Container, serverless and cloud native security tooling provider Aqua Security just announced v4.2 of Aqua CSP. This version of the cloud native security platform is the first to offer a so-called Vulnerability Shield to detect and prevent attacks.
The new component uses automated vulnerability and component analysis to come up with runtime policies that give users a way of blocking access to vulnerable container components. This isn’t meant to be used as a permanent solution, but it can take a bit of the load off developers’ shoulders until there’s time to actually patch the pain points in question.
Virtual patching as provided by the Shield isn’t terribly new, but wasn’t really available in the container world before, as Aqua’s VP of Product Marketing Rani Osnat pointed out to DevClass. “Users either needed to update their images as soon as possible (assuming fixes were available for base images), shut down the vulnerable applications (potentially impacting business operations), or accept the risk of running in a vulnerable state and attempt to monitor for attacks using other methods.”
With the new Shield however, protection can be granted “without requiring any developer intervention, until such time as a permanent fix can be deployed.” Aqua 4.2 also allows developers to scan images by layer to find the root of a vulnerability quicker.
On top of that, it comes with native integration with monitoring tool Prometheus and image registry Harbor and offers an infrastructure view to identify unprotected clusters and hosts.
But Aqua has also been busy securing serverless functions – an area that, according to Aqua Security’s co-founder Dror Davidoff, tends to get overlooked. In a call earlier this year he found similarities to the somewhat “naive way container security was approached in the early days”. This isn’t far-fetched, since ‘providers will take care of everything’ is a slogan often heard when it comes to serverless security, making it a non-issue to many.
To make sure Aqua customers don’t fall into that trap, Aqua 4.2 introduces advanced runtime protection for AWS Lambda – support for Azure Functions and Google Cloud Functions is planned for later this year.
It comes in the form of controls such as a blacklist of forbidden executables, which lets security teams set boundaries on what a function is allowed to run, and honeypots, which can be used to lure attackers. Function drift prevention, which blocks code injection into a running function, and protection of temporary directories are also amongst the additions aimed at serverless development.
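The two mechanisms described above (runtime policies derived from scan findings, and drift prevention for a deployed function) can be sketched in a few dozen lines. The block below is an added illustration of the idea, not Aqua's code or its policy format: the scan findings, file paths and package names are constructed, the severity threshold is an assumption, and a real product would hook these decisions into process-exec and file-change events rather than calling them directly.

```python
"""Hypothetical runtime policy derived from a vulnerability scan.

Added illustration, not Aqua's code or policy format. It models the idea
that a scan of a container image or function package can be turned into
a runtime deny rule for the affected executables (a virtual patch that
holds until the image is rebuilt), and that a deploy-time baseline of a
function's code lets a runtime detect code that changed afterwards.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Finding:
    component: str      # package name from the (constructed) scan result
    path: str           # executable or library that package installs
    severity: str       # "low", "medium", "high" or "critical"
    fix_available: bool


@dataclass
class RuntimePolicy:
    """Deny-list of executable paths plus a baseline for drift detection."""
    blocked_paths: set = field(default_factory=set)
    baseline: dict = field(default_factory=dict)   # path -> sha256 at deploy time

    def decide_exec(self, path: str) -> str:
        """Decision a runtime hook would enforce for an exec of `path`."""
        return "block" if path in self.blocked_paths else "allow"

    def check_drift(self, current: dict) -> list:
        """Paths whose content differs from, was added after, or is missing from the baseline."""
        changed = {p for p, digest in current.items() if self.baseline.get(p) != digest}
        removed = set(self.baseline) - set(current)
        return sorted(changed | removed)


def build_policy(findings, min_severity="high", baseline=None) -> RuntimePolicy:
    """Block execution of every component with a finding at or above min_severity.

    The threshold is an assumption for the example; a product would let the
    operator choose it and would usually scope the rule per image or function.
    """
    rank = {"low": 0, "medium": 1, "high": 2, "critical": 3}
    blocked = {f.path for f in findings if rank[f.severity] >= rank[min_severity]}
    return RuntimePolicy(blocked_paths=blocked, baseline=dict(baseline or {}))


def sha256_of(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


# Constructed scan result for an image; package names and paths are illustrative.
SAMPLE_FINDINGS = [
    Finding("curl", "/usr/bin/curl", "high", fix_available=False),
    Finding("libxml2", "/usr/lib/libxml2.so.2", "medium", fix_available=True),
    Finding("imagemagick", "/usr/bin/convert", "critical", fix_available=False),
]

# Constructed deploy-time snapshot of a function's code directory.
DEPLOYED = {
    "/var/task/handler.py": sha256_of(b"def handler(event, ctx): return 'ok'\n"),
    "/var/task/util.py": sha256_of(b"def helper(): pass\n"),
}


def demo():
    """Apply the policy to a few exec events and a post-deployment file snapshot."""
    policy = build_policy(SAMPLE_FINDINGS, baseline=DEPLOYED)
    decisions = {
        p: policy.decide_exec(p)
        for p in ["/usr/bin/curl", "/usr/bin/convert", "/bin/ls", "/usr/lib/libxml2.so.2"]
    }
    # Constructed snapshot of the running function: the handler was rewritten
    # after deployment and an extra file appeared, which drift prevention flags.
    running = dict(DEPLOYED)
    running["/var/task/handler.py"] = sha256_of(b"# modified after deployment\n")
    running["/var/task/injected.py"] = sha256_of(b"# file not in the deployed package\n")
    return decisions, policy.check_drift(running)


if __name__ == "__main__":
    decisions, drift = demo()
    for path, verdict in decisions.items():
        print(f"exec {path}: {verdict}")
    print("drifted:", drift)
```

Two design points carry over to the real thing: the deny rule is keyed on what the scanner found, so it tightens automatically when a new finding appears, and the medium-severity library is left alone at the default threshold precisely because blocking every finding would break the workload the patch is meant to protect.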