gives AppSec and development teams greater visibility into the application SDLC. But ASPM doesn’t stop at visibility; as its name implies, ASPM raises AppSec to a whole other level of vulnerability and risk management.
This is why Gartner, in the Market Guide quoted above, states that there is a significant “need to unify risk visibility across cloud environments and the entire application development life cycle.” Further, the guide states, “This simply cannot be achieved using separate and siloed security and legacy application testing offerings,” and recommends that AppSec teams “use both CNAPP and application security tools” to achieve a comprehensive understanding of security risk posture.
The Gartner report calls out ASPM as a specific functional area into which CNAPP will expand over the next few years. This is a safe bet. CNAPP and ASPM are naturally complementary technologies.
ASPM focuses on application visibility across the SDLC, from code development to deployment, ensuring that security practices are consistently applied. In OX’s view of ASPM, an effective solution unifies the entirety of organizations’ AppSec tools (including AST, API, SCA, secrets scanning, etc.).
CNAPPs have historically been focused on a broader approach to AppSec, incorporating infrastructure and runtime protection. CNAPP leverages ASPM capability and adds layers of security for the application’s cloud environment.
However, ASPM solutions like OX provide visibility and control for applications before they reach runtime, lowering the risk of exploitability during runtime. Nonetheless, it’s important to remember that some issues will appear in the runtime environment, which is why the OX platform integrates with CNAPP — demonstrating how ASPM and CNAPP can be the perfect partners. With a simple connector, ASPMs can assess the security posture of the applications’ environments; they shed light on access controls, misconfigurations, and material changes; and help security teams identify issues before an attacker does.
It’s clear that there isn’t just synergy between CNAPP and ASPM; there is significant benefit in integrating and coordinating their complementary capabilities. Both categories offer:
In short, CNAPP and ASPM are not just friends but BFFs. They work together to ensure that cloud-based applications are secure from the moment they are written. ASPM extends these capabilities outside of cloud environments, though, ensuring that wherever an application “lives,” at whatever stage it’s in, AppSec and development teams can identify, prioritize, and manage risk, at scale.
The post CNAPP and ASPM — Friends or Foes? appeared first on OX Security.
This is a Security Bloggers Network syndicated blog from OX Security authored by Katie Teitler-Santullo. Read the original post at: https://www.ox.security/cnapp-and-aspm-friends-or-foes/