As organizations move to the cloud and implement virtualized infrastructure, IT and security teams need to scan those assets for vulnerabilities. This article will highlight three specialized tools that can be considered for any organization’s vulnerability scanning tool arsenal.
- AWS Vulnerability Scanning Tool: Amazon Inspector
- Cloud & Kubernetes Specialist – Wiz
- Data Lakes and Large-Scale Data Storage Vulnerabilities: IBM Guardium Vulnerability Assessment
Additionally, this article will provide the Best Cloud, Container, and Data Lake Vulnerability Scanning Tool Criteria. That section explains what research went into creating this list of tools and how many other technologies that include vulnerability scanning features did not make the list.
AWS Vulnerability Scanning Tool: Amazon Inspector
Organizations using Amazon Web Services can consider using Amazon Inspector as a specialty tool to scan their AWS workloads.
- Ongoing automated and continuous vulnerability scanning for AWS Elastic Compute Cloud (EC2), Lambda functions, and container images
- Discovers and scans workloads
- Checks for vulnerabilities and network exposure
- Assigns a highly accurate risk score to help prioritize remediation
- Integrates with Amazon EventBridge and AWS Security Hub
- One consolidated scan for an entire AWS infrastructure
- Easy to implement and use
- Does not enable users to ignore findings
- Billing can become tricky when integrated with other AWS tools
- Does not aggregate findings across accounts
- Does not scan other cloud instances
New accounts can try Amazon Inspector for 15 days to evaluate the service and estimate ongoing costs. AWS also provides a cost calculator and potential customers will need to know their region (US East (Ohio), etc.) and the number of instances. As a representative cost, in US East (Ohio):
- $1.2528 / instance for Amazon EC2 instances scanned per month
- $0.09 / image for Amazon ECR container images per month
- $0.01 / rescan for automated rescans of Amazon ECR containers per month
- $0.30 / Lambda function scanned per month
AWS bases the cost on the number of workloads scanned in a given month, with no minimum fees and no upfront commitments. Many instances and functions will be intermittent and AWS prorates the price based on the total time for that month. Container pricing is based on the initial number of containers in the month and the number of rescans made on those images.
Cloud & Kubernetes Specialist: Wiz
Wiz developed their cloud-native Cloud Infrastructure Security Platform to focus on the needs of virtualized infrastructure, containers, and the cloud. Wiz scans multi-cloud, Platform-as-a-Service (PaaS), virtual machine, containers, serverless functions, and other cloud infrastructure without affecting business operations or stealing resources from active workloads and processes.
- Native connections to AWS, Azure, Google Cloud, Oracle Cloud and Alibaba Cloud
- Built-in support for Kubernetes on multiple platforms
- Can scan infrastructure-as-code and cloud infrastructure entitlement management
- Incorporates zero-day risks sourced from the Wiz research team
- Agentless scanning
- Cloud native solution for cloud infrastructure
- 2nd Easiest to Use in Vulnerability Scanner software rankings on G2
- Users report setup can be cumbersome and tedious
- Integrations can be difficult or incomplete
- Actions must be established for each project for scanning they cannot be cloned
Wiz does not list pricing, but does offer custom pricing for customers. A 12-month contract for the Cloud Infrastructure Security Platform is listed on the AWS marketplace as $300,000 for all five product levels (Standard, Essential, Essential Plus, Advanced, Advanced Plus).
Data Lakes and Large-Scale Data Storage Vulnerabilities: IBM Guardium Vulnerability Assessment
IBM developed their portfolio of Guardium products to provide data security for the modern, large-scale data storage environment. Guardium Vulnerability Assessment tool scans the databases, data warehouses, data lakes, and other components of big data infrastructure to detect vulnerabilities based on Security Technical Implementation Guides (STIG), Center for Internet Security (CIS), CVE, and other standards.
- Scans for missing patches, weak passwords, unauthorized changes, misconfigured privileges, excessive administrative logins, and behavioral anomalies such as after-hours activities
- Recommends steps to harden database security
- Discovers databases automatically
- Automatically locates vulnerabilities and suggests remediations
- Sends real time alerts and notifications
- Available as part of Guardium Data Protection or as a stand-alone tool
- Complex to deploy and may require expert consulting to implement
- Error logs can be confusing
IBM does not publish pricing but notes that the cost will vary depending on the environment and configuration. Potential customers are encouraged to contact IBM or IBM resellers for a formal discussion and quotation.
Best Cloud, Container, and Data Lake Vulnerability Scanning Tool Criteria
To create this list, we surveyed a broad array of websites, vendor materials, and customer reviews to create a pool of qualified candidates based upon capabilities and reputation. We then filtered the list specifically for vendors that provide vulnerability scanning for cloud, container, and data lake infrastructure.
A large number of open-source vulnerability scanners exist for containers, however, there does not seem to be much consensus regarding the best tools. Three tools under consideration, Clair, Dagda, and OpenSCAP have only GitHub repositories and basic documentation. All also seem to require heavy programming experience to use them and significant limitations to what and how they scan so we did not select any for this best-of list.
Many highly-reputable or capable tools were excluded from consideration from this list because they did not fit the vulnerability scanner or specialized tool criteria:
- Broad, multi-category vulnerability scanning tools
- DevOps Tools with vulnerability scanning capabilities
- Cloud Infrastructure with vulnerability scanning capabilities
- Security-focused tools with vulnerability scanner capabilities
- Vulnerability scanning tools using other tools built-in
- Microsoft Defender for Cloud with integrated Qualys vuln scan
Each of these tools can deliver vulnerability scanning capabilities, and should be considered for adoption — but only if an organization needs to use the other associated capabilities of these more comprehensive tools. This article assumes that the reader already has capabilities for other infrastructure and is seeking a specialty tool for specialized vulnerability scanning.
Bottom Line: Cloud, Container and Data Lake Vulnerability Scanners
The small number of specialty scanning tools for the cloud, containers, and data lakes suggests that this category may become absorbed as features of other tools in the near future. Still, any organization using this infrastructure will continue to need to scan the assets for potential vulnerabilities.
Regardless of whether an organization determines that a specialty tool or a more comprehensive solution provides the best fit for the organization’s needs, the scans must be performed. Cloud, container, and data lake infrastructure can be more difficult to configure and more easily exposed to remote attack than many other assets. Identifying potential security vulnerabilities before an external attacker provides a foundational step in every security process.
For more information on Vulnerability Scanning Options see:
- What is Vulnerability Scanning & How Does It Work?
- Best Vulnerability Scanner Tools
- 12 Top Vulnerability Management Tools for 2023
- 10 Best Open-Source Vulnerability Scanners for 2023
- Penetration Testing vs. Vulnerability Testing: An Important Difference
Get the Free Cybersecurity Newsletter
Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices.