Manage vulnerabilities in your applications

Application Security Testing

It is recommended to use vulnerability scanning tools on both the running application (Dynamic Application Security Testing, DAST) and its source code (Static Application Security Testing, SAST), and to perform penetration testing on critical company applications and, ideally, on all of them.

Where to scan

Application vulnerabilities are easier (and cheaper) to remediate while the developers are still writing the code, but following the defense in depth principle it is also important to scan in the pipeline: code that was not written with a code companion checking for vulnerabilities can still be pushed into the pipeline and introduce risk. Finally, it is advisable to scan the deployed applications as well, since they may have been deployed before the pipeline scan was added, or new vulnerabilities may be discovered after the scan (for example, a dependency with a recently disclosed vulnerability).

  1. In the development UI: Amazon Q Developer (previously known as CodeWhisperer) detects vulnerabilities as the developer is writing the code and provides fix recommendations.
  2. In the pipeline: Amazon CodeGuru Security can perform code scans (SAST).
  3. In the image repository: Amazon Inspector can scan container images stored in Amazon Elastic Container Registry.
  4. Once deployed: Amazon Inspector can scan the code of AWS Lambda functions.

DAST/SAST Solutions on AWS Marketplace

There are many solutions from our partners on AWS Marketplace (such as Checkmarx and Veracode) to find application vulnerabilities.

Open Source

There are also free and Open Source tools that can help you scan your applications (such as Nikto, Vega, OWASP ZAP, or Burp Suite, whose Community Edition is free although not Open Source). AWS teams created and shared the Automated Security Helper (ASH, Open Source code available at AWS Samples). It will find exposed keys, vulnerabilities and bad practices:

  • It currently supports the following languages and frameworks: Git, Python, JavaScript, CloudFormation, Terraform and Jupyter Notebooks.
  • It identifies the framework and uses the relevant tool to scan the code in an isolated Docker environment.
  • It leverages multiple open source tools (such as git-secrets, bandit, nbconvert, npm-audit, checkov, cfn_nag, cdk-nag).
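The secrets check that ASH delegates to git-secrets, reduced to its essentials as an added example (illustration code written for this page, not the ASH or git-secrets source): a scanner that finds AWS access key IDs by their documented prefix, AWS secret keys by the variable name they are assigned to, and other credentials by Shannon entropy, so that placeholder strings are not reported. The regular expressions, the 4.0-bit threshold and the sample files are assumptions constructed for the example; the AWS key values are the placeholder keys from the AWS documentation.

```python
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Access key IDs follow the documented AWS format: a 4-letter prefix (AKIA for long-term
# keys, ASIA for temporary credentials) followed by 16 upper-case alphanumerics.
AWS_ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret keys have no fixed prefix, so we key on the variable name plus the usual
# 40-character base64-like value (assumption: this is how they appear in config files).
AWS_SECRET_KEY_RE = re.compile(
    r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"
)
# Fallback for other providers' tokens: any long quoted token, reported only if it looks random.
TOKEN_RE = re.compile(r"['\"]([A-Za-z0-9/+=_\-]{32,})['\"]")
ENTROPY_THRESHOLD = 4.0  # bits per character; an assumption to tune per code base


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    sample: str  # redacted, so the scanner's own output does not leak the secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random tokens score high, placeholders score low."""
    if not s:
        return 0.0
    n = len(s)
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(token: str) -> str:
    return f"{token[:4]}...{token[-4:]}" if len(token) > 8 else "***"


def scan_text(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, lineno, "aws_access_key_id", redact(m.group(0))))
        secret = AWS_SECRET_KEY_RE.search(line)
        if secret:
            findings.append(Finding(path, lineno, "aws_secret_access_key", redact(secret.group(1))))
        for m in TOKEN_RE.finditer(line):
            token = m.group(1)
            if secret or AWS_ACCESS_KEY_RE.search(token):
                continue  # already reported by a specific pattern above
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, lineno, "high_entropy_string", redact(token)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: content} tree; a real hook would walk the git diff instead."""
    findings: list[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample tree. The AWS key values are the placeholders from the AWS documentation,
# which is also why tools such as git-secrets allow-list them by default.
SAMPLE_FILES = {
    "app/config.py": (
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "aws_secret_access_key = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        "REGION = 'eu-west-1'\n"
    ),
    "app/.env": (
        "API_TOKEN=\"q8Zt3pLm9VxR2kWnY7cJdH4sB6fGaE1uT5oN\"\n"  # random-looking: flagged
        "PLACEHOLDER=\"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\"\n"  # zero entropy: ignored
    ),
    "app/main.py": (
        "import boto3\n"
        "client = boto3.client('s3')\n"
        "BANNER = 'Welcome to the application, please log in to continue'\n"
    ),
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line}: {f.kind} ({f.sample})")
    raise SystemExit(1 if results else 0)  # non-zero exit fails the commit hook or pipeline step
```

The entropy fallback is what keeps a generic scanner usable: without it, every long constant (test fixtures, build IDs, placeholder strings) becomes a finding and developers start ignoring the hook. Real tools add an allow-list for known false positives on top of this; keep that list in the repository so it is reviewed like code.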

While it is good practice to deploy a Web Application Firewall (such as AWS WAF) to block attacks on applications, this does not mean that application vulnerability checks are no longer required: a WAF filters known attack patterns at the edge, it does not remove the vulnerability, and a new payload or a request arriving through an internal path can bypass it. Following the defense in depth principle, both controls should be in place to reduce the risk of a vulnerability being exploited.

Later phases contain other recommendations related to this one:

Risk Mitigation

  • Many web applications must be exposed to provide their service, so their vulnerabilities are reachable by adversaries.
  • Most development teams are not security experts, or do not have time to prioritize secure coding practices.

Guidance for assessments

  • Are you scanning your applications for security vulnerabilities? How?
    • Dynamic application security testing (DAST) - live application?
    • Static application security testing (SAST) - code scan?
  • What is the coverage of the scans? Are you covering critical applications only? Most? All applications?
  • Are you scanning for secrets / credentials in code? (i.e., if a developer puts an access key in code, do you detect it?)
  • Are you stopping promotion to production if critical vulnerabilities are found?
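For the last question, a pipeline gate as an added example (illustration code written for this page, not code from any AWS product or from the page's own tooling): it reads a scanner report, fails the build on findings at or above a chosen severity, and honours time-boxed accepted-risk suppressions so that an exception cannot quietly become permanent. The report schema, the finding IDs, rule names and locations, and the suppression register are all assumptions constructed for the example.

```python
from __future__ import annotations

import json
import sys
from datetime import date

# Severity ordering used by the gate (assumption: the scanner normalises to these names).
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def load_findings(report_json: str) -> list[dict]:
    """Parse the scanner report. The {"findings": [...]} shape is an assumption made for
    this example, not the output format of any particular product."""
    return json.loads(report_json)["findings"]


def evaluate_gate(
    findings: list[dict],
    fail_on: str = "critical",
    suppressions: dict[str, dict] | None = None,
    today: date | None = None,
) -> tuple[bool, list[dict], list[str]]:
    """Return (passed, blocking_findings, expired_suppression_ids).

    A finding blocks when its severity is at or above `fail_on`, unless it has an
    accepted-risk suppression that has not yet expired. Expired suppressions are reported
    so the accepted risk is re-reviewed instead of bypassing the gate forever.
    """
    today = today or date.today()
    suppressions = suppressions or {}
    threshold = SEVERITY_RANK[fail_on.lower()]
    blocking: list[dict] = []
    expired: list[str] = []
    for finding in findings:
        severity = SEVERITY_RANK.get(str(finding.get("severity", "")).lower(), 0)
        if severity < threshold:
            continue
        suppression = suppressions.get(finding["id"])
        if suppression is not None:
            if date.fromisoformat(suppression["until"]) >= today:
                continue  # accepted risk, still inside its review window
            expired.append(finding["id"])
        blocking.append(finding)
    return (not blocking, blocking, expired)


# Constructed sample report; IDs, rule names and locations are hypothetical.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "F-001", "severity": "critical", "rule": "sql-injection",
         "location": "app/orders.py:42"},
        {"id": "F-002", "severity": "high", "rule": "insecure-deserialization",
         "location": "app/session.py:17"},
        {"id": "F-003", "severity": "critical", "rule": "hardcoded-credential",
         "location": "tests/fixtures.py:3"},
        {"id": "F-004", "severity": "medium", "rule": "missing-csrf-token",
         "location": "app/forms.py:88"},
    ]
})

# Constructed accepted-risk register: every suppression carries an owner, a reason and an expiry.
SAMPLE_SUPPRESSIONS = {
    "F-003": {"until": "2099-12-31", "owner": "appsec", "reason": "test fixture, never deployed"},
    "F-002": {"until": "2024-12-31", "owner": "team-b", "reason": "mitigated by a WAF rule"},
}

if __name__ == "__main__":
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    passed, blocking, expired = evaluate_gate(load_findings(report), fail_on="high",
                                              suppressions=SAMPLE_SUPPRESSIONS)
    for f in blocking:
        print(f"BLOCK {f['id']} {f['severity']} {f['rule']} at {f['location']}")
    for fid in expired:
        print(f"EXPIRED suppression for {fid}: re-review the accepted risk")
    sys.exit(0 if passed else 1)  # a non-zero exit stops the promotion to production
```

Run it as the last step before the deploy stage and make the stage depend on its exit code. Keep the suppression register in the repository next to the code so that exceptions are reviewed in pull requests, and start with `fail_on="critical"` if the backlog is large, tightening to `high` once the critical findings are gone.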

Pricing

Amazon Inspector: https://aws.amazon.com/inspector/pricing

Amazon Codeguru: https://aws.amazon.com/codeguru/pricing

Amazon Q Developer: https://aws.amazon.com/codewhisperer/pricing