Cloud-native application protection platforms are a promising approach to securing cloud-based applications without sacrificing development speed. Credit: Getty Images These days cloud application developers are also security engineers. Who did not see this coming, given that application-level security is no longer an option? Also, we are pushing developers to build applications at scale, meaning they are becoming ops engineers and database engineers as well as security engineers, which is scary. The fact that most developers are not security experts is not lost on me. This has led to devsecops practices where developers are given training, tools, and processes to build and deploy more secure cloud-based applications. Of course, anyone who has attempted to implement that kind of cultural change has found that it can’t be done in weeks. It takes months and sometimes years. Emerging concepts out there may help things along. Cloud-native application protection (CNAP) platforms can continuously scan workloads and configurations to find and resolve security issues. They do this during application development, application testing, and application deployment. CNAP, at its core, aggregates two types of security platforms. The first is cloud security posture management (CSPM) platforms, which development organizations already employ to find surface misconfigurations and other vulnerabilities. The second is cloud workload protection platforms (CWPP), which use agent software to protect workloads. CNAP security policies are applied to any workload centrally. This includes microservices-based applications, container-based ones, or legacy applications, which are all in redevelopment or development these days. Centralized security processes make use of agent software to enforce predefined security policies. Moreover, they continuously scan applications and application environments for security concerns that fall outside of set policies. These policies typically are not defined by the developers but by the core enterprise security team. What does all this mean? More simply put, this is continuous scanning for security issues using centralized policies that are directly related to both security and governance. A continuous security scan might identify APIs that remain open but should be closed for security reasons, for example. Or encryption that is not being carried out when data is moving from applications to databases. Usually, small things can lead to big problems. It’s well understood that the faster you build and deploy applications, the larger the attack surface they typically have. Continuous security scanning should allow you to still crank out cloud-based applications yet remain secure—at least, secure in terms of how the policies are set. My advice is to look at this technology if you’re doing cloud-based development and want to do it at speed. In these days of the post-pandemic rush to cloud platforms, this may be something you’re overlooking or have yet to understand the associated risk. I’m never impressed by acronyms (CSPM, CNAP, etc.) that appear on the scene. They are typically built on existing well-understood concepts, and these are no different. I am, however, always willing to leverage a good idea no matter what it’s called. Policy-based security scanning is a reality and your development team should consider it. Related content analysis Generative AI won’t fix cloud migration You’ve probably heard how generative AI will solve all cloud migration problems. It’s not that simple. Generative AI could actually make it harder and more costly. By David Linthicum Jul 12, 2024 5 mins Generative AI Artificial Intelligence Cloud Computing analysis All the brilliance of AI on minimalist platforms Buy all the processing and storage you can or go with a minimum viable platform? AI developers and designers are dividing into two camps. By David Linthicum Jul 09, 2024 5 mins Generative AI Cloud Architecture Artificial Intelligence analysis The next 10 years for cloud computing Despite AI's explosive growth, the industry still needs to face facts that customers are unhappy about costs and vendor lock-in. By David Linthicum Jul 05, 2024 5 mins Amazon Web Services Google Cloud Platform Microsoft Azure analysis Serverless cloud technology fades away Serverless was a big deal for a hot minute, but now it seems old-fashioned, even though its basic elements, agility and scalability, are still relevant. By David Linthicum Jul 02, 2024 4 mins Serverless Computing Cloud Computing Software Development Resources Videos