Amazon Web Services (AWS) has updated “detectors” in its CodeGuru Reviewer tool to look for log injection flaws like the recently disclosed Log4Shell bug in the popular Log4J Java logging library.
Critical Log4J bugs, collectively dubbed Log4Shell after their disclosure in December, have rocked the tech industry and end-user organizations, prompting mass remediation efforts that may have averted major attacks to date; the bugs are nonetheless expected to linger in systems for years.
At the time, AWS released several tools to help customers protect their assets, such as new web application firewall rules and updates to its Inspector tool to detect the vulnerability in EC2 virtual machine instances.
AWS has now announced two new features for CodeGuru Reviewer, AWS' scanner that uses machine learning to review code for bugs and to suggest fixes for security issues. The tool aims to improve code reviews within developers' continuous integration and continuous delivery (CI/CD) processes. Once developers have committed code to a repository such as GitHub or Bitbucket, they can add CodeGuru Reviewer as a code reviewer.
The new features flesh out the service's security controls. Last year, it added the CodeGuru Reviewer Secret Detector, which detects risky hard-coded secrets, such as passwords and API access keys, in the source code and configuration files of Java and Python applications.
The brand new features in CodeGuru Reviewer are a library of detectors for several common security vulnerabilities affecting Java and Python web applications, and several new security detectors aimed specifically at Log4Shell-like log injection vulnerabilities.
The Detectors Library lists detectors for various common defects in Java and Python code, such as unauthenticated LDAP requests in Java. It gives details of each security issue, its severity and its impact on an application, along with a non-compliant and a compliant code example for each issue. The library currently contains 91 Java detectors and 69 Python detectors.
AWS notes that CodeGuru “uses machine learning and automated reasoning” to identify possible issues, so each detector can find a range of defects in addition to the example on the detector’s description page.
In response to Log4Shell, AWS introduced a more general detector for similar flaws that checks to see if developers are logging data that “is not sanitized and possibly executable”.
If it finds an example of such code, it warns that “user-provided entries must be sanitized before being saved. An attacker can use an unsanitized entry to break the integrity of a log, forge log entries or bypass log monitors”. It then provides examples of non-compliant and compliant code.
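Log injection of the kind the detector flags, as an added illustration that is not code from the article or from AWS: a non-compliant logging call beside a compliant one that escapes control characters before logging. Python's standard logging module stands in for Log4J, and the function names, the escaping scheme and the sample username are this example's own assumptions.

```python
import io
import logging
import re

# Constructed sample input: a username that carries a newline followed by
# text shaped like a second log record. Logged as-is, it forges an entry.
FORGED_USERNAME = "mallory\nINFO  login succeeded for user=admin"

# Control characters (CR, LF, other C0 controls, DEL) are what let a value
# break out of its log line; escape them so one call yields one record.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")

def sanitize_for_log(value: str) -> str:
    """Return value with control characters replaced by visible escapes."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)

def _capture_logger(name: str):
    """Build a logger whose output is collected in memory for inspection."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s  %(message)s"))
    logger.addHandler(handler)
    return logger, buf

def log_login_unsafe(username: str) -> str:
    """Non-compliant: user-controlled data reaches the log untouched."""
    logger, buf = _capture_logger("unsafe")
    logger.info("login failed for user=%s", username)
    return buf.getvalue()

def log_login_safe(username: str) -> str:
    """Compliant: the value is sanitized before it reaches the logger."""
    logger, buf = _capture_logger("safe")
    logger.info("login failed for user=%s", sanitize_for_log(username))
    return buf.getvalue()

def record_count(log_text: str) -> int:
    """Number of records a log monitor would see in the captured output."""
    return len(log_text.rstrip("\n").split("\n"))

if __name__ == "__main__":
    print(log_login_unsafe(FORGED_USERNAME))
    print(log_login_safe(FORGED_USERNAME))
```

Run stand-alone, the unsafe call produces two records, the second indistinguishable from a genuine successful admin login; the safe call produces one record with the newline visible as `\x0a`.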
“These detectors work with Java and Python code and, for Java, are not limited to the Log4j library,” AWS notes.
“They don’t work by looking at the version of the libraries you’re using, but by checking what you’re actually saving. That way they can protect you if similar bugs occur in the future.”
The service comes at a cost, but could help alleviate issues for organizations facing shortages of developers or security skills.
The new features are available wherever CodeGuru Reviewer is available, which includes certain US, European and Asia-Pacific AWS Regions. Pricing for CodeGuru Reviewer starts at $10 per month for the first 100,000 lines of code in the connected repositories and $30 per month for each additional 100,000 lines of code.