Aqua Security announced today version 4.2 of its cloud native security platform (Aqua CSP). In April this year, Aqua announced that it had raised $62M in Series C funding, led by Insight Partners. The company has since accelerated its growth, investing heavily in research and development, and increasing its employee headcount by 30%. Aqua CSP 4.2 introduces the innovative Aqua Vulnerability Shield, a technology that detects and prevents attacks targeting known vulnerabilities in containers.
"As organisations increase their use of containers, CI/CD pipelines, and open source components, managing vulnerabilities is increasingly challenging," notes Fernando Montenegro, Senior Analyst, Information Security at 451 Research. "Vulnerability scanning has been a key component of container security, and is largely automated. But patching remains a manual process, creating backlogs and leaving organisations running vulnerable applications, for lack of other choices."
Aqua Vulnerability Shield (Aqua vShield) is a patent-pending technology that uses automated vulnerability and component analysis, combined with expert security research, to generate runtime policies that can detect and block access to vulnerable components in containers. While the container image code remains unchanged, this form of "virtual patching" acts as a shield against exploitation of the vulnerabilities. Aqua vShield can be activated for vulnerabilities found in scan results, and will automatically enable the relevant targeted runtime controls. Benefits of Aqua vShield include:
- Mitigating the risk of running vulnerable containers
- Easier prioritisation of vulnerable images to be patched by development teams
- Gaining visibility into vulnerability exploit attempts
- Improving compliance posture based on the use of compensating controls
"Aqua is a key component in our security stack to secure our applications from development to production," said Ross Hosman, Head of Information Security at Recurly, a leading subscription billing platform. "The new Vulnerability Shield virtual patching capability will allow us to optimise our patching process to reduce exposure to known threats, while providing the flexibility to address the underlying issues when it best fits our development schedule."
Aqua 4.2 also introduces advanced runtime protection for serverless functions, providing security teams with the ability to detect and prevent potential misuse and abuse of cloud-based serverless functions. Using the new Aqua NanoEnforcer technology, these runtime controls are suited to the ephemeral nature of functions, with negligible impact on function invocation time or memory footprint. Key features include:
- Function drift prevention, blocking malicious code injection ("child processes") from being added to a running function
- Blacklisting of forbidden executables, allowing security teams to control the types of executables that developers are allowed to include in functions
- Protecting serverless "/tmp" directories from unauthorised access and abuse
- Honeypots that detect malicious intent by luring attackers to access functions without any risk or threat to real assets or cloud accounts
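To make the two mechanisms described above concrete (runtime rules derived from scan findings that block access to a vulnerable component while the image stays unchanged, and function-level controls that deny child processes, blacklisted executables and writes under /tmp), here is a small policy engine written as an added illustration for this article. It is not Aqua's code and says nothing about how vShield or NanoEnforcer are implemented; the event model, rule shape, scan findings, component names, vulnerability ids and blacklist entries are all constructed placeholders.

```python
"""Toy runtime-policy engine (constructed illustration, not vendor code).

Models two ideas at a conceptual level:
  1. "virtual patching": derive runtime rules from scan findings so that a
     load or exec of a known-vulnerable component is blocked or alerted on,
     without rebuilding the image;
  2. serverless runtime controls: no child processes, a blacklist of
     executables, and no writes under /tmp inside a function.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str   # "exec", "open", "write" or "spawn" (hypothetical event model)
    path: str   # file or executable the workload touched


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str
    path_prefixes: tuple
    action: str = "block"   # "block" or "alert"


# Constructed scan result. Component names, versions and vulnerability ids
# are placeholders, not real findings.
CONSTRUCTED_SCAN = [
    {"component": "libexample", "version": "1.0.0",
     "vuln_id": "VULN-ID-PLACEHOLDER-1",
     "paths": ("/usr/lib/libexample.so.1",)},
    {"component": "exampletool", "version": "2.3.4",
     "vuln_id": "VULN-ID-PLACEHOLDER-2",
     "paths": ("/usr/bin/exampletool",)},
]


def rules_from_scan(findings, action="block"):
    """Turn each vulnerable component into rules that fire when its files are
    opened (library load) or executed. The image itself is left untouched."""
    rules = []
    for f in findings:
        name = f"vshield-{f['component']}-{f['vuln_id']}"
        for kind in ("open", "exec"):
            rules.append(Rule(name, kind, tuple(f["paths"]), action))
    return rules


def serverless_rules():
    """Function-level controls: deny any child process, deny a (hypothetical)
    blacklist of executables, deny writes under /tmp."""
    return [
        Rule("no-child-processes", "spawn", ("/",)),
        Rule("blacklisted-executable", "exec", ("/bin/sh", "/usr/bin/curl")),
        Rule("tmp-write-protection", "write", ("/tmp/",)),
    ]


def evaluate(event, rules):
    """Return (action, rule_name). First matching rule wins; default is allow."""
    for r in rules:
        if r.kind == event.kind and any(event.path.startswith(p) for p in r.path_prefixes):
            return r.action, r.name
    return "allow", None


def audit(events, rules):
    """Evaluate an event stream; return per-event decisions and the block count,
    which is what a security team would review as exploit-attempt visibility."""
    decisions = [(e, *evaluate(e, rules)) for e in events]
    blocked = sum(1 for _, action, _ in decisions if action == "block")
    return decisions, blocked


if __name__ == "__main__":
    # Constructed event stream: a normal library load, a load of the
    # vulnerable library, a child process and a write under /tmp.
    sample = [
        Event("open", "/usr/lib/libc.so.6"),
        Event("open", "/usr/lib/libexample.so.1"),
        Event("spawn", "/bin/sh"),
        Event("write", "/tmp/scratch.txt"),
    ]
    policy = rules_from_scan(CONSTRUCTED_SCAN) + serverless_rules()
    for e, action, rule in audit(sample, policy)[0]:
        print(f"{e.kind:5} {e.path:28} -> {action} {rule or ''}")
```

Two caveats worth keeping in mind when reading this against the announcement: a real enforcer observes exec, open and process-creation events from the kernel side rather than receiving them as Python objects, and mapping a scan finding to the on-disk paths of a component needs package-manifest knowledge that the toy scan record simply hard-codes. Running the rules in "alert" mode first, as `rules_from_scan(..., action="alert")` allows, is the usual way to confirm a virtual patch does not break a legitimate code path before switching it to "block".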
"We are committed to continue investing in innovation, expanding our platform and leading the way forward for cloud native security," said Amir Jerbi, CTO and co-founder of Aqua. "With these new comprehensive serverless protections, Aqua is now the only solution on the market with unified and consistent controls across containerised and serverless applications."
The new offering rounds out Aqua's serverless security functionality, which already includes scanning functions for vulnerabilities, permissions, and secrets; usage trend analysis and anomaly detection; and function assurance policies that prevent unapproved functions from running. Advanced runtime protection is currently available for AWS Lambda, with support for Azure Functions and Google Cloud Functions planned later this year.
Aqua 4.2 includes dozens of other new features and enhancements, among them:
- Container image scanning by layer, allowing developers to more easily isolate the root sources of security issues and vulnerabilities
- New Infrastructure view enables quick identification of unprotected clusters and hosts
- Native integration with Prometheus, the open source monitoring tool, and
Harbor, the open source image registry