When Amazon Web Services (AWS) introduced its Inspector vulnerability detection offering at its re:Invent conference a few weeks ago, there was an audible gasp as a number of AWS partners saw their addressable market evaporate in front of their eyes. It's an often-repeated scenario -- an AWS partner spends time and money building a solution that hangs off AWS's core services only to have AWS introduce a similar product a little later. It's not that AWS is particularly predatory -- it is, however, the nature of platform vendors looking to broaden their platform. (Disclosure: AWS is a Diversity Analysis client but I have not advised them about Inspector.)
One company has decided to be pragmatic and is today announcing that its own vulnerability scanning engine (which comes as part of their broader offering) will now be offered for free. Perhaps sidestepping the obvious commercial realities resulting from AWS's announcement, competitor ScriptRock is positive about what this offering means for customers. "Vulnerability assessment as a concept isn’t new, but historically it could cost a lot both in money or time spent, and the reports generated were nearly incomprehensible. At ScriptRock, our focus has always been on making important, yet complex, information easy to visualize, understand, and take action on. We now do this for vulnerability data as well,” said Alan Sharp-Paul, ScriptRock's co-founder.
Well, yes, but I'd suggest that this move is only happening as a direct result of AWS's own vulnerability announcement, I put this to Sharp-Paul and his co-founder Mike Baukes and questioned the timing and the justification for the announcement, as it relates to AWS's news. The pair had some valid points to make in that regard, perhaps the most justified relating to the fact that AWS Inspector is only a tool of relevance to AWS's own instances and hence has no real value in a hybrid setting. Since most modern organizations utilize hybrid environments, ScripRock's offering that spans across their infrastructure is more valuable. That isn't an issue for pure AWS-shops, but as the duo point out, there are less of them than hybrid ones.
On top of that, ScriptRock pointed out that Inspector doesn't really help with migrations to or from AWS. As they see it, enterprises need visibility and validation/ testing throughout the migration process. AWS tools can only help with the AWS side, that's only half of the battle. As they point out, ScriptRock can help with the rest.
They also highlight that ScriptRock offers a broad discovery, tracking and analysis platform for an organization's entire infrastructure footprint. As such, the vulnerability testing solution is useful, but far more useful in combination with the other parts of the ScriptRock platform.
That is true, but it also a double-edged argument since it could be argued that AWS infrastructure, along with an AWS-native vulnerability offering, is more valuable than a third party vulnerability-testing add-on. Horses for courses, I guess.
Finally, ScriptRock was at pains to point out that everything in ScriptRock is available via their RESTful API -- this means that they can integrate and communicate with AWS via their API. ScriptRock could theoretically trigger scans with the AWS Inspector (via the AWS API), then ingest all that vulnerability data from Inspector and display it back in ScriptRock's UI, along with all the other data the ScriptRock platform offers, thereby giving users a single pane of glass or single console for managing all their systems (AWS + all others).
All that makes sense, but it can't be denied that ScriptRock has lost at least some part of their market opportunity. That said, the part they've lost is relatively low value and should be made up for by the increasing depth of ScripRock's policies features -- once created, a policy can continuously validate any given set of criteria to ensure that any server, or fleet of servers, remain in compliance. Should a compliance test fail, the team receives an alert and is given the option to delegate a remediation task. This ensures configurations cannot drift and misconfiguration errors never result in lost time or money.
ScriptRock's decision is both a pragmatic one and a positive one for customers. More broadly, it is an interesting reflection of the realities of living and dying underneath a platform vendor.