4 Takeaways from the 2023 Gartner® Market Guide for CNAPP

Last updated at Tue, 06 Feb 2024 16:08:41 GMT

In an ongoing effort to help security organizations gain greater visibility into risk, we're pleased to offer this complimentary Gartner research, and share our 4 Takeaways from the 2023 Gartner® Market Guide for CNAPP. This critical research can help security leaders take an in-depth look into cloud-native application protection platforms (CNAPPs), and evaluate potential solutions that best fit their specific environments.

Takeaway #1: Attack surfaces are increasing

There's nothing minor about misconfigurations. If a cloud resource or service is misconfigured, attackers will target and exploit it. It may not even be a misconfiguration in your cloud network, but one found in a supply chain partner that puts everyone's infrastructure at risk. Application programming interfaces (APIs) are at risk as well, and are being increasingly targeted by threat actors because they're such a critical component of the build process. The report states:

“CNAPP offerings bring together multiple disparate security and protection capabilities into a single platform that most importantly is able to identify, prioritize, enable collaboration and help remediate excessive risk across the extremely complex logical boundary of a modern cloud-native application."

Takeaway #2: Developer scope is expanding

As organizations increasingly look to shift left, developers are being asked to take on a more active role in ensuring their applications and the supporting cloud infrastructure are secure and compliant. We feel the report reiterates this point, stating:

“Shifting risk visibility left requires a deep understanding of the development pipeline and artifacts and extending vulnerability scanning earlier into the development pipeline as these artifacts are being created."

However, the report also states that developers are increasingly responsible for operational tasks, such as addressing vulnerabilities, deploying infrastructure as code, and deploying and tearing down implementations in production, thus requiring tools that address this expanded scope

Extra tooling is needed to address these concerns, with the very real possibility that tooling will be fragmented if it's coming from different vendors and addressing different parts of the application development process. As far as recommendations, the report states:

“Reduce complexity and improve the developer experience by choosing integrated CNAPP offerings that provide complete life cycle visibility and protection of cloud-native applications across development and staging and into runtime operation."

Takeaway #3: Context around risk is needed

Developers simply do not want the process to be slowed. Security is important, but if developers are constantly tripped up in their workflows, it's almost inevitable that adoption of security practices and tooling will become a struggle. Therefore, it's critical to prioritize security tasks and provide the context needed to remediate the issue as quickly as possible.

That can, however, be easier said than done when collecting disparate information and trying to gain as much visibility as possible into an environment. Let's look at a few ways to understand context in security data:

• Set VM processes to detect more than just vulnerabilities in the cloud. It's also key to be able to see misconfigurations and issues with IAM permissions as well as understand resource/service configurations, permissions and privileges, which applications are running and what data is stored inside. These processes help to contextualize and action on the highest-priority risks.

• Identify if a vulnerable instance is publicly accessible and the nature of its business application — this will help you determine the scope of the vulnerability.

• Simply saying developers need to find and fix vulnerabilities in production or pre-production by shifting security left is generally an oversimplification. It's critical to communicate with developers about why a vulnerability is being prioritized and specific actions they can take to remediate.

Takeaway #4: Depth of functionality is critical

Gartner states that “multiple providers market CNAPP capabilities — some starting with runtime expertise and some starting with development expertise. Few offer the required breadth and depth of functionality with integration between all components across development and operations." Each customer's situation will be specific; therefore, there will be no one-size-fits-all solution. Ideally, though, a provider should be able to offer runtime risk visibility, cloud risk visibility, and development artifact risk visibility.

As customer feedback helps to refine the offerings of CNAPP providers, Gartner shares that one of the reasons for moving towards consolidation to a CNAPP offering is to eliminate redundant capabilities. Moving forward, there is a strong customer preference to consolidate vendors.

To secure and protect

That's the name of the game: to secure and protect cloud-native applications across the development and production lifecycle. Unknown risks can appear anywhere in the process, but it's possible to mitigate many of these vulnerabilities and blockers. Learn how CNAPP offerings deliver an integrated set of capabilities spanning runtime visibility and control, CSPM capabilities, software composition analysis (SCA) capabilities and container scanning. Download and read the full Market Guide now.

Gartner, “Market Guide for Cloud-Native Application Protection Platforms" Neil MacDonald, Charlie Winckless, Dale Koeppen. 14 March 2023.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.