
AWS shuffles DevSecOps deck with CodeGuru Security SAST

A new DevSecOps service links AWS security code scanning to third-party pipeline tools, potentially taking a shot at GitHub Copilot while increasing overlap with AWS SAST partners.

A new DevSecOps service from AWS expands third-party integrations for its existing AI-driven security scanning tool, setting the stage for heightened competition with Microsoft Copilot and AWS's SAST partners.

Amazon CodeGuru Security, released in preview this week, is positioned as a static application security testing (SAST) tool that automatically detects security vulnerabilities in Java, Python and JavaScript code and offers remediation suggestions. It's based on the same CodeGuru Detector Library already integrated with AWS CodeWhisperer, an IDE-based tool for developers, and -- as of this week -- the runtime security service Amazon Inspector, for AWS Lambda security scans.

While CodeGuru security scans for CodeWhisperer deliver results through the AWS Toolkit for Visual Studio or JetBrains IDEs, Amazon CodeGuru Security integrates with GitHub, GitLab, Atlassian Bitbucket and JupyterLab in addition to AWS DevOps tools, according to AWS documentation. An AWS website for Amazon CodeGuru Security and a livestream keynote at this week's AWS Re:Inforce both emphasized an API-based design for the new service and its ability to plug in at any stage of the development lifecycle.

"It's targeting a different part of the pipeline," said Keith Townsend, principal of The CTO Advisor LLC and a TechTarget contributor. "As a CISO organization, how do you audit code if the detection is done at the IDE level? How do you deal with layered security concerns? There might not be a problem with code within the siloed application of that code at the IDE level, but what about [in] the context of a larger app pipeline? It's a different tool for a different area of focus."

AWS Chief Information Security Officer CJ Moses unveils Amazon CodeGuru Security during the AWS Re:Inforce conference keynote Tuesday.

AWS shifts DevSecOps competitive dynamic

With this shift in focus for Amazon CodeGuru, industry watchers also saw potential shifts in the competitive landscape between AWS and rivals such as Microsoft as well as third-party SAST partners.

One industry observer said CodeGuru Security shows evidence of pressure on AWS from Microsoft, particularly its widely used GitHub Copilot, a counterpart to the Amazon CodeWhisperer AI-generated code tool.

"Microsoft is calling all its [generative AI] plugins to all its products Copilot -- one for GitHub, one for Office, etcetera," said Rob Strechay, founder of Smuget Consulting. "This seems to be a [statement that], 'Hey, we have those types of things, but we bury them in another AWS service, so let's expose them and use them to compete against GitHub Copilot in particular.'"

Moreover, Strechay said, integrating CodeGuru Security with more third-party DevSecOps tools might reflect a lack of demand for AWS-native tools such as the IDE Toolkit, CodeCommit, CodeBuild and CodeDeploy.

"It's [AWS] admitting no one uses its dev stack, so [it must] be more where the customers are, which it should have done [in] the first place versus building an IDE," he said.

Townsend said he isn't sure about the actual adoption of AWS developer tools.

"But it would make sense that AWS offers a SaaS platform that you can plug into your pipeline as the IDE-level product doesn't have mass adoption," he said.

Positioning Amazon CodeGuru Security as a SAST tool also puts it into potential competition with third-party security partners such as Snyk, said Larry Carvalho, an independent analyst at RobustCloud.


"Whether the announcement ruffles some feathers in the partner community remains to be seen," he said. "However, it gives customers choices and keeps the third-party vendors on their toes to continually innovate and stay ahead."

Like other DevSecOps vendors over the last year, including GitHub, AWS added a software bill of materials (SBOM) export function to Amazon Inspector this week. After Inspector exports SBOM data to an S3 bucket, users can analyze and query it using the Amazon Athena serverless SQL query service or Amazon QuickSight business intelligence.

"On the surface, it sounds compelling," Townsend said. "[It could be a] serious enabler for empowering builders to focus on value versus tracking the details of SBOM."

Finally, AWS beefed up another AI-driven DevSecOps service with the addition of Amazon Inspector network reachability and software vulnerability findings to its Amazon Detective findings groups. These findings groups aim to speed security investigations by automatically prioritizing the results of security scans, identifying the root cause of security issues and mapping them to the Mitre ATT&CK cybersecurity framework. Amazon Detective findings groups previously included Amazon GuardDuty threat detection findings.

Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.
