As organizations move to the cloud and implement virtualized infrastructure, IT and security teams need to scan those assets for vulnerabilities. This article will highlight three specialized tools that can be considered for any organization’s vulnerability scanning tool arsenal.
- AWS Vulnerability Scanning Tool: Amazon Inspector
- Cloud & Kubernetes Specialist – Wiz
- Data Lakes and Large-Scale Data Storage Vulnerabilities: IBM Guardium Vulnerability Assessment
Additionally, this article will provide the Best Cloud, Container, and Data Lake Vulnerability Scanning Tool Criteria. That section explains what research went into creating this list of tools and how many other technologies that include vulnerability scanning features did not make the list.
AWS Vulnerability Scanning Tool: Amazon Inspector
Organizations using Amazon Web Services can consider using Amazon Inspector as a specialty tool to scan their AWS workloads.
Key Features
- Ongoing automated and continuous vulnerability scanning for AWS Elastic Compute Cloud (EC2), Lambda functions, and container images
- Discovers and scans workloads
- Checks for vulnerabilities and network exposure
- Assigns a highly accurate risk score to help prioritize remediation
- Integrates with Amazon EventBridge and AWS Security Hub
Pros
- One consolidated scan for an entire AWS infrastructure
- Easy to implement and use
Cons
- Does not enable users to ignore findings
- Billing can become tricky when integrated with other AWS tools
- Does not aggregate findings across accounts
- Does not scan other cloud instances
Pricing
New accounts can try Amazon Inspector for 15 days to evaluate the service and estimate ongoing costs. AWS also provides a cost calculator and potential customers will need to know their region (US East (Ohio), etc.) and the number of instances. As a representative cost, in US East (Ohio):
- $1.2528 / instance for Amazon EC2 instances scanned per month
- $0.09 / image for Amazon ECR container images per month
- $0.01 / rescan for automated rescans of Amazon ECR containers per month
- $0.30 / Lambda function scanned per month
AWS bases the cost on the number of workloads scanned in a given month, with no minimum fees and no upfront commitments. Many instances and functions will be intermittent and AWS prorates the price based on the total time for that month. Container pricing is based on the initial number of containers in the month and the number of rescans made on those images.
Cloud & Kubernetes Specialist: Wiz
Wiz developed their cloud-native Cloud Infrastructure Security Platform to focus on the needs of virtualized infrastructure, containers, and the cloud. Wiz scans multi-cloud, Platform-as-a-Service (PaaS), virtual machine, containers, serverless functions, and other cloud infrastructure without affecting business operations or stealing resources from active workloads and processes.
Key Features
- Native connections to AWS, Azure, Google Cloud, Oracle Cloud and Alibaba Cloud
- Built-in support for Kubernetes on multiple platforms
- Can scan infrastructure-as-code and cloud infrastructure entitlement management
- Incorporates zero-day risks sourced from the Wiz research team
Pros
- Agentless scanning
- Cloud native solution for cloud infrastructure
- 2nd Easiest to Use in Vulnerability Scanner software rankings on G2
Cons
- Users report setup can be cumbersome and tedious
- Integrations can be difficult or incomplete
- Actions must be established for each project for scanning they cannot be cloned
Pricing
Wiz does not list pricing, but does offer custom pricing for customers. A 12-month contract for the Cloud Infrastructure Security Platform is listed on the AWS marketplace as $300,000 for all five product levels (Standard, Essential, Essential Plus, Advanced, Advanced Plus).
Data Lakes and Large-Scale Data Storage Vulnerabilities: IBM Guardium Vulnerability Assessment
IBM developed their portfolio of Guardium products to provide data security for the modern, large-scale data storage environment. Guardium Vulnerability Assessment tool scans the databases, data warehouses, data lakes, and other components of big data infrastructure to detect vulnerabilities based on Security Technical Implementation Guides (STIG), Center for Internet Security (CIS), CVE, and other standards.
Key Features
- Scans for missing patches, weak passwords, unauthorized changes, misconfigured privileges, excessive administrative logins, and behavioral anomalies such as after-hours activities
- Recommends steps to harden database security
Pros
- Discovers databases automatically
- Automatically locates vulnerabilities and suggests remediations
- Sends real time alerts and notifications
- Available as part of Guardium Data Protection or as a stand-alone tool
Cons
- Complex to deploy and may require expert consulting to implement
- Error logs can be confusing
Pricing
IBM does not publish pricing but notes that the cost will vary depending on the environment and configuration. Potential customers are encouraged to contact IBM or IBM resellers for a formal discussion and quotation.
Best Cloud, Container, and Data Lake Vulnerability Scanning Tool Criteria
To create this list, we surveyed a broad array of websites, vendor materials, and customer reviews to create a pool of qualified candidates based upon capabilities and reputation. We then filtered the list specifically for vendors that provide vulnerability scanning for cloud, container, and data lake infrastructure.
A large number of open-source vulnerability scanners exist for containers, however, there does not seem to be much consensus regarding the best tools. Three tools under consideration, Clair, Dagda, and OpenSCAP have only GitHub repositories and basic documentation. All also seem to require heavy programming experience to use them and significant limitations to what and how they scan so we did not select any for this best-of list.
Many highly-reputable or capable tools were excluded from consideration from this list because they did not fit the vulnerability scanner or specialized tool criteria:
- Broad, multi-category vulnerability scanning tools
- Intruder cloud vulnerability scanning
- Qualys cloud security solutions
- Rapid7 Container Security with InsightVM
- Tenable Container Security Scanner
- DevOps Tools with vulnerability scanning capabilities
- Cloud Infrastructure with vulnerability scanning capabilities
- BanzaiCloud Pipeline container infrastructure
- Oracle Cloud Security Services
- Security-focused tools with vulnerability scanner capabilities
- Aqua Security for cloud-native scans of containers
- Crowdstrike Cloud Security
- Orca container and Kubernetes security tools
- Astra PenTest Suite
- Vulnerability scanning tools using other tools built-in
- Microsoft Defender for Cloud with integrated Qualys vuln scan
Each of these tools can deliver vulnerability scanning capabilities, and should be considered for adoption — but only if an organization needs to use the other associated capabilities of these more comprehensive tools. This article assumes that the reader already has capabilities for other infrastructure and is seeking a specialty tool for specialized vulnerability scanning.
Bottom Line: Cloud, Container and Data Lake Vulnerability Scanners
The small number of specialty scanning tools for the cloud, containers, and data lakes suggests that this category may become absorbed as features of other tools in the near future. Still, any organization using this infrastructure will continue to need to scan the assets for potential vulnerabilities.
Regardless of whether an organization determines that a specialty tool or a more comprehensive solution provides the best fit for the organization’s needs, the scans must be performed. Cloud, container, and data lake infrastructure can be more difficult to configure and more easily exposed to remote attack than many other assets. Identifying potential security vulnerabilities before an external attacker provides a foundational step in every security process.
For more information on Vulnerability Scanning Options see:
