
Vulnerability Scanning Solution

Many companies struggle with availability and security issues in their applications and infrastructure. This post describes how we at PCG combine scanning, monitoring and communication tools to identify and mitigate security findings before they turn into exploited vulnerabilities, compromised systems or unintended network exposure, any of which can cause extensive financial and business damage to our customers.

Problem

During a Well-Architected Framework Review (WAFR), findings of varying severity were identified, and the customer asked us to shape their security journey. Security matters more now than ever: over the last few years the number of attacks worldwide has risen sharply, at great cost to the affected companies.

Our approach

Our first step was to combine Amazon Inspector and AWS Security Hub into a stable, continuous vulnerability scanning solution. In the second stage we designed the notification workflows: warning-level alerts go to our Slack channel and critical alerts to our monitoring platform, Datadog. This gives us centralized monitoring of all infrastructure components, efficient analysis, and quick reaction and mitigation.
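As an added example (not PCG's own code), the following Python Lambda handler implements the routing described above: it reads the findings carried by an EventBridge "Security Hub Findings - Imported" event, ignores findings that are not new and active, and posts critical ones to Datadog and high or medium ones to Slack. The environment variable names, the webhook URLs and the severity-to-destination mapping are assumptions chosen for illustration, and the sample event is constructed.

```python
"""Route Security Hub findings delivered by EventBridge to Slack or Datadog by severity.

Added example, not PCG's code. Assumes a Lambda function subscribed to an EventBridge
rule for the "Security Hub Findings - Imported" detail type and two webhook URLs in
hypothetical environment variables: SLACK_WEBHOOK_URL (warnings) and DATADOG_EVENTS_URL
(critical findings, Datadog events API v1).
"""
import json
import os
import urllib.request

# Routing policy assumed for this example: critical -> Datadog, high/medium -> Slack.
DATADOG_SEVERITIES = {"CRITICAL"}
SLACK_SEVERITIES = {"HIGH", "MEDIUM"}


def route_findings(event):
    """Return a list of (destination, payload) for the findings worth alerting on."""
    routed = []
    for f in event.get("detail", {}).get("findings", []):
        # Skip resolved or already-handled findings so re-imports do not page again.
        if f.get("RecordState") != "ACTIVE" or f.get("Workflow", {}).get("Status") != "NEW":
            continue
        severity = f.get("Severity", {}).get("Label", "INFORMATIONAL")
        summary = {
            "title": f.get("Title", "untitled finding"),
            "severity": severity,
            "account": f.get("AwsAccountId"),
            "resources": [r.get("Id", "?") for r in f.get("Resources", [])],
            "product": f.get("ProductName"),
            "id": f.get("Id"),
        }
        if severity in DATADOG_SEVERITIES:
            routed.append(("datadog", datadog_event(summary)))
        elif severity in SLACK_SEVERITIES:
            routed.append(("slack", slack_message(summary)))
    return routed


def slack_message(s):
    """Incoming-webhook payload: a single text block with severity, title and resources."""
    text = f":warning: [{s['severity']}] {s['title']} in account {s['account']}\nResources: {', '.join(s['resources'])}"
    return {"text": text}


def datadog_event(s):
    """Datadog events API v1 payload: title, text, alert_type and tags for filtering."""
    return {
        "title": f"Security Hub {s['severity']}: {s['title']}",
        "text": f"{s['product']} finding {s['id']} on {', '.join(s['resources'])}",
        "alert_type": "error",
        "tags": [f"aws_account:{s['account']}", f"severity:{s['severity'].lower()}", "source:securityhub"],
    }


def post_json(url, payload, headers=None):
    """POST a JSON body and return the HTTP status (network call, not exercised offline)."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json", **(headers or {})})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def handler(event, context=None):
    """Lambda entry point: post each routed finding to its destination."""
    urls = {"slack": os.environ["SLACK_WEBHOOK_URL"], "datadog": os.environ["DATADOG_EVENTS_URL"]}
    headers = {"slack": {}, "datadog": {"DD-API-KEY": os.environ.get("DD_API_KEY", "")}}
    return [post_json(urls[dest], payload, headers[dest]) for dest, payload in route_findings(event)]


# Constructed sample event in the shape EventBridge delivers for imported findings.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"Id": "arn:aws:inspector2:eu-west-1:111122223333:finding/aaaa", "ProductName": "Inspector",
         "AwsAccountId": "111122223333", "Title": "CVE-2023-4863 - libwebp",
         "Severity": {"Label": "CRITICAL"}, "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
         "Resources": [{"Id": "arn:aws:ec2:eu-west-1:111122223333:instance/i-0123456789abcdef0"}]},
        {"Id": "arn:aws:securityhub:eu-west-1:111122223333:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/bbbb",
         "ProductName": "Security Hub", "AwsAccountId": "111122223333",
         "Title": "EC2.19 Security groups should not allow unrestricted access to ports with high risk",
         "Severity": {"Label": "HIGH"}, "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
         "Resources": [{"Id": "arn:aws:ec2:eu-west-1:111122223333:security-group/sg-0abc"}]},
        {"Id": "arn:aws:inspector2:eu-west-1:111122223333:finding/cccc", "Title": "already resolved",
         "Severity": {"Label": "CRITICAL"}, "RecordState": "ARCHIVED", "Workflow": {"Status": "RESOLVED"}},
    ]},
}
```

The Workflow/RecordState filter matters in practice: Security Hub re-imports findings on every update, so without it the same finding would be posted to Slack or Datadog each time Inspector rescans the instance.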


Amazon Inspector automatically discovers workloads such as Amazon EC2 instances, container images in Amazon ECR and Lambda functions, and scans them for software vulnerabilities and unintended network exposure, for instance an HTTP service on TCP port 80 that is reachable from the whole internet through an Internet Gateway.


Our daily handling of each finding starts with analysing its impact on the infrastructure and the application. Every CVE already carries a severity score from the public vulnerability databases, but that score does not take the customer's network and application restrictions into account. Therefore, we:

  • Evaluate the security and compliance of our customer’s AWS infrastructure
  • Help the customer to have a clear understanding of the impact the findings have in their environment
  • Advise what actions to take
  • Mitigate if a fix is not yet available
  • Remediate vulnerabilities.

Once Inspector is enabled, every newly created EC2 instance is discovered and scanned automatically, and network reachability scans run automatically every 24 hours.

Example case 1

For instance, CVE-2023-4863 was recently identified on Windows instances: a heap buffer overflow in libwebp, shipped in Google Chrome prior to 116.0.5845.187 and in libwebp prior to 1.3.2, that allows a remote attacker to perform an out-of-bounds memory write via a crafted HTML page (Chromium security severity: Critical).


Solution

Since the implementation phase we have used AWS Systems Manager (SSM) Patch Manager to define patch baselines that approve the latest patches automatically, together with maintenance windows scheduled according to the customer's requirements. This ensures automated OS updates and remediation of package-level findings such as the one above.
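As an added example (not PCG's code; their own rollout is done with Terraform, as the conclusions note), the following Python script builds the same setup with the boto3 SSM client: a Windows patch baseline that auto-approves critical and important security updates, a patch group bound to it, and a weekly maintenance window whose task runs AWS-RunPatchBaseline against instances tagged with that patch group. The parameter names are boto3's; the schedule, tag values, approval delay and concurrency limits are assumptions chosen for illustration. The stand-in client at the end is constructed so the call sequence can be exercised offline.

```python
"""Configure SSM Patch Manager for automated OS patching (added example, not PCG's code).

Creates a patch baseline with an auto-approval rule, binds it to a patch group, and
schedules a maintenance window that runs AWS-RunPatchBaseline. Schedule, tag values
and limits are assumptions for illustration.
"""


def create_patching_setup(ssm, patch_group="windows-prod", schedule="cron(0 2 ? * SUN *)"):
    """Create baseline, patch-group binding, maintenance window, target and task.

    `ssm` is any object exposing the five boto3 SSM methods used below, so a
    recording stand-in can be passed for offline tests.
    """
    baseline = ssm.create_patch_baseline(
        Name=f"{patch_group}-baseline",
        OperatingSystem="WINDOWS",
        Description="Auto-approve critical/important security updates after 3 days",
        ApprovalRules={"PatchRules": [{
            "PatchFilterGroup": {"PatchFilters": [
                {"Key": "CLASSIFICATION", "Values": ["CriticalUpdates", "SecurityUpdates"]},
                {"Key": "MSRC_SEVERITY", "Values": ["Critical", "Important"]},
            ]},
            "ComplianceLevel": "CRITICAL",  # missing patches are reported as CRITICAL non-compliance
            "ApproveAfterDays": 3,          # assumption: 3-day soak before auto-approval
        }]},
    )
    baseline_id = baseline["BaselineId"]
    # Instances tagged "Patch Group"=<patch_group> are evaluated against this baseline.
    ssm.register_patch_baseline_for_patch_group(BaselineId=baseline_id, PatchGroup=patch_group)

    window = ssm.create_maintenance_window(
        Name=f"{patch_group}-patching",
        Schedule=schedule,              # assumption: Sundays 02:00 UTC
        Duration=3,                     # hours the window stays open
        Cutoff=1,                       # stop starting new tasks 1 hour before it closes
        AllowUnassociatedTargets=False,
    )
    window_id = window["WindowId"]
    target = ssm.register_target_with_maintenance_window(
        WindowId=window_id,
        ResourceType="INSTANCE",
        Targets=[{"Key": "tag:Patch Group", "Values": [patch_group]}],
    )
    task = ssm.register_task_with_maintenance_window(
        WindowId=window_id,
        Targets=[{"Key": "WindowTargetIds", "Values": [target["WindowTargetId"]]}],
        TaskArn="AWS-RunPatchBaseline",
        TaskType="RUN_COMMAND",
        Priority=1,
        MaxConcurrency="25%",  # patch a quarter of the fleet at a time
        MaxErrors="10%",       # stop scheduling new instances once 10% have failed
        TaskInvocationParameters={"RunCommand": {"Parameters": {
            "Operation": ["Install"],
            "RebootOption": ["RebootIfNeeded"],
        }}},
    )
    return {"baseline_id": baseline_id, "window_id": window_id,
            "target_id": target["WindowTargetId"], "task_id": task["WindowTaskId"]}


class RecordingSsm:
    """Constructed stand-in for boto3's SSM client: records calls, returns fake IDs."""

    def __init__(self):
        self.calls = []

    def _record(self, name, kwargs, response):
        self.calls.append((name, kwargs))
        return response

    def create_patch_baseline(self, **kw):
        return self._record("create_patch_baseline", kw, {"BaselineId": "pb-0fake"})

    def register_patch_baseline_for_patch_group(self, **kw):
        return self._record("register_patch_baseline_for_patch_group", kw, {})

    def create_maintenance_window(self, **kw):
        return self._record("create_maintenance_window", kw, {"WindowId": "mw-0fake"})

    def register_target_with_maintenance_window(self, **kw):
        return self._record("register_target_with_maintenance_window", kw, {"WindowTargetId": "t-0fake"})

    def register_task_with_maintenance_window(self, **kw):
        return self._record("register_task_with_maintenance_window", kw, {"WindowTaskId": "task-0fake"})


if __name__ == "__main__":
    import boto3  # real run: needs credentials for an account where SSM is enabled
    print(create_patching_setup(boto3.client("ssm")))
```

With `Operation=Install` the task installs the approved patches and reboots only when a patch requires it; a `Scan` operation reports compliance without changing the instance and is the safer choice for a first dry run.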


Example case 2

Apart from CVE findings, network and configuration checks run regularly to identify overly permissive rules. For instance, we were alerted in Slack about unrestricted access to high-risk ports. The Security Hub control behind this alert (EC2.19 in the AWS Foundational Security Best Practices standard) checks whether a security group allows unrestricted inbound traffic to ports considered high risk; it fails if any rule in the security group allows ingress from 0.0.0.0/0 or ::/0 to those ports. To protect the infrastructure from network-based attacks, we advised the customer to remove such permissive rules from the security group and restrict the sources to the address ranges that actually need access.
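As an added example (not PCG's or AWS's code), here is the control's logic in Python run over the output shape of `ec2.describe_security_groups()`: it flags every group with an ingress rule from 0.0.0.0/0 or ::/0 that covers a high-risk port, handling port ranges and the "all protocols" rule, and produces the corrected rule with the sources narrowed to given CIDRs. The sample groups are constructed, and the port list is an illustrative one that should be checked against the current Security Hub documentation rather than taken as authoritative.

```python
"""Check security groups for the condition behind the control cited above:
an ingress rule open to 0.0.0.0/0 or ::/0 on a high-risk port. Added example,
not PCG's or AWS's code; sample input is constructed.
"""

# Illustrative list of high-risk ports (assumption; verify against the control's documentation).
HIGH_RISK_PORTS = {20, 21, 22, 23, 25, 110, 135, 143, 445, 1433, 1434, 3000, 3306, 3389,
                   4333, 5000, 5432, 5500, 5601, 8080, 8088, 8888, 9200, 9300}
WORLD = {"0.0.0.0/0", "::/0"}


def rule_is_world_open(rule):
    """True if the rule's sources include the whole IPv4 or IPv6 internet."""
    v4 = {r.get("CidrIp") for r in rule.get("IpRanges", [])}
    v6 = {r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])}
    return bool((v4 | v6) & WORLD)


def exposed_high_risk_ports(rule):
    """Return the high-risk ports covered by one IpPermissions entry.

    IpProtocol "-1" means all protocols and all ports; for tcp/udp the rule
    covers FromPort..ToPort inclusive. Other protocols (icmp) carry no TCP/UDP port.
    """
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return set(HIGH_RISK_PORTS)
    if proto not in ("tcp", "udp"):
        return set()
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return {p for p in HIGH_RISK_PORTS if lo <= p <= hi}


def find_world_open_high_risk(groups):
    """Return {GroupId: sorted high-risk ports open to the world} for failing groups only."""
    failing = {}
    for sg in groups:
        ports = set()
        for rule in sg.get("IpPermissions", []):
            if rule_is_world_open(rule):
                ports |= exposed_high_risk_ports(rule)
        if ports:
            failing[sg["GroupId"]] = sorted(ports)
    return failing


def restrict_to_cidrs(rule, allowed_cidrs):
    """Corrected rule: same protocol and ports, sources replaced by the given CIDRs."""
    fixed = {k: v for k, v in rule.items() if k not in ("IpRanges", "Ipv6Ranges")}
    fixed["IpRanges"] = [{"CidrIp": c, "Description": "restricted source"} for c in allowed_cidrs if ":" not in c]
    fixed["Ipv6Ranges"] = [{"CidrIpv6": c, "Description": "restricted source"} for c in allowed_cidrs if ":" in c]
    return fixed


# Constructed sample in the shape of describe_security_groups()["SecurityGroups"].
SAMPLE_GROUPS = [
    {"GroupId": "sg-0rdpopen", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0allv6", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3400, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0ok", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]

if __name__ == "__main__":
    print(find_world_open_high_risk(SAMPLE_GROUPS))
```

Two cases are easy to miss when reviewing rules by hand and are covered here: a wide port range such as 3000-3400 silently includes 3306 and 3389, and an "all traffic" rule with an IPv6 source of ::/0 is just as open as 0.0.0.0/0 even though the IPv4 range list is empty.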


Conclusions

PCG leverages Amazon Inspector, AWS Security Hub, AWS Systems Manager, Datadog and Slack to detect, notify and remediate security vulnerabilities.

We combine these security services with Terraform, which gives us version history, quick rollout and rollback. Each instance is detected and scanned automatically, and Inspector re-scans an instance as soon as new packages are installed on it or new CVEs affecting its software are published. Last but not least, the solution scans network reachability to identify any insecure port open to the world, for example through an Internet Gateway.
