AWS re:Invent 2024 - Amazon Q Developer, Amazon Inspector & AI remediation for secure SDLC (DOP213)


Hello everyone, my name is Emil Lerch, and today I want to talk to you about securing your software development life cycle with a combination of tools that we have at AWS: Amazon Q Developer, Inspector, CodeGuru Security, to be able to bring AI into detecting and fixing anything with your software as you develop it, deploy it and operate it in production. So we're really looking at how we can improve our security posture as we look across the software development life cycle.

My name is Emil Lerch, I'm a principal go-to-market specialist with AWS focused on our development tools and on Q Developer specifically, and with me today, later, you'll see Casey Lee, who is a development engineer within AWS.

There's a number of things we're going to cover today. First and foremost, I just want to level set everybody on the software development life cycle and how we can add security into that. Then I'll talk a lot about Q Developer, provide an overview; there's been a number of announcements this week that I will also go over, and how we see Q Developer assisting you throughout the software development life cycle. Next we'll talk about code security scanning, within the IDE and outside the IDE, as we move code from the core development piece into our CI systems, our source control systems, and into production. And then Casey will talk a lot about maintaining that secure code with Inspector after deployment has actually happened.

So let's get started. First, the software development life cycle. There's a number of ways that our customers put together a set of pipelines to move code into production. We also have to ideate on that code, we have to figure out exactly what we want to do, and then write the code, put that into a source control system, and then have our pipelines measure, inspect, test it and put it into production. All of this really starts with the human element: planning on how we're going to approach a particular problem, what is it that we actually want to do with our applications. And as we think about security, we want to shift left, as it were, as much as we can. Physically on the slide you'll see this is on the left, but as we're thinking about our requirements for our software we want to think about that with a security-first mindset, and then as we do the actual design, architecture design and development, we want to also have security as top of mind as we go through those particular operations. So this is where Q Developer first really comes in: in that stage of requirements gathering, design, and then building directly within the IDE.

If folks are security professionals here, you can say, well, this is a developer on their laptop, I don't have full control over that environment, and so I want more control to be able to make sure that the code that is going into our company's systems, into production, is secure. So after the code leaves the laptop, that's where I really want to take over, and that's where we have assistants that help with the rest of this process. Code goes into our source code repository, and then at that point we want to apply our security checks, so CodeGuru Security, Amazon Inspector, to do software composition analysis, static application security analysis, and make sure that the code that we've been writing and the code that we're dependent upon in terms of libraries, dependencies, is secure at that point.

So the code's now in the source code repository; we want to deploy that into production, right? So we might use AWS CodePipeline, AWS CodeBuild, we might be using GitLab CI/CD, we might be using GitHub Actions, but we have some process that we want to use to take this code, build it, and then deploy it, and we want that process to be secure. And when we deploy it we're not done, because even though we've tested the code as we did the authoring, we tested the code after it's been authored and through the pipeline, now we're in production, and there might be things that come up after it gets deployed in production. We have software that's dependent upon libraries; those libraries may have vulnerabilities that are discovered after the fact. And so we want to make sure that we're continuously scanning our code even after it's been deployed, such that when a new vulnerability is discovered we have some visibility into that. And that's where Amazon Inspector comes in, to have that continuous scanning and then surface any findings that it discovers through a central management infrastructure that our security teams can be looking at. So you can see here we have AWS Security Hub, with the security teams that are viewing those particular findings.

So that's the full overview, and the rest of this hour is really going to be getting into the details of each one of those. Starting with the authoring, the ideation, learning what we want to change and how we change it: this is where Amazon Q really gets started. Our goal for Amazon Q Developer is to assist across the SDLC, the software development life cycle as a whole, is really what we're focused on. Some folks think about Q Developer, and we talk a lot about all the capabilities that Q Developer has in the IDE, but the north star for AWS is really accelerating the entire process. So that begins with that planning phase where Q Developer can come in, and you have
an understanding of what it is, the change that you want to make to the system or the new system that you want to build. We need to be able to architect that with best practices in mind, create our detailed level designs, again with best practices, and so we have Q Developer there within the AWS documentation, within the AWS console, which is nice because it has the context within the console of the AWS account that you have and the infrastructure that's there. So you can ask it account-specific questions that are germane to the problem that you're trying to solve. We released, in the last week or two, some enhancements for Q Developer for billing, for instance; we've got the ability to ask about particular pieces of your infrastructure, and so you can start to now ask questions about, okay, how many EC2 instances are we using versus containers versus Lambda? Let's conform to the way that our company is building other pieces of software, to have a consistent architecture. We can use that as input. If we're using EC2, maybe we look at what instance sizes are appropriate, and so Q Developer can help with that type of activity as well.

And then outside the console, now we have an understanding of where we want to take this; let's look at the existing code that we have in front of us if we're making a modification. Maybe I'm a new employee, or maybe this is a new codebase for me, or maybe the last change that we made to this codebase was a year ago. I need some refreshers on exactly what's going on in here, what patterns were being used, how has the software been architected. So I can use Q at that point to really dig into the details and explain to me what it is that I have in front of me, so that I can be effective when I'm ready to make that change.

So getting into the creation phase: with Q Developer at that point we're most often in the IDE, but we might also be using the command line interface, and with Q Developer in the CLI we can have suggestions for how to do things directly in that area. And there's a number of different things, some of which were announced even two days ago in Matt Garman's keynote, around being able to do things like creation of READMEs with /doc. So as part of that explanation phase, this might be a codebase that doesn't even have a README, or maybe there is an existing README but it's not up to date, so I can update that file as well. So there's new things that we're bringing into Q Developer all the time to help us with that act of creation, and in multiple different styles. So as I'm writing code in the IDE it can be providing me with suggestions; I can also engage in conversational coding by engaging with the chat interface that's on the left-hand side of my IDE, or maybe the inline chat that we released a little while ago, to be able to ask questions and then get to some code that I want to insert directly at the place where I'm having that chat conversation. Last but certainly not least is the feature development aspect. Within Q Developer you can go into the chat and actually invoke it; the command is /dev. You type /dev and then you provide it with a set of requirements. Once you provide those requirements, you can have it create the entire feature, the code, the documentation, the tests, all as a single unit, to really accelerate your development. So this is really helpful for brand-new features or new applications, to give you a jump start on that creation process.

Once code is there, we need to test it, we need to make sure it's secure. So Q Developer is there doing continuous scans of that code to make sure that we are writing secure code along the way. We have a new command that we introduced at the keynote on Tuesday called /test, which is specialized in unit test generation, but there's a number of different ways within Q Developer that you can create unit tests. You can create them through the inline suggestions as you're typing: you start to describe your test and it will create that test for you; the inline chat; the chat that's on the side of the IDE; or you can actually use the software development agent, the feature creation, to, instead of creating a feature, create me all the tests for this project, and it can kind of do that as well. Unit test generation features specific to test generation, and so that's a great way to engage with Q for that particular aspect.

Once your code is written and tested, you also want to do a full code review, and we'll see a demo of that a little later in this hour, and how that looks when you're reviewing it. It reviews for security, but it also reviews for suboptimal code, code that might be confusing or hard to read; maybe there's logic errors in the code that it can also start to help you find and, more importantly, fix. So when you run into reported issues through the code review feature, again announced on Tuesday, when you see those issues you can generate fixes directly within that interface. We'll see that today.

We write the code, we get it deployed, but we also need to operate that code, and so Q Developer is there to help out with troubleshooting errors. This is most often in the console, where you see maybe one EC2 instance can't reach another EC2 instance, and so we might be asking the question why, why is that, help me debug that. Or we might see issues with running Lambda functions, and Q Developer can suggest fixes there as well. So we have Q Developer embedded throughout the console to be able to help you in various areas: S3, Lambda as I mentioned, EC2, EKS, to be able to help with that. On Tuesday we announced a preview of Amazon Q Developer investigations. Investigations is a way that we can use the power of generative AI to review your operational logs and then be able to provide hypotheses on root cause for operational issues that have occurred. And so as an operator, or as a developer that's looking at my running system, I can go ahead and use investigations to quickly summarize what I'm seeing in production and be able to respond to that. So this is a really powerful feature that I'm excited to see our customers have some success with.

Well, we're not done, because once we have operational code, it's been there for a while, we may need to upgrade it to a new version of a framework or a new version of a language. So Q Developer is there in terms of transform. So Q transforms for Java, to go from Java 8 to Java 17 today, and our announcement on Tuesday for .NET, to upgrade our .NET code, that's in preview. These are the types of things that we're looking at and trying to offer for customers to be able to quickly upgrade their systems, maintain, modernize their codebase as time moves on, take away some of that undifferentiated heavy lifting of something like a Java 8 to Java 17.

All right, so that's a quick overview of kind of where we're going for Q Developer specifically. But I mentioned this /review that we announced on Tuesday, and we've all been busy at the conference; many of us have probably not seen this,
so this is what it looks like. So in this case I've done a review on a project, I'm looking at a particular issue, and I see that Q Developer is actually telling me a lot of details about the issue that I've seen. This isn't my code; maybe there's a bug, every time I run it on my code it comes out perfect, but I guess that's just my code, I'm not sure. But this is Open Sudoku, which is an open source project on GitHub that I've run /review on, and it actually didn't find too much, and it's older, several versions back, so I'm sure that a lot of these have been addressed. But in this codebase I ran Q Developer review on this, and we saw a couple of different issues. In this particular case we see that in Android development you start up an application, and Android software works on intents; there may not be a default intent, so this is basically you're not handling null. But we can generate the fix, and I actually have a video demo of this that I'll show in a minute, but I thought it was useful to provide kind of the end result here.

So we're providing a summary of all the things that Q Developer review has found in this codebase. There's a mix here of some things that are pretty deterministic, like you're missing this particular kind of check; there's some things that are, hey, my cyclomatic complexity is too high. And if you are familiar with that particular metric, cyclomatic complexity is effectively a measure of how confusing your code is: you've got a bunch of different if statements and conditions, and those conditions can be confusing to a developer as they're reading and then trying to make a change to a particular codebase. So Q Developer can detect those types of things and then suggest ways to make your code simpler while still accomplishing the end goal. So there's a number of different things that review is actually checking for in terms of optimizing and securing the code. We've got a summary that we have in the chat on the bottom left, and then in the middle is our codebase, which I've left the code there because it's actually highlighting the particular issue that review found, and the details on the right. So I've got my code, I've got the details, I can read through a clear explanation of exactly what Q Developer found, and then I've got action buttons on the bottom to be able to generate the fix, regenerate a fix if we want a different opinion from the LLM on how this should be addressed, I can do that regeneration. I can also explain more about what's going on, and that will be in the video that I show in a minute. Or I can say, hey, I think this is actually okay, I'm going to go ahead and accept it, so I'll ignore this particular issue.

Okay, all right, so here's the video. When I start this you'll see I'm going to go in, I've got the project loaded in the workspace, I don't have anything open though. I'm going to start to engage with Q Developer; we have these slash commands, so I'll use /review to instantiate the review process. It's asking me here if I want to generate it for the whole project or just the open file. I'm looking at the whole project, so I'll go ahead and ask it to do the review of the workspace as a whole, and it'll take a little while. I clipped out a little bit of time in this particular video, but it can take a minute or two, or a few seconds, and then it's going to provide me with that summary that we saw on the screenshot, showing you some of the issues here. One of them is a resource leak. Here I've got a database that I'm opening up, and then you'll see a few lines down there's a close, but in the middle there's a condition where I could return from the function without closing that database. So this is what Q Developer is trying to tell me, like, hey, there's a problem here. So I've asked it to explain what's going on, so it's generating in this chat an explanation of this entire problem and what to do about it. So I get a quick overview of resource management and why it's important to close things, and then a couple of different options, because there could be more than one way, depending on the design of this database object that I'm interacting with, there could be more than one way to make sure that the resource is always closed out, and then a few key points at the end to continue. So we're trying to teach the developer as we move forward, like, as you're creating more code, keep this stuff in mind when the new code is written.

So looking at a couple of different other issues, this is the one that we kind of started with, this is my intent that might be null. I'm going to go ahead and view the details, which pops up that other screen that we saw earlier, and then go ahead and generate the fix. I did not clip anything out from this, so this is exactly how long this particular generation takes; we'll see it's only a few seconds in this case, and we'll see a potential fix. And then at that point I can accept the fix, ignore it, regenerate, or I can open up the diff, which is going to show me exactly what will happen when I hit accept the fix. So the yellow highlights are the new code that it's proposing I put in.
I will go ahead and accept that fix, and when I scroll down on the file I'll see that, sure enough, my file's modified; those two new lines are now there to put a null check, basically, in that particular area. So that's what the Q Developer review looks like in the IDE.

But there's one other announcement that I haven't talked about that was done on Tuesday, and it was a fairly momentous announcement for Q Developer, because of what I showed earlier in terms of this secure SDLC: we want to be able to also initiate these reviews inside our source control systems. So our partnership with GitLab now enables us to have Q Developer in the GitLab environment, so that whether it's a developer or some other project member, maybe a security analyst, who wants to do a review, they can, using Q Developer, initiate that directly in GitLab and have a similar experience to what we just saw. So I have to apologize a little bit; this video flashes a little bit, so if you're a little photosensitive you might be aware of that. But this is in the GitLab environment. We've got a merge request; at this point the developer has written code and wants to issue this merge request. If you're not familiar with GitLab and you are familiar with GitHub, a merge request and a pull request from GitHub are fairly synonymous. So I'm going to create that merge request. Once I create the merge request, at that point, just as in many other source control systems, I have the ability to comment on that merge request, and so what we'll see in a second when I play the video is that we will comment on the merge request and then try to assign that comment to Q, to say, hey, I'm commenting here to ask Q to do a review. So I'll go ahead and play this. We'll now create the merge request, and then after I click this button we'll see the screen with the merge request come up, and then that screen will have the activity where I can now go in and ask Q to do a review of the code. So by typing /q I'm now engaging with the Amazon Q service. I'll ask for that review again, and after I hit the comment we'll let some passage of time happen, and then we'll see the Q service comment with kind of status. So you'll see several comments come in here to say, hey, I've received your request, I'm reviewing the code, the review is complete and I found an issue. In this case it's a potential SQL injection vector: you really don't want to concatenate strings, I want to use prepared statements. So it's again giving me that description, but now this is captured for anybody in the project team to see at any time; it's part of the project history, and so we can see the provenance of all the changes that have been made and why they were made. So in this case, okay, now I agree with Q Developer's assessment; I'm going to invoke Q again and say, can you go fix this for me, that'd be nice. So we're going to fix that, or ask Q to fix it, and when we add that comment the Q service will go back and generate that fix and suggest changes directly to the merge request, that again we can review and decide whether or not we want to accept. So we'll scroll down here, we'll see the diff; it's going to take out that string concatenation that we saw earlier, and it's going to replace it with the new code that's using a SQL prepared statement. And for those that aren't familiar, if you use a SQL prepared statement, those are not vulnerable to SQL injection attacks. So we've got the user ID equals question mark, that's our parameter, and then down below we see the setString, statement.setString, which is assigning the user variable into that statement. So this looks good; we're going to apply that suggestion, and then at that point we're free to accept the merge request, or continue with other human-aided reviews.

So once we get through the creation and into our source control system, now we want to deploy that code, and that's where we start turning from Amazon Q Developer to some of the other tools that AWS provides for secure scanning of code. Predominantly this is CodeGuru Security, as the next stage in that secure software development life cycle. So here's the same picture we saw earlier, but CodeGuru Security is embedded throughout. CodeGuru Security is actually one of the components that we're leveraging within Q Developer for that review; it's not the only thing, but it is part of that. And so Q Developer is using it, Inspector is using it, and then we can use it directly within our CI/CD pipelines, within CodeBuild, within CodePipeline. If you have GitHub Actions or you're using GitLab CI, we have documented integration for CodeGuru Security into each one of those. And then we can see full visibility of these security vulnerabilities, specifically for static analysis of our code, throughout the entire life cycle. CodeGuru Security, you can invoke it on specific code that's in a repository or in S3, and when you do that you can see any of your findings on the CodeGuru dashboard that is within the AWS console. So here is a picture of what that looks like. We have here some hard-coded credentials we found in our code, and at that point we can get an explanation of what that looks like and then go back into our editor of choice and take care of that issue. Within CI/CD we want
to be able to potentially block on different finding levels. So in this particular case I've got GitLab CI; this is an example of GitLab CI, and here we're using the CodeGuru Security image, and we've decided to fail on security level critical. So that's super useful for test environments, but when you get into staging and production environments you might want to crank that down. So now I'm failing on different security levels, so I don't want any medium or higher vulnerabilities being pushed into production, for instance, but maybe in staging I relax that a little bit and allow medium but not higher, critical. I have the flexibility to do that within CodeGuru Security. So we've written the code, we've reviewed the code in our source control system, and then we've had security reviews throughout the pipeline to push this into production. So once we get into production, now we want to start talking about Amazon Inspector, and for Amazon Inspector I'll invite my colleague Casey Lee up here, and he'll take you through what that looks like.

All right, so Emil gave us some great techniques that we can use to secure our software development life cycle early on in the developer's workstation, in their IDE, get very fast feedback early and often. We also saw how we could secure inside the CI/CD pipeline, inside our source management system, and so these are great techniques that help give us confidence that our software is ready to deploy and operate. But the problem is our software development life cycle does not end at deploy time, right? It's only just getting started. Most of the time is now going to be running this software, and so what we really need is a mechanism where we can continuously validate that our software is still meeting our security requirements and is free of vulnerabilities, and this is where Amazon Inspector comes in. Amazon Inspector is a service that continuously monitors your software in your account, in your organization, continuously looking for vulnerabilities. New vulnerabilities get found all the time, and even though your software was free of vulnerabilities when you deployed it, days, weeks, months later new vulnerabilities could come out, either with packages that you're running in your infrastructure or in third-party libraries that your software is using. And so what we have now is this ability to continuously monitor wherever you run compute: this could be in EC2, this could be in Lambda, this could be in containerized workloads with ECS or EKS. And so in all of these cases we're able to quickly and easily turn on Inspector and configure it for which of those different computes that we like to run our workloads in. And the other nice thing is that once you turn this on in your organization or in your account, you get very clear, contextualized details when a vulnerability is found. It's going to tell you which account the resource is in, which region, which type of resource we're talking about: is this a Docker image in an ECR repository, is this a Lambda function, is this an EC2 instance that has a vulnerability in it. You'll also get detailed information about the severity of the vulnerability, details about the package that has the vulnerability, and details on the CVE that's included with it.

The other nice thing that Inspector offers is the ability to generate a software bill of materials, or an SBOM. We want to be able to know where all of these dependencies exist inside of our workloads across all of our accounts, so once Inspector is turned on we could then request an SBOM be generated, and the SBOM can be generated across our whole organization, targeted to a specific account, or targeted all the way down to a specific resource like one Lambda function or one EC2 instance. The SBOM will be in one of two formats, your choice, either CycloneDX or SPDX, the two leading standards for SBOM generation, and that will include all of the dependencies, both the OS packages and the software packages. For example, if you're using Java these would be the jar files that you're dependent on; if you're using JavaScript, the dependencies in your package.json, and so forth. All of those dependencies, with the versions, would be clearly enumerated in that SBOM that gets generated. The other nice thing is the SBOM is put in an S3 bucket that you own, which then gives you the ability to interrogate that, and a common pattern is to use something like QuickSight or Athena to query these SBOM files to answer the question: where in my organization is this specific third-party dependency being run? And so if you have something you're trying to find, there's some concerning CVE that you became aware of, you could run the query against the SBOMs that you generated and know exactly where in your organization those resources are running. The last nice thing about this is there's no additional charge for SBOM generation; it's included with the use of Inspector.

We can also add Inspector SBOM generation into our CI/CD pipelines. So here's an example of a GitHub workflow; there's a specific job that is going to generate the SBOM for us. And the first thing that we'll see is that we need to configure our AWS credentials; we need to be able to talk to whichever account Inspector is currently configured in so that we have a place to send those vulnerabilities to. And so in this case we're using the prepackaged configure AWS credentials GitHub Action provided and managed by AWS. It's using OpenID Connect to assume a role that you manage inside your account, and you just need to make sure that that role, in this case called sample role, has the necessary access into Inspector to be able to send those vulnerabilities and run the scan. The next step in the job is to actually run the scan with Inspector, and it's using this action provided by AWS called Vulnerability Scan GitHub Action for Amazon Inspector; you'll want to copy and paste that. And that action is going to take the code, send it up to Inspector, generate the SBOM with all of the dependencies included in it, and then make that available to other steps in the job. You'll also notice that there's a couple of specific configurations with this action. The first is we configure the artifact type as repository; what that's saying is scan all of the code in the current git repo that this action is running for. You have a couple of other options here: you could choose archive, in which case you could point it at a specific file like a zip file or a war file or a jar file, and it would perform the scan against that artifact and look at what dependencies exist inside of it. You could also choose container if you want to point it at an OCI image that was just created in this build process, and it would look at the dependencies that are defined inside that OCI image. And you can also choose binary if you're using Golang or Rust; you can point it at the binary that you just built and it'll generate an SBOM for the dependencies that were used to build that binary. The other nice thing that we have here is this is another chance to fail the build if vulnerabilities are found, and so I've configured the thresholds for critical, high and medium of one, and what that means is if we have one or more critical, high or medium level CVE that's found in any of the dependencies that were found in this SBOM generation, then the build would fail right there. So we'll get the SBOM, but then we'll also fail the build, stop the line, and end there. And then you could see in the other steps here we're just going to output the SBOM to review inside of the
log file but you probably want to do something uh more more permanent with that store the es bomb for later for later consumption uh and then one last thing that's kind of nice with this action is it will generate an action summary inside of GitHub workflow with a nice uh display of all of the different vulnerabilities that were found during the use of that action that's visible on the the the right there okay so let's talk about how we actually enable inspector in our organization so the first thing that's nice is this could be done at the organization level we could have a single delegated account that is responsible for all the configuration across our accounts in that account we would then be able to turn on scanning of whichever compute we're interested in whether that's um Amazon ec2 AWS Lambda or uh or container services on ECS or eks assuming they're using ECR so let's dig into the ec2 scenario first when when we when we want to do uh we want to run continuous scans with inspector on ec2 we have two options there's the the the classic option which is an agent based scan and with this mode you have to install the uh SSM uh agent on your ec2 instance and then you have to configure the SSM agent to be sending uh to be uh connected to Amazon systems manager and sending inventory data to systems manager so this requires a few things we got to install the agent we have to make sure the agent's running we have to make sure the ec2 instance has an instance profile with a role that has permissions to talk to SSM and we need to make sure there's network connectivity between the instance and the SSM service assuming all that's good then uh the agent-based mode works great and uh has been for quite some time but recently there's a there's another option uh the hybrid scan mode and and and this is pretty cool because it helps with certain workloads that maybe uh customers don't want to give that IM permissions to or they don't want network connectivity or they don't 
even want to install the SSM agent on in any of those scenarios you can enable the hybrid scan mode in the uh inspector console and when it does that the first thing is it tries the agent mode if there's already an agent running on your ec2 instance it continues with that approach no change however however if the ec2 instance is not registered in sending inventory data to SSM then uh inspector will fall back to this um agentless mode and in the agentless mode what happens is inspector will create a snapshot of your EBS volume and it will then perform the scan against that snapshot the snapshot never leaves your account and the snapshot is snap snapshot is cleaned up after the scan is complete but this is a really nice way for customers to be able to use inspector in situations where they don't want to install the agent they don't want to configure the IM permissions or they don't want the network connectivity back to the SSM service in both cases we have inspector continuously scanning the inventory on the instance if the if the inventory changes there's a new package installed or if a new cve is registered with the inspector's service then insector would create a uh a finding for us NE next let's talk about Amazon ECR which is the service that stores oci images for other services like ECS or eks to run container s workloads ECR we have two options here for scanning our images first there's the basic scanning and this this has nothing to do with inspector this comes with ECR it's included and uh even inside the basic scanning you have two options there was the the the uh the long-standing open- source implementation of the scanning uh which was based on the open source project CLA um or there's the newer AWS native method on the basic scanning uh both of those again are included with ECR and available now uh those only scan packages at the operating system level so you have an oci image uh you install some packages inside that image those will get scanned with 
either of those options in the basic scanning however any uh any thirdparty dependencies that your programming language depends on whether that's Java python JavaScript whatever those would not get scanned and and detected in the basic scanning option the other thing to call out here is that the basic scanning only has two frequencies that you can run the scan on you can only run it when you first push the image or you can run it manually at any point but you don't have that Contin uh scanning that we were talking about with inspector and that's where enhanced scanning comes in with enhanced scanning you go into the inspector console and you turn on enhanced scanning at which point all uh images in your ECR repositories would be scanned by inspector rather than the included scanning uh technology that's with ECR the inspector scanning will scan both the operating system packages and it will scan the third party dependencies that your programming language uses you also have an additional option for scan frequency with inspector and that is continuous you will continuously run scans against your ECR repositories anytime either the image changes or new cves are registered with Inspector Inspector will then rescan your images you also have a nice feature with this uh enhanced scanning where you can configure the frequency to only rescan images based on either the push or pull date of the image and this is helpful to limit how many rescans you're doing inside of your account so we could say I only want to rescan images that have been pushed up to ECR within the last 90 days maybe older than that I don't know I don't care about it but likewise I could also say only scan images that have been pulled within the last week only pull images that are actively being pulled and run inside my environment so these are two different configurations that customers have to be able to control the frequency of these rescans uh the last compute platform we need to talk about is Lambda 
with Lambda we also have a couple options here on on the scanning uh methods that we choose both of these options again are configured inside the inspector console across our organization we we turn these on you have the standard scanning which is only detecting package vulnerabilities in your Lambda function so it's looking inside the um the the zip file or the oci image that you're using for running your your lambdas and it's only detecting uh issues at the package level what your dependencies are for your software whereas code scanning uh which includes standard scanning if you turn on code scanning you're getting both code scanning and standard scanning if I turn on code scanning I'm also getting uh detection of code vulnerabilities in my actual software for example the example that Emil was showing earlier with um SQL injection would get caught with code scanning as opposed to standard scanning which is just going to detect vulnerabilities in my third party dependencies another example could be if I'm injecting secrets into my if I'm hardcoding secrets into my application uh um inspector would warn on that in the code scanning method and give me uh advice on how to fix it um in both of these mode we have suggestions generated and in the codes scanning approach uh we see generative AI being used to propose changes to our source code to uh uh mitigate the findings that it has um in both cases we see inspector is running these scans when we first create the Lambda function anytime we update the function with like a new version of the Lambda or also if any new cves or any new code detectors are registered with Inspector Inspector will automatically rerun against our Lambda function another nice thing that inspector offers is uh simple integration with security Hub and by simple I mean if you have security Hub turned on in your organization then you're done inspector will automatically send any findings back up to security Hub and so like in this example here we're 
looking at uh seven different findings in security Hub that came from inspector we've got uh four highs and three mediums and so we have visibility into what's the severity of these findings what's the actual cve that it was linked to and then we have that context data that's super important which account is it in the accounts um blocked out in this but there's a column there that says account just pretend like you see account numbers in there uh which which uh region and which resource is this an ECR image is this a Lambda function is this an ec2 instance so we have that details and then we could click in and see those details and then work them as an incident just like you would in any other uh security Hub finding um and then last we have this view into uh the the the sdlc feeding back on itself right we've got these generative AI powered recommendations coming out of uh Amazon inspector in this case there's a hard Cod coded Secret in some python code and uh Amazon inspector is proposing this change to your code to replace that with a environment variable to keep the the credentials out of your source code and so now we have in our operate stage we're actually generating new code that feedbacks into our create stage so that we can continuously operate uh our our software securely okay okay so we covered a lot today we talked about how we're we we want to start the sdlc all the way we want to start securing the sdlc all the way to the right as far right as possible on the developers workstation we want to be in the IDE and providing feedback early and offen to the developers through Amazon Q developer so that they have confidence that the code on their laptop is secure we talked about how we want to then scan after the code leaves the developer's laptop in our cicd pipelines against our git Repose uh using tools like uh code Guru and Amazon inspector inside whatever cicd tool we're using we saw some gitlab today we saw some GitHub today um and we've talked about 
the Integrations that exist with code pipeline um we we also then want to continuously scan our software right our stlc does not end when you deploy it it's only just getting started unfortunately so you've got to continuously scan for vulnerabilities as they continue to be detected and inspector then helps provide uh not just visibility into what those vulnerabilities are but provides recommendations on how to quickly uh mitigate those and resolve those through changes to your code and uh with that we've got a little bit of time left so um we're than happy to answer some questions in the next five minutes
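How the two SBOM ideas from the talk fit together, as an added Python example that is not part of the talk or AWS's own code: it applies the critical/high/medium thresholds of one to a constructed CycloneDX SBOM the way the build gate does, and answers the "where in my organization is this CVE running" question across several SBOMs the way the Athena query pattern does. The resource names and CVE ids are constructed placeholders, and the rule that a threshold of zero disables a severity is an assumption.

```python
"""Threshold gating and CVE lookup over CycloneDX SBOMs. Added example for
this talk, not AWS code. SBOMS below are constructed (placeholder CVE ids),
keyed by resource like the per-resource files Inspector writes to your S3
bucket; the gate rule (fail once a severity's count reaches its limit, 0
disables) is an assumption modelled on the talk's critical/high/medium."""
import json
from collections import Counter
SBOMS = {
    "ecr:payments-api:1.4": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"bom-ref": "c1", "name": "log4j-core", "version": "2.14.1"},
            {"bom-ref": "c2", "name": "openssl", "version": "3.0.2"}],
        "vulnerabilities": [
            {"id": "CVE-0000-0001", "affects": [{"ref": "c1"}],
             "ratings": [{"severity": "critical"}]},
            {"id": "CVE-0000-0002", "affects": [{"ref": "c2"}],
             "ratings": [{"severity": "low"}]}]}),
    "lambda:report-worker": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [{"bom-ref": "c1", "name": "requests", "version": "2.31.0"}],
        "vulnerabilities": []}),
}

def severity_counts(sbom_json):
    """Count vulnerabilities by the severity of their first rating."""
    counts = Counter()
    for vuln in json.loads(sbom_json).get("vulnerabilities", []):
        ratings = vuln.get("ratings") or [{}]
        counts[ratings[0].get("severity", "unknown").lower()] += 1
    return counts

def should_fail(sbom_json, thresholds):
    """CI gate: True once any configured severity count reaches its limit."""
    counts = severity_counts(sbom_json)
    return any(counts[sev] >= lim for sev, lim in thresholds.items() if lim > 0)

def where_is_cve(sboms, cve_id):
    """Athena-style query: which resources run a component hit by this CVE?"""
    hits = {}
    for resource, doc in sboms.items():
        bom = json.loads(doc)
        by_ref = {c["bom-ref"]: c for c in bom.get("components", [])}
        for vuln in bom.get("vulnerabilities", []):
            if vuln.get("id") != cve_id:
                continue
            for aff in vuln.get("affects", []):
                comp = by_ref.get(aff.get("ref"), {})
                hits.setdefault(resource, []).append(f"{comp.get('name')}@{comp.get('version')}")
    return hits
```

With the talk's thresholds (critical, high and medium all set to one) the image SBOM fails the gate on its single critical finding while the low finding alone would not, and the Lambda SBOM passes.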

2024-12-29 13:49

