What is our primary use case?
I recently used Prowler for a POC use case rather than a production environment. Prowler enables me to keep my POC environment secure so it is ready for promotion to next environments like production or staging.
I primarily use Prowler on my local machine via CLI to scan my platform, mostly for AWS. I use AWS credentials to scan my entire environment. Previously, I ran Prowler on CI/CD by executing the Prowler command in the GitLab runner to scan the whole environment as a pre-scan before deployment to ensure compliance.
What is most valuable?
I appreciate Prowler because when compared to AWS Security Hub, Prowler covers more checks than Security Hub has. Previously, Security Hub only had CIS and some very basic security frameworks, but Prowler offers more. However, there are pros and cons to this. The pro is that Prowler has more checks, but the con is that sometimes the new checks come as a surprise because all these configurations are too new and my team needs more time to review them. They might initially flag as false positives before my team reviews them internally to determine whether the findings are applicable to our environment.
Using Prowler scans is definitely very helpful. Normally when I POC my platform and push to production, we need to go through auditing or external security assessments such as VAPT, which stands for vulnerability assessment penetration testing. Before I go for external assessment, I use Prowler as a threshold to ensure my security is in compliance, so that when I go for external assessment, I am already at least 80% to 90% compliant. This makes my auditing life and assessment life much easier to resolve all findings before pushing to higher environments.
I do have one pain point using Prowler. Every time I use Prowler to output results, they have three formats available: CSV, HTML, and JSON. Whenever I open the CSV file, it is always nested, which makes it very hard to read. For people like product managers who do not code much, it is even more painful to read. I always have to write an automation script using their JSON file to massage the data so it is readable in an Excel file. I do not understand why this is a new issue because way back, their Excel output did not have this problem, but after mid 2023 or 2024, when they started with the new version of Prowler, this issue tends to appear where nested cells in Excel are very painful for us to break down or even filter.
What needs improvement?
Prowler is open source and easy for me to access. I know there are many other tools such as Trend Micro or Trivy. Trivy is open source as well, but because I always use it for my POC environment, I definitely want a route that does not require spending money and at the same time can perform well as a compliance tool compared to the rest of the tools that have to be purchased.
I understand that Prowler updates their checks quite frequently. Sometimes it might be a user issue because we always pull from the latest version. However, because we are using the latest version, it involves issue fixes for existing checks and also new introduced checks. All these new introduced checks sometimes come as a surprise for us because all these configurations might be new and we have to take time to review whether they are applicable to us or not. If a check is not applicable to us, we spend more time to review all these configurations that are not for us. For example, if Prowler released 10 to 20 checks, we have to spend more time to analyze if each one is applicable to us or not.
For how long have I used the solution?
I first used Prowler in 2020, but I am not a very consistent user. I use it on and off, once in a while, approximately once every three to six months on average.
What do I think about the stability of the solution?
I have never encountered downtime with Prowler. It is always available unless they do some feature upgrades. Based on what I know, they previously had a Python library for Prowler, but after some version, they removed the Python feature. I had to look for an alternative which I am trying to use now, but this is a small issue.
What do I think about the scalability of the solution?
I have no scalability issues. The scan is actually pretty fast. I have never encountered any scalability issues, and because I run it on serverless as well, it definitely does not take that much compute.
How are customer service and support?
Prowler's team is quite responsive. I still recall the first time I used it and always raised requests in the GitHub issue page. Sometimes, because it is open source, if I found findings that could be fixed, I also tried to commit some of the changes and let them get reviewed and pulled into the repo. The team is actually quite responsive.
Which solution did I use previously and why did I switch?
Initially I used Scout Suite, but I realized that the number of checks is not as much as Prowler and it is not as granular as Prowler. Scout Suite definitely has some checks that Prowler does not have, but if I do a comparison, Prowler is more detailed with more checks covered as compared to Scout Suite. Definitely for me to be more compliant, I would choose a tool that has more checks. It is better to be safe by doing more.
Previously I used Scout Suite which has lesser checks. Trivy is a tool that recently I realized my organization is using, and I also use Security Hub. However, maybe I am someone who likes to see all these findings in an Excel sheet, which is easier for me to clean up using Excel functions and features. There are quite a number of tools that I know about, and they do output the findings for you, but you cannot really export everything in one shot. A good example is Security Hub. I can actually call CLI or API to gather all the findings for me, but Prowler is just a one click and I can get the output already. I think it is convenient for us to access the output and results compared to the rest. Also, the granular findings that Prowler has compared to the rest covers quite a lot when I compare it to the other tools that I use.
How was the initial setup?
That is why I love Prowler because it is very straightforward and very easy to set up. It is like within three minutes, you can set it up already.
What other advice do I have?
Metrics are not tracked intensely. I do not use metrics to track Prowler's effectiveness, but I just scan, mediate, ensure we are compliant, and then send our product to an external assessment. Whenever we do external assessment, we realize that there are quite a lot of checks that are overlapping.
A complex environment is not very applicable to me because I only use Prowler on my AWS platforms. My infrastructures are pretty straightforward, and I have not encountered any complex situation between Prowler and my AWS platform.
I do not really use customizable checks. I do not know what customizable checks they have.
The only advice I always give to people who use Prowler is to always review the findings that Prowler flags because sometimes these findings might not be applicable to you. It is better to review them properly before you blindly remediate them. I would rate this product a 9 overall.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)