Shifting Left Securely with Amazon Inspector
There were lots of really cool announcements that came out of #reInvent2023. One of my favorites was the release of three new capabilities for Amazon Inspector. These releases broaden what's possible when it comes to scanning cloud code for software vulnerabilities.
Cloud native is becoming the new normal. A report from the Cloud Native Computing Foundation shows that 30% of companies are using cloud native solutions.
Projections put the Infrastructure as Code market at more than $2 billion in 2027.
If you are building Infrastructure as Code in AWS, you are probably familiar with Inspector. Amazon Inspector is a vulnerability management service that continually scans your AWS workloads for known software vulnerabilities and unintended network exposure. It automatically discovers and scans running EC2 instances, container images in Amazon Elastic Container Registry (Amazon ECR) and within your CI/CD tools, and Lambda functions.
Three New Amazon Inspector Capabilities
First—There is a new set of open source plugins, as well as an API, that allows container images to be assessed for software vulnerabilities at build time, right from the CI/CD pipeline.
Let's start with the plugins, which are for Jenkins and JetBrains' TeamCity, with more to follow. The new API is accessible through both the AWS SDKs and the AWS Command Line Interface (AWS CLI), which lets you incorporate Amazon Inspector into your CI/CD pipeline.
Second—Inspector uses generative AI and automated reasoning to provide code-assisted remediation for AWS Lambda.
Third—Continuous monitoring—Inspector will monitor EC2 instances without installing an agent or additional software. This feature is in preview.
Scanning Lambda code just got easier.
AWS Lambda is a preferred choice for many developers. Many organizations use Lambda to build serverless API backends with Amazon API Gateway. Chatbots and natural language processing are another common use case, as are file and data processing and image and video processing. Some market estimates indicate that 50% of AWS customers use Lambda.
Amazon Inspector offers two types of scanning for Lambda. These scan types look for different types of vulnerabilities.
Amazon Inspector Lambda standard scanning: This is the default Lambda scan type. It scans the application dependencies within a Lambda function and its layers for package vulnerabilities.
Amazon Inspector Lambda code scanning: This scan type scans the custom application code in your functions and layers for code vulnerabilities.
The automated reasoning and code-assisted remediation comes in the form of in-context code patches for vulnerabilities detected during the scan. Inspector looks for security issues such as data leaks, missing encryption, and injection flaws.
Inspector discovers the vulnerabilities and includes code snippets and remediation suggestions.
If we think about why this matters, it's because it allows teams to prioritize security at the front end of the process instead of having to choose between security and a tight release deadline.
Inspector provides Continuous Monitoring for CI/CD pipelines
Did you know that a business today can spend an average of 250 days remediating a high-severity risk? It's really crucial to identify a potential security issue early in the development lifecycle. This practice prevents the risk from being deployed to a production environment.
But this addition isn't just about reducing vulnerability backlogs; it's really about increasing productivity and improving time to market through automation. It also creates more of a partnership between the Dev team and the Security team. The security team establishes threshold limits for the scans. This approach ensures that all container images meet a set of predefined criteria before moving to the next phase of deployment. The Dev team knows the parameters early and can adjust its workflow to meet expectations ahead of time instead of redoing work.
Inspector's recommendations actually streamline the security review process. Developers automatically integrate security into their CI/CD pipelines, a proactive approach that enables them to deliver secure software.
This approach is also cost effective. AWS charges $0.03 per image scanned using the CI/CD solution. Because the cost is on demand, security teams can align expense with actual usage, so costs actually reflect developer activity.
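One way a pipeline step could enforce the security team's thresholds described above, as an added example that is not Amazon's or this article's own code: it assumes the scan result is a CycloneDX 1.5 JSON vulnerability report (an assumption here, not something the article states), parses a constructed sample inline, and returns a non-zero exit status when any limit is exceeded so the image is not promoted.

```python
"""Severity-threshold gate for a CI/CD image scan (added example, not
Amazon's code). Assumes a CycloneDX 1.5 JSON report with a top-level
"vulnerabilities" array; SAMPLE_REPORT is a constructed sample."""
import json
import sys
# CycloneDX rating severities, ranked so the worst one can be selected.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
# Policy owned by the security team: maximum findings allowed per level.
DEFAULT_THRESHOLDS = {"critical": 0, "high": 2}

# Constructed sample report for one image (ids are placeholders, not CVEs).
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "ratings": [{"severity": "critical"}],
         "affects": [{"ref": "pkg:deb/example/libfoo@1.0"}]},
        {"id": "EXAMPLE-0002", "ratings": [{"severity": "high"}],
         "affects": [{"ref": "pkg:npm/example-lib@2.3.4"}]},
        {"id": "EXAMPLE-0003", "ratings": [{"severity": "low"}, {"severity": "medium"}],
         "affects": [{"ref": "pkg:pypi/example-pkg@0.9"}]},
    ],
})

def worst_severity(vuln):
    """A finding may carry several ratings; gate on the highest known one."""
    sevs = [str(r.get("severity", "")).lower() for r in vuln.get("ratings", [])]
    known = [s for s in sevs if s in SEVERITY_RANK]
    return max(known, key=SEVERITY_RANK.get, default="info")

def count_by_severity(report_json):
    """Tally findings per severity level from the CycloneDX JSON text."""
    counts = dict.fromkeys(SEVERITY_RANK, 0)
    for vuln in json.loads(report_json).get("vulnerabilities", []):
        counts[worst_severity(vuln)] += 1
    return counts

def evaluate_gate(counts, thresholds):
    """Return (severity, count, limit) for every breached limit; [] passes."""
    return [(sev, counts.get(sev, 0), limit) for sev, limit in thresholds.items()
            if counts.get(sev, 0) > limit]

def main(report_json=SAMPLE_REPORT, thresholds=DEFAULT_THRESHOLDS):
    """Exit status for the pipeline step: 0 to promote the image, 1 to block."""
    breaches = evaluate_gate(count_by_severity(report_json), thresholds)
    for sev, n, limit in breaches:
        print(f"FAIL: {n} {sev} finding(s), limit {limit}")
    return 1 if breaches else 0

if __name__ == "__main__":
    sys.exit(main())
```

In a real pipeline the report text would come from the scan step's output file instead of SAMPLE_REPORT, and the thresholds from a policy file the security team controls.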
cc: Al Sadowski | Mary McCahon
#cloud #cloudsecurity #aisecurity
1 year ago: These new Amazon Inspector capabilities are game-changers for cloud security!
1 year ago: I've watched the evolution of this service, and it's clearly moving in more valuable and meaningful directions.