Cloud native applications do more than just run on a different platform. The entire scope of these applications is different, including the methodologies and skills used to build them. Security practices for these applications need a transformation of equal magnitude. With this report, you'll learn how to adapt your practices to this new organizational reality by adopting a developer-first cloud native application security (CNAS) approach.

Author Guy Podjarny explains this market transition and guides you through the organizational changes required to succeed, including alterations to security practices and tooling. Concrete examples not only help you learn the concepts but also act as an ideal way to get started in the process. By the end of this report, you'll understand why and how to embrace a CNAS approach.

  • Initiate dev-first security by equipping developers with the mandate and tools to secure what they build during the development process
  • Expand the scope of application security for cloud native apps to include controls that IT security previously handled
  • Learn how adopting CNAS requires significant changes to the way you secure applications and infrastructure
  • Adapt your organization to a dev-first CNAS approach by rethinking your security organizational structure, tooling, and priorities

Table of Contents

  Preface
    1. Why I Wrote This Book
    2. Who Is This Book For?
  1. Digital Transformation
    1. Becoming a Technology Company
    2. Accelerating Technology Delivery
    3. The Cloud
    4. DevOps
    5. Cloud Native
    6. Security and Cloud Native Development
    7. Conclusion
  2. Dev-First Security
    1. What Is Dev-First Security?
    2. Developer Context and Expertise
    3. Developer Experience and Affinity
    4. Security Audits, Developers Fix
    5. Shift Left Is Not Enough
    6. DevSecOps Versus Dev-First Security
    7. Conclusion
  3. Securing the Entire Cloud Native App
    1. From IT Security to Cloud Security
    2. From Cloud Security to Cloud Native Application Security
    3. Container Application Security
    4. Runtime Security for Containers Versus Cloud VMs
    5. Securing Container Images Versus Cloud VMs
    6. Container Security Ownership
    7. Securing Containers as Apps
    8. IaC Application Security
    9. Securing Infrastructure as Applications
    10. Helping Developers Secure Infrastructure
    11. Conclusion
  4. Adapting to Dev-First CNAS
    1. Rethinking the Security Org Structure
    2. Core Application Security Team
    3. Security Engineering/Platform Team
    4. Product Security/Cloud Native AppSec Team
    5. What About the DevSecOps Team?
    6. Rethinking Tooling
    7. Developer Tooling Caliber
    8. Platform Scope
    9. Governance and Empowerment Approach
    10. Rethinking Priorities
    11. Conclusion
  Summary