Aqua Security, the market leader in protecting container-based, serverless and cloud native applications, announced version 4.2 of its cloud native security platform (Aqua CSP). In April this year, Aqua announced that it had raised $62M in Series C funding, led by Insight Partners.
The company has since accelerated its growth, investing heavily in research and development, and increasing its employee headcount by 30%. Aqua CSP 4.2 introduces the innovative Aqua Vulnerability Shield, a technology that detects and prevents attacks targeting known vulnerabilities in containers.
“As organizations increase their use of containers, CI/CD pipelines, and open source components, managing vulnerabilities is increasingly challenging,” notes Fernando Montenegro, Senior Analyst, Information Security at 451 Research.
“Vulnerability scanning has been a key component of container security, and is largely automated. But patching remains a manual process, creating backlogs and leaving organizations running vulnerable applications, for lack of other choices.”
Aqua Vulnerability Shield (Aqua vShield) is a patent-pending technology that uses automated vulnerability and component analysis, combined with expert security research, to generate runtime policies that can detect and block access to vulnerable components in containers.
The container image itself is not modified; this form of “virtual patching” instead places a targeted runtime control in front of the vulnerable component, so that attempts to exploit the vulnerability are detected or blocked. Aqua vShield can be activated for vulnerabilities found in scan results, and automatically enables the relevant runtime controls. It is a compensating control rather than a fix: the vulnerable component remains in the image until it is patched.
Benefits of Aqua vShield include:
- Mitigating the risk of running vulnerable containers
- Easier prioritization of vulnerable images to be patched by development teams
- Gaining visibility into vulnerability exploit attempts
- Improving compliance posture based on the use of compensating controls
“Aqua is a key component in our security stack to secure our applications from development to production,” said Ross Hosman, Head of Information Security at Recurly, a leading subscription billing platform.
“The new Vulnerability Shield virtual patching capability will allow us to optimize our patching process to reduce exposure to known threats, while providing the flexibility to address the underlying issues when it best fits our development schedule.”
Aqua 4.2 also introduces advanced runtime protection for serverless functions, giving security teams the ability to detect and prevent misuse of cloud-based serverless functions.
Using the new Aqua NanoEnforcer technology, these runtime controls are suited to the ephemeral nature of functions, with negligible impact on function invocation time or memory footprint.
Key features include:
- Function drift prevention, blocking injected code (for example, spawned child processes) from being added to a running function
- Blacklisting of forbidden executables, letting security teams control which executables developers may include in functions
- Protecting serverless “/tmp” directories from unauthorized access and abuse
- Honeypots that detect malicious intent by luring attackers to access functions without any risk or threat to real assets or cloud accounts
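The list above names the controls without saying how such a control decides. The Python below is an added illustration, not Aqua's code and not how NanoEnforcer is implemented: a user-space shim that wraps a function's process spawns and file opens with a policy carrying a known-good executable profile (drift prevention), an explicit blocklist, and a /tmp prefix the function is confined to, and records every denial as an event. Everything in it is hypothetical (the RuntimePolicy and Enforcer names, the event labels, the sample commands such as /opt/tool/miner, and the assumption that shell=True spawns /bin/sh); honeypots are not covered. A real enforcer hooks process creation and file access below the language runtime, so this shim cannot stop code that bypasses the patched entry points (os.execve, ctypes); the point here is the policy decision, not the hook.

```python
# Added illustration (not Aqua's code, not how NanoEnforcer works): a user-space shim
# approximating drift prevention, executable blocklisting and /tmp confinement.
# Every name here (RuntimePolicy, Enforcer, event labels, sample commands) is hypothetical.
import builtins
import os
import subprocess
import sys
from dataclasses import dataclass, field


@dataclass
class RuntimePolicy:
    # Known-good profile: executables the function is expected to spawn.
    allowed_executables: frozenset = frozenset()
    # Explicit blocklist: never allowed, even if listed in the profile.
    forbidden_executables: frozenset = frozenset({"sh", "bash", "curl", "wget", "nc"})
    # Only paths under this prefix inside /tmp belong to the function (assumed layout).
    tmp_root: str = "/tmp/"
    tmp_allowed_prefix: str = "/tmp/app-"
    # Audit trail of denials as (event_type, detail): what a SIEM would ingest.
    events: list = field(default_factory=list)

    def check_exec(self, argv):
        """True if argv[0] may be spawned; records the reason otherwise."""
        exe = str(argv[0])
        name = os.path.basename(exe)
        if name in self.forbidden_executables or exe in self.forbidden_executables:
            self.events.append(("exec-forbidden", exe))
            return False
        if exe not in self.allowed_executables and name not in self.allowed_executables:
            self.events.append(("exec-drift", exe))  # nothing the profile ever saw
            return False
        return True

    def check_tmp_access(self, path):
        """True unless path lies inside /tmp but outside this function's prefix."""
        real = os.path.abspath(path)  # collapses ../ before the prefix test
        if real.startswith(self.tmp_root) and not real.startswith(self.tmp_allowed_prefix):
            self.events.append(("tmp-access-denied", real))
            return False
        return True


class Enforcer:
    """Routes spawns and opens through the policy while active. Patching subprocess.Popen
    and builtins.open shows the decisions but cannot stop direct os.execve or ctypes calls."""

    def __init__(self, policy):
        self.policy = policy
        self._orig = (subprocess.Popen, builtins.open)

    def __enter__(self):
        policy, (orig_popen, orig_open) = self.policy, self._orig

        class GuardedPopen(orig_popen):
            def __init__(self, args, *a, **kw):
                if kw.get("shell"):
                    argv = ["/bin/sh"]  # shell=True spawns the shell first (POSIX assumption)
                else:
                    argv = list(args) if isinstance(args, (list, tuple)) else [args]
                if not policy.check_exec(argv):
                    raise PermissionError(f"runtime policy blocked exec of {argv[0]!r}")
                super().__init__(args, *a, **kw)

        def guarded_open(file, *a, **kw):
            if isinstance(file, (str, os.PathLike)) and not policy.check_tmp_access(os.fspath(file)):
                raise PermissionError(f"runtime policy blocked access to {os.fspath(file)!r}")
            return orig_open(file, *a, **kw)

        subprocess.Popen = GuardedPopen  # subprocess.run() looks Popen up at call time
        builtins.open = guarded_open
        return self

    def __exit__(self, *exc):
        subprocess.Popen, builtins.open = self._orig
        return False


def attempt(policy, action):
    """Run action() inside the enforcer and report "allowed" or "blocked"."""
    with Enforcer(policy):
        try:
            action()
            return "allowed"
        except PermissionError:
            return "blocked"


def demo():
    # Constructed scenarios for a function whose profile allows only the interpreter.
    policy = RuntimePolicy(allowed_executables=frozenset({sys.executable}))
    results = {
        "known_good": attempt(policy, lambda: subprocess.run([sys.executable, "-c", "pass"])),
        "blocklisted_shell": attempt(policy, lambda: subprocess.run(["sh", "-c", "id"])),
        "drift_unknown_binary": attempt(policy, lambda: subprocess.run(["/opt/tool/miner", "--pool", "x"])),
        "shell_true": attempt(policy, lambda: subprocess.run("id", shell=True)),
        "tmp_outside_prefix": attempt(policy, lambda: open("/tmp/evil.sh").close()),
        "non_tmp_path": attempt(policy, lambda: open(os.devnull).close()),
        "tmp_inside_prefix": policy.check_tmp_access("/tmp/app-42/out.txt"),
    }
    return results, policy.events


if __name__ == "__main__":
    print(demo())
```

Calling demo() runs the constructed scenarios and returns each outcome together with the audit events; a real function handler would be wrapped in `with Enforcer(policy):` the same way. Note that the unknown binary is denied before anything is spawned, which is what makes drift prevention cheap: the decision is made on the requested executable, not on its behaviour afterwards.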
“We are committed to continuing to invest in innovation, expanding our platform and leading the way forward for cloud native security,” said Amir Jerbi, CTO and co-founder of Aqua. “With these new comprehensive serverless protections, Aqua is now the only solution on the market with unified and consistent controls across containerized and serverless applications.”
The new offering rounds out Aqua’s serverless security functionality, which already includes scanning functions for vulnerabilities, permissions, and secrets; usage trend analysis and anomaly detection; and function assurance policies that prevent unapproved functions from running.
Advanced runtime protection is currently available for AWS Lambda, with support for Azure Functions and Google Cloud Functions planned later this year.
Aqua 4.2 includes dozens of other new features and enhancements, among them:
- Container image scanning by layer, allowing developers to more easily isolate the root sources of security issues and vulnerabilities
- A new Infrastructure view that enables quick identification of unprotected clusters and hosts
- Native integration with Prometheus, the open source monitoring tool, and Harbor, the open source image registry