{"id":16393,"date":"2026-06-22T16:33:17","date_gmt":"2026-06-22T16:33:17","guid":{"rendered":"https:\/\/newestek.com\/?p=16393"},"modified":"2026-06-22T16:33:17","modified_gmt":"2026-06-22T16:33:17","slug":"aws-continuum-offers-devs-help-with-securing-code","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=16393","title":{"rendered":"AWS Continuum offers devs help with securing code"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>AI coding agents are making it easier than ever to produce software. Ensuring that software is secure before deployment is another matter \u2014 one that AWS thinks AI should help with too.<\/p>\n<p>As enterprises adopt <a href=\"https:\/\/www.infoworld.com\/article\/4142019\/coding-for-agents.html\">agentic development<\/a> workflows, the volume of first-party code being created and modified is rising rapidly. 
Yet the process of validating vulnerabilities, determining whether they are exploitable, and fixing them often still depends on developers and security teams working through findings manually.<\/p>\n<p>AWS is aiming to address that imbalance with Continuum, a new service designed to continuously discover, investigate, and remediate vulnerabilities in enterprise environments, whether the code is their own or from third parties.<\/p>\n<p>Rather than simply generating alerts, the service is intended to help enterprises move findings through the entire remediation lifecycle, AWS VP of Security and Observability <a href=\"https:\/\/www.linkedin.com\/in\/chetkapoor\/\" target=\"_blank\" rel=\"noreferrer noopener\">Chet Kapoor<\/a> wrote in a <a href=\"https:\/\/aws.amazon.com\/blogs\/security\/introducing-aws-continuum-security-at-machine-speed\/\" target=\"_blank\" rel=\"noreferrer noopener\">blog post<\/a>.<\/p>\n<p>For first-party applications, Continuum can analyze code, validate whether vulnerabilities are exploitable, generate remediation recommendations, and propose fixes that can be reviewed through existing software development workflows, helping developers address security issues without requiring security teams to manually investigate every finding, Kapoor said.<\/p>\n<p>Once users think Continuum has learned enough about their environment and understands their guardrails, they can put it in what AWS calls \u201cenforce mode\u201d to autonomously fix any code lapses, Kapoor said.<\/p>\n<p>Continuum borrows some of its capabilities, namely its penetration testing and code scanning features, from an existing service, Security Agent.<\/p>\n<p>Other capabilities are all-new, including threat modeling, which is designed to automatically generate threat models from source code or design documents and output them in STRIDE format.<\/p>\n<h2 class=\"wp-block-heading\" id=\"keeping-pace-with-ai-driven-software-development\">Keeping pace with AI-driven software 
development<\/h2>\n<p>Analysts see Continuum helping enterprise developer teams ship more secure code while keeping pace with <a href=\"https:\/\/www.infoworld.com\/article\/4176534\/ai-coding-agents-need-good-software-engineers.html\">AI coding tools<\/a>.<\/p>\n<p>\u201cThe harder problem is no longer just finding issues, it is knowing which ones are real, which ones matter in their environment, and which ones need to be fixed first,\u201d said <a href=\"https:\/\/www.hfsresearch.com\/team\/akshat-tyagi\/\" target=\"_blank\" rel=\"noreferrer noopener\">Akshat Tyagi<\/a>, associate practice leader at HFS Research. \u201cTraditional workflows built around dashboards and manual triage struggle with that volume. A dashboard can show the backlog, but it does not validate the finding, assess business impact, or help remediate it.\u201d<\/p>\n<p>Continuum\u2019s value, according to Tyagi, \u201cis not just more detection, but using AI to prioritize risk findings, suggest mitigations, and support faster action while keeping humans in control of high-risk decisions.\u201d<\/p>\n<p>Taking faster action is becoming increasingly important as attackers are gaining access to many of the same AI capabilities that enterprises are using to accelerate software development and security testing, according to <a href=\"https:\/\/www.linkedin.com\/in\/amitchandak78\/\" target=\"_blank\" rel=\"noreferrer noopener\">Amit Chandak<\/a>, chief analytics officer at IT consulting firm Kanerika. \u201cThe gap between a flaw being disclosed and a working exploit is shrinking rapidly from months to hours,\u201d he said.<\/p>\n<p>While Continuum may reduce repetitive work for developers and SREs, it could also create new responsibilities for CISOs around governance, oversight, testing, and maintaining guardrails for automated actions.<\/p>\n<p>\u201cContinuum changes the CISO\u2019s role from managing findings to governing how findings are handled. 
The focus moves to setting rules: what can be automated, what needs human approval, and what level of risk is acceptable in production,\u201d Tyagi said. \u201cStaffing will shift too. There may be less manual triage, but more need for people who can review AI-generated fixes, set guardrails, and know when not to trust the system.\u201d<\/p>\n<p>Even so, Chandak does not expect the offering to lead to immediate headcount reductions, particularly given that Continuum is only available as a gated preview.<\/p>\n<p>Continuum could change how CISOs measure work, Tyagi said: \u201cTicket count matters less. Better measures are how quickly real risks are validated and fixed, how many false positives are removed, and whether automation is reducing risk without causing new problems.\u201d<\/p>\n<p>Those same metrics could also become a yardstick for CISOs determining how much autonomy to give tools like Continuum, said Chandak. Most enterprises\u2019 data and governance practices are not yet ready for fully autonomous remediation, he said, adding that \u201cAWS\u2019 graduated trust design, under which enterprises have the option of choosing the degree of autonomy, from human in the loop to fully automatic remediation, is an admission of that fact.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"beyond-first-party-code\">Beyond first-party code<\/h2>\n<p>Continuum could also help CISOs with third-party code vulnerability analysis, where enterprises often have less visibility and control.<\/p>\n<p>\u201cMost third-party vulnerability alerts are noise. A tool may flag a vulnerable library, but the real question is whether that vulnerable code is actually used in production. If Continuum can answer that, it helps teams focus on the few issues that matter,\u201d Tyagi said. \u201cThis is especially useful for open-source and software supply chain risk, where enterprises depend on packages and hidden transitive dependencies they may not fully track. 
It also helps when no patch is available yet.\u201d<\/p>\n<p>However, he warned, Continuum might not offer a direct fix for third-party code: \u201cYou usually cannot patch third-party code yourself as you don\u2019t own it, so remediation there means version pinning or compensating controls.\u201d<\/p>\n<p><em>This article first appeared on <a href=\"https:\/\/www.infoworld.com\/article\/4187916\/aws-continuum-offers-devs-help-with-securing-code.html\">InfoWorld<\/a>.<\/em><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>AI coding agents are making it easier than ever to produce software. Ensuring that software is secure before deployment is another matter \u2014 one that AWS thinks AI should help with too. As enterprises adopt agentic development workflows, the volume of first-party code being created and modified is rising rapidly. Yet the process of validating vulnerabilities, determining whether they are exploitable, and fixing them often&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=16393\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-16393","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light 
is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16393","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16393"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16393\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16393"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16393"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16393"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}