Cloud Native Application Protection Platforms

Book description

Cloud native security isn't a game for individual players. It requires team collaboration with a platform that can help cloud security engineers, developers, and operations people do their best work. That's what the cloud native application protection platform (CNAPP) delivers. With this practical guide, you'll learn how CNAPPs can help you consolidate security through DevSecOps across cloud native technologies, practices, and application lifecycles.

Through real-life attack scenarios, authors Russ Miles, Steve Giguere, and Taylor Smith help you explore how CNAPP not only mitigates multidimensional threats, but also reduces complexity and helps your team stay one step ahead of attackers. CNAPP provides a holistic approach to your cloud native development across identities, workloads, networks, and infrastructure.

With this book, you will:

  • Examine threats to different parts of the cloud native stack, including pipelines, supply chains, infrastructure, workloads, and applications
  • Learn what CNAPP is and how it enables the context-sharing and collaboration necessary to secure your applications from development to runtime
  • Assess your own attack surface from a code and runtime standpoint
  • Identify blind spots in your existing cloud native security coverage
  • Leverage CNAPP to achieve a holistic, collaborative security environment

Table of contents

  1. Preface
    1. Who Should Read This Book
    2. Why We Wrote This Book
    3. Navigating This Book
    4. What’s Not in This Book
    5. Important Terms
    6. A Brief Cloud Native and CNAPP Primer
      1. Cloud Native
      2. DevOps, IaC, and Bears, Oh My!
      3. Securing the Whole Deal Is Hard!
      4. Enter the Cloud Native Application Protection Platform
    7. Conventions Used in This Book
    8. O’Reilly Online Learning
    9. How to Contact Us
    10. Acknowledgements
  2. 1. Cloud Security, the Collaborative Game
    1. The Cloud Native Security Game
    2. How a Play Is Made: The Anatomy of an Attack
      1. Meet the Attackers: Actors and Vectors
      2. The Attacker’s Moves
    3. Broad, Deep, and Complex: The Cloud Native Security Game Board
      1. First, a Pinch of Structure: The Cloud Native Stack
      2. Second, a Smattering of Speed: Lifecycles
      3. To Season, Add Some Open Source
      4. Open Source: Easy Button for Growth, but at What Risk?
      5. Your (Insecure) Dish Is Ready: From Shallow to Defense in Depth
      6. The Attack Surface Is Broad
    4. Your Team: Cloud Security, Operations Security, and Development Security
      1. From Code to Cloud: Cloud Security Engineers + Security-Aware Developers + Security Operations
      2. Your Team, Siloed
    5. DevSecOps: Whoever Collaborates Best and Learns Fastest, Wins
    6. Collaboration and Emergence
    7. Who OODAs Best, Wins
    8. Your CNAPP Enables Your Cloud Native Security OODA Loop
    9. Losing Our Cloud Native Security Game
  3. 2. Playing to Win with Context and Collaboration
    1. Surfacing and Observing Your Security
      1. Observing Your System
      2. Combining Observing with Security Advice
    2. CNAPP Policies: From Observing to Orienting, Deciding, and Acting
      1. Orient Through CNAPP Policy Pattern-Matching
      2. Triggering Cross-Team Decisions and Actions
    3. Acronyms, Assemble! Key Terms and Definitions
    4. Back to Our Security Breach
      1. Lost in Translation
      2. Winning with Shared Security Context and Collaboration
  4. 3. A Shadow Cloud Emerges: Immediate Visibility, Maintaining Control
    1. Notable by Its Absence
    2. Characteristics of a Shadow Cloud
    3. Cloud Security Posture
    4. Surfacing Your Cloud of Curiosities
      1. Observe: Identifying the Assets
      2. Orient: Identifying Threats and Vulnerabilities
      3. Decide: Analyzing, Categorizing, and Prioritizing the Risks
      4. Act: Connecting Your CNAPP to the Action Through Integrations
      5. Learn: New Problems, New Policies, New Controls—New Loops
    5. Rinse and Repeat, Continuously
    6. From Continuously Reacting, to Continuously “Proacting”
  5. 4. Preventing Risk Early
    1. The Interface Between Security and Development Work
      1. Comparing the Developer and Security Domain Languages
      2. CNAPP as an Anti-Corruption Layer
      3. Respecting the Goals of Effective Security and Development Teams
      4. Team Interaction Modes
    2. CNAPP as a Development Collaborator
      1. Inspecting Your CNAPP Policies
      2. Surfacing Security Where You Work
      3. Security Awareness and Immediate Fixes in the IDE
      4. When a PR Is Born
      5. Checks and Balances in the Build
      6. Scope, Feedback, and (Helpful) Blame
      7. Automatically Updating Your Security Posture
  6. 5. Securing Your Supply Chain
    1. Introducing Your Cloud Native Supply Chain
      1. Your House of (Cards) Supply Chains
      2. How Supply Chain Attacks Work
      3. Rapid Release, Rapid Vulnerabilities
      4. From Trust, Through Fear and Suspicion, to Proactive Exploration and Resolution
    2. Fear and Loathing in Dependencies
    3. Making the Invisible Visible: CNAPP Software Composition Analysis
    4. Building a Cloud Native SBOM (Software Bill of Materials)
    5. Completing the SCA OODA Loop
    6. From the Packages to the Packager
  7. 6. Continuous Delivery, Continuous Insecurity
    1. CI/CD Pipelines: The Arteries of Production
    2. The Purpose of a CI/CD Pipeline
      1. Understanding CI/CD
      2. Where Are My Risks?
      3. Real-World Examples
    3. CI/CD Under the Lens of Your CNAPP
    4. From Pipelines to Production
  8. 7. Protecting Your Runtime
    1. What Are My Risks?
    2. Cloud Security Posture Management
    3. Cloud Workload Protection Platforms
    4. Cloud Infrastructure Entitlement Management
    5. Runtime Security Requirements in a CNAPP
    6. All for One and One for All Runtime Security
    7. What’s Under the Hood?
      1. Agent-Based Security
      2. Agentless Security
      3. Better Together
      4. What Is an Attack Path?
    8. From Breadth and Depth to (Data) Depth
  9. 8. Data Security Posture Management
    1. Introduction to DSPM
      1. What Is Sensitive Data?
      2. The Evolution of Data Security in Cloud Environments
    2. How Does DSPM Work?
      1. Data Discovery
      2. Data Classification
      3. Establishment and Application of Security Policies
    3. AI and DSPM Sittin’ in a Tree…
    4. How Much Better Could It Have Been?
      1. Equifax Breach (2017)
      2. Marriott International (2018)
      3. Capital One (2019)
    5. DSPM Is a Platform Solution
    6. Isn’t an LLM Also Data?
    7. Exposing the Heart of Our Problems: Data Theft and Data Laundering
  10. 9. Building a CNAPP Culture
    1. From Slow Culture War to Fast Culture Collaboration
      1. Gene Kim’s Contributions
      2. Insights from Team Topologies
      3. Determining Root Causes
      4. A CNAPP Is the Doctor
      5. A CNAPP Is Cost-Centric Security
      6. Security Chaos Engineering
      7. Disparate Tools Lead to Security Theater
    2. A CNAPP Makes the (Security) Team Work
  11. Index
  12. About the Authors

Product information

  • Title: Cloud Native Application Protection Platforms
  • Author(s): Russ Miles, Stephen Giguere, Taylor Smith
  • Release date: September 2024
  • Publisher(s): O'Reilly Media, Inc.
  • ISBN: 9781098141707