Pitfalls of Open Source Security Tools

For many, “Open Source” simply means free software. Indeed, who doesn’t want to get something for nothing, especially when it comes to solutions as complex as application security tools? But let’s pause here and look at whether it really is such a bargain.

With the departure of Western vendors of secure development solutions, Russian companies had to urgently rethink their strategies. Some started actively developing their own solutions, some turned to proprietary software, and some to open source programs. The last option looks the simplest and the cheapest, because you get the tools without spending money. Dig a little deeper, though, and things are not so clear-cut: the impression of “free” often turns out to be an illusion.

This is Vera Bagno, AppSec engineer at Swordfish Security. Today we will look at the capabilities of the free and paid versions of two secure development tools, DefectDojo and Semgrep, and dispel the misconception that open source products are “free”. The article was co-authored with my colleague Nadezhda Peregudova, Marketing Manager.

Pitfalls of Open Source

The term “Open Source Software” was introduced in 1998. Formally, open source software is software whose source code is published under a license that lets anyone inspect, modify and redistribute it; the license says nothing about the cost of actually running it in production.

Today, using open source solutions helps Russian developers save (or so it seems at first glance) on commercial licenses and reduce dependence on foreign suppliers. In addition, working with open source software gives access to a wide community for support and joint development, improves the competencies of specialists, and allows many tools and libraries to be integrated to increase productivity.

Overall, the topic is genuinely useful and interesting, but every coin has two sides. The key challenges you may face when working with open source software are:

  • Open Source is not free. Why? Developers often run a donation system or offer paid advanced versions and services, such as extended functionality and technical support. Companies also usually have to budget for adapting the software to their specific tasks. And here's the surprise: in some cases, working with Open Source turns out to be significantly more expensive than buying a license for a vendor solution.

  • Need for refinement. When you deal with open source software, be prepared to modify it to suit your needs, and for that you will definitely need a staff of developers. Small companies can, of course, manage this. But large players, as a rule, prefer more predictable solutions so as not to burden themselves with maintaining large amounts of modified code.

  • Lack of technical support. With Open Source, you may run into problems that you will have to solve yourself. Vendors, by default, help eliminate security defects, improve performance, and explain how to use the functionality correctly. Open Source projects can also offer services in a managed service format, but, of course, on a commercial basis.

  • Threats to information security. Open source code is visible to everyone, developers and attackers alike. Anyone can study it, and anyone can try to slip malicious changes or components into the code base. Although the developer community tries to identify and fix such problems, in practice this does not always work: some projects have plenty of reviewers, others almost none.

  • Potential conflict of interest. A real case: your developer participates in an open source project and publishes code in a public repository that was developed with the company's money. Even if you have protected yourself legally, the situation is not pleasant. And what if this developer leaves, taking all the knowledge with them? Hello, headache for those who stay! Understanding someone else's code is not an easy task, and most likely the functionality developed earlier will become impossible to maintain and develop.

You have to pay for a quality software security analysis

Statistics show that the use of Open Source projects has become an integral part of software development. Many companies use open source security tools because of their availability and flexibility. But when deploying open source analyzers, be prepared for additional and often labor-intensive refinement of these solutions. This requires both qualified developers and cybersecurity specialists. And we are not talking about a one-off engagement of resources, but rather about forming a dedicated team to carry out all the necessary tasks, including subsequent support of the customized solution. This, too, has a considerable cost.

As a rule, good Open Source tools end up under the wing of commercial companies. They are supplemented with a lot of paid functionality, and the price of such “open and accessible” products may ultimately exceed the cost of their vendor counterparts. So as not to be unfounded, let's analyze the capabilities of the free and paid versions of the popular security solutions DefectDojo and Semgrep.

DefectDojo

DefectDojo is an open source vulnerability management (ASPM) tool. We covered it in detail in one of our previous articles. Briefly, its capabilities:

  • Ready-made parsers for scanners;

  • Tracking time to fix vulnerabilities (SLA);

  • Powerful filter system;

  • Tagging;

  • Vulnerability management and deduplication;

  • Requesting assistance from colleagues (peer review);

  • Basic engineering metrics;

  • API for integration into DevOps processes.
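The last item is the one that matters most in a pipeline: scanners do not talk to DefectDojo by themselves, something has to push each report into it. The script below is an added example (not from the article and not the DefectDojo project's own client code) that builds and sends an import through the REST endpoint `POST /api/v2/import-scan/` using only the standard library, so the request can be inspected offline before it is ever sent. The base URL, API key, engagement id and the Semgrep report are hypothetical/constructed values; the field names and the `Authorization: Token <key>` header are DefectDojo's own.

```python
"""Added example (not from the article or the DefectDojo project): push a
scanner report into DefectDojo through POST /api/v2/import-scan/.
The multipart body is built by hand so the request can be checked offline.
Base URL, API key, engagement id and the report below are hypothetical."""
import json
import os
import urllib.request
import uuid

# Constructed stand-in for a `semgrep --json` report (normally written by the scanner).
SAMPLE_REPORT = json.dumps({
    "results": [{
        "check_id": "python.flask.security.injection.os-system",
        "path": "app.py",
        "start": {"line": 12}, "end": {"line": 12},
        "extra": {"severity": "ERROR", "message": "shell injection"},
    }],
    "errors": [],
}).encode()


def encode_multipart(fields, file_field, filename, content,
                     content_type="application/json"):
    """Encode text fields plus one file as multipart/form-data (RFC 7578)."""
    boundary = "----dojo-" + uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts.append(f"--{boundary}\r\nContent-Disposition: form-data; "
                     f"name=\"{name}\"\r\n\r\n{value}\r\n")
    parts.append(f"--{boundary}\r\nContent-Disposition: form-data; "
                 f"name=\"{file_field}\"; filename=\"{filename}\"\r\n"
                 f"Content-Type: {content_type}\r\n\r\n")
    body = "".join(parts).encode() + content + f"\r\n--{boundary}--\r\n".encode()
    return body, f"multipart/form-data; boundary={boundary}"


def build_import_request(base_url, api_key, engagement_id, scan_type,
                         report_name, report_bytes, minimum_severity="Low"):
    """Build the import-scan request; DefectDojo authenticates with 'Token <key>'."""
    fields = {
        "scan_type": scan_type,          # must match a DefectDojo parser name
        "engagement": engagement_id,     # existing engagement to attach the test to
        "minimum_severity": minimum_severity,
        "active": "true",
        "verified": "false",
        "close_old_findings": "true",    # findings absent from this upload get mitigated
    }
    body, ctype = encode_multipart(fields, "file", report_name, report_bytes)
    req = urllib.request.Request(base_url.rstrip("/") + "/api/v2/import-scan/",
                                 data=body, method="POST")
    req.add_header("Authorization", "Token " + api_key)
    req.add_header("Content-Type", ctype)
    return req


def import_scan(req, opener=urllib.request.urlopen):
    """Send the request; returns the decoded JSON reply (it carries the new test id)."""
    with opener(req, timeout=60) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Hypothetical values; export DOJO_URL and DOJO_API_KEY to hit a real instance.
    req = build_import_request(
        os.environ.get("DOJO_URL", "https://dojo.example.internal"),
        os.environ.get("DOJO_API_KEY", "REPLACE_ME"),
        engagement_id=42, scan_type="Semgrep JSON Report",
        report_name="semgrep.json", report_bytes=SAMPLE_REPORT)
    print("POST", req.full_url, len(req.data), "bytes")
    if "DOJO_API_KEY" in os.environ:
        print(import_scan(req))
```

`close_old_findings` is the switch that turns a pile of uploads into real vulnerability management: with it, findings that disappear from a later scan of the same engagement are marked mitigated instead of accumulating; without it, every re-run of a pipeline adds duplicates that the deduplication settings then have to clean up.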

Despite the positive aspects of the tool, the free version of the solution is not perfect, and here's why:

  • DefectDojo doesn't like a lot of data. If you have many pipelines, be prepared for frequent performance drops. For example, VK shared that when they tried to connect DefectDojo to multiple data sources, the tool started to lag.

  • Sometimes you have to solve problems and enable additional features by hand, editing the source code. This means you will need at least one developer or AppSec engineer to support all of this.

  • Metrics are for “insiders” only. Metrics in DefectDojo are aimed at developers and team managers. They are used to assess how quickly vulnerabilities are closed and how “healthy” a project is. But they hardly track business processes, recurring vulnerabilities, or technical debt.

Here's what the paid Pro version includes:

  • Automatic updates;

  • Configurable deduplication;

  • Platform manager with more advanced event tracking;

  • Integrate notifications via Slack, Teams and email;

  • Advanced analytics and dashboards;

  • Smart Upload with Predictive Finding Placement;

  • Improved communication between vulnerability scanning tools and DefectDojo, and advanced export of findings (the vendor provides instructions);

  • Authentication in the product via SAML/OAuth;

  • Premium support.

There is an even more advanced and expensive version – Enterprise. In addition to the Pro version features, it includes:

  • Self-hosting;

  • Refinement of the product for the client, development of an implementation strategy, assistance with team onboarding;

  • Personal client manager.

Semgrep

Semgrep is an Open Source static analysis tool for detecting vulnerabilities in code. It does not require any special setup: you can use the ready-made rule sets from Semgrep Inc, or write your own rules by hand using its pattern syntax.

What can be detected with Semgrep:

  • Various vulnerabilities such as SQL injection, XSS, insecure function calls or outdated cryptographic algorithms;

  • Various code quality issues such as duplicate code, extra spaces or incorrect comments;

  • Performance issues: slow database queries, unnecessary calculations, long loops and other slowdowns.

Overall, the tool is decent, with excellent documentation and positive feedback from the AppSec community. But there are significant limitations that prevent you from performing a full-fledged analysis of the software:

  • Cross-file analysis, resolution of external references and global taint tracking are not supported: taint analysis in the open source engine is intraprocedural, so a data flow that leaves the function, let alone the file, in which it started is lost;
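That limitation is easiest to see on concrete code. The script below is an added example, not from the article and not from Semgrep Inc: it writes a small taint-mode rule (a Flask query parameter flowing into `subprocess.run(shell=True)`) together with two constructed targets, one where source and sink sit in the same function and one where the sink lives in another module, and runs `semgrep` on them if it is installed. The file names and the sample Flask code are hypothetical. With the open source engine the rule fires on `intra.py` only; the `app.py` to `util.py` flow needs the cross-function and cross-file analysis that is sold separately.

```python
"""Added example (not from the article or from Semgrep Inc): shows where
Semgrep OSS taint tracking stops. Writes a taint rule plus two constructed
targets and runs `semgrep` on them when it is available on PATH."""
import json
import os
import shutil
import subprocess
import tempfile

# Minimal taint-mode rule: Flask query parameter -> subprocess.run(shell=True).
RULE_YAML = """rules:
  - id: flask-arg-to-shell
    mode: taint
    languages: [python]
    severity: ERROR
    message: user-controlled query parameter reaches subprocess.run(shell=True)
    pattern-sources:
      - pattern: flask.request.args.get(...)
    pattern-sinks:
      - pattern: subprocess.run(..., shell=True)
"""

# Constructed, deliberately vulnerable sample code (hypothetical app).
INTRA_FILE = '''import subprocess
from flask import request

def ping():
    host = request.args.get("host")                        # source
    return subprocess.run("ping -c1 " + host, shell=True)  # sink, same function
'''

CROSS_FILE_UTIL = '''import subprocess

def run_ping(host):
    return subprocess.run("ping -c1 " + host, shell=True)  # sink only
'''

CROSS_FILE_APP = '''from flask import request
from util import run_ping

def ping():
    return run_ping(request.args.get("host"))  # source only; flow crosses files
'''


def write_case(workdir=None):
    """Materialise the rule and the three targets; returns a dict of paths."""
    workdir = workdir or tempfile.mkdtemp(prefix="semgrep-taint-")
    files = {
        "rule": ("rule.yaml", RULE_YAML),
        "intra": ("intra.py", INTRA_FILE),
        "util": ("util.py", CROSS_FILE_UTIL),
        "app": ("app.py", CROSS_FILE_APP),
    }
    paths = {}
    for key, (name, body) in files.items():
        path = os.path.join(workdir, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        paths[key] = path
    return paths


def run_semgrep(paths):
    """Run Semgrep OSS with the rule; return {file: [lines]} or None if not installed."""
    if shutil.which("semgrep") is None:
        return None
    cmd = ["semgrep", "--config", paths["rule"], "--json", "--quiet",
           "--metrics=off", paths["intra"], paths["util"], paths["app"]]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False)
    report = json.loads(out.stdout or "{}")
    hits = {}
    for r in report.get("results", []):
        hits.setdefault(os.path.basename(r["path"]), []).append(r["start"]["line"])
    return hits


if __name__ == "__main__":
    case = write_case()
    print("case written to", os.path.dirname(case["rule"]))
    result = run_semgrep(case)
    if result is None:
        print("semgrep not installed; inspect the generated files by hand")
    else:
        # Expected with Semgrep OSS: a hit in intra.py, nothing for util.py/app.py.
        print(json.dumps(result, indent=2))
```

The practical consequence: a rule that looks complete in a unit test on one file can silently miss the same bug as soon as a wrapper function or a helper module sits between source and sink, which is exactly how real applications are written.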

Now let's look at the paid version – the proprietary product Semgrep Pro from Semgrep Inc. It includes:

  • Semgrep Code is an advanced SAST scanner with cross-file and cross-function analysis, providing more accurate results than the free Semgrep OSS. It comes with premium rules (Pro rules) that use cross-file analysis to reduce the number of false positives;

  • Semgrep Supply Chain is a highly accurate dependency scanner that detects vulnerabilities in third-party open source libraries throughout the software development life cycle (SDLC);

  • Semgrep Secrets is a secrets scanner that, in addition to detecting secrets, validates them against the services that issued them, so live credentials can be told apart from dead ones;

  • Semgrep AppSec Platform is a web application for managing and monitoring results obtained by SAST, SCA, and Semgrep Secrets scanners. The service integrates with continuous integration and delivery (CI/CD) platforms such as GitHub Actions, GitLab CI/CD, CircleCI, and others.

In short, anything you wish, for your money 🙂

What should you choose?

It is obvious that a truly tailored, high-quality product requires a significant budget. If you study the price lists of the Pro versions of the open source tools mentioned above, you will see that the cost of both the commercial versions of these products and the accompanying services is far from small. Is the game worth the candle?

It may be more profitable to purchase a solution from a vendor that meets your company's needs without the fine print. What do proprietary solutions provide, in addition to wide functionality:

  • Warranty and liability. If something goes wrong, you have the contract and all the rights of a customer in your hands. Vendors are responsible for the quality of their solutions;

Take our ASPM-class tool, AppSec.Hub, as an example. It provides comprehensive vulnerability analysis as part of the DevSecOps process. With AppSec.Hub, you can fully automate the development process, seamlessly integrate new tools into the secure development pipeline, manage scan results through a single “window”, and effectively monitor the progress of the AppSec initiative using clear metrics and KPIs.

Overall, vendor solutions let companies focus on more important tasks and goals instead of spending time and effort on customization and on finding solutions to the problems that arise with open source software.

Conclusion

Using “free” open source tools is definitely better than nothing. However, such solutions carry information security risks and have quite limited functionality. And purchasing the paid versions can end up costing more than commercial licenses for vendor software. It is also worth keeping in mind that at the moment, purchasing security solutions from unfriendly countries is severely limited and often impossible.

There is no universal super-tool that suits everyone. Each organization has its own needs, which depend on its technology stack and the budget allocated for cybersecurity. We want you to choose the tool stack that will not only make your life easier, but will let you release digital products many times faster and stay one step ahead of possible threats.
