Aqua Security Announces Vulnerability Shield

Aqua Security, the market leader in protecting container-based, serverless and cloud native applications, announced today version 4.2 of its cloud native security platform (Aqua CSP). In April this year, Aqua announced that it had raised $62M in Series C funding, led by Insight Partners. The company has since accelerated its growth, investing heavily in research and development, and increasing its employee headcount by 30%. Aqua CSP 4.2 introduces the innovative Aqua Vulnerability Shield, a technology that detects and prevents attacks targeting known vulnerabilities in containers.

“As organisations increase their use of containers, CI/CD pipelines, and open source components, managing vulnerabilities is increasingly challenging,” notes Fernando Montenegro, Senior Analyst, Information Security at 451 Research. “Vulnerability scanning has been a key component of container security, and is largely automated. But patching remains a manual process, creating backlogs and leaving organisations running vulnerable applications, for lack of other choices.”

Aqua Vulnerability Shield (Aqua vShield) is a patent-pending technology that uses automated vulnerability and component analysis, combined with expert security research, to generate runtime policies that can detect and block access to vulnerable components in containers. While the container image code remains unchanged, this form of “virtual patching” acts as a shield against exploitation of the vulnerabilities. Aqua vShield can be activated for vulnerabilities found in scan results, and will automatically enable the relevant targeted runtime controls. Benefits of Aqua vShield include:

  • Mitigating the risk of running vulnerable containers
  • Easier prioritisation of vulnerable images to be patched by development teams
  • Gaining visibility into vulnerability exploit attempts
  • Improving compliance posture based on the use of compensating controls

“Aqua is a key component in our security stack to secure our applications from development to production,” said Ross Hosman, Head of Information Security at Recurly, a leading subscription billing platform. “The new Vulnerability Shield virtual patching capability will allow us to optimise our patching process to reduce exposure to known threats, while providing the flexibility to address the underlying issues when it best fits our development schedule.”

Aqua 4.2 also introduces advanced runtime protection for serverless functions, providing security teams with the ability to detect and prevent potential misuse and abuse of cloud-based serverless functions. Using the new Aqua NanoEnforcer technology, these runtime controls are suited to the ephemeral nature of functions, with negligible impact on function invocation time or memory footprint. Key features include:

  • Function drift prevention, blocking malicious code (“child processes”) from being injected into a running function
  • Blacklisting of forbidden executables, allowing security teams to control the types of executables that developers are allowed to include in functions
  • Protecting serverless “/tmp” directories from unauthorised access and abuse
  • Honeypots that detect malicious intent by luring attackers to access functions without any risk or threat to real assets or cloud accounts

“We are committed to continue investing in innovation, expanding our platform and leading the way forward for cloud native security,” said Amir Jerbi, CTO and co-founder of Aqua. “With these new comprehensive serverless protections, Aqua is now the only solution on the market with unified and consistent controls across containerised and serverless applications.”