What does CNAPP (really) mean?\n\nFirst termed in the Gartner Hype Cycle for Cloud Security, 2021, a cloud-native application protection platform (CNAPP) is, as the name implies, a platform approach for securing applications that are cloud-native across the span of the software development lifecycle (SDLC) of the applications. The need for CNAPP originates from the proliferation of the ease of access to cloud resources and the spectacular adoption of agile development frameworks for applications. Each step across the lifecycle has security concerns and implications, including artifact and exposure scanning of code, cloud infrastructure configuration, runtime protection, and exposure scanning of assets. Any step along this development journey has the potential to lead to exploitation, which is exacerbated by the speed of development and release schedules moving to a continuous integration\/continuous delivery (CI\/CD) format. Additionally, a burgeoning vector of potential threats is the development platforms and tools being used around these SDLC flows to facilitate faster and better delivery of applications.\n\nHow did It originate?\n\nGartner originated the term CNAPP in response to the explosive popularity of cloud computing coupled with agile development. Security programs struggle to meet the need of keeping these ephemeral, \u00adshifting, and exceptionally quick workflows secure across every step of the development lifecycle.\n\nWhy is it important in cybersecurity?\n\nCNAPP, much like the SASE concept and Zero Trust, again moves security functionality closer to the assets being protected. Focus is brought to the key areas for all of the stages of an SDLC program, such as code being scanned for misconfigurations, secrets, and other dangerous artifacts, all the way to cloud workloads, services, and IAM profiles being scanned and protected from exploitations, \u00admisconfigurations, and vulnerable packages. The ultimate vision of this protection strategy is to be consolidated into a single technology platform that follows the entire SDLC as historical security practices have proven that using disparate products for the different steps leads to too much loss of effectiveness and efficiency of the security program. The long-standing friction between development and security must be properly handled to satisfy both parties as well, which necessitates a level of ease of use that flows with the lifecycle as opposed to interrupting it.\n\nWhat is the spin around this CNAPP buzzword?\n\nAs the last 5 to 10 years have shown us, anything \u201ccloud-related\u201d becomes hyped pretty quickly. In this hyped-up state, just claiming \u201cWe do CNAPP\u201d is going to catch attention, even if the underlying truths are much less exciting. Additionally, with the term being so nascent, there is a level of confusion about what CNAPP even entails. This leads to vendors who have a single coverage type, or maybe an area of coverage, claiming they are fully CNAPP. Vendors who are only covering runtime exposure scanning or merely artifact scans in code will have customers believing that they are a full CNAPP platform. These vendors then hope the customers are happy long enough to stay with them while they develop the rest of an actual CNAPP product, or potentially just never realize they are exposed to the other areas of their SDLC process.\n\nOur advice: What executives should consider when adopting CNAPP\n\nCNAPP is about securing all the steps in the convergence of development and cloud infrastructure. Every step along the lifecycle contains a business\u2019s most critical and sensitive technology assets. This necessitates having security involved in all of these steps and should be a primary focus for companies that need to maintain the integrity of these assets in a manner that does not degrade the \u00adeffectiveness or speed of agile frameworks. The secondary focus then becomes ease of operating\/administering the entire platform to validate that security effectiveness and updates to known vulnerabilities, \u00admisconfigurations, threats, and other errata being assessed are all properly occurring. This brings us to a tertiary focus that involves considering all of the development platforms being used as potential new vectors of attack, after which a full platform would have a company facilitating security in, of, and around the code\/application.\n\nHere are some questions to ask your team for a successful CNAPP adoption:\n\nLearn more about CNAPP.