Parasoft announces the opening of its new office in Northeast Ohio.
Ermetic released a free open source tool for managing AccessDenied Events in Amazon Web Services (AWS) that automates time consuming cloud access policy troubleshooting and correction.
Access Undenied on AWS analyzes AWS CloudTrail AccessDenied events, scans the environment to identify and explain the reasons for the events, and offers actionable least-privilege remediation suggestions.
“Even if you know the policy type causing ‘access denied’, which isn’t always the case, you still need to find the policy and the statement inside the policy causing the denial, and replace it with a least-privilege alternative,” Noam Dahan. “Basically, you give the Access Undenied on AWS tool a CloudTrail event with an “Access Denied” outcome, and it will tell you how to fix it!"
Access Undenied on AWS addresses some of the peskiest Access Denied challenges encountered by DevOps and security teams on a daily basis, including:
- Some AccessDenied messages still do not provide details. Among the services for which some, or even many, messages are lacking in detail are: S3, IAM, STS, CloudWatch, EFS, DynamoDB, Redshift, Opensearch and ACM.
- When the reason for AccessDenied is an explicit deny, users can have difficulty tracking down the specific policy and statement that generated the explicit deny. Specifically, when the reason is an explicit deny in a service control policy (SCP), it is difficult to find and assess every single policy in the organization that applies to the account.
- Meanwhile, when the problem is a missing allow statement, it can still be challenging to create the least-privilege policy that allows the desired access without granting excessive permissions.
Access Undenied on AWS is available, and supports policies for many resources and some of the most common condition keys. This open source project is also soliciting input from the community through contributions of new issues in the repository.
Industry News
Postman released v11, a significant update that speeds up development by reducing collaboration friction on APIs.
Sysdig announced the launch of the company’s Runtime Insights Partner Ecosystem, recognizing the leading security solutions that combine with Sysdig to help customers prioritize and respond to critical security risks.
Nokod Security announced the general availability of the Nokod Security Platform.
Drata has acquired oak9, a cloud native security platform, and released a new capability in beta to seamlessly bring continuous compliance into the software development lifecycle.
Amazon Web Services (AWS) announced the general availability of Amazon Q, a generative artificial intelligence (AI)-powered assistant for accelerating software development and leveraging companies’ internal data.
Red Hat announced the general availability of Red Hat Enterprise Linux 9.4, the latest version of the enterprise Linux platform.
ActiveState unveiled Get Current, Stay Current (GCSC) – a continuous code refactoring service that deals with breaking changes so enterprises can stay current with the pace of open source.
Lineaje released Open-Source Manager (OSM), a solution to bring transparency to open-source software components in applications and proactively manage and mitigate associated risks.
Synopsys announced the availability of Polaris Assist, an AI-powered application security assistant on the Synopsys Polaris Software Integrity Platform®.
Backslash Security announced the findings of its GPT-4 developer simulation exercise, designed and conducted by the Backslash Research Team, to identify security issues associated with LLM-generated code. The Backslash platform offers several core capabilities that address growing security concerns around AI-generated code, including open source code reachability analysis and phantom package visibility capabilities.
Azul announced that Azul Intelligence Cloud, Azul’s cloud analytics solution -- which provides actionable intelligence from production Java runtime data to dramatically boost developer productivity -- now supports Oracle JDK and any OpenJDK-based JVM (Java Virtual Machine) from any vendor or distribution.
F5 announced new security offerings: F5 Distributed Cloud Services Web Application Scanning, BIG-IP Next Web Application Firewall (WAF), and NGINX App Protect for open source deployments.
Code Intelligence announced a new feature to CI Sense, a scalable fuzzing platform for continuous testing.
WSO2 is adding new capabilities for WSO2 API Manager, WSO2 API Platform for Kubernetes (WSO2 APK), and WSO2 Micro Integrator.