Amazon VGT2 Las Vegas: Enhancing Vulnerability Detection with Amazon Inspector’s Code Security Features


Since its inception, Amazon Inspector has been instrumental in automating vulnerability management for workloads running on Amazon Elastic Compute Cloud (Amazon EC2), as well as for container workloads and AWS Lambda functions. Today, we’re advancing towards a more proactive approach to security with the introduction of code security capabilities. This robust feature provides insights into the security health of your code. With seamless integration to source code managers (SCM) such as GitHub and GitLab, Amazon Inspector assists in identifying and prioritizing security vulnerabilities and misconfigurations within your application’s source code, dependencies, and infrastructure as code (IaC).

Even without any alterations to your code, vulnerabilities may exist in the libraries that your application relies upon, posing risks to both you and your users. By scanning repositories, you can maintain a continuous watch over the security of your code and its dependencies. Amazon Inspector allows you to establish consistent security controls throughout your software development lifecycle, fostering effective collaboration between security and development teams while minimizing risk and remediation expenses.

Overview of Amazon Inspector Code Security Features

Amazon Inspector now includes three additional security analysis capabilities: static application security testing (SAST), software composition analysis (SCA), and infrastructure as code (IaC) scanning. To utilize these features, you need to connect to your SCM tool. If you’re using GitHub, you can easily start by installing and configuring the Amazon Inspector App from the GitHub Marketplace, which streamlines automated code analysis and provides security findings directly within pull requests. Alternatively, for those utilizing a self-hosted GitLab, setup is simple with a personal access token that has the necessary permissions.

Static Application Security Testing

Static application security testing (SAST) involves analyzing source code to uncover insecure patterns or methods without needing to compile or execute the code. Amazon Inspector’s SAST scans evaluate your source code to detect potential security vulnerabilities such as hardcoded secrets, cross-site scripting, or injection attacks across a variety of programming languages, including JavaScript, Python, and C#. The service also reviews Bash shell scripts, extending security coverage to deployment and configuration scripts.

Software Composition Analysis

Software composition analysis (SCA) helps you understand and manage the risk carried by your software dependencies. Each programming language has its own mechanism for finding, importing, and updating third-party libraries, such as PyPI for Python, npm for Node.js, and Cargo for Rust. Vulnerabilities may arise in libraries distributed through these language-specific package repositories, or a library you use may itself depend on a vulnerable library (a transitive dependency). Amazon Inspector supports major ecosystems such as Python, .NET, PHP, JavaScript, Java, Ruby, Rust, and Go. It automatically examines dependencies for known vulnerabilities and highlights which code is affected. When vulnerabilities are identified, Amazon Inspector provides detailed insight into the potential impact, the available fixes, and the upgrade paths, so issues can be resolved faster.

Infrastructure as Code Security

Just as applications are built from code, cloud infrastructure can be deployed and managed through code-centric methods. Amazon Inspector now analyzes IaC templates to uncover potential security misconfigurations, such as using AWS Identity and Access Management (IAM) wildcards in action statements or disabled Glue Data Catalog encryption. This proactive analysis allows you to address identified risks before executing code and deploying faulty infrastructure. The new feature reviews AWS CloudFormation, Terraform, and AWS CDK, ensuring secure infrastructure definitions throughout their development process.
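As an added example (not Amazon Inspector's own scanner), the following Python check reproduces the first misconfiguration class named above: it walks a constructed CloudFormation template and reports every IAM `Allow` statement whose `Action` is a wildcard. The template, the `AppRole` resource and the bucket name are assumed for illustration.

```python
import json

# Constructed CloudFormation template (not from the page): a role whose first
# inline statement grants "s3:*" on every resource, the IAM wildcard-action
# pattern the post says IaC scanning reports. The second statement is scoped
# and should not be flagged.
WEAK_TEMPLATE = json.dumps({"Resources": {"AppRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {"Policies": [{"PolicyName": "app", "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": "arn:aws:s3:::example-bucket/*"},
        ]}}]}}}})

IAM_TYPES = {"AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group",
             "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"}


def find_wildcard_actions(template_text):
    """Return (logical_id, policy_name, statement_index, action) tuples."""
    findings = []
    resources = json.loads(template_text).get("Resources", {})
    for logical_id, res in resources.items():
        if res.get("Type") not in IAM_TYPES:
            continue
        props = res.get("Properties", {})
        # Role/User/Group carry a list of inline policies; Policy/ManagedPolicy
        # carry one PolicyDocument directly under Properties.
        docs = [(p.get("PolicyName", "?"), p.get("PolicyDocument", {}))
                for p in props.get("Policies", [])]
        if "PolicyDocument" in props:
            docs.append((props.get("PolicyName", logical_id), props["PolicyDocument"]))
        for name, doc in docs:
            stmts = doc.get("Statement", [])
            stmts = stmts if isinstance(stmts, list) else [stmts]
            for i, stmt in enumerate(stmts):
                if stmt.get("Effect") != "Allow":
                    continue  # a wildcard in a Deny statement is not over-privilege
                actions = stmt.get("Action", [])
                actions = actions if isinstance(actions, list) else [actions]
                for a in actions:
                    # "*" or "service:*" grants every action of that service
                    if a == "*" or a.endswith(":*"):
                        findings.append((logical_id, name, i, a))
    return findings
```

Replacing `s3:*` with the specific actions the role needs (as in the second statement) clears the finding, which is the kind of fix Inspector suggests for IaC findings.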


Improved Security Governance and Visibility

Amazon Inspector allows you to select which types of scans to conduct across various repositories. You can initiate scans based on the following options:

  • On-demand: Starts an immediate scan of the chosen repository
  • Change-based: Triggers a scan on a push to the main branch, or when a pull request or merge request is opened
  • Scheduled: Runs scans weekly or monthly

Amazon Inspector integrates code security findings into a centralized dashboard for managing and enforcing scanning policies across repositories using customizable scan configurations. As part of the integration with the SCM platform, you can establish a default scan configuration applicable to existing or new repositories. Alternatively, custom scan configurations can be created for specific repositories using inclusion tags.

Upon successful completion of scheduled or event-driven scans, Amazon Inspector generates thorough findings that pinpoint specific lines of code within repositories, including commit IDs and file locations of detected vulnerabilities. Security teams benefit from customizable filtering through intelligent suppression rules, allowing you to tailor your security view to match your organization’s priorities, showcasing what’s most significant for your team while preserving findings data for reporting and auditing. Additionally, through native integration with Amazon EventBridge, these detailed security findings can be automatically routed into existing security workflows, enhancing alerting and response capabilities.

Code Fix Recommendations

Amazon Inspector simplifies remediation by providing precise code fix recommendations directly within the developer's workflow. The two-way integration with your SCM automatically posts suggested fixes as comments on pull requests (PRs) and merge requests (MRs) for Critical and High findings, so developers see the most pressing vulnerabilities without leaving their workflow. Concurrently, security teams get a consolidated dashboard in the Amazon Inspector console that aggregates findings from scheduled and event-based scans across the relevant repositories. Each finding includes remediation guidance tailored to the scan type: specific code suggestions for IaC and SAST findings, and recommended version upgrades and dependency update paths for SCA findings.

Conclusion

These enhanced security capabilities offer comprehensive visibility into the security health of your cloud applications, from initial code development to production deployment. Security teams can utilize the unified dashboard in Amazon Inspector to effectively track and manage vulnerabilities, ensuring that your code remains secure and compliant.
