Back to Feed

Filling the Gap with CNAPP

James Berthoty

-

May 28, 2024

The typical CNAPP Feature Suite

Whether good or bad, many companies have entered the world of cloud security with CSPM tooling. In the quest for market domination, CNAPP’s have chased acronyms with as many acquisitions as their investors could buy. Unfortunately, this has led to radically different levels of maturity around various CNAPP use cases.

In this article we’ll ask, “how can you best compliment your CNAPP tooling?” That starts with examining the set of features that lay at the heart of CNAPP. We’ll then move to what features are most frequently missed. We’ll conclude by examining the set of functionalities that best compliments these tools.

The Heart of CNAPP

CNAPP began with CSPM, which in its most rudimentary form was interrogating cloud API’s for misconfigurations. Security teams needed visibility into their cloud environments, and this was the fastest way to get it. CSPM was quickly disseminated and commoditized by various open source projects and companies rapidly began trying everything to achieve “cloud security.”

“Agentless” scanning from Orca and Wiz took a firm hold on the market following CSPM because they continued the trend of easy visibility. At its core, agentless scanning is a smart way to offer deep asset management capabilities, which is why the Orca/Wiz CSPM has been stickier than the earlier alternatives that didn’t look at underlying machine volumes. By cloning underlying disks instead of installing agents, security teams get vulnerabilities and asset visibility into their runtime cloud environment with little effort.

Runtime asset visibility and vulnerability management have come to define the heart of CNAPP. Even CNAPPs that started with an agent, such as Sysdig and Palo Alto, now offer agentless scanning because of how it addresses the core difficulty of maintaining an agent just for vulnerability scanning. Conversely, agentless scanners now advertise “realtime” agentless scanning.

Because CNAPP vendors focused on “cloud security” holistically, they have developed their entire technological approaches around cloud runtime environments. Sysdig and Aqua saw containerized workloads as the core of cloud, so they matured quickly around container protection and scanning. Conversely, Wiz and Orca saw the workload volumes as the source of truth for cloud infrastructure, so have built robust platforms around what they can pick up on disk.

The order of CNAPP Maturity

Now that Orca and Aqua have an official partnership, it’s more clear than ever that the cloud assets at runtime are the priority for CNAPP providers. Even Wiz has an agent for runtime protection, showing the commitment to “shifting right” with doing cloud protection. The next big focus for CNAPP is getting into the SOC, not into the IDE.

These are the two features at the heart of CNAPP: the core is asset & vulnerability management at runtime, and what’s coming next is greater runtime detection & response capabilities. To be frank, everything else exists only enough to be able to say they do it.

What’s Missing with CNAPP?

CNAPP providers realized early on that they could scan containers and infrastructure before it was deployed by providing container and IaC scanning. Because of this, they were fast to copy their existing rule sets into the pipeline. This was a fairly simple integration for them to make, since they were scanning both kinds of assets at runtime anyways.

Most recently, some CNAPP providers have made tepid steps into SCA and SAST scanners, but this entry has a fundamentally different level of challenge for them because they are not comparable to any existing scanning abilities. CNAPPs have zero existing view into how applications work when they’re deployed. Some try to fake it by looking at kubernetes configs or public IPs, but none of them have an understanding of how applications are coded or what kinds of vulnerabilities exist in the app itself.

Scanning developer code is the core weakness of CNAPP for several reasons:

  1. Developer languages, frameworks, and patterns are far more diverse than cloud infrastructure
  2. Getting visibility into application execution at runtime requires complex instrumentation
  3. Developer workflows don’t translate well into security operations contexts

The biggest challenge application security vendors face is developer adoption, and CNAPPs do little to address this challenge. As an example, it seems that it will be a long time before a security practitioner has any luck implementing a Palo Alto VS Code plugin.

Fundamentally, these tools are built around production environments and shift left security has always been an afterthought for them (debatably Aqua gets an exception here). I would argue many security teams are frustrated with shift left because they’ve never used tools that meaningfully make developer’s lives easier. 

In terms of scanners, I suggest there are 8 kinds of scanning that go into complete visibility of a cloud and application environment. SDLC (scanning configuration settings), SCA (open source dependencies), Secrets, SAST (code vulnerabilities), IaC (infrastructure configuration), Container (app + os), DAST (code at runtime), and CSPM (infrastructure at runtime). Ultimately, each of these scanner results need to end up back in a developer’s hand.

How to Compliment Each Other

In this time of tight security budgets, many teams are willing to give up best in class point solutions and lean on their existing tools. CNAPPs universally offer IaC, Container, and CSPM scanning. There are a few exceptions to this, but for the most part, these are the gaps: SDLC, SCA, Secrets, and DAST. Of these, DAST is a bit of an outlier because it requires special instrumentation to scan the app at runtime. We'll leave it alone because of its identity crisis at the moment with API Security.

If CNAPPs provide IaC, Container, and CSPM scanning, it makes the most sense to bucket these capabilities as “infrastructure scanning.” What remains is “code scanning,” composed of SCA, Secrets, and SAST at their core.

Therefore, platforms like BackSlash that provide SAST, SCA, and Secret scanning in a single place provide a no-brainer compliment to your existing CNAPP solution to cover the visibility gap.