@shinyaz

Security Agent sourceCode and documents use fundamentally different processing pipelines

I tested both the sourceCode and documents options for providing source code to Security Agent pentests. The internal tasks run during STATIC_ANALYSIS were completely different.

With documents:

Output (list-pentest-job-tasks)
DOCUMENTS        → COMPLETED
SCANNER          → COMPLETED
TLS SCANNER      → COMPLETED
CRAWLER          → IN_PROGRESS

With sourceCode:

Output (list-pentest-job-tasks)
CODE SCANNER [BUSINESS LOGIC]      → IN_PROGRESS
CODE SCANNER [IMPORTANT FLOWS]     → IN_PROGRESS
CODE SCANNER [FRAMEWORKS]          → IN_PROGRESS
SCANNER                            → COMPLETED
TLS SCANNER                        → COMPLETED

sourceCode runs three CODE SCANNER tasks in parallel for systematic static analysis, detecting vulnerabilities before the PENTEST phase even starts. VALIDATOR TASKs then dynamically verify each finding before the job proceeds to CRAWLER → PENTEST. Result: sourceCode produced 28 findings, more than double the 13 from documents. The broader static analysis also produced 4 FALSE_POSITIVEs, auto-classified by VALIDATOR.
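To make the comparison above reproducible, here is a small parser for the task-status output shown in this post. It is an added example, not AWS or Security Agent code: it assumes the task list is available as text in the exact "NAME → STATUS" layout printed above (for instance, saved from list-pentest-job-tasks) and uses the two outputs from the post as constructed samples; the real API response may be structured differently.

```python
"""Parse task-status output in the 'NAME → STATUS' layout and compare input modes.

Added example, not AWS or Security Agent code. Assumes the output of
list-pentest-job-tasks has been captured as plain text in the layout shown in
the post; other line shapes are ignored rather than guessed at.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed samples: the two outputs quoted in the post, verbatim.
DOCUMENTS_OUTPUT = """\
DOCUMENTS        → COMPLETED
SCANNER          → COMPLETED
TLS SCANNER      → COMPLETED
CRAWLER          → IN_PROGRESS
"""

SOURCECODE_OUTPUT = """\
CODE SCANNER [BUSINESS LOGIC]      → IN_PROGRESS
CODE SCANNER [IMPORTANT FLOWS]     → IN_PROGRESS
CODE SCANNER [FRAMEWORKS]          → IN_PROGRESS
SCANNER                            → COMPLETED
TLS SCANNER                        → COMPLETED
"""

# One task per line: free-form name, arrow, upper-case status token.
_LINE = re.compile(r"^\s*(?P<name>.+?)\s*→\s*(?P<status>[A-Z_]+)\s*$")


def parse_tasks(text: str) -> dict[str, str]:
    """Return {task name: status}; lines that do not match the layout are skipped."""
    tasks: dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            tasks[m.group("name")] = m.group("status")
    return tasks


def tasks_in_progress(tasks: dict[str, str]) -> list[str]:
    """Names of tasks that have not reached COMPLETED, sorted for stable output."""
    return sorted(name for name, status in tasks.items() if status != "COMPLETED")


def code_scanner_tasks(tasks: dict[str, str]) -> list[str]:
    """The parallel static-analysis tasks that only the sourceCode mode runs."""
    return sorted(name for name in tasks if name.startswith("CODE SCANNER"))


@dataclass(frozen=True)
class ModeDiff:
    only_in_documents: frozenset[str]
    only_in_sourcecode: frozenset[str]
    shared: frozenset[str]


def diff_modes(documents: dict[str, str], sourcecode: dict[str, str]) -> ModeDiff:
    """Set difference of task names between the two input modes."""
    d, s = set(documents), set(sourcecode)
    return ModeDiff(frozenset(d - s), frozenset(s - d), frozenset(d & s))


if __name__ == "__main__":
    docs = parse_tasks(DOCUMENTS_OUTPUT)
    src = parse_tasks(SOURCECODE_OUTPUT)
    diff = diff_modes(docs, src)
    print("only in documents :", sorted(diff.only_in_documents))
    print("only in sourceCode:", sorted(diff.only_in_sourcecode))
    print("shared            :", sorted(diff.shared))
    print("sourceCode still running:", tasks_in_progress(src))
```

Run it as-is to print the task-set difference between the two modes; point parse_tasks at your own captured output to watch which CODE SCANNER tasks are still running before the VALIDATOR and PENTEST phases begin.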


Shinya Tahara


Solutions Architect @ AWS

I'm a Solutions Architect at AWS, providing technical guidance primarily to financial industry customers. I share learnings about cloud architecture and AI/ML on this site. The views and opinions expressed on this site are my own and do not represent the official positions of my employer.