What to Know About the Gartner Market Guide for CNAPPs

Gartner Marketing Report on Cloud Native Application Protection Platforms

Gartner produced its first-ever Market Guide for Cloud Native Application Protection Platforms (CNAPPs). In the report, analysts Neil MacDonald, Charlie Winckless, and Dale Koeopen define a CNAPP as “… a unified and tightly integrated set of security and compliance capabilities designed to secure and protect cloud-native applications across development and production. CNAPPs consolidate a large number of previously siloed capabilities, including container scanning, cloud security posture management, infrastructure as code scanning, cloud infrastructure entitlement management, runtime cloud workload protection, and runtime vulnerability/configuration scanning.” OX Security, the first end-to-end software supply chain security platform, is proud to be listed by Gartner as a Representative CNAPP-Adjacent Vendor adding tremendous value to Cloud Native Application Protection Platform deployments.

The Value of CNAPPs

Historically, securing the full software supply chain required multiple tools designed specifically for security professionals without any involvement from developers. These tools provided too many alerts and created fragmented workflows. Developers became frustrated and overwhelmed chasing false positives. As a result, they just ignored all notifications — including the important ones.

CNAPPs provide end-to-end security for applications, containers, and microservices that run on cloud infrastructure. CNAPP capabilities may include; container scanning, infrastructure as code (IAC), Cloud Infrastructure Entitlement Management (CIEM), runtime cloud workload protection, and Cloud Security Posture Management (CSPM).

The benefits of a single platform over a multitude of tools are numerous. Here are some of the highlights:

1. Focus on what matters

All vulnerabilities are not created equal. Developers are focused on releasing products quickly and too often product releases are delayed while developers chase false positives. CNAPPs can provide the context needed to focus security teams on remediating the most critical risks. Providing developers with all the information they need to feel confident that time spent remediating risks pre-production is time well spent, drastically increasing the chance that these critical risk notifications will not be ignored. Developer “buy-in” is a critical, and often overlooked, step towards minimizing the attack surface and releasing secure products on time.

2. Manage costs without sacrificing coverage

Security teams are responsible for identifying, provisioning, and integrating the right mix of tools, often juggling multiple security interfaces. This inevitably leads to gaps in tooling and security coverage, leaving blind spots across the software supply chain.

CNAPPs consolidate numerous security capabilities – including static application security testing (SAST), software composition analysis (SCA), container scanning, API protection, IaC (Infrastructure as Code), and container scanning – into a single platform, they can reduce costs without sacrificing coverage.

3. Enhance the Developer Experience

For reasons that may seem obvious, Gartner recommends using a single-vendor CNAPP offering (and not many). For security teams, CNAPPs help enforce consistent policies and prioritize remediation efforts without impeding velocity, giving security teams the confidence that the company is releasing secure products. At the same time, CNAPPs integrate easily into existing dev environments and eliminate fractured workflows and noise created by tool overload. This improves the developer experience and increases the likelihood that they will address critical risks pre-production.

OX Adds Value to CNAPP Deployments

Implementing a successful DevSecOps program is not as easy as snapping your fingers. AppSec teams face a number of challenges. Some challenges are trivial, like running Appsec tools. Some are very difficult, like protecting against new attack vectors.

The DevSecOps Pyramid of Pain

Because it is still early days for CNAPPs, many vendors may not be mature in certain critical areas, like visibility and prioritization. The lack of maturity leaves some of the most difficult challenges facing AppSec teams unaddressed.

CNAPP-adjacent platforms like OX Security, add a lot of value (and capabilities) to a CNAPP deployment. Among the many benefits,

  • OX provides a deep understanding of the lineage of every artifact. Built using the PBOM standard, OX provides a real-time list of software lineage, from the first line of code all the way to release, ensuring the integrity of every build and verifying that all apps in production are secure.


  • OX is able to identify the person or team responsible for remediating an identified critical risk, allowing for faster remediation and more streamlined communication.


  • OX provides visibility into and the security posture of all the tools used in the build pipeline.


  • OX deduplicates risk findings of multiple security and risk scanners to help improve efficacy, manage costs, and prioritize remediation efforts.


Want to learn more about OX Security? Contact us today.


Subscribe for updates