Effective URL: https://www.gartner.com/doc/reprints?id=1-2CZE3HKZ&ct=230320&st=sb

Licensed for Distribution


MARKET GUIDE FOR CLOUD-NATIVE APPLICATION PROTECTION PLATFORMS

14 March 2023 - ID G00785751 - 28 min read
By Neil MacDonald, Charlie Winckless, and 1 more

--------------------------------------------------------------------------------

CNAPPs address the full life cycle protection requirements of cloud-native
applications from development to production. Security and risk management
leaders responsible for cloud security strategies should use this research to
analyze and evaluate emerging CNAPP offerings.

ADDITIONAL PERSPECTIVES

 * Summary Translation: Market Guide for Cloud-Native Application Protection
   Platforms(24 April 2023)


OVERVIEW




KEY FINDINGS

 * CNAPP offerings bring together multiple disparate security and protection
   capabilities into a single platform focused on identifying and prioritizing
   excessive risk of the entire cloud-native application and its associated
   infrastructure.
 * The attack surface of cloud-native applications is increasing. Attackers are
   targeting the misconfiguration of cloud infrastructure (network, compute,
   storage, identities and permissions), APIs and the software supply chain
   itself.
 * Developers are increasingly responsible for operational tasks, such as
   addressing vulnerabilities, deploying infrastructure as code, and deploying
   and tearing down implementations in production, thus requiring tools that
   address this expanded scope.
 * Because security is often viewed as an obstacle to developers, it is
   absolutely critical to prioritize risks identified and provide sufficient
   context for the developer to remediate it.
 * Multiple providers market CNAPP capabilities — some starting with runtime
   expertise and some starting with development expertise. Few offer the
   required breadth and depth of functionality with integration between all
   components across development and operations.
 * Agentless workload scanning has become a popular approach and an expected
   core CNAPP capability, although in-workload approaches provide the best
   protection.




RECOMMENDATIONS

Security leaders responsible for cloud security strategies should:

 * Reduce complexity and improve the developer experience by choosing integrated
   CNAPP offerings that provide complete life cycle visibility and protection of
   cloud-native applications across development and staging and into runtime
   operation.
 * Ensure the right person/team is tasked with remediating an identified risk,
   by requiring CNAPP offerings to understand ownership and provenance of
   development artifacts. At a minimum, the CNAPP offering must understand what
   developer/development team created the artifact, when it was scanned, when it
   was deployed, and who has since changed or modified it.
 * Build a team for the evaluation and selection of CNAPP offerings with skills
   spanning cloud security, workload security (including containers),
   application and middleware security, development security and developers.
 * To ensure a successful evaluation, rank the CNAPP offering requirements. No
   single vendor offers best-of-breed functionality across all capabilities.
 * Favor CNAPP vendors that provide a variety of runtime visibility techniques,
   including traditional agents, Extended Berkeley Packet Filter (eBPF) support,
   snapshotting, privileged containers and Kubernetes (K8s) integration to
   provide the most flexibility at deployment.




STRATEGIC PLANNING ASSUMPTIONS

By 2025, 60% of enterprises will have consolidated cloud workload protection
platform (CWPP) and cloud security posture management (CSPM) capabilities to a
single vendor, up from 25% in 2022.

By 2025, 75% of new CSPM purchases will be part of an integrated CNAPP offering.

By 2025, 80% of enterprises will have adopted multiple public cloud
infrastructure as a service (IaaS) offerings — including multiple K8s offerings.

By 2026, 80% of enterprises will have consolidated security tooling for the life
cycle protection of cloud-native applications to three or fewer vendors, down
from an average of 10 in 2022.


MARKET DEFINITION

This document was revised on 17 March 2023. The document you are viewing is the
corrected version. For more information, see the Corrections page on
gartner.com.

Cloud-native application protection platforms (CNAPPs) are a unified and tightly
integrated set of security and compliance capabilities designed to secure and
protect cloud-native applications across development and production. CNAPPs
consolidate a large number of previously siloed capabilities, including
container scanning, cloud security posture management, infrastructure as code
scanning, cloud infrastructure entitlement management, runtime cloud workload
protection and runtime vulnerability/configuration scanning.


MARKET DESCRIPTION

CNAPP offerings integrate visibility, configuration and testing across
development and operations in a modern DevOps-style development organization to
address unknown and unexpected risks that result from the increased complexity
in the development and deployment of cloud-native applications (see Note 1).

CNAPP offerings are typically sold and delivered as a service, with integration
into the runtime cloud environments and development pipeline tools used by the
development organization. CNAPP offerings deliver an integrated set of
capabilities spanning runtime visibility and control, CSPM capabilities,
software composition analysis (SCA) capabilities and container scanning.
Additional capabilities may include API testing and monitoring, traditional
static application security testing (SAST)/dynamic application security testing
(DAST), and runtime web application and API protection. While information
security is typically the primary buyer, the user ultimately is the development
team/product team responsible for the cloud-native application.

A cloud-native application typically has these characteristics:
 * Architected using loosely coupled microservices, often interacting via
   application programming interfaces (APIs)
 * Developed within a DevOps-style continuous integration (CI)/continuous
   delivery (CD) pipeline supporting frequent updates
 * Built with a majority of its code and libraries from open source
 * Often built using Linux containers with Kubernetes-based orchestration,
   supplemented with serverless functions and platform as a service (PaaS)
   services from the cloud provider
 * Deployed onto programmatic cloud infrastructure
 * Updated more frequently, making the workloads more ephemeral
 * Managed with a bias toward immutability such that few or no changes to
   production workloads are allowed — all changes in production are driven
   through the development pipeline


Until recently, comprehensively securing cloud-native applications required the
use of multiple tools from multiple vendors that were rarely well integrated and
often designed only for security professionals, not for collaboration with
developers. This lack of integration creates fragmented views of risk, each with
insufficient context on its own, making it difficult to prioritize the actual
risk. As a result, fragmented tools create excessive alerts, wasting developers’
time and making it unclear which role should own remediation.

CNAPP offerings allow an organization to use a single integrated offering to
identify risk across the entire life cycle and disparate elements of a
cloud-native application, and one that collaboratively puts the developer at the
core of the application risk responsibility (see Figure 1).



Figure 1: CNAPP Simplified View






CNAPP offerings bring together multiple disparate security and protection
capabilities into a single platform that most importantly is able to identify,
prioritize, enable collaboration and help remediate excessive risk across the
extremely complex logical boundary of a modern cloud-native application (see
Figure 2).


Figure 2: Explosion in the Risk Surface Area of a Cloud-Native Application






However, runtime risk visibility is only a part of the risk equation. Developers
are increasingly responsible for building more of the cloud infrastructure shown
in Figure 2, including the containers and cloud infrastructure setup using
infrastructure as code scripts (see Figure 3).

Figure 3: Developers’ Expanded Scope of Responsibility for Cloud-Native
Applications






Because developers are creating containers, serverless functions and cloud
infrastructure, CNAPP tooling needs to “shift left” into the development life
cycle — in addition to the comprehensive runtime visibility shown in Figure 2.
Shifting risk visibility left requires a deep understanding of the development
pipeline and artifacts and extending vulnerability scanning earlier into the
development pipeline as these artifacts are being created (see Figure 4 and Note
2).


Figure 4: Code-to-Cloud Risk Visibility, Prioritization and Remediation






Combining the need for runtime risk visibility, cloud risk visibility and
development artifact risk visibility results in a robust integrated set of
capabilities needed for a complete CNAPP platform (see Figure 5).


Figure 5: CNAPP Detailed View






No single vendor delivers all of the capabilities shown in Figure 5 today. CNAPP
offerings are emerging from multiple providers, often from different starting
points.

 * Many CNAPP offerings are from vendors that started with runtime workload
   visibility and protection, a market referred to as cloud workload protection
   platforms (see Market Guide for Cloud Workload Protection Platforms). As the
   development model shifted to cloud-native applications, these vendors
   “shifted left” with container scanning capabilities and later cloud security
   posture management (CSPM) capabilities (see Innovation Insight for Cloud
   Security Posture Management).
 * Several CNAPP offerings are from vendors that started first with CSPM, but
   also were asked by customers to shift left to scan for cloud configuration
   before the clouds were deployed by scanning infrastructure as code scripts.
 * A few vendors started first by addressing artifact scanning early in the
   development life cycle (for example, with software composition analysis and
   API security testing) but were asked by customers to broaden their platform
   to adjacent capabilities.


The budget for a CNAPP typically comes from the chief information security
officer (CISO) organization, with specific buying centers of cloud security
operations, cloud security architects, DevSecOps architects, cloud-native
application architects and application security. There is also an emerging role
of platform engineering team leaders, architects and security (see Adopt
Platform Engineering to Improve the Developer Experience) that will also be
interested in CNAPP capabilities.


MARKET DIRECTION

Since identifying the convergence between CWPP, CSPM, cloud infrastructure
entitlement management (CIEM) and other cloud security technologies in early
2021, Gartner has seen client interest, as measured by inbound inquiries, grow
significantly.1 The number of end-user calls on CNAPPs grew 70% from 2021 to
2022, with an emphasis on CSPM due to compliance drivers and ease of deployment
via APIs.

There are several factors driving client interest in CNAPPs.

 * The most significant driver is the need to unify risk visibility across the
   entire hybrid application and across the entire application life cycle. This
   simply cannot be achieved using separate and siloed security and legacy
   application testing offerings. CNAPP offerings operationalize cloud-native
   application risk (a concept referred to as RiskOps and introduced in Seven
   Imperatives to Adopt a CARTA Strategic Approach) by “connecting the dots” to
   help understand the effective risk across the multiple layers of a modern
   cloud-native application. Risk-prioritizing the findings is critical as
   developers and security professionals are overloaded with alerts and findings
   of siloed tools.
 * Another driver is the desire to reduce complexity by consolidating the number
   of security vendors (see Infographic: Top Trends in Cybersecurity 2022 —
   Vendor Consolidation). Data from the 2022 Gartner CISO: Security Vendor
   Consolidation XDR and SASE Trends Survey indicates a clear customer
   preference to consolidate vendors in the security space, with 92% of
   enterprises indicating they will be actively pursuing a vendor consolidation
   strategy by year-end 2022.2
 * There is a desire to integrate security and compliance testing seamlessly and
   transparently into modern DevOps (referred to as DevSecOps) in a manner that
   balances security and speed and doesn’t unnecessarily slow down digital
   innovation. Information security’s role shifts to one of providing the
   guardrails across the entire development pipeline, not gates. An analogy
   would be a racetrack where the guardrails are encountered by the driver only
   if there is a serious issue. Likewise, developers are allowed to innovate at
   their desired speed with little or no friction from security, unless a
   critical risk issue is identified. CNAPP offerings enable the construction of
   guardrails for a modern cloud-native application development pipeline.


All of this is expected to lead to significant growth in the CNAPP market over
the next several years. While Gartner has not yet sized the CNAPP market, it
overlaps capabilities and will pull revenue from several stand-alone markets
that make up the core of CNAPP functionality (see Table 1 and Forecast:
Information Security and Risk Management, Worldwide, 2020-2026, 4Q22 Update).



TABLE 1: SPENDING ON CNAPPS WILL PULL FROM THESE MARKET SEGMENTS

Columns: (1) Gartner market forecast segment; (2) estimated market size at
year-end 2022, billions of U.S. dollars in constant currency; (3) estimated
market percentage growth in 2022 in constant currency.

Gartner Market Forecast                        Size (US$B)   Growth (%)
Application Security Testing Software3         3.1           24.8
CWPPs                                          3.8           26.4
Vulnerability Assessment                       2.3           24.6
Web Application and API Protection             1.7           25.3
Cloud Access Security Brokers (see Note 3)     1.6           30.4
Other Information Security Software            2.1           19.0



Source: Gartner (March 2023)

CNAPPs will also pull spending from several point solution areas that Gartner
included in the above table, which Gartner has not yet broken out and sized
separately. These areas include the CSPM market (currently spread across the
CWPP and cloud access security broker [CASB] segments above and “other security
software” in Gartner’s market forecast) and spending on software composition
analysis tools (see Market Guide for Software Composition Analysis).


MARKET ANALYSIS

As with any emerging technology category and especially as CNAPPs near the Peak
of Inflated Expectations in multiple Gartner Hype Cycles (see Hype Cycle for
Application Security, 2022 and Hype Cycle for Workload and Network Security,
2022), CNAPPs have been subject to an immense amount of marketing hype and
abuse. We frequently see vendors that market CNAPPs but don’t meet Gartner’s
minimum requirements. Since the complete listing of CNAPP capabilities is quite
broad, we have broken the capabilities into three categories: core, recommended
and optional (see Table 2).



TABLE 2: CNAPP CORE, RECOMMENDED AND OPTIONAL CAPABILITIES

CNAPP Core Capabilities
 * Runtime visibility into virtual machine (VM) and container workloads
 * Cloud security posture management, including all leading hyperscale providers
   and their managed Kubernetes offerings (Kubernetes security posture
   management [KSPM])
 * Infrastructure as code (IaC) scanning, including for major IaC scripting
   languages and YAML/Helm for Kubernetes
 * Cloud infrastructure entitlement management
 * Network connectivity mapping
 * Scanning of containers and container registries for risk*
 * Software composition analysis, including software bill of materials (SBOM)
   creation

*Risk scanning includes:
 * Configuration scanning
 * Vulnerability scanning for known vulnerabilities
 * Secrets scanning
 * Attack path analysis

CNAPP Recommended Capabilities
 * Real-time workload visibility from the inside for critical VMs and containers
   including workload detection/response
 * API discovery and scanning for correct configuration in development
 * API discovery in development and monitoring at runtime
 * Scanning of unstructured IaaS data repositories for risk*
 * Network monitoring capabilities
 * Workload detection and response
 * Expanded cloud detection and response (CDR) capabilities beyond just workload
   monitoring (for example, looking at event logs, network logs and DNS lookups)
 * Drift detection from expected state
 * Support for other common clouds — Oracle, IBM, Alibaba Cloud, Tencent
 * Scanning of other application artifacts for risk*
   * VMs
   * Serverless functions

*Risk scanning expands to also include:
 * Sensitive data in unstructured data repositories
 * Malware scanning

CNAPP Optional Capabilities
 * Runtime application self-protection (RASP)
 * Serverless function instrumentation and monitoring
 * Application layer observability/monitoring
 * Support for VMware-based infrastructure (on-premises and public-cloud-based)
 * Support for other cloud and container environments such as Red Hat OpenShift
   and SUSE’s Rancher
 * Support for policy-as-code scanning
 * Support for Open Policy Agent
 * MicroWAF/web application and API protection (WAAP) at runtime
 * Scanning of IaaS structured data repositories for risk* (combined with
   unstructured data scanning, delivers a data security posture management
   [DSPM] capability)
 * Traditional static analysis of custom code for unknown vulnerabilities
 * Traditional dynamic scanning for unknown vulnerabilities
 * API scanning for unknown vulnerabilities
 * Development pipeline/software supply chain security beyond SCA (see Note 4)
 * Development pipeline hardening

*Risk scanning expands to include:
 * Sensitive data in structured data repositories
 * Scanning custom code for unknown vulnerabilities



Source: Gartner (March 2023)

The capabilities in Table 2 should be cohesive. A well-architected single-vendor
CNAPP offering should have the following characteristics:

 * All services should be fully integrated, not loosely coupled independent
   modules (typically resulting from a vendor’s internal silos, poorly
   integrated OEM components or those added from an acquisition). Integration
   should include the front-end console, unified policy across multiple points
   of inspection and a unified back-end data model.
 * Deep understanding of relationships between the elements of an application
   (VMs, containers, service functions and storage), security posture,
   permissions and connectivity, typically enabled by underlying graph database
   technology.
 * Deep understanding of the relationship between development artifacts (custom
   code, libraries, container images, VMs and IaC scripts), who created them and
   when they were created, who deployed them and when they were deployed, and
   who changed them and when they were changed.
 * Integrated advanced analytics that are combined with the graph relationships
   to risk-prioritize findings both in development and at runtime.
 * A single unified management plane to reduce switching between multiple
   consoles, not disparate management systems loosely integrated via API.
 * Primary management console is delivered as a service. Optionally, support for
   customer-hosted management consoles is provided to address security and
   risk-sensitive environments, such as air-gapped environments or regulatory
   domains.
 * Single security policy for risk inspection across all artifacts — containers,
   VMs, serverless functions and data storage.
 * Simple consumption-based pricing model based on major cloud-native
   application assets, such as virtual machines, container hosts, serverless
   functions and unstructured/structured storage repositories.
 * Inspection of artifacts can be performed in the vendor’s cloud-based SaaS or
   under the customer’s control, letting the customer choose the location of
   inspection, including on-premises for security-sensitive use cases.
 * The option for single tenancy even if delivery is cloud-based (for
   security-sensitive use cases).
 * Integration with key management systems to allow scanning of encrypted
   storage objects for risk.
 * Integration into CI/CD common development toolsets including code
   repositories, build servers and container registries and their audit/logging
   telemetry.
 * Predefined templates for reporting against common compliance standards — for
   example, CIS, NIST, PCI, GDPR and HIPAA.
 * Support for all three major hyperscale providers: Amazon Web Services (AWS),
   Microsoft Azure and Google Cloud Platform (GCP). Some organizations may
   require integration with additional clouds, such as Oracle, IBM, Alibaba
   Cloud, VMware and others.


Even in this early phase of the market, there are multiple CNAPP offerings in
the market that meet these core requirements. Vendors of these offerings are
listed in Table 3.

Since integrated CNAPP vendors have different starting points (some were CWPP
vendors adding CNAPP capabilities, some were SCA vendors adding CSPM, and others
were CIEM vendors that have expanded their portfolio), no single vendor is
best-of-breed in every capability. For this reason, it is critical that the
joint team evaluating CNAPP capabilities prioritize and rank their requirements
for mandatory, recommended and optional prior to the evaluation of offerings.

Deep understanding of the relationships between the different elements of a
cloud-native application (see Figure 2) is critical in order to deliver against
the vision of RiskOps. In other words, to make risk identification and
remediation operational, CNAPP tools must be able to build a model (similar
conceptually to a digital twin) of the application code, libraries, containers,
scripts, configuration and vulnerabilities to identify where the effective risk
resides.
Since risk-free applications are impossible, the challenge for information
security shifts to risk-prioritizing findings according to business context,
identifying the root cause and getting developers to focus first on the findings
that are of the highest risk and the highest confidence of potential impact to
the business. Likewise, a deep understanding of the relationship between
developers/development teams across the life cycle of an application (see Figure
3) is critical to identifying the right developer/development team or
engineering team to remediate the risks identified (and to provide them with
sufficient context to understand and remediate the risks quickly and
effectively).

With cloud-native applications, rarely is IT or information security responsible
for remediating the issue identified.

CNAPP offerings focus the majority of their scanning efforts on identifying
known types of vulnerabilities, misconfigurations and hard-coded secrets in
development artifacts using a combination of static and dynamic techniques. In
contrast, traditional static and dynamic analysis application security testing
tools focus on using a combination of static and dynamic techniques to find
unknown vulnerabilities in custom code. As such, CNAPP offerings and application
security testing (AST) offerings are complementary, but will increasingly
overlap. For the most complete view of risk, both CNAPP and AST tools would be
used. Over the next several years, we expect several CNAPP offerings to expand
into traditional SAST/DAST use cases, as well as some traditional SAST/DAST and
API testing tools to expand into CNAPP.

With modern cloud-native applications, it can be difficult if not impossible to
use a traditional host-OS-based agent approach. In some cases, the DevOps
product teams won’t accept them, and in other cases, the value of runtime
visibility into ephemeral workloads is not offset by the operational overhead of
deploying and managing agents. To address this, leading CNAPP offerings provide
a variety of agent and agentless alternatives for runtime visibility into
workloads, including:

 * Snapshots of running workloads and analyzing the snapshot created
 * Privileged containers
 * DaemonSets
 * Kubernetes sidecars
 * Libraries for inclusion in the development pipeline
 * eBPF-based instrumentation for Linux
 * LD_PRELOAD Linux system call interception (see What Is the LD_PRELOAD
   Trick?, Baeldung)
 * Envoy or F5 NGINX proxy integration
 * Service mesh integration
 * Cloud control plane API-based integration to inspect configuration and
   activity logs
 * Kubernetes API controller integration to inspect configuration and activity
   logs
 * Copies of workloads that are mounted and dynamically observed in an isolated
   environment (application sandboxing)
 * Language-specific runtime instrumentation (sometimes referred to as RASP)
 * Serverless function instrumentation layering techniques (e.g., AWS Lambda
   layers)


BENEFITS OF SINGLE-VENDOR CNAPP OFFERINGS

An organization could implement 10 or more tools to deliver fully against the
capabilities shown in Figure 4. However, there are reasons that organizations
are moving toward consolidation to a CNAPP offering:
 * Better identification, prioritization and remediation of cloud-native
   application risk.
 * Reduces operational complexity through consolidation of vendors, consoles,
   policies and contracts, thereby reducing chances of misconfiguration or
   mistakes. This enables:
   * A single place to define consistent security policies across development
     and operations.
   * Consistent enforcement of security policy across all application artifacts
     — code, containers, VMs and serverless functions.
   * Elimination of overlapping policies of disparate products and
     standardization of application policies and policy objects across all
     development artifacts.
 * A single vendor should implement a single data lake, data model and unified
   graph database for all event logging, reporting, alerting and relationship
   mappings. This enables the vendor to deliver against the vision of RiskOps —
   finding the root cause of the risk, identifying the person/team responsible
   for fixing it and risk-prioritizing the remediation efforts. This reduces the
   attack surface and shortens remediation times.
 * By having consistently enforced policies and by risk-prioritizing remediation
   efforts, a single-vendor CNAPP offering should reduce developer friction and
   improve developer experience.
   * By integrating security testing throughout the life cycle and directly into
     the developer’s toolset versus one large test prior to production, CNAPP
     offerings enable fixing problems earlier and speeding application
     deployment.
 * Eliminates redundant capabilities (for example, most cloud providers offer
   container vulnerability scanning).
 * More easily enables visibility from runtime so that it can be used to feed
   back into development. Likewise, a single platform more easily enables
   visibility from development used to strengthen runtime protection (see Figure
   6).



Figure 6: Bidirectional Integration Between Development and Runtime







CHALLENGES TO CNAPP ADOPTION

 * Security organizational silos: There are multiple teams that have a part of
   the responsibility for cloud-native application security. Today, these are
   spread across data center security teams, application security teams, and
   cloud security teams. Each of these teams has tools that solve a part of the
   cloud risk puzzle, but rarely do these teams cooperate in product evaluation
   and selection.
 * Adversarial relationship between developers and security: Security teams are
   perceived as slowing down modern DevOps-style development. Security controls
   weren’t designed for the speed and scale of cloud-native applications, nor
   with the developer (rather than security) as the central customer. The result
   historically has been poorly integrated testing that required the developer
   to leave their development environment, slowed development and often wasted
   developer time with false positives or requests to remediate low-risk
   vulnerabilities.
 * Existing investments: Most organizations already have some form of runtime
   CWPP in their virtual machines. Many have also selected a scanning tool for
   containers in development and a solution for CSPM. Most organizations have
   several vendors for different (or sometimes similar overlapping) functions,
   creating silos of users and findings, making it difficult to create a unified
   picture of risk. As organizations shift to a CNAPP-based approach, the
   synergy of an integrated platform will provide more benefits than a
   best-of-breed strategy that is difficult to scale.
 * Mindset changes: Security teams must understand and acknowledge that a
   perfect, risk-free application is not possible. Perfect is the enemy of good
   enough. Instead, security teams should focus on an approach that identifies
   the highest severity, highest confidence risk and risk-prioritizing
   remediation efforts to the responsible developer. Cloud-native security
   becomes a risk-prioritized set of guardrails, replacing the former model of
   security “gates” in the development process.
 * Architecture: Some CNAPP offerings are built to be provided as a SaaS-only
   offering. Others were designed to be run entirely by the customer. The best
   offerings will use a distributed cloud architecture with a cloud-managed
   control plane and decentralized inspection under the customer’s control (for
   example, scanning containers or snapshots locally without requiring them to
   be uploaded to a SaaS service).
 * Maturity: For the next several years, CNAPP capabilities will vary widely,
   and some vendors are immature in multiple areas. For example, sensitive-data
   visibility and control is often a priority capability, but it is difficult
   for many CNAPP vendors to address. Understanding of data context in
   unstructured and structured storage repositories is necessary to fully
   understand and risk-prioritize issues identified, but many CNAPP vendors
   don’t yet offer this. Another example is agentless snapshot-based inspection
   to augment traditional agents.
 * Legacy applications: Older applications that aren’t fully cloud-native may
   require specialized tooling and rely more heavily on traditional approaches,
   such as SAST and monolithic web application firewalls (WAFs).


REPRESENTATIVE VENDORS

The vendors listed in this Market Guide are not an exhaustive list. This
section is intended to provide more understanding of the market and its
offerings.



MARKET INTRODUCTION

Cloud security leaders looking to secure the rapid development needs of
cloud-native applications should consider CNAPP offerings as an integrated,
developer-centric solution. CNAPPs can improve the developer experience by
integrating into the native development toolset as seamlessly and
transparently as possible, by reducing false positives and noise, by
risk-prioritizing remediation efforts and by providing specific
remediation guidance to resolve the identified risk. CNAPP offerings can also
help organizations adopt a stronger security posture in their development
pipeline throughout the entire development life cycle (code to cloud).

Table 3 lists representative CNAPP vendors. To develop the list of
representative vendors, we used the core and recommended capabilities and
characteristics described in the Market Analysis section of this research. Some
vendors sell multiple modules to build out the full set of CNAPP capabilities.
In this early stage of the market, no single vendor has all capabilities.



TABLE 3: REPRESENTATIVE CNAPP VENDORS

Vendor                                             | Offering
---------------------------------------------------|----------------------------------------------------
Aqua Security Software                             | Aqua Cloud Security Platform
Caveonix                                           | Caveonix Cloud-Native Application Protection Platform
Check Point Software Technologies                  | CloudGuard CNAPP
CrowdStrike                                        | CrowdStrike Falcon Horizon
                                                   | CrowdStrike Falcon Cloud Workload Protection
                                                   | Cloud Infrastructure Entitlement Management
                                                   | CrowdStrike Falcon Container Security
Data Theorem                                       | Cloud Secure
DoSec XIAOYOU TECH (China only, containers only)   | Container Security
Ermetic                                            | Cloud Native Application Protection Platform
Lacework                                           | Polygraph Data Platform
Lightspin                                          | Lightspin
Microsoft                                          | Microsoft Defender for Cloud
                                                   | GitHub
Orca Security                                      | Orca Cloud Security Platform
Palo Alto Networks                                 | Prisma Cloud
Qualys                                             | Qualys TotalCloud with FlexScan
Rapid7                                             | InsightCloudSec
Red Hat (containers only)                          | Red Hat Advanced Cluster Security for Kubernetes
Safedog (China only)                               | Cloud Native Application Protection
Sonatype (with OEM of NeuVector, containers only)  | Nexus Container
Sonrai Security                                    | Sonrai Cloud Security Platform
Sysdig                                             | Sysdig Secure
Tenable                                            | Tenable.cs
Tencent Cloud (China only)                         | Cloud Workload Protection Platform
                                                   | Tencent Container Security Service
                                                   | Security Operations Center (CSPM)
Tigera                                             | Calico Cloud
                                                   | Calico Enterprise
Trend Micro                                        | Trend Cloud One:
                                                   |   Workload Security
                                                   |   Container Security
                                                   |   Application Security
                                                   |   Network Security
                                                   |   Conformity
                                                   |   File Storage Security
                                                   |   Open Source Security by Snyk
                                                   | Trend Cloud Sentry
Uptycs                                             | Uptycs Unified CNAPP and XDR
Wiz                                                | Wiz
Zscaler                                            | Zscaler Posture Control



Source: Gartner (March 2023)




MARKET RECOMMENDATIONS


STRATEGY AND PLANNING

 * Whether a CNAPP is adopted or not, establish a vision for DevSecOps that puts
   developer experience as the primary goal. Aim for reduced friction, better
   risk identification and fewer false positives. Don’t make developers leave
   their native tools, and provide specific context and recommendations for
   remediation.
 * Create a unified CNAPP strategy and evaluation team spanning cloud security,
   container security and application security. Because the developer is the
   ultimate persona that will be asked to remediate the identified risk, the
   team should include representatives from DevSecOps/development. Inventory the
   organization’s CI/CD pipeline tools as this will be a critical input into the
   evaluation process.
 * Use adoption of a CNAPP offering to consolidate vendors to cut complexity,
   simplify security policy enforcement, provide better context and
   prioritization, and improve the developer experience. There is also the
   potential to reduce duplicative costs of point solutions as contracts renew
   for CWPP, CSPM, SCA and container security offerings.


EVALUATION

 * Have the joint development/security team identify and rank the enterprise
   functionality requirements into required, preferred and optional before
   sending out requests for information/purchase, as no single vendor is
   best-of-breed in all CNAPP capabilities.
 * Prioritize CNAPP offerings with deep relationship graph analytics expertise.
   The ability to deliver against the vision of RiskOps requires the ability to
   understand the relationships of the different elements of a cloud-native
   application and to understand the risk of each element. This requires an
   understanding of cloud control plane risk and artifact risk and then
   combining these together to understand, prioritize and remediate the
   resultant risk of the entire system.
 * Run a functional pilot with real developers and applications before selecting
   a single-vendor CNAPP offering to ensure that functionality and developer
   experience meet your requirements.
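An illustration of the relationship-graph prioritization described above, written as an added example for this page (not Gartner's or any vendor's code): a constructed graph of cloud elements in which a medium-severity CVE on an internet-exposed workload that can reach an over-privileged identity and sensitive data outranks a critical CVE on an isolated workload. Node names, CVSS scores and weights are constructed assumptions.

```python
from collections import deque

# Constructed sample relationship graph (not a real environment). Nodes are cloud
# elements; directed edges are relationships: network reachability ("internet" ->
# workload) or permission grants (workload -> role -> data store).
EDGES = {
    "internet": ["web-frontend"],
    "web-frontend": ["svc-role"],
    "svc-role": ["pii-bucket"],
    "batch-worker": ["batch-role"],
}
IMAGE_CVSS = {"web-frontend": 6.5, "batch-worker": 9.8}  # artifact risk: worst CVE per image (constructed)
ADMIN_ROLES = {"svc-role"}          # control plane risk: over-privileged identities (constructed)
SENSITIVE_STORES = {"pii-bucket"}   # control plane risk: stores holding sensitive data (constructed)

def reachable(start, edges):
    """Breadth-first walk: every node reachable from `start` by following edges."""
    seen, queue = set(), deque([start])
    while queue:
        for nxt in edges.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def combined_risk(workload, edges=EDGES):
    """Combine artifact risk with control-plane context into one score and the
    reasons behind it. The multipliers are illustrative weights, not a vendor's model."""
    downstream = reachable(workload, edges)
    context = {
        "exposed": workload in reachable("internet", edges),   # can an attacker reach the CVE?
        "admin": bool(downstream & ADMIN_ROLES),               # does it hold an over-privileged identity?
        "sensitive": bool(downstream & SENSITIVE_STORES),      # can it reach sensitive data?
    }
    score = IMAGE_CVSS.get(workload, 0.0)
    for flag, weight in (("exposed", 2.0), ("admin", 1.5), ("sensitive", 1.5)):
        if context[flag]:
            score *= weight
    return round(score, 2), context

def prioritize(edges=EDGES):
    """Rank workloads by combined risk, highest first."""
    return sorted(((combined_risk(w, edges)[0], w) for w in IMAGE_CVSS), reverse=True)

if __name__ == "__main__":
    # The internet-exposed medium CVE outranks the isolated critical one.
    for score, workload in prioritize():
        print(f"{score:>6}  {workload}  {combined_risk(workload)[1]}")
```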


DEPLOYMENT

 * Focus the CNAPP rollout on cloud-native applications first — where
   development speed is paramount and risk identification is imperative. Even if
   a full CNAPP deployment is not possible, deploy a CSPM capability if you
   haven’t already as most cloud-native application risk is caused by
   misconfiguration and mismanagement.
 * Make software composition analysis and scanning containers, OSS libraries and
   dependencies for known risks (common vulnerabilities and exposures [CVEs],
   hard-coded secrets, passwords, API keys, etc.) a high priority as this is
   another common source of risk in cloud-native applications.
 * Be pragmatic, not dogmatic, in the CNAPP deployment. Agents may provide the
   best visibility, but aren’t always possible. Use inside-out workload runtime
   visibility where you can and agentless snapshots where you can’t, because some
   visibility into risk is better than none.


EVIDENCE

1 Hundreds of Gartner inquiries on the topic of CNAPPs with end-user
organizations were analyzed for the 12 months of 2021 and compared to the 12
months of 2022, showing a year-over-year increase of 70%.


2 2022 Gartner CISO: Security Vendor Consolidation XDR and SASE Trends Survey:
This study was conducted to determine how many organizations are pursuing vendor
consolidation efforts, what the primary drivers are for consolidation, expected
or realized benefits of vendor consolidation, and how those who are
consolidating are prioritizing their consolidation efforts. A primary purpose of
this survey was to collect objective data on extended detection and response
(XDR) and secure access service edge (SASE) for consolidation of megatrend
analysis. The research was conducted online during March and April 2022 among
418 respondents from North America (n = 277; U.S., Canada), Asia/Pacific (n =
37; Australia, Singapore) and EMEA (n = 104; France, Germany, U.K.). Results
were from respondents with $50 million or more in 2021 enterprisewide annual
revenue. Industries surveyed included manufacturing, communications and media,
information technology, government, education, retail, wholesale trade, banking
and financial services, insurance, healthcare providers, services,
transportation, utilities, natural resources, and pharmaceuticals, biotechnology
and life sciences. Respondents were screened for job title, company size, job
responsibilities to include information security/cybersecurity and IT roles, and
primary involvement in information security. Disclaimer: Results of this survey
do not represent global findings or the market as a whole, but reflect the
sentiments of the respondents and companies surveyed.

3 The estimated market size for application security spending was taken from
Magic Quadrant for Application Security Testing.


NOTE 1: GARTNER’S INITIAL MARKET COVERAGE

This Market Guide provides Gartner’s initial coverage of the market and focuses
on the market definition, rationale for the market and market dynamics.


NOTE 2: DEVELOPMENT ARTIFACTS THAT SHOULD BE SCANNED FOR VULNERABILITIES,
MISCONFIGURATION, MALWARE AND SECRETS

The following artifacts should be scanned to ensure they are secure, configured
correctly and free from malware, vulnerabilities or inappropriately exposed
sensitive information:
 * OSS modules, libraries and frameworks
 * Third-party software development kits
 * Container layers and containers
 * Serverless functions
 * APIs and declarative API schemas
 * Custom application code
 * Compiled code/binaries
 * Infrastructure as code scripts
 * YAML Ain’t Markup Language (YAML) and other cloud configuration files, such
   as Kubernetes Helm charts
 * Virtual machine images


NOTE 3: CASB AND CNAPP OVERLAP

Most stand-alone CASB revenue will migrate to the security service edge market.
However, several CASB vendors also have CSPM capabilities (and some of these
also have CWPP capabilities) that will overlap with CNAPP and be sold to buyers
targeting the CNAPP use case.


NOTE 4: APPLICATION AND SOFTWARE SUPPLY CHAIN SECURITY TOOLS ADJACENT TO CNAPP

Several vendors focus only on identifying the relationship between development
tools, developers and the artifacts they create. These vendors aren’t full CNAPP
providers, but do add value to a CNAPP deployment in several ways. Most
importantly, by having a deep understanding of the provenance of artifacts
created in development by multiple developer/development teams, the offerings
help to identify the person or team responsible for remediating the identified
risk, speeding the time to remediate. Some of these offerings will also identify
the tools used in the code pipeline and the security posture of the code
pipeline. Some offer a more intelligent risk-based approach to software
composition analysis or application security posture management. Others
deduplicate risk findings of multiple security and risk scanners to help
prioritize remediation efforts. Example vendors here include Apiiro, Cycode,
Dazz, Deepfactor, DevOcean, Enso Security, Oligo, Ox Security, Oxeye, Rezilion
and Tromzo.

Over time, these types of capabilities will be incorporated by larger CNAPP
offerings. For example, one of the vendors here, Cider Security, was acquired by
Palo Alto Networks (see Palo Alto Networks Signs Definitive Agreement to
Acquire Cider Security) to add to its CNAPP portfolio after its intended
acquisition of Apiiro fell through.
 

© 2024 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a
registered trademark of Gartner, Inc. and its affiliates. This publication may
not be reproduced or distributed in any form without Gartner's prior written
permission. It consists of the opinions of Gartner's research organization,
which should not be construed as statements of fact. While the information
contained in this publication has been obtained from sources believed to be
reliable, Gartner disclaims all warranties as to the accuracy, completeness or
adequacy of such information. Although Gartner research may address legal and
financial issues, Gartner does not provide legal or investment advice and its
research should not be construed or used as such. Your access and use of this
publication are governed by Gartner’s Usage Policy. Gartner prides itself on its
reputation for independence and objectivity. Its research is produced
independently by its research organization without input or influence from any
third party. For further information, see "Guiding Principles on Independence
and Objectivity." Gartner research may not be used as input into or for the
training or development of generative artificial intelligence, machine learning,
algorithms, software, or related technologies.
