AWS re:Invent 2025 - Staying Ahead: Smart Strategies for Effective Vulnerability Management (SEC316)

Staying Ahead: Smart Strategies for Effective Vulnerability Management

Challenges with Traditional Vulnerability Management

• Traditional solutions not built for the dynamic, elastic nature of the cloud
• Difficulty managing and scanning rapidly scaling and changing cloud resources
• Overwhelming volume of vulnerability findings, making prioritization challenging

Introduction to Amazon Inspector

• Automated, continuous vulnerability management service for cloud workloads
• Supports virtual machines (EC2), containers (ECR), serverless (Lambda), and managed code repositories

Key Capabilities of Amazon Inspector

1. Enablement and Visibility

• Enable Inspector at the account or organization level
• Centralized view of findings across the entire organization

2. Continuous Monitoring and Scanning

• Discovers and scans all resources in near real-time
• Automatically rescans when new vulnerabilities are discovered or resources change

3. Vulnerability Prioritization

• Amazon Inspector Score combines severity, exploitability, and other context to prioritize findings
• Leverages advanced vulnerability intelligence from partners like Recorded Future

4. Remediation and Integration

• View and manage findings directly in Inspector or integrate with Security Hub
• Export software bill of materials (SBOM) in standard formats for further analysis

Malicious Package Detection

• Partnership with Open Source Security Foundation (OSSF) to detect malicious packages in real-time
• Contributed over 150,000 malicious package detections to OSSF database

Expanding Capabilities: Code Security

Shifting Left to Catch Vulnerabilities Earlier

• Scanning code repositories (GitHub, GitLab) for vulnerabilities in dependencies and custom code
• Integrating security findings directly into developer workflows through native IDE integrations

Improved Governance and Collaboration

• Embedding security guardrails and recommendations within the developer's tools and processes
• Enabling security and development teams to work together more effectively

Business Impact and Key Takeaways

• Proactive, automated vulnerability management reduces risk and improves security posture
• Shifting left to catch vulnerabilities earlier in the development lifecycle saves time and money
• Tight integration with developer workflows and tools enables secure software development at scale
• Comprehensive vulnerability management across production workloads, dependencies, and custom code

Technical Details and Examples

• Hybrid scanning mode for EC2 instances leverages both agent-based and agentless approaches
• Lambda scanning supports both package vulnerabilities and custom code analysis
• ECR image scanning tracks deployed containers to prioritize findings based on usage
• Detailed demos showcased real-time malicious package detection and code security integrations