Blog

Introducing the Future of Cloud-Native Security

9 min.

June 10, 2024

It’s 2024 and 67% of applications are now deployed in the cloud. However, there’s a difference between simply moving an application to the cloud and designing for it. Many organizations started their cloud journey with a “lift and shift” migration that got them into the cloud, only to discover that they still can’t take advantage of its benefits. That’s why, in 2024, the industry is now focused on building applications in a cloud-native way.

At Checkmarx, we’ve been building to this point for a long time. While we’re best known for SAST and SCA, we released KICS (Keep Infrastructure as Code Secure) as a free open-source tool in 2021 (also available on Checkmarx One) and partied like it was 2024 when it recently hit(and now well over 4 million). We launched Container Security in 2020 as well as the industry’s only shift-left API Security solution in 2022. We introduced our own cloud-native platform (Checkmarx One) in 2021 as a key milestone in our own cloud journey. We know what it means to be cloud-native, and we know what’s required to secure cloud-native applications.

That’s why we’re super excited about this launch. Checkmarx is already the #1 provider of cloud-native application security. This launch is a feather in the cap of everything we’ve done up to this point, but also a stepping stone for where we want to go next, helping organizations secure your applications wherever they are, whether they’re on-premises applications running in your data center or cloud-native applications deployed in the cloud.

But first…what does cloud-native mean?

There are a lot of buzzwords and jargon, but the concept is simple. Cloud-native simply means that an application was specifically designed to run in a cloud environment. But what does that mean?

If we start with your traditional monolithic application, you can deploy it on Amazon EC2 and – technically – now you’re in the cloud. But scaling the application is horribly inefficient. Like any complex piece of machinery, your application has many parts – some that have plenty of capacity, and a few that are bottlenecks. But because a monolithic application is a single piece of software, you must deploy another entire instance of that application. You have to scale the entire application as a single unit, even the parts that don’t need it.

In a cloud-native architecture, you would split out the different parts of the application into different software components that you can now deploy and scale independently – these are your microservices. All your microservices then talk to each other (so they can work together as a larger application) via predefined interfaces – these are your APIs. And because you might be deploying each microservice many (many) times, you want to remove the possibility of human error. This means you package a golden copy with everything it needs to run in a container, a technology that enables you to easily spin it up and run it anywhere. And finally, you automate the configuration of all the infrastructure needed to deploy that application with Infrastructure as Code.

CNAPP is not enough; you also need cloud-native application security.

In the past couple of years, Cloud-Native Application Protection Platforms (CNAPP) have emerged as a hot new security technology. It’s not difficult to see why, as it’s right there in the name – cloud-native applications and platform. CNAPP evolved from two sub-markets, Cloud Workload Protection Platform (CWPP) and Cloud Security Posture Management (CSPM) – and you can immediately tell what CNAPP solutions focus on – cloud workloads and cloud security posture (again, it’s right there in the name).

CNAPP solutions secure the cloud runtime environment, including network security (like firewalling and microsegmentation), monitoring application workloads, investigating anomalies in application behavior, and ensuring proper configuration of cloud infrastructure. That’s a lot of ground for a single vendor or platform to cover, and no CNAPP vendor does it all well today. Each vendor has different strengths based on what part of the market it grew out of, CWPP or CSPM. And that’s why many organizations today already have multiple CNAPP solutions.

But runtime environments are only half of the security story. If you have vulnerabilities in your application, you want to close them at the source and that requires shifting left into the development environment. And with everything it has to do already, CNAPP just doesn’t do application security well. That’s where we come in. Checkmarx has always focused on securing application development, with everything you need from the first line of code to packaging it in containers to deploying in the cloud. Not in the cloud? We help you cover your entire application footprint, whether it’s the latest cloud-native applications or a legacy application that you prefer to keep a little closer to home.

Reduce the noise and focus on what really matters

Cloud-native applications are complex, with many steps and moving pieces in the software development process. You need to scan your proprietary code for vulnerabilities and identify vulnerabilities (and malicious code) in open source software. You need to scan your container images to make sure your golden copy is as vulnerability-free as possible. And you need to scan your IaC templates to identify misconfigurations or other security issues. That means that application security has traditionally required a lot of tools, and lots of tools means lots of noise. This has been a major challenge for application security teams and the developers they serve.

At Checkmarx, we put a lot of effort into reducing noise. We start by making each solution as accurate as possible. You can see it in the results of our recent comparative testing, showing significantly higher accuracy for Checkmarx SAST and SCA vs. one of our “developer-focused” competitors – out of the box with no tuning (which means it gets even better with tuning). We also launched our next-generation SAST engine in January, with a new lightweight scan and super-low false positives with no tuning required, ever. And finally, we just announced our in-IDE, real-time code scanning in AI Security, providing immediate feedback to developers as they’re writing their code.

We also correlate data between solutions wherever possible with our correlation layer, which we launched back in 2022. An example of this is our exploitable path feature, which correlates findings between SAST and SCA to identify the vulnerabilities in open source libraries that are actually in functions or methods called by your source code, and therefore exploitable in your application. We tested our exploitable path feature in the Tolly report, and the results show that it’s easy for anybody to claim to have a feature like correlation, but there’s a difference between having it and doing it well (hint: we do it well).

Finally, we announced Application Risk Management last June. Application Risk Management builds on our correlation, with the ability to see risk across all your applications at a glance. This allows you to focus on the most critical applications first, or those with the highest amount of risk. Its very premise is reducing the noise and helping you focus on what really matters, i.e., “If you have only 30 minutes to do something right now, what would you do and where would you focus?”

Introducing Checkmarx ASPM

Until now, the focus of Fusion and Application Risk Management has been helping you get more out of your Checkmarx solutions. But we know that you have other AppSec tools in your environment that you need to manage as well. That’s why we’re introducing Checkmarx ASPM. ASPM builds on our existing correlation, prioritization, and risk management capabilities with Bring Your Own Results (BYOR). You can take advantage of all the correlation special sauce (like exploitable path) that we build into our products, as well as ingest data from using industry-standard SARIF files. This allows you to manage your entire AppSec posture with Checkmarx One, across both Checkmarx and any other solution you may have (including our competitors). One dashboard, one correlation engine, one risk management view, and one workflow for analyzing and triaging vulnerabilities for your developers to remediate.

Read the blog post to learn more about Checkmarx ASPM.

Correlating runtime data from CNAPP partners

This launch also builds on two partnership capabilities that we previously announced. Our integrations between Container Security and Sysdig and Wiz really highlight the potential of code to cloud security to reduce the noise. Just as exploitable path identifies vulnerabilities in open source libraries that aren’t in functions or methods called by your code, our integrations with Sysdig and Wiz give you additional tools with which to prioritize where you focus:

  • With Sysdig, we help you identify vulnerabilities in open source libraries that aren’t actually called by your application in the runtime environment. This means that, while those vulnerabilities technically exist in your application, the likelihood of them being exploited is far lower than others in libraries that are called by your application at runtime.
  • Our Wiz integration allows us to identify the container images that have been deployed in a cloud environment and are Internet-facing. This means that they can be more easily attacked and have a higher risk than those that cannot, helping you prioritize remediation for projects based on their network exposure in runtime.

Bringing you Cloud Insights

For those of you who may not have a CNAPP solution like Sysdig or Wiz today, we’re launching Cloud Insights. This capability is included with Checkmarx ASPM and connects Checkmarx One directly with your cloud infrastructure, where we can pull data from various infrastructure components to identify the containers running in the cloud. This allows us to identify projects and microservices that are Internet-facing in the runtime environment, similar to our integration with Wiz.

We then correlate this with our own vulnerability data to enhance our risk scoring in Application Risk Management and make it easier for you to understand your holistic application risk. Equally importantly, it helps us connect the dots between containerized microservices running in your cloud environment back through the software development lifecycle (SDLC) and to the specific software projects and code repositories in which they live. This gives you full visibility into your applications from end to end, or from code to cloud. Cloud Insights supports AWS EKS environments today, with other cloud providers to come in the future.

To learn more about Cloud Insights, read the announcement blog post here.

Taking AppSec to the board

And finally, we’re also announcing our new Executive Overview dashboard. Available to all Checkmarx One customers, the Executive Overview dashboard takes all the data available in Checkmarx One and gives you a bird’s-eye view of your entire application security program. You can measure and track your most important application security KPIs in a single place, including mean time to remediate (MTTR), vulnerability density, and  application rating score. It also includes advanced filtering capabilities, such as by , application, or project, to customize your view based on your organization hierarchy, application structure, or other needs. You can track how your application security capabilities are being used across all your applications under development, and identify trends or anomalies in that adoption.

Get all the details about the Executive Overview dashboard here.

How to get started

Like everybody else’s, your SDLC is complex with many steps and many moving pieces, and there’s a lot of noise you must sift through. Checkmarx helps you reduce the noise and focus on what really matters, by correlating data across of your application security solutions (Checkmarx and third-party), prioritizing the most critical vulnerabilities to fix first, and giving you full visibility into your application risk. We’re super excited about how Checkmarx ASPM, Cloud Insights, and Executive Dashboard (along with our integrations with Sysdig and Wiz) can help you secure your cloud-native applications from end to end and code to cloud.

If you’re on Checkmarx One, reach out to your account manager to learn how to get these capabilities today. If you’re new to Checkmarx or Checkmarx One, fill out this form to get started.

Disclaimer: no AI was harmed in the creation of this blog post.