Industry Voices: AWS bolsters security services

In an increasingly digital world, staying safe online is becoming more important than ever. To help users protect their digital spaces, Amazon Web Services (AWS) made several updates to its cloud security offerings last week at its re:Inforce 2023 event.

The first significant update is to Amazon Inspector, a digital detective that hunts for security weaknesses in AWS workloads. Inspector now has a new feature that creates a detailed software bill of materials (SBOM), which is a comprehensive list of all Inspector-monitored resources across the organization. Knowing all the resources and where they come from can help organizations better understand potential security risks.

Once the SBOM is created, it’s stored in Amazon S3, a service that stores data as objects within buckets. Organizations can then download the buckets and use other AWS tools, such as Amazon Athena or Amazon QuickSight, to further analyze their software usage and spot trends. This feature is available at no additional cost and can be accessed via the Inspector interface or APIs. Over the past few years, AWS has been doing a better job of cross-product integration, and this is another example where AWS is trying to create a “1+1 = 3” value proposition.

AWS also enhanced Inspector to support Lambda functions. Lambda is a service that allows organizations to run pieces of code (functions) without managing servers. The functions are like mini-tasks that run only when an administrator needs them to. Now, Inspector can check these mini-tasks for security issues. Not only can it find problems in the packages the code depends on, but it can also inspect custom code inside a Lambda function. In fact, it can spot various types of security issues, such as weak or missing encryption and data leaks.

Once Lambda pinpoints an issue, Inspector provides important information like the name of the detector that found the issue, the piece of code that’s impacted, and suggestions on how to fix it. All the information is presented in one place, the Inspector console. The findings are also sent to AWS Security Hub and Amazon EventBridge to help automate the process. 

Third, AWS rolled out an update for Amazon Detective, a tool that aids in finding and fixing security issues. The update combines and displays information from Amazon Inspector and Amazon GuardDuty, two other tools that spot vulnerabilities. This means organizations can see potential issues with network communication and software vulnerabilities, along with findings from GuardDuty.

With the update, administrators can understand whether a computer was compromised because of a software weakness or whether a problem occurred because of a network exposure. Detective uses machine learning (ML), which helps the tool group related security events together. As a result, organizations can investigate problems faster, figure out the cause, and find the best solution.

Lastly, AWS launched a preview release of Amazon CodeGuru Security, a tool that uses ML to identify vulnerabilities in code. It doesn’t stop at finding problems: it also suggests how to fix them, and it can even provide ready-made patches for certain types of vulnerabilities. The tool can be integrated into different stages of the code writing process, making it an ever-present guard that watches over the code as it’s being created.

Although CodeGuru is currently in the testing phase, it’s already showing promise, according to AWS. By analyzing their code deeply, organizations can address real problems and avoid wasting time on false alarms. CodeGuru Security can spot a wide range of issues like log injection (code that can be used to trick a system), hardcoded credentials (code that contains passwords and other secrets), and resource leaks (code that doesn’t clean up after itself, leading to potential problems).


Zeus Kerravala is the founder and principal analyst with ZK Research. He provides a mix of tactical advice to help his clients in the current business climate and long-term strategic advice. Kerravala provides research and advice to end-user IT and network managers, vendors of IT hardware, software and services, and the financial community looking to invest in the companies that he covers. Follow him @zkerravala and on YouTube.

Industry Voices are opinion columns written by outside contributors — often industry experts or analysts — who are invited to the conversation by Silverlinings' editors. They do not represent the opinions of Silverlinings.