DevSecOps: Open-Source vs Commercial Tools – Which Is Best For You?

Date Posted: 30th September 2021

Traditional DevOps teams are now living in an age where failing to integrate security operations is unacceptable. With the range of open-source DevSecOps tools available, there is no reason for the average developer not to include the likes of Static Application Security Testing (SAST) or Software Composition Analysis (SCA) tools into their daily workflow.

But despite the strength of the open-source movement, there are benefits to using commercial, closed-source tools. Although they come at a higher cost, turning to the industry big boys can give you access to better tools, faster vulnerability patching, and fewer false positives.

For many DevSecOps teams, the question of open-source vs commercial tools is a financial one. Understanding when to rely on the big boys can be the difference between going bigger or going bust for some development companies. Is it maybe time to adopt new tools and change the way your team works?

Table of Contents

  • What Should All Good DevSecOps Tools Be Able To Do?
  • What Are The Benefits Of Using Open-Source Tools?
  • What Are The Benefits Of Using Commercial Tools?
  • Should I Use Open-Source DevSecOps Tools?

What Should All Good DevSecOps Tools Be Able To Do?

When employing DevSecOps tools in your software development process and security posture, you need to consider exactly what you want from those tools. Yes, it is important to save costs, but can affordable or free open-source tools guarantee the same level of security as commercial, enterprise solutions?

Employing good DevSecOps tools means finding out how they fit into your CI/CD pipeline. That pipeline serves as a useful reference point for teams building up a suite of tools to integrate with their DevSecOps culture.

What Is “Moving Left”?

Traditionally in the DevOps workflow, security was the last thing a development team would consider. Developing source code, adding the binary to a repository, staging, production – these were all unaffected by security professionals. For people working in InfoSec positions, this seems like madness – how do you know anything is going to work securely?

Because security was an afterthought, finding vulnerabilities in a piece of software became a frustrating final stage where the security team finds a potentially fatal flaw. The DevOps team would have to circle back and go through the pipeline all over again.

With security “moving left” in the DevOps pipeline (that is, moving to an earlier stage in the process), DevOps and security are integrated. The potential vulnerabilities that would appear at the end of the development process are now addressed during an earlier stage in the pipeline. Hence the name DevSecOps – Development, Security, and Operations.

Do I Need To Use Open-Source Tools To Move Left?

Although there is an attraction to using open-source tools, you need to ask yourself “is an open-source tool going to outperform the commercial alternative?”. The truth is that open-source tools have some severe drawbacks which will make security managers think twice – the overall management overhead is just one example.

What Are The Benefits Of Using Open-Source DevSecOps Tools?

When looking for tools that are both effective and open-source, security professionals will turn to repositories like GitHub to find professional-quality tools without breaking the bank. Open-source security tools are freely available to everyone and can make an excellent backbone to a security posture.

An Excellent First Step In The World of DevSecOps

Open-source tools are useful for newbies. For a small-scale operation that needs to acquire lots of different tools in a short amount of time, looking for open-source solutions can create an effective defensive arsenal without spending a penny.

Similarly, if the team only needs a small number of very specific tools, commercial tools are overkill. If you do not need Dynamic Application Security Testing (DAST) tools, why would you pay for them? Building bespoke tool kits that fit with your DevSecOps pipeline is possible without also taking on bloatware.

Available To Everyone

Regardless of the security platform that you are establishing, you can find a variety of open-source security tools. The use cases for open-source tooling are very broad; if you can think of a reason that you would adopt a tool, there is someone who has probably had the same problem in the past.

This crowd-sourced approach to software is commendable. The tools that we use need to be capable of tackling the problems we face daily – so why not turn to our fellow professionals for assistance?

Usually Affordable or Free

The biggest reason to use open-source DevOps tools is that they are generally available without having to pay high prices or large subscription fees. For the DevSecOps team that is still developing its approach, saving money can be an important issue.

Despite commercial tools having unified interfaces that allow security professionals one space to use all their tools, they are also more expensive. For fledgling or small-scale development teams, these prices put a great deal of strain on their budgets.

Turning to open-source allows for funds to be allocated in areas that don’t come for free – advertising, hardware, and wages, to name a few examples.

What Are The Benefits Of Using Commercial DevSecOps Tools?

Using non-commercial tools is attractive; that’s clear from the number of open-source proponents (especially considering the number of tools uploaded to GitHub). But for teams to find and implement the tools that will protect their web application projects, is it better to turn to some closed-source tools?

Ease Of Use

Open-source tools are great, but why would you want to find and set up many different pieces of software when you can just install one? Finding a unified, closed-source platform that can be used to analyze an application from the start of your CI/CD DevOps pipeline to the end can save your team a lot of time.

Although many excellent tools such as Nmap and OWASP ZAP can completely change your security workflow, having all your tools centralized in one unified Mission Control can aid the way your team runs development and deals with security issues.

Fewer False Positives

False positives are frustrating for both the security and the software development teams. The more time that is spent finding out that potential security vulnerabilities are false positives, the less time your team has to actually do their jobs.

In 2020, we saw an 80% increase in cyberattacks – how many of them could have been avoided? The DevOps team and the security professionals dealing with alerts need a helping hand in the fight against vulnerabilities. That’s why commercial tools are so valuable – they are less likely to show up false positives.

“Moving Left” Doesn’t Work With Open-Source

At least some of the time anyway. Overall, Static Code Analysis (SCA) adoption is low in the open-source community. Of the organizations that rely on non-commercial tools, only 38% of them have actually integrated an SCA into their pipeline.

This means that despite the promise of a security team able to reinvigorate its best practices and move security scanning “left” in the development pipeline, fewer than 2 in 5 companies can do so, due to their overreliance on open-source tools.

In effect, a DevSecOps team that does not integrate commercial, unified tools into their pipeline might not be a DevSecOps team – they’re a DevOps team that thinks about security when the application is done.

Patching Is Far Faster

When there is an issue in the code of a security tool, the entire pipeline is compromised. Sadly, despite all of the hope that open-source tools bring to DevSecOps teams, patching is simply too slow for non-commercial tools.

A large part of the problem is that patching source code and correcting vulnerabilities can take between 2 and 3 weeks. For a security team in an agile work environment, that’s too slow.

The application that the development team is working on can’t wait for almost a month every time a vulnerability is discovered – relying on a tool that can work for them whenever they need it is key.

Should I Use Open-Source DevSecOps Tools?

For a development team looking to improve its security practices, open-source tools are an excellent first step to creating a positive DevSecOps culture. In addition to being available to anyone and having their code there to read, they can be mixed and matched to make a rudimentary Jenkins pipeline workflow.

Although the low cost and high flexibility option of tools from the likes of OWASP are fantastic, the truth is that projects that rely on those tools will be facing problems. It’s no secret that 50% of companies that don’t employ commercial tools face delays in their delivery schedules. Can you afford that? Many small operations can’t.

Turning to commercial tools such as AppSec Phoenix is the best way to integrate all the necessary tools you need to fulfill a productive and secure CI/CD pipeline without fearing downtime, a large number of false positives, or reverting to a generic DevOps + security approach.

The AppSec Phoenix security platform integrates with your current workflow, allowing your software security and development teams to produce the best work possible without concerns about vulnerability management and compliance.