Improve code security with native AWS tooling
A few recent improvements to AWS security tooling can help you improve your software code and gain visibility into key information about your software supply chain.
Amazon Inspector announces the general availability of Code Scans for AWS Lambda functions
Amazon Inspector now supports code scanning of Lambda functions, expanding the existing capability to scan Lambda functions and associated layers for software vulnerabilities in application package dependencies. With this expanded capability, Amazon Inspector now also scans your custom proprietary application code within a Lambda function for code security vulnerabilities such as injection flaws, data leaks, weak cryptography, or missing encryption, based on AWS security best practices. Upon detecting code vulnerabilities within the Lambda function or layer, Amazon Inspector generates actionable security findings that include the security detector name, the impacted code snippets, and remediation suggestions to address the vulnerabilities. All findings are aggregated in the Amazon Inspector console, routed to AWS Security Hub, and pushed to Amazon EventBridge so that response workflows can be automated.
Amazon Inspector code scanning of Lambda functions is available in 10 Regions: US East (N. Virginia), US West (Oregon), US East (Ohio), Asia Pacific (Sydney), Asia Pacific (Tokyo), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Stockholm), and Asia Pacific (Singapore). To learn more, visit the Scanning AWS Lambda functions with Amazon Inspector guide.
AWS announces Software Bill of Materials export capability in Amazon Inspector
Amazon Inspector now offers the ability to export consolidated Software Bills of Materials (SBOMs) for all Amazon Inspector monitored resources across your organization in industry-standard formats, including CycloneDX and SPDX. With this new capability, you can use automated and centrally managed SBOMs to gain visibility into key information about your software supply chain, including the software packages used in each resource along with their associated vulnerabilities. After Amazon Inspector exports the SBOMs to an Amazon S3 bucket, you can download the SBOM artifacts and use Amazon Athena or Amazon QuickSight to analyze and visualize software supply chain trends. The capability is available with a few clicks in the Amazon Inspector console or through the Amazon Inspector APIs. SBOM exports are offered at no additional cost.
Amazon Inspector SBOM exports are available in all commercial Regions where Amazon Inspector is available.
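As an added example (not AWS code and not part of the original article), the following script shows the kind of analysis you can run on a downloaded CycloneDX export once it is in S3: it resolves each vulnerability's `affects` references back to the component list and reports the worst severity per package. The document is a constructed CycloneDX 1.4 JSON sample with placeholder package names and vulnerability ids; the exact fields Inspector populates in its export are an assumption here, so check them against a real export before relying on the mapping.

```python
import json
from collections import defaultdict

# Constructed CycloneDX 1.4 document standing in for an SBOM downloaded from
# the export bucket. Package names, versions and vulnerability ids are
# placeholders, not real findings.
SAMPLE_CYCLONEDX = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "bom-ref": "comp-1", "name": "example-lib-a",
         "version": "1.0.0", "purl": "pkg:pypi/example-lib-a@1.0.0"},
        {"type": "library", "bom-ref": "comp-2", "name": "example-lib-b",
         "version": "2.3.1", "purl": "pkg:npm/example-lib-b@2.3.1"},
        {"type": "library", "bom-ref": "comp-3", "name": "example-lib-c",
         "version": "0.9.0", "purl": "pkg:pypi/example-lib-c@0.9.0"},
    ],
    "vulnerabilities": [
        {"id": "CVE-EXAMPLE-0001", "ratings": [{"severity": "high"}],
         "affects": [{"ref": "comp-1"}, {"ref": "comp-3"}]},
        {"id": "CVE-EXAMPLE-0002", "ratings": [{"severity": "critical"}],
         "affects": [{"ref": "comp-3"}]},
    ],
})

SEVERITY_ORDER = {"critical": 4, "high": 3, "medium": 2, "low": 1, "none": 0}

def vulnerable_components(sbom_json):
    """Map each affected component (keyed by purl) to its worst severity and ids."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    refs = {c["bom-ref"]: c for c in bom.get("components", []) if "bom-ref" in c}
    summary = defaultdict(lambda: {"worst": "none", "vulns": []})
    for vuln in bom.get("vulnerabilities", []):
        # A vulnerability may carry several ratings; keep the most severe one.
        sevs = [r.get("severity", "none") for r in vuln.get("ratings", [])]
        worst = max(sevs, key=lambda s: SEVERITY_ORDER.get(s, 0), default="none")
        for affected in vuln.get("affects", []):
            comp = refs.get(affected.get("ref"))
            # Dangling references are reported, not silently dropped.
            key = (comp.get("purl") or f"{comp['name']}@{comp.get('version', '?')}"
                   if comp else f"unresolved:{affected.get('ref')}")
            entry = summary[key]
            entry["vulns"].append(vuln["id"])
            if SEVERITY_ORDER.get(worst, 0) > SEVERITY_ORDER.get(entry["worst"], 0):
                entry["worst"] = worst
    return dict(summary)

def components_at_or_above(sbom_json, threshold):
    """Return purls whose worst finding meets the threshold, most severe first."""
    floor = SEVERITY_ORDER[threshold]
    hits = {k: v for k, v in vulnerable_components(sbom_json).items()
            if SEVERITY_ORDER.get(v["worst"], 0) >= floor}
    return sorted(hits, key=lambda k: -SEVERITY_ORDER[hits[k]["worst"]])
```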
Amazon Inspector is a vulnerability management service that continually scans AWS workloads for software vulnerabilities, code vulnerabilities, and unintended network exposure across your entire AWS Organization. Once activated, Amazon Inspector automatically discovers all of your Amazon Elastic Compute Cloud (EC2) instances, container images in Amazon Elastic Container Registry (ECR), and AWS Lambda functions, at scale, and continuously monitors them for known vulnerabilities, giving you a consolidated view of vulnerabilities across your compute environments.
To learn more and get started with continual vulnerability scanning of your workloads, visit:
Amazon CodeGuru Security is now available in preview
AWS announced the preview release of Amazon CodeGuru Security, a static application security testing (SAST) tool that uses machine learning to help you identify code vulnerabilities and provides guidance you can use during remediation. CodeGuru Security also provides in-context code patches for certain classes of vulnerabilities, helping you reduce the effort required to fix them.
By performing deep semantic analysis of your application code, CodeGuru Security detects vulnerabilities with a low false positive rate, enabling your engineering and security teams to be more efficient while triaging findings. CodeGuru Security flags a wide range of issues such as log injection, hardcoded credentials, and resource leaks, and is designed to integrate at different stages of the development workflow (code repository, CI/CD pipeline, container registry, etc.).
To learn more and get started with the public preview, visit the Amazon CodeGuru product page.