The assumption with cloud-native companies is that all of their applications and infrastructure are designed for, built in, and run on public cloud providers. Security for these business-critical applications is paramount and requires a unique approach. Hence, the market for what Gartner dubs cloud-native application protection platforms (CNAPPs).
The catch is that even the most cloud-first organizations still have developers working on laptops, crafting their company's "crown jewels": the application code that wins market share from competitors. Truly innovative companies use technology as a differentiator and develop their crown-jewel application code in house. Today, this is as true of banks and traditional logistics companies as it is of Software as a Service (SaaS) or Silicon Valley tech companies.
A recent ForgePoint survey of chief information security officers (CISOs) found that 54% of CISOs view application development security as a priority, but few are taking appropriate steps to fully secure the entire development process.
Most (80%) of the endpoints we observe are used for software development — or building the crown jewels. The laptop is just the first step in the innovation supply chain, which stretches from the developer laptop through to the cloud instances running the finished software. When it comes to securing cloud applications, security teams need to consider how they can secure the entire arc of application development and innovation.
Along this arc, there are several steps, each of which is traditionally defended with a point solution or tool. It begins when a developer signs into an identity provider using their laptop, then pulls open-source code from a public Git repository. They use Chrome extensions for development tasks and then push the code out through their build, test, and deploy processes using automation servers, Kubernetes and cloud services like AWS. At each stage, there are multiple points an attacker can target.
Currently, security teams use endpoint detection and response (EDR) to secure laptops, cloud workload protection platforms (CWPP) to secure workloads in the cloud, and a host of other point solutions for all the steps in between. This patchwork of tooling creates visibility gaps that introduce risk across the innovation process. As software supply-chain attacks such as the SolarWinds breach, and the Sunburst backdoor it delivered to customers, have shown, a holistic approach is needed to close those gaps.
It is imperative that organizations increase visibility across their entire innovation supply chain in order to expose the hidden places and gaps where risks such as over-privileging or misconfiguration may lurk. As we have established, endpoints now interact almost exclusively with the cloud and SaaS, which means that organizations need to embrace a laptop-to-cloud security strategy: visibility from the endpoint operating system through the build servers to the cloud, with the telemetry from each stage joined together rather than examined in isolation.
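The gaps described above only become visible when events from the laptop, the identity provider, the build system and the cloud are stitched into one timeline keyed on the same identity. The following is an added illustration of that idea, not code from the original page or from any vendor product: it uses a constructed, simplified event schema (the `source`, `actor`, `action` and `detail` fields are assumptions, not the format of any real EDR, CI or cloud audit log) and flags two situations that no single-stage tool can see on its own: a cloud API call by an identity with no recent IdP sign-in from a managed device, and a deployment with no matching build.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class Event:
    """One normalized event from any stage of the laptop-to-cloud chain.

    Schema is an assumption for this example: real sources (IdP logs, EDR
    telemetry, CI job logs, CloudTrail) would each need a small adapter to
    produce records in this shape with a consistent `actor` identity.
    """
    ts: datetime
    source: str                 # "idp", "endpoint", "ci" or "cloud"
    actor: str                  # identity shared across every stage
    action: str
    detail: Dict[str, str] = field(default_factory=dict)


# Constructed sample telemetry covering the stages listed in the article:
# IdP sign-in, git activity on the laptop, CI build/deploy, cloud API calls.
SAMPLE_EVENTS: List[Event] = [
    Event(datetime(2024, 5, 1, 9, 0), "idp", "alice", "signin",
          {"device": "LAPTOP-01", "mfa": "true"}),
    Event(datetime(2024, 5, 1, 9, 5), "endpoint", "alice", "git_clone",
          {"host": "LAPTOP-01", "repo": "github.com/example/app"}),
    Event(datetime(2024, 5, 1, 9, 40), "endpoint", "alice", "git_push",
          {"host": "LAPTOP-01", "repo": "github.com/example/app"}),
    Event(datetime(2024, 5, 1, 9, 42), "ci", "alice", "build",
          {"job": "app-build#1021", "image": "app:1.0.3"}),
    Event(datetime(2024, 5, 1, 9, 55), "ci", "alice", "deploy",
          {"job": "app-deploy#1021", "image": "app:1.0.3"}),
    Event(datetime(2024, 5, 1, 10, 0), "cloud", "alice", "ecr:PutImage",
          {"image": "app:1.0.3"}),
    # bob: privileged cloud call with no sign-in or laptop activity beforehand.
    # A cloud-only tool sees a valid credential; only the joined view sees the gap.
    Event(datetime(2024, 5, 1, 14, 0), "cloud", "bob", "iam:AttachUserPolicy",
          {"policy": "AdministratorAccess"}),
    # ci-bot: a deploy of an image that no build job in the timeline produced.
    Event(datetime(2024, 5, 1, 15, 0), "ci", "ci-bot", "deploy",
          {"job": "app-deploy#1022", "image": "app:9.9.9"}),
]


def build_timeline(events: List[Event]) -> Dict[str, List[Event]]:
    """Group events from every stage into one time-ordered timeline per actor."""
    timeline: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        timeline.setdefault(ev.actor, []).append(ev)
    return timeline


def find_gaps(events: List[Event],
              window: timedelta = timedelta(hours=8)) -> List[Tuple[str, str, str]]:
    """Cross-stage checks that require the stitched view.

    Returns (actor, action, reason) tuples for:
      * cloud activity by an actor with no IdP sign-in within `window`
      * a CI deploy whose image has no earlier build event for that actor
    """
    findings: List[Tuple[str, str, str]] = []
    for actor, evs in build_timeline(events).items():
        for i, ev in enumerate(evs):
            earlier = evs[:i]
            if ev.source == "cloud":
                signed_in = any(
                    e.source == "idp" and e.action == "signin"
                    and ev.ts - e.ts <= window
                    for e in earlier
                )
                if not signed_in:
                    findings.append((actor, ev.action,
                                     "cloud activity with no IdP sign-in in window"))
            if ev.source == "ci" and ev.action == "deploy":
                image = ev.detail.get("image")
                built = any(
                    e.source == "ci" and e.action == "build"
                    and e.detail.get("image") == image
                    for e in earlier
                )
                if not built:
                    findings.append((actor, ev.action,
                                     f"deploy of {image} with no matching build"))
    return findings


if __name__ == "__main__":
    for actor, evs in build_timeline(SAMPLE_EVENTS).items():
        print(actor)
        for ev in evs:
            print(f"  {ev.ts:%H:%M} {ev.source:<8} {ev.action:<20} {ev.detail}")
    for finding in find_gaps(SAMPLE_EVENTS):
        print("FINDING:", finding)
```

Run against the constructed sample, the two findings are bob's `iam:AttachUserPolicy` call and ci-bot's deploy of `app:9.9.9`; alice's chain from sign-in to `ecr:PutImage` passes because every stage is accounted for. The design point is that neither check can be written inside a single tool: the IdP log does not know about cloud API calls, and the cloud audit log does not know whether a build ever happened, which is exactly the visibility gap the article is describing.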
The cybersecurity industry is starting to recognize the need for this sort of visibility with the transition to CNAPP, but most offerings fall short. CNAPP products from most vendors effectively bundle Cloud Workload Protection Platforms (CWPP), Cloud Security Posture Management (CSPM), and Kubernetes security products. Depending on the feature set, most CNAPP tooling offers decent visibility and protection in the cloud but still forces an organization to rely on a standalone EDR or XDR to defend the endpoint, leaving gaps in coverage, visibility and defenses. Additionally, tools need to provide open access to their data to empower threat hunters and defenders to proactively lower risk to the organization.
While most security strategies attempt to be outcomes-based, too often they are constrained by budgets and traditional notions of tooling. Security leaders need to embrace strategies that provide end-to-end visibility with open access to data across the entire innovation supply chain, so that any security question about any part of the laptop-to-cloud infrastructure can be answered quickly and easily.
For many organizations and security leaders, this will require them to re-evaluate their strategies, staffing, investments and procurement processes. However, until both broad and deep visibility across the innovation ecosystem is achieved, the development process will continue to have entrenched risks arising from gaps in visibility.