My 5-Minute CSPM Evaluation Hack

Let’s talk about CSPM.

There are quite a few CSPM vendors out there. Most often, they try to sell their products on features outside the core CSPM functionality.

Gartner, the coiner of much cloud security jargon, defines CSPM as follows:

CSPM consists of offerings that continuously manage IaaS and PaaS security posture through prevention, detection, and response to cloud infrastructure risks. The core of CSPM applies common frameworks, regulatory requirements, and enterprise policies to proactively and reactively discover and assess risk/trust of cloud services configuration and security settings. If an issue is identified, remediation options (automated or human-driven) are provided.

Gartner

This highly generalized statement leads to different interpretations, both by customers and by vendors.

Some treat CSPM as covering only misconfigurations of cloud resources; others widen the scope to include Kubernetes checks, IaC scanning, vulnerability management, and so on.

In a nutshell, CSPM comparison is not an Apples vs. Apples comparison. It’s more like Apples vs. Oranges vs. Mangoes.

When a commercial CSPM vendor asks me to evaluate their product, my first question is: What does it do better than Prowler?

Pros and Cons of Prowler

Prowler (Open Source) has nailed it when it comes to common cloud misconfigurations. Out of the box, it does:

  • Most common misconfiguration checks (along with its fair share of checks outside core CSPM, such as looking up your public IPs on Shodan).

  • It now has its own dashboard (finally).

  • Allows muting false positives and the exceptions your business requires.

  • Supports multiple regulatory frameworks and generates compliance reports.

  • Supports multiple clouds: AWS, Azure, and GCP.

  • Extensible, so you can write your own checks.

  • Recommends remediation steps for misconfigurations. It also has a Fixer feature that can remediate selected misconfigurations automatically.

Also, it's cheaper than enabling Security Hub plus AWS Config if you have multiple accounts and a high rate of configuration changes (auto-scaling, spot instances, etc.), because Config bills per configuration item recorded, so churn drives the cost up.
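As an added illustration of the muting feature (this is not from the newsletter or from the Prowler project itself), here is what a mutelist file looks like. The layout follows Prowler's documented mutelist format; the account ID, check name, bucket name, and tag value are placeholders I chose for the example.

```yaml
# Added example of a Prowler mutelist (not from the original page or the Prowler
# project). The account ID, bucket name and tag value are placeholders; the check
# name is one of Prowler's built-in AWS checks.
Mutelist:
  Accounts:
    "123456789012":
      Checks:
        "s3_bucket_public_access":
          Regions:
            - "us-east-1"
          Resources:
            - "acme-public-website-assets"
          Tags:
            - "approved-exception=public-website"
          Description: "Static website bucket; public access approved by the web team"
```

Run it with `prowler aws --mutelist-file mutelist.yaml`. Scope each entry as narrowly as possible (one account, one check, one region, named resources) rather than reaching for wildcards, fill in the Description field with who approved the exception and why, and keep the file under version control so the exception list stays auditable instead of quietly growing.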

However, Prowler doesn't:

  • Do real-time scanning - You can schedule it to run multiple times a day, which makes it continuous but not event-driven: a misconfiguration introduced between two runs is not seen until the next run.

  • Connect with Jira directly - There’s a way to send Prowler findings to Security Hub and from there to Jira Service Management. Still, Jira Service Management is a paid offering that is different from plain Jira.

  • Give a full asset inventory out of the box - Prowler offers a quick inventory, but it doesn’t provide 100% visibility into existing assets.

Like any open-source project, hosting Prowler means maintaining it, updating it, and making sure it keeps working correctly. It won't take considerable effort, but it still requires some.

Let's come back to our CSPM vendor discussion.

If the CSPM vendor can answer which problem they solve that Prowler doesn't, then I can go ahead and evaluate the product against my list of requirements.

If the commercial tool is just misconfiguration checks, and the only problem it solves is maintaining and updating the tool for you while charging a fee based on the number of resources evaluated, maybe it’s time to rethink whether you want to go with it.

I hope this email helps you save time during your CSPM evaluation process!

If you found this email useful, please forward it to your friends and colleagues who are interested in cloud security.

Until next time 👋
