andre aliaman for AWS Community Builders

Posted on • Originally published at dev.to

My Perspective on the Latest Improvements in Amazon Inspector from re:Invent 2023


Introduction

In the recent re:Invent 2023, AWS made significant improvements to Amazon Inspector, adding features such as agentless vulnerability assessments for Amazon EC2 and expanding AWS Lambda code scanning with AI-powered remediation. These changes position Amazon Inspector as a strong contender for a leading security tool. As a DevSecOps enthusiast, I'm especially excited about its improved integration with CI/CD pipelines for container image assessments.

This latest update fits perfectly with the basic idea of DevSecOps. In DevSecOps, we follow a 'shift-left' approach to security: we add security measures early in the development process, which helps us catch problems and mistakes earlier and makes our development work better and faster. If you want to learn more about DevSecOps, you can find more information here.

For the latest updates on Amazon Inspector itself, there are some features that deserve our attention and consideration:

Seamless Integration with Jenkins and TeamCity Through Plugins

In organizations using CI/CD, tools like Jenkins and TeamCity are popular choices for integrating into development lifecycles. Recent native plugins now make it easy for those already using Jenkins and TeamCity to incorporate Amazon Inspector seamlessly. This streamlined integration brings a significant change for these organizations, providing more tool choices to enhance their DevSecOps practices and strengthen their security posture.

Generate SBOM with Amazon Inspector

We typically use a Software Bill of Materials (SBOM) to create a list of all open-source and third-party software components in our codebase, services, or applications.

In the latest update, Amazon Inspector helps us generate SBOMs to simplify our understanding of the installed software composition inside our container images.

The resulting composition report is available in CycloneDX 1.4 and SPDX 2.3 formats, serialized as JSON, and is delivered to an S3 bucket.
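As an added example (not from the post and not Amazon Inspector's own tooling), the script below parses a CycloneDX 1.4 JSON SBOM of the kind described above, inventories its components by ecosystem, and acts as a shift-left gate that fails the build when a listed vulnerability meets a severity threshold. The SBOM document is a constructed sample that follows the CycloneDX 1.4 schema; fetching it from the S3 bucket is left out so the code runs offline.

```python
import json
from collections import Counter
# Constructed CycloneDX 1.4 JSON SBOM, embedded so the example runs offline (an Inspector
# export would be fetched from its S3 bucket). Names and the vulnerability id are placeholders.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"bom-ref": "pkg:deb/debian/libexample@1.0-1", "type": "library", "name": "libexample",
         "version": "1.0-1", "purl": "pkg:deb/debian/libexample@1.0-1"},
        {"bom-ref": "pkg:npm/example-web@2.3.4", "type": "library", "name": "example-web",
         "version": "2.3.4", "purl": "pkg:npm/example-web@2.3.4"},
    ],
    "vulnerabilities": [
        {"id": "CVE-EXAMPLE-0001", "ratings": [{"severity": "medium"}, {"severity": "high"}],
         "affects": [{"ref": "pkg:npm/example-web@2.3.4"}]},
    ],
})

SEVERITY_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

def load_sbom(text):
    """Parse the document and reject anything that is not CycloneDX 1.4."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX" or bom.get("specVersion") != "1.4":
        raise ValueError("expected a CycloneDX 1.4 document")
    return bom

def inventory(bom):
    """Count components per ecosystem, taken from the purl type (pkg:<type>/...)."""
    ecosystems = Counter()
    for c in bom.get("components", []):
        purl = c.get("purl", "")
        ecosystems[purl[4:].split("/", 1)[0] if purl.startswith("pkg:") else "unknown"] += 1
    return dict(ecosystems)

def vulnerable_components(bom, threshold="high"):
    """(name, vuln id, severity) per affected component at or above threshold; severity is the highest rating."""
    by_ref = {c.get("bom-ref"): c for c in bom.get("components", [])}
    hits = []
    for v in bom.get("vulnerabilities", []):
        sev = max((r.get("severity", "info").lower() for r in v.get("ratings", [])),
                  key=lambda s: SEVERITY_ORDER.get(s, 0), default="info")
        if SEVERITY_ORDER.get(sev, 0) >= SEVERITY_ORDER[threshold]:
            for a in v.get("affects", []):
                hits.append((by_ref.get(a.get("ref"), {}).get("name", a.get("ref")), v["id"], sev))
    return hits

def gate(text, threshold="high"):
    """Shift-left pipeline gate: True lets the image ship, False fails the build."""
    return not vulnerable_components(load_sbom(text), threshold)
```

In a Jenkins or TeamCity step, `gate()` would run against the exported SBOM and a falsy result would fail the stage before the image is promoted.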

Understanding Findings Better with Amazon Inspector

Understanding our security posture is crucial, and having an informative dashboard is a blessing. In the latest update, Amazon Inspector has a dashboard that displays all the issues detected in our system.

In Amazon Inspector, a "finding" is a detailed report that describes a vulnerability affecting an AWS resource. Findings contain important information such as the vulnerability's name, its severity rating, details about the affected resource, and step-by-step instructions for fixing the issue. Findings are categorized as follows:

  • Active Findings: These are vulnerabilities identified by Amazon Inspector but not yet remediated. They are subject to suppression rules for efficient management.
  • Suppressed Findings: Meeting specific criteria outlined in suppression rules, these findings are strategically hidden. They remain accessible only within the Suppressed findings list.
  • Closed Findings: Once a vulnerability is successfully addressed, Amazon Inspector automatically marks the finding as closed. These closed findings are efficiently managed and automatically purged after a 30-day period.

This structured approach in Amazon Inspector helps manage vulnerabilities effectively, offering clear insights into the status of each issue and making the remediation process more efficient.

Conclusion

With the latest updates from re:Invent 2023, Amazon Inspector has become a stronger and more complete security solution. It now integrates better with developer tools for securing container images, and additional improvements such as agentless assessments for EC2 (the infrastructure side) and generative AI-assisted remediation for Lambda code make it even more appealing.

The ease of integration with CI/CD makes Amazon Inspector even more useful, helping organizations improve their security and DevSecOps practices.

Stay tuned for more articles where I'll explain how to use Amazon Inspector in CI/CD pipelines for DevSecOps. I'm excited to share insights on its real-world impact and effectiveness, contributing to better security practices in DevSecOps in general.

I think that's it for now for this article comparison. Leave a comment below about your thoughts! Thanks.
