Licensed for Distribution

MARKET GUIDE FOR CLOUD-NATIVE APPLICATION PROTECTION PLATFORMS

14 March 2023 - ID G00785751 - 28 min read

By Neil MacDonald, Charlie Winckless, and 1 more

--------------------------------------------------------------------------------

CNAPPs address the full life cycle protection requirements of cloud-native applications from development to production. Security and risk management leaders responsible for cloud security strategies should use this research to analyze and evaluate emerging CNAPP offerings.

ADDITIONAL PERSPECTIVES

* Summary Translation: Market Guide for Cloud-Native Application Protection Platforms (24 April 2023)

OVERVIEW

KEY FINDINGS

* CNAPP offerings bring together multiple disparate security and protection capabilities into a single platform focused on identifying and prioritizing excessive risk of the entire cloud-native application and its associated infrastructure.
* The attack surface of cloud-native applications is increasing. Attackers are targeting the misconfiguration of cloud infrastructure (network, compute, storage, identities and permissions), APIs and the software supply chain itself.
* Developers are increasingly responsible for operational tasks, such as addressing vulnerabilities, deploying infrastructure as code, and deploying and tearing down implementations in production, thus requiring tools that address this expanded scope.
* Because security is often viewed as an obstacle to developers, it is absolutely critical to prioritize the risks identified and provide sufficient context for the developer to remediate them.
* Multiple providers market CNAPP capabilities — some starting with runtime expertise and some starting with development expertise. Few offer the required breadth and depth of functionality with integration between all components across development and operations.
* Agentless workload scanning has become a popular approach and an expected core CNAPP capability, although in-workload approaches provide the best protection.

RECOMMENDATIONS

Security leaders responsible for cloud security strategies should:

* Reduce complexity and improve the developer experience by choosing integrated CNAPP offerings that provide complete life cycle visibility and protection of cloud-native applications across development and staging and into runtime operation.
* Ensure the right person/team is tasked with remediating an identified risk by requiring CNAPP offerings to understand ownership and provenance of development artifacts. At a minimum, the CNAPP offering must understand which developer/development team created the artifact, when it was scanned, when it was deployed, and who has since changed or modified it.
* Build a team for the evaluation and selection of CNAPP offerings with skills spanning cloud security, workload security (including containers), application and middleware security, development security and developers.
* To ensure a successful evaluation, rank the CNAPP offering requirements. No single vendor is best-of-breed across all capabilities.
* Favor CNAPP vendors that provide a variety of runtime visibility techniques, including traditional agents, Extended Berkeley Packet Filter (eBPF) support, snapshotting, privileged containers and Kubernetes (K8s) integration, to provide the most flexibility at deployment.

STRATEGIC PLANNING ASSUMPTIONS

By 2025, 60% of enterprises will have consolidated cloud workload protection platform (CWPP) and cloud security posture management (CSPM) capabilities to a single vendor, up from 25% in 2022.

By 2025, 75% of new CSPM purchases will be part of an integrated CNAPP offering.

By 2025, 80% of enterprises will have adopted multiple public cloud infrastructure as a service (IaaS) offerings — including multiple K8s offerings.

By 2026, 80% of enterprises will have consolidated security tooling for the life cycle protection of cloud-native applications to three or fewer vendors, down from an average of 10 in 2022.

MARKET DEFINITION

This document was revised on 17 March 2023. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.

Cloud-native application protection platforms (CNAPPs) are a unified and tightly integrated set of security and compliance capabilities designed to secure and protect cloud-native applications across development and production. CNAPPs consolidate a large number of previously siloed capabilities, including container scanning, cloud security posture management, infrastructure as code scanning, cloud infrastructure entitlement management, runtime cloud workload protection and runtime vulnerability/configuration scanning.

MARKET DESCRIPTION

CNAPP offerings integrate visibility, configuration and testing across development and operations in a modern DevOps-style development organization to address unknown and unexpected risks that result from the increased complexity in the development and deployment of cloud-native applications (see Note 1). CNAPP offerings are typically sold and delivered as a service, with integration into the runtime cloud environments and development pipeline tools used by the development organization.

CNAPP offerings deliver an integrated set of capabilities spanning runtime visibility and control, CSPM capabilities, software composition analysis (SCA) capabilities and container scanning. Additional capabilities may include API testing and monitoring, traditional static application security testing (SAST)/dynamic application security testing (DAST), and runtime web application and API protection. While information security is typically the primary buyer, the user ultimately is the development team/product team responsible for the cloud-native application.

A cloud-native application typically has these characteristics:

* Architected using loosely coupled microservices, often interacting via application programming interfaces
* Developed within a DevOps-style continuous integration (CI)/continuous delivery (CD) pipeline supporting frequent updates
* Using a majority of the code and libraries from open source
* Often built using Linux containers with Kubernetes-based orchestration, supplemented with serverless functions and platform as a service (PaaS) services from the cloud provider
* Deployed onto programmatic cloud infrastructure
* Updated more frequently, making the workloads more ephemeral
* Managed with a bias toward immutability such that few or no changes to production workloads are allowed — all changes in production are driven through the development pipeline

Until recently, comprehensively securing cloud-native applications required the use of multiple tools from multiple vendors that are rarely well-integrated and often designed only for security professionals, not in collaboration with developers. This lack of integration creates fragmented views of risk, each with insufficient context, making it difficult to prioritize the actual risk. As a result, fragmented tools create excessive alerts, wasting developers' time and making remediation efforts confusing for the roles they target. CNAPP offerings allow an organization to use a single integrated offering to identify risk across the entire life cycle and disparate elements of a cloud-native application, and one that collaboratively puts the developer at the core of the application risk responsibility (see Figure 1).
Figure 1: CNAPP Simplified View

CNAPP offerings bring together multiple disparate security and protection capabilities into a single platform that, most importantly, is able to identify, prioritize, enable collaboration on and help remediate excessive risk across the extremely complex logical boundary of a modern cloud-native application (see Figure 2).

Figure 2: Explosion in the Risk Surface Area of a Cloud-Native Application

However, runtime risk visibility is only a part of the risk equation. Developers are increasingly responsible for building more of the cloud infrastructure shown in Figure 2, including the containers and cloud infrastructure set up using infrastructure as code scripts (see Figure 3).

Figure 3: Developers' Expanded Scope of Responsibility for Cloud-Native Applications

Because developers are creating containers, serverless functions and cloud infrastructure, CNAPP tooling needs to "shift left" into the development life cycle — in addition to the comprehensive runtime visibility shown in Figure 2. Shifting risk visibility left requires a deep understanding of the development pipeline and artifacts, and extending vulnerability scanning earlier into the development pipeline as these artifacts are being created (see Figure 4 and Note 2).

Figure 4: Code-to-Cloud Risk Visibility, Prioritization and Remediation

Combining the need for runtime risk visibility, cloud risk visibility and development artifact risk visibility results in a robust integrated set of capabilities needed for a complete CNAPP platform (see Figure 5).

Figure 5: CNAPP Detailed View

No single vendor delivers all of the capabilities shown in Figure 5 today. CNAPP offerings are emerging from multiple providers, often from different starting points.

* Many CNAPP offerings are from vendors that started with runtime workload visibility and protection, a market referred to as cloud workload protection platforms (see Market Guide for Cloud Workload Protection Platforms). As the development model shifted to cloud-native applications, these vendors "shifted left" with container scanning capabilities and later cloud security posture management (CSPM) capabilities (see Innovation Insight for Cloud Security Posture Management).
* Several CNAPP offerings are from vendors that started first with CSPM, but were also asked by customers to shift left and scan for cloud configuration before the clouds were deployed, by scanning infrastructure as code scripts.
* A few vendors started first by addressing artifact scanning early in the development life cycle (for example, with software composition analysis and API security testing) but were asked by customers to broaden their platform to adjacent capabilities.

The budget for a CNAPP typically comes from the chief information security officer (CISO) organization, with specific buying centers of cloud security operations, cloud security architects, DevSecOps architects, cloud-native application architects and application security. There is also an emerging role of platform engineering team leaders, architects and security (see Adopt Platform Engineering to Improve the Developer Experience) that will also be interested in CNAPP capabilities.

MARKET DIRECTION

Since identifying the convergence between CWPP, CSPM, cloud infrastructure entitlement management (CIEM) and other cloud security technologies in early 2021, client interest, as indicated by inbound inquiries, has grown significantly.[1] The number of end-user calls on CNAPPs grew 70% from 2021 to 2022, with an emphasis on CSPM due to compliance drivers and ease of deployment via APIs.

There are several factors driving client interest in CNAPPs.

* The most significant driver is the need to unify risk visibility across the entire hybrid application and across the entire application life cycle. This simply cannot be achieved using separate and siloed security and legacy application testing offerings. CNAPP offerings operationalize cloud-native application risk (a concept referred to as RiskOps and introduced in Seven Imperatives to Adopt a CARTA Strategic Approach) by "connecting the dots" to help understand the effective risk across the multiple layers of a modern cloud-native application. Risk-prioritizing the findings is critical, as developers and security professionals are overloaded with alerts and findings from siloed tools.
* Another driver is the desire to reduce complexity by consolidating the number of security vendors (see Infographic: Top Trends in Cybersecurity 2022 — Vendor Consolidation). Data from the 2022 Gartner CISO: Security Vendor Consolidation XDR and SASE Trends Survey indicates a clear customer preference to consolidate vendors in the security space, with 92% of enterprises indicating they will be actively pursuing a vendor consolidation strategy by year-end 2022.[2]
* There is a desire to integrate security and compliance testing seamlessly and transparently into modern DevOps (referred to as DevSecOps) in a manner that balances security and speed and doesn't unnecessarily slow down digital innovation. Information security's role shifts to one of providing guardrails across the entire development pipeline, not gates. An analogy would be a racetrack where the guardrails are encountered by the driver only if there is a serious issue. Likewise, developers are allowed to innovate at their desired speed with little or no friction from security, unless a critical risk issue is identified. CNAPP offerings enable the construction of guardrails for a modern cloud-native application development pipeline.

All of this is expected to lead to significant growth in the CNAPP market over the next several years. While Gartner has not yet sized the CNAPP market, it overlaps capabilities with, and will pull revenue from, several stand-alone markets that make up the core of CNAPP functionality (see Table 1 and Forecast: Information Security and Risk Management, Worldwide, 2020-2026, 4Q22 Update).

TABLE 1: SPENDING ON CNAPPS WILL PULL FROM THESE MARKET SEGMENTS

Gartner Market Forecast                        Estimated Market Size at Year-End 2022   Estimated Market Percentage Growth in 2022
                                               (billions of U.S. dollars, constant      (constant currency)
                                               currency)
Application Security Testing Software [3]      3.1                                      24.8
CWPPs                                          3.8                                      26.4
Vulnerability Assessment                       2.3                                      24.6
Web Application and API Protection             1.7                                      25.3
Cloud Access Security Brokers (see Note 3)     1.6                                      30.4
Other Information Security Software            2.1                                      19.0

Source: Gartner (March 2023)

CNAPPs will also pull spending from several point solution areas that Gartner included in the above table, which Gartner has not yet broken out and sized separately. These areas include the CSPM market (currently spread across the CWPP and cloud access security broker [CASB] segments above and "other security software" in Gartner's market forecast) and spending on software composition analysis tools (see Market Guide for Software Composition Analysis).

MARKET ANALYSIS

As with any emerging technology category, and especially as CNAPPs near the Peak of Inflated Expectations in multiple Gartner Hype Cycles (see Hype Cycle for Application Security, 2022 and Hype Cycle for Workload and Network Security, 2022), CNAPPs have been subject to an immense amount of marketing hype and abuse. We frequently see vendors that market CNAPPs but don't meet Gartner's minimum requirements. Since the complete listing of CNAPP capabilities is quite broad, we have broken the capabilities into three categories: core, recommended and optional (see Table 2).
TABLE 2: CNAPP CORE, RECOMMENDED AND OPTIONAL CAPABILITIES

CNAPP Core Capabilities

* Runtime visibility into virtual machine (VM) and container workloads
* Cloud security posture management, including all leading hyperscale providers and their managed Kubernetes offerings (Kubernetes security posture management [KSPM])
* Infrastructure as code (IaC) scanning, including for major IaC scripting languages and YAML/Helm for Kubernetes
* Cloud infrastructure entitlement management
* Network connectivity mapping
* Scanning of containers and container registries for risk*
* Software composition analysis, including software bill of materials (SBOM) creation
* Real-time workload visibility from the inside for critical VMs and containers, including workload detection/response
* API discovery and scanning for correct configuration in development

*Risk scanning includes:
  * Configuration scanning
  * Vulnerability scanning for known vulnerabilities
  * Secrets scanning
  * Attack path analysis

CNAPP Recommended Capabilities

* API discovery in development and monitoring at runtime
* Scanning of unstructured IaaS data repositories for risk*
* Network monitoring capabilities
* Workload detection and response
* Expanded cloud detection and response (CDR) capabilities beyond just workload monitoring (for example, looking at event logs, network logs and DNS lookups)
* Drift detection from expected state
* Support for other common clouds — Oracle, IBM, Alibaba Cloud, Tencent
* Scanning of other application artifacts for risk*:
  * VMs
  * Serverless functions

*Risk scanning expands to also include:
  * Sensitive data in unstructured data repositories
  * Malware scanning

CNAPP Optional Capabilities

* Application runtime self-protection (RASP)
* Serverless function instrumentation and monitoring
* Application layer observability/monitoring
* Support for VMware-based infrastructure (on-premises and public-cloud-based)
* Support for other cloud and container environments such as Red Hat OpenShift and SUSE's Rancher
* Support for policy-as-code scanning
* Support for Open Policy Agent
* MicroWAF/web application and API protection (WAAP) at runtime
* Scanning of IaaS structured data repositories for risk* (combined with unstructured data scanning, delivers a data security posture management [DSPM] capability)
* Traditional static analysis of custom code for unknown vulnerabilities
* Traditional dynamic scanning for unknown vulnerabilities
* API scanning for unknown vulnerabilities
* Development pipeline/software supply chain security beyond SCA (see Note 4)
* Development pipeline hardening

*Risk scanning expands to include:
  * Sensitive data in structured data repositories
  * Scanning custom code for unknown vulnerabilities

Source: Gartner (March 2023)

The capabilities in Table 2 should be cohesive. A well-architected single-vendor CNAPP offering should have the following characteristics:

* All services should be fully integrated, not loosely coupled independent modules (typically resulting from a vendor's internal silos, poorly integrated OEM components or those added from an acquisition). Integration should include the front-end console, unified policy across multiple points of inspection and a unified back-end data model.
* Deep understanding of relationships between the elements of an application (VMs, containers, service functions and storage), security posture, permissions and connectivity, typically enabled by underlying graph database technology.
* Deep understanding of the relationship between development artifacts (custom code, libraries, container images, VMs and IaC scripts), who created them and when they were created, who deployed them and when they were deployed, and who changed them and when they were changed.
* Integrated advanced analytics that are combined with the graph relationships to risk-prioritize findings both in development and at runtime.
* A single unified management plane to reduce switching between multiple consoles, not disparate management systems loosely integrated via API.
* Primary management console is delivered as a service. Optionally, support for customer-hosted management consoles is provided to address security and risk-sensitive environments, such as air-gapped environments or regulatory domains.
* Single security policy for risk inspection across all artifacts — containers, VMs, serverless functions and data storage.
* Simple consumption-based pricing model based on major cloud-native application assets, such as virtual machines, container hosts, serverless functions and unstructured/structured storage repositories.
* Inspection of artifacts can be cloud-based SaaS or under the customer's control, letting the customer choose the location of the inspection, including on-premises for security-sensitive use cases.
* The option for single tenancy even if delivery is cloud-based (for security-sensitive use cases).
* Integration with key management systems to allow scanning of encrypted storage objects for risk.
* Integration into common CI/CD development toolsets, including code repositories, build servers and container registries and their audit/logging telemetry.
* Predefined templates for reporting against common compliance standards — for example, CIS, NIST, PCI, GDPR and HIPAA.
* Support for all three major hyperscale providers: Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP). Some organizations may require integration with additional clouds, such as Oracle, IBM, Alibaba Cloud, VMware and others.

Even in this early phase of the market, there are multiple CNAPP offerings in the market that meet these core requirements. Vendors of these offerings are listed in Table 3.

Since integrated CNAPP vendors have different starting points (some were CWPP vendors adding CNAPP capabilities, some were SCA vendors adding CSPM, and others were CIEM vendors that have expanded their portfolio), no single vendor is best-of-breed in every capability. For this reason, it is critical that the joint team evaluating CNAPP capabilities prioritize and rank their requirements as mandatory, recommended or optional prior to the evaluation of offerings.

Deep understanding of the relationships between the different elements of a cloud-native application (see Figure 2) is critical in order to deliver against the vision of RiskOps. In other words, to make risk identification and remediation operational, CNAPP tools must be able to build a model (similar conceptually to a digital twin) of the application code, libraries, containers, scripts, configuration and vulnerabilities to identify where the effective risk resides. Since risk-free applications are impossible, the challenge for information security shifts to risk-prioritizing findings according to business context, identifying the root cause and getting developers to focus first on the findings that are of the highest risk and the highest confidence of potential impact to the business.

Likewise, a deep understanding of the relationship between developers/development teams across the life cycle of an application (see Figure 3) is critical to identifying the right developer/development team or engineering team to remediate the risks identified (and to provide them with sufficient context to understand and remediate the risks quickly and effectively). With cloud-native applications, rarely is IT or information security responsible for remediating the issue identified.

CNAPP offerings focus the majority of their scanning efforts on identifying known types of vulnerabilities, misconfigurations and hard-coded secrets in development artifacts, using a combination of static and dynamic techniques.
In contrast, traditional static and dynamic analysis application security testing tools focus on using a combination of static and dynamic techniques to find unknown vulnerabilities in custom code. As such, CNAPP offerings and application security testing (AST) offerings are complementary, but will increasingly overlap. For the most complete view of risk, both CNAPP and AST tools would be used. Over the next several years, we expect several CNAPP offerings to expand into traditional SAST/DAST use cases, as well as some traditional SAST/DAST and API testing tools to expand into CNAPP.

With modern cloud-native applications, it can be difficult if not impossible to use a traditional host-OS-based agent approach. In some cases, the DevOps product teams won't accept them, and in other cases, the value of runtime visibility into ephemeral workloads does not justify the operational overhead of deploying and managing agents. To address this, leading CNAPP offerings provide a variety of agent and agentless alternatives for runtime visibility into workloads, including:

* Snapshots of running workloads, and analysis of the snapshot created
* Privileged containers
* DaemonSets
* Kubernetes sidecars
* Libraries for inclusion in the development pipeline
* eBPF-based instrumentation for Linux
* LD_PRELOAD Linux system call interception (see What Is the LD_PRELOAD Trick?, Baeldung)
* Envoy or F5 NGINX proxy integration
* Service mesh integration
* Cloud control plane API-based integration to inspect configuration and activity logs
* Kubernetes API controller integration to inspect configuration and activity logs
* Copies of workloads that are mounted and dynamically observed in an isolated environment (application sandboxing)
* Language-specific runtime instrumentation (sometimes referred to as RASP)
* Serverless function instrumentation layering techniques (e.g., AWS Lambda layers)

BENEFITS OF SINGLE-VENDOR CNAPP OFFERINGS

An organization could implement 10 or more tools to deliver fully against the capabilities shown in Figure 4. However, there are reasons that organizations are moving toward consolidation to a CNAPP offering:

* Better identification, prioritization and remediation of cloud-native application risk.
* Reduces operational complexity through consolidation of vendors, consoles, policies and contracts, thereby reducing the chance of misconfiguration or mistakes. This enables:
  * A single place to define consistent security policies across development and operations.
  * Consistent enforcement of security policy across all application artifacts — code, containers, VMs and serverless functions.
  * Elimination of overlapping policies of disparate products and standardization of application policies and policy objects across all development artifacts.
* A single vendor should implement a single data lake, data model and unified graph database for all event logging, reporting, alerting and relationship mappings. This enables the vendor to deliver against the vision of RiskOps — finding the root cause of the risk, identifying the person/team responsible for fixing it and risk-prioritizing the remediation efforts. This reduces the attack surface and shortens remediation times.
* By having consistently enforced policies and by risk-prioritizing remediation efforts, a single-vendor CNAPP offering should reduce developer friction and improve the developer experience.
* By integrating security testing throughout the life cycle and directly into the developer's toolset, rather than one large test prior to production, CNAPP offerings enable fixing problems earlier and speed application deployment.
* Eliminates redundant capabilities (for example, most cloud providers offer container vulnerability scanning).
* More easily enables visibility from runtime to be fed back into development. Likewise, a single platform more easily enables visibility from development to be used to strengthen runtime protection (see Figure 6).

Figure 6: Bidirectional Integration Between Development and Runtime

CHALLENGES TO CNAPP ADOPTION

* Security organizational silos: Multiple teams each have a part of the responsibility for cloud-native application security. Today, these are spread across data center security teams, application security teams and cloud security teams. Each of these teams has tools that solve a part of the cloud risk puzzle, but rarely do these teams cooperate in product evaluation and selection.
* Adversarial relationship between developers and security: Security teams are perceived as slowing down modern DevOps-style development. Security controls weren't designed for the speed and scale of cloud-native applications, and weren't designed with the developer (rather than security) as the central customer. The result historically has been poorly integrated testing that required developers to leave their development environment, slowed development and often wasted developer time with false positives or requests to remediate low-risk vulnerabilities.
* Existing investments: Most organizations already have some form of runtime CWPP in their virtual machines. Many have also selected a scanning tool for containers in development and a solution for CSPM. Most organizations have several vendors for different (or sometimes similar, overlapping) functions, creating silos of users and findings and making it difficult to create a unified picture of risk. As organizations shift to a CNAPP-based approach, the synergy of an integrated platform will provide more benefits than a best-of-breed strategy that is difficult to scale.
* Mindset changes: Security teams must understand and acknowledge that a perfect, risk-free application is not possible. Perfect is the enemy of good enough. Instead, security teams should focus on an approach that identifies the highest-severity, highest-confidence risks and risk-prioritizes remediation efforts for the responsible developer. Cloud-native security becomes a risk-prioritized set of guardrails, replacing the former model of security "gates" in the development process.
* Architecture: Some CNAPP offerings are built to be provided as a SaaS-only offering. Others were designed to be run entirely by the customer. The best offerings will use a distributed cloud architecture with a cloud-managed control plane and decentralized inspection under the customer's control (for example, scanning containers or snapshots locally without requiring them to be uploaded to a SaaS service).
* Maturity: For the next several years, CNAPP capabilities will vary widely, and some vendors are immature in multiple areas. For example, sensitive-data visibility and control is often a priority capability, but it is difficult for many CNAPP vendors to address. Understanding of data context in unstructured and structured storage repositories is necessary to fully understand and risk-prioritize issues identified, but many CNAPP vendors don't yet offer this. Another example is agentless snapshot-based inspection to augment traditional agents.
* Legacy applications: Older applications that aren't fully cloud-native may require specialized tooling and rely more heavily on traditional approaches, such as SAST and monolithic web application firewalls (WAFs).

REPRESENTATIVE VENDORS

The vendors listed in this Market Guide are not an exhaustive list. This section is intended to provide more understanding of the market and its offerings.

MARKET INTRODUCTION

Cloud security leaders looking to secure the rapid development needs of cloud-native applications should consider CNAPP offerings as an integrated, developer-centric solution.
CNAPPs can improve the developer experience by integrating into developers’ native toolsets as seamlessly and transparently as possible: by reducing false positives and noise, by risk-prioritizing their remediation efforts and by providing specific remediation guidance to resolve the identified risk. CNAPP offerings can also help organizations adopt a stronger security posture in their development pipeline throughout the entire development life cycle (code to cloud).

Table 3 lists representative CNAPP vendors. To develop the list of representative vendors, we used the core and recommended capabilities and characteristics described in the Market Analysis section of this research. Some vendors sell multiple modules to build out the full set of CNAPP capabilities. In this early stage of the market, no single vendor has all capabilities.

TABLE 3: REPRESENTATIVE CNAPP VENDORS

Vendor | Offering
Aqua Security Software | Aqua Cloud Security Platform
Caveonix | Caveonix Cloud-Native Application Protection Platform
Check Point Software Technologies | CloudGuard CNAPP
CrowdStrike | CrowdStrike Falcon Horizon; CrowdStrike Falcon Cloud Workload Protection; Cloud Infrastructure Entitlement Management; CrowdStrike Falcon Container Security
Data Theorem | Cloud Secure
DoSec XIAOYOU TECH (China only, containers only) | Container Security
Ermetic | Cloud Native Application Protection Platform
Lacework | Polygraph Data Platform
Lightspin | Lightspin
Microsoft | Microsoft Defender for Cloud; GitHub
Orca Security | Orca Cloud Security Platform
Palo Alto Networks | Prisma Cloud
Qualys | Qualys TotalCloud with FlexScan
Rapid7 | InsightCloudSec
Red Hat (containers only) | Red Hat Advanced Cluster Security for Kubernetes
Safedog (China only) | Cloud Native Application Protection
Sonatype (with OEM of NeuVector, containers only) | Nexus Container
Sonrai Security | Sonrai Cloud Security Platform
Sysdig | Sysdig Secure
Tenable | Tenable.cs
Tencent Cloud (China only) | Cloud Workload Protection Platform; Tencent Container Security Service; Security Operations Center (CSPM)
Tigera | Calico Cloud; Calico Enterprise
Trend Micro | Trend Cloud One: Workload Security, Container Security, Application Security, Network Security, Conformity, File Storage Security, Open Source Security by Snyk; Trend Cloud Sentry
Uptycs | Uptycs Unified CNAPP and XDR
Wiz | Wiz
Zscaler | Zscaler Posture Control

Source: Gartner (March 2023)

MARKET RECOMMENDATIONS

STRATEGY AND PLANNING

* Whether a CNAPP is adopted or not, establish a vision for DevSecOps that puts developer experience as the primary goal. Aim for reduced friction, better risk identification and fewer false positives. Don’t make developers leave their native tools, and provide specific context and recommendations for remediation.

* Create a unified CNAPP strategy and evaluation team spanning cloud security, container security and application security. Because the developer is the ultimate persona that will be asked to remediate the identified risk, the team should include representatives from DevSecOps/development. Inventory the organization’s CI/CD pipeline tools, as this will be a critical input into the evaluation process.

* Use adoption of a CNAPP offering to consolidate vendors to cut complexity, simplify security policy enforcement, provide better context and prioritization, and improve the developer experience. There is also the potential to reduce duplicative costs of point solutions as contracts renew for CWPP, CSPM, SCA and container security offerings.

EVALUATION

* Have the joint development/security team identify and rank the enterprise functionality requirements into required, preferred and optional before sending out requests for information/purchase, as no single vendor is best-of-breed in all CNAPP capabilities.

* Prioritize CNAPP offerings with deep relationship graph analytics expertise. The ability to deliver against the vision of RiskOps requires the ability to understand the relationships of the different elements of a cloud-native application and to understand the risk of each element. This requires an understanding of cloud control plane risk and artifact risk, and then combining these together to understand, prioritize and remediate the resultant risk of the entire system.

* Run a functional pilot with real developers and applications before selecting a single-vendor CNAPP offering to ensure that functionality and developer experience meet your requirements.

DEPLOYMENT

* Focus the CNAPP rollout on cloud-native applications first — where development speed is paramount and risk identification is imperative. Even if a full CNAPP deployment is not possible, deploy a CSPM capability if you haven’t already, as most cloud-native application risk is caused by misconfiguration and mismanagement.

* Make software composition analysis and scanning of containers, OSS libraries and dependencies for known risks (common vulnerabilities and exposures [CVEs], hard-coded secrets, passwords, API keys, etc.) a high priority, as this is another common source of risk in cloud-native applications.

* Be pragmatic, not dogmatic, in the CNAPP deployment. Agents may provide the best visibility, but aren’t always possible. Use inside-out workload runtime visibility where you can, and agentless snapshots where you can’t, because some visibility into risk is better than nothing.

EVIDENCE

1 Hundreds of Gartner inquiries on the topic of CNAPPs with end-user organizations were analyzed for the 12 months of 2021 and compared to the 12 months of 2022, with a year-over-year increase of 70%.
2 2022 Gartner CISO: Security Vendor Consolidation XDR and SASE Trends Survey: This study was conducted to determine how many organizations are pursuing vendor consolidation efforts, what the primary drivers are for consolidation, expected or realized benefits of vendor consolidation, and how those who are consolidating are prioritizing their consolidation efforts. A primary purpose of this survey was to collect objective data on extended detection and response (XDR) and secure access service edge (SASE) for consolidation of megatrend analysis. The research was conducted online during March and April 2022 among 418 respondents from North America (n = 277; U.S., Canada), Asia/Pacific (n = 37; Australia, Singapore) and EMEA (n = 104; France, Germany, U.K.). Results were from respondents with $50 million or more in 2021 enterprisewide annual revenue. Industries surveyed included manufacturing, communications and media, information technology, government, education, retail, wholesale trade, banking and financial services, insurance, healthcare providers, services, transportation, utilities, natural resources, and pharmaceuticals, biotechnology and life sciences. Respondents were screened for job title, company size, job responsibilities to include information security/cybersecurity and IT roles, and primary involvement in information security. Disclaimer: Results of this survey do not represent global findings or the market as a whole, but reflect the sentiments of the respondents and companies surveyed.

3 The estimated market size for application security spending was taken from Magic Quadrant for Application Security Testing.

NOTE 1: GARTNER’S INITIAL MARKET COVERAGE

This Market Guide provides Gartner’s initial coverage of the market and focuses on the market definition, rationale for the market and market dynamics.
NOTE 2: DEVELOPMENT ARTIFACTS THAT SHOULD BE SCANNED FOR VULNERABILITIES, MISCONFIGURATION, MALWARE AND SECRETS

The following artifacts should be scanned to ensure they are secure, configured correctly and free from malware, vulnerabilities or inappropriately exposed sensitive information:

* OSS modules, libraries and frameworks
* Third-party software development kits
* Container layers and containers
* Serverless functions
* APIs and declarative API schemas
* Custom application code
* Compiled code/binaries
* Infrastructure as code scripts
* YAML Ain’t Markup Language (YAML) and other cloud configuration files, such as Kubernetes Helm charts
* Virtual machine images

NOTE 3: CASB AND CNAPP OVERLAP

Most stand-alone CASB revenue will migrate to the security service edge market. However, several CASB vendors also have CSPM capabilities (and some of these also have CWPP capabilities) that will overlap with CNAPP and be sold to buyers targeting the CNAPP use case.

NOTE 4: APPLICATION AND SOFTWARE SUPPLY CHAIN SECURITY TOOLS ADJACENT TO CNAPP

Several vendors focus only on identifying the relationship between development tools, developers and the artifacts they create. These vendors aren’t full CNAPP providers, but do add value to a CNAPP deployment in several ways. Most importantly, by having a deep understanding of the provenance of artifacts created in development by multiple developer/development teams, the offerings help to identify the person or team responsible for remediating the identified risk, speeding the time to remediate. Some of these offerings will also identify the tools used in the code pipeline and the security posture of the code pipeline. Some offer a more intelligent risk-based approach to software composition analysis or application security posture management. Others deduplicate risk findings of multiple security and risk scanners to help prioritize remediation efforts.
Example vendors here include Apiiro, Cycode, Dazz, Deepfactor, DevOcean, Enso Security, Oligo, Ox Security, Oxeye, Rezilion and Tromzo. Over time, these types of capabilities will be incorporated by larger CNAPP offerings. For example, one of the vendors here, Cider Security, was acquired by Palo Alto Networks (see Palo Alto Networks Signs Definitive Agreement to Acquire Cider Security) to add to its CNAPP portfolio after its intended acquisition of Apiiro fell through.

© 2024 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. It consists of the opinions of Gartner's research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party. For further information, see "Guiding Principles on Independence and Objectivity." Gartner research may not be used as input into or for the training or development of generative artificial intelligence, machine learning, algorithms, software, or related technologies.