AWS DevSecOps tools build in advanced features
Enterprises stand to benefit from new AWS DevSecOps features, even if they don't use them, as analysts say they set a new baseline for third-party vendors to differentiate against.
Industry observers expect that enhanced features for native AWS DevSecOps tools will spur innovation and keep prices competitive throughout the tech industry.
DevSecOps refers to an emerging organizational practice that builds IT security into the application development process in its early stages. Vendor specialists such as GitLab, GitHub, CloudBees, JFrog and Atlassian offer DevSecOps features such as secrets detection and security vulnerability tie-ins built into DevOps toolchains.
The updates to AWS DevSecOps tools this week came amid a flood of news releases during the cloud hyperscaler's annual re:Invent conference. The AWS CodeGuru Reviewer tool, which uses machine learning to identify bugs in Java and Python code, can now automatically detect secrets such as passwords and API keys when they appear in code, and guide developers on how to move that sensitive data to AWS Secrets Manager instead. This feature, CodeGuru Reviewer Secrets Detector, is available free for existing CodeGuru users.
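To show what a secrets detector of the kind described above actually checks for, here is a deliberately small scanner added as an illustration; it is not CodeGuru's code, and the two regular expressions and the sample source it scans (one "before" snippet with hard-coded values and one "after" snippet that reads them from Secrets Manager) are constructed for this example.

```python
"""Simplified hard-coded secret scanner, added as an illustration of what a
secrets detector checks for. This is not CodeGuru's implementation; the
patterns and the sample source below are constructed for this example."""
import re

# Long-term AWS access key IDs begin with "AKIA" followed by 16 characters;
# the second pattern catches quoted credential literals assigned by name.
# Both are deliberately simple: a production detector adds entropy checks
# and context to cut false positives and catch what these miss.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "assigned_credential": re.compile(
        r"(?i)(password|passwd|secret|api_key|token)\s*=\s*['\"]([^'\"]{8,})['\"]"
    ),
}

def scan_source(text):
    """Return (line_number, rule_name, redacted_prefix) for each finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                secret = m.group(m.lastindex or 0)
                # Report only a prefix so the report itself does not leak the value.
                findings.append((lineno, rule, secret[:4] + "..."))
    return findings

# Constructed sample: the same snippet before and after moving the values out
# of code (the "after" form reads them from Secrets Manager via boto3).
BEFORE = '''import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "hunter2hunter2"
client = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID)
'''
AFTER = '''import boto3, json
sm = boto3.client("secretsmanager")
db_password = json.loads(sm.get_secret_value(SecretId="prod/db")["SecretString"])["password"]
client = boto3.client("s3")  # credentials come from the instance or task role
'''

if __name__ == "__main__":
    for lineno, rule, preview in scan_source(BEFORE):
        print(f"line {lineno}: {rule} ({preview})")
    print("after remediation:", scan_source(AFTER))
```

The "after" snippet is scanned only to show that moving the values to Secrets Manager leaves nothing for the rule set to flag.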
AWS also rolled out a revamped AWS Inspector security monitoring tool this week, which uses the familiar AWS Systems Manager agent rather than a separate deployment mechanism to simplify administration. The overhauled AWS Inspector adds automatic resource discovery for Amazon Elastic Compute Cloud (Amazon EC2) instances and Amazon Elastic Container Registry repositories and can trigger automated security vulnerability remediation on AWS resources through Systems Manager and EC2 Image Builder.
The new version of the tool also integrates with DevSecOps workflow tools such as Atlassian Jira via the Amazon EventBridge serverless event bus. The new AWS Inspector includes a 15-day free trial; pricing after that varies according to the number of EC2 instances and containers users scan each month, starting at $1.25 per instance.
None of these updates is an industry-first, but for companies committed to AWS as a cloud provider, these changes could help IT teams consolidate the number of separate tools they must manage and get a faster start on DevSecOps.
"Most new AWS services are behind in features and functionality compared to DevOps vendors who solely focus on one product," said Larry Carvalho, an independent cloud computing consultant. "However, for those needing a quick start, AWS DevOps services provide quick time to value."
Even for users who stick with third-party products that offer multi-cloud support, an increasingly crucial feature for independent DevOps software vendors, the fact that more advanced DevSecOps features are now available natively, and relatively cheaply, from a cloud platform will hold specialist vendors' feet to the fire on pricing and innovation, analysts said.
"Any time cloud providers release new solutions, it sets the bar for commoditization in the industry," said Stephen Elliot, an analyst at IDC. "If you're a vendor in those markets, you have to be 10 times better than that."
For many large enterprises, it won't necessarily be a zero-sum decision between different DevSecOps tools and vendors, Elliot added. Most companies will use multiple tools, and teams focused on AWS deployments may find AWS-native DevSecOps tools easier to use than third-party software, he said.
However, increased competition is also generally good news for IT buyers when it comes to pricing, Carvalho said.
"Competition makes sure that customers have options while keeping the vendors on their toes to stay ahead of AWS both in price and functionality," he said.
AWS shifts both left and right with DevSecOps updates
This week's Secrets Detector launch seems in line with AWS's overall strategy for CodeGuru, which the cloud provider launched in 2019, said one DevSecOps expert.
"Adding secrets detection is an interesting security progression that seemed to be planned for from the start with CodeGuru, which straddles code quality, app performance and application security," said Daniel Kennedy, an analyst at 451 Research, a division of S&P Global.
Making such DevSecOps features natively available for AWS's widely used cloud services could help shore up security best practices in an enterprise IT industry beset by exploding cybersecurity threats, Kennedy added.
"Secrets detection is absolutely part of other tools, and AWS making entry into any market is going to cause some disruption," Kennedy said. "But hard-coded keys continue to be an issue in application security, despite a fairly widespread understanding that doing that is a bad idea. ... Coverage of most of the common problems that emerge, plus environment specific detections, could [help] enterprises that are currently not doing code reviews for what enters production."
Meanwhile, although DevSecOps first focused on helping developers write secure applications from the start, in recent months, DevSecOps vendors such as JFrog have begun to feed production security monitoring data from the "right" side of the DevOps toolchain into developer feedback loops as well.
The revamped AWS Inspector follows that trend, too. AWS infrastructure management tools also fit in with general trends toward consolidation between previously specialized areas of security monitoring and performance-focused monitoring and observability tools under DevSecOps, which analysts expect to grow.
AWS monitoring and observability tools already offer links between these historically separate worlds, including longstanding integrations among AWS Inspector, CloudTrail and CloudWatch. Users can also set up CloudWatch alarms for security-related events such as changes to identity and access management (IAM) policies or whenever new IAM accounts are created or deleted.
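The kind of security-event alarm mentioned above, written out as detection logic over CloudTrail records, is added here as an illustration; it is not an AWS-provided rule. The IAM event-name sets are an assumption to tune per account, and the sample records are constructed rather than real log data.

```python
"""Detection logic for the IAM events mentioned above (policy changes and
user creation or deletion), added as an illustration. It classifies CloudTrail
records the way a CloudWatch Logs metric filter feeding an alarm would."""
import json

# Assumed sets of CloudTrail eventName values worth alarming on; tune these.
IAM_USER_LIFECYCLE = {"CreateUser", "DeleteUser"}
IAM_POLICY_CHANGE = {
    "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
    "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
    "DetachUserPolicy", "DetachRolePolicy", "DetachGroupPolicy",
    "CreatePolicy", "CreatePolicyVersion", "DeletePolicy",
}

def classify(record):
    """Return an alert category for one CloudTrail record, or None."""
    if record.get("eventSource") != "iam.amazonaws.com":
        return None
    # A denied call changed nothing, so it is not a lifecycle or policy
    # event; a refused attempt to touch IAM is still worth its own signal.
    if "errorCode" in record:
        return "iam_access_denied" if record["errorCode"] == "AccessDenied" else None
    name = record.get("eventName")
    if name in IAM_USER_LIFECYCLE:
        return "iam_user_lifecycle"
    if name in IAM_POLICY_CHANGE:
        return "iam_policy_change"
    return None

def alerts_from_log(lines):
    """Parse newline-delimited JSON CloudTrail records into (category, event, actor)."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        category = classify(rec)
        if category:
            actor = rec.get("userIdentity", {}).get("arn", "unknown")
            alerts.append((category, rec["eventName"], actor))
    return alerts

# Constructed sample records, trimmed to the CloudTrail fields used above.
SAMPLE_LOG = [
    '{"eventSource":"iam.amazonaws.com","eventName":"CreateUser","userIdentity":{"arn":"arn:aws:iam::123456789012:user/admin"}}',
    '{"eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","userIdentity":{"arn":"arn:aws:iam::123456789012:user/admin"}}',
    '{"eventSource":"iam.amazonaws.com","eventName":"GetUser","userIdentity":{"arn":"arn:aws:iam::123456789012:role/reader"}}',
    '{"eventSource":"ec2.amazonaws.com","eventName":"RunInstances","userIdentity":{"arn":"arn:aws:iam::123456789012:role/ci"}}',
    '{"eventSource":"iam.amazonaws.com","eventName":"DeleteUser","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::123456789012:user/dev"}}',
]
```

Calling `alerts_from_log(SAMPLE_LOG)` yields three alerts: the user creation, the policy attachment, and the denied deletion, while the read-only GetUser and the EC2 call are ignored.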
However, one analyst said he expects that AWS will add more prepackaged features that merge security and observability in future releases, in areas such as identity and access security.
"Policy changes are one thing, but targeting vulnerabilities in IAM architectures or processes has become a feature of attacks, such as [Security Assertion Markup Language (SAML)] token forgery or directory service compromise," said Scott Crawford, an analyst at 451 Research. "It's an area where increased attention is being paid."
Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.