TalksAWS re:Invent 2025 - Staying Ahead: Smart Strategies for Effective Vulnerability Management (SEC316)

AWS re:Invent 2025 - Staying Ahead: Smart Strategies for Effective Vulnerability Management (SEC316)

Staying Ahead: Smart Strategies for Effective Vulnerability Management

Challenges with Traditional Vulnerability Management

  • Traditional solutions not built for the dynamic, elastic nature of the cloud
  • Difficulty managing and scanning rapidly scaling and changing cloud resources
  • Overwhelming volume of vulnerability findings, making prioritization challenging

Introduction to Amazon Inspector

  • Automated, continuous vulnerability management service for cloud workloads
  • Supports virtual machines (EC2), containers (ECR), serverless (Lambda), and managed code repositories

Key Capabilities of Amazon Inspector

1. Enablement and Visibility

  • Enable Inspector at the account or organization level
  • Centralized view of findings across the entire organization

2. Continuous Monitoring and Scanning

  • Discovers and scans all resources in near real-time
  • Automatically rescans when new vulnerabilities are discovered or resources change

3. Vulnerability Prioritization

  • Amazon Inspector Score combines severity, exploitability, and other context to prioritize findings
  • Leverages advanced vulnerability intelligence from partners like Recorded Future

4. Remediation and Integration

  • View and manage findings directly in Inspector or integrate with Security Hub
  • Export software bill of materials (SBOM) in standard formats for further analysis

Malicious Package Detection

  • Partnership with Open Source Security Foundation (OSSF) to detect malicious packages in real-time
  • Contributed over 150,000 malicious package detections to OSSF database

Expanding Capabilities: Code Security

Shifting Left to Catch Vulnerabilities Earlier

  • Scanning code repositories (GitHub, GitLab) for vulnerabilities in dependencies and custom code
  • Integrating security findings directly into developer workflows through native IDE integrations

Improved Governance and Collaboration

  • Embedding security guardrails and recommendations within the developer's tools and processes
  • Enabling security and development teams to work together more effectively

Business Impact and Key Takeaways

  • Proactive, automated vulnerability management reduces risk and improves security posture
  • Shifting left to catch vulnerabilities earlier in the development lifecycle saves time and money
  • Tight integration with developer workflows and tools enables secure software development at scale
  • Comprehensive vulnerability management across production workloads, dependencies, and custom code

Technical Details and Examples

  • Hybrid scanning mode for EC2 instances leverages both agent-based and agentless approaches
  • Lambda scanning supports both package vulnerabilities and custom code analysis
  • ECR image scanning tracks deployed containers to prioritize findings based on usage
  • Detailed demos showcased real-time malicious package detection and code security integrations

Your Digital Journey deserves a great story.

Build one with us.

Talk to us
Cookies Icon

This website stores cookies on your computer.

These cookies are used to collect information about how you interact with this website and allow us to remember you. We use this information to improve and customize your browsing experience, as well as for analytics.

If you decline, your information won’t be tracked when you visit this website. A single cookie will be used in your browser to remember your preference.