Balancing Security: When to Leverage Open-Source Tools vs. Commercial Tools
When deciding what approach to use for security tooling, it seems like there are two choices.
1. Sell your left kidney and buy the enterprise solution whose name is on the side of a Formula 1 car.
2. Pick the free open-source tool that swipes right on more false positives than a dating app during a lonely Friday night.
Like everything in security, there is more to unpack in reality. In this article I want to explore when open-source security tools should be used, when commercial tools are more effective, and if we can trust tools built from an open-source core.
Build vs Buy (the open-source cost trap)
As you grow your company, you will soon realize that the choice between open-source and commercial is more a choice between building tools or buying tools. Open-source provides a great starting point but they lack a lot of the features you need, dashboards, integrations, compliance reporting, remediation workflows, false positive filtering, and vulnerability prioritization, to name a few. So the idea that open-source is free simply isn’t true. This can be an advantage though, building as you go stretches out the initial investment and you can focus on features that are important to you. It means you aren’t relying on a vendor to deliver the feature they ‘promised’ they would deliver in Q3 2 years ago.
There are plenty of negatives to consider when building on top of open-source tools. Firstly not only will it take significant development time to build out these tools but it will also require continuous maintenance. Security tools can also block production when they are integrated into elements like CI/CD pipelines for example. This means when they fail or crash, they can cause losses in productivity with no support to help you get back online.
What about the buy option then? Firstly there is no ramp-up period, you get complete coverage right from the beginning which results in less security debt later on. You also don’t lose the opportunity cost of taking engineering teams off your core objectives to focus on building features for internal tools. In the fast-paced startup world, don’t underestimate the value of this.
Open-source vs commercial
Are commercial tools better at vulnerability discovery?
So far we have talked about all the tool's features without even asking possibly one of the most important questions. What will find more vulnerabilities? Generally speaking, the core functionality of open-source tools will often match their commercial counterparts in their ability to find vulnerabilities. Where commercial tools will pull ahead though is their ability to filter out false positives and prioritize their findings.
Think of it like this, you have two fishing boats an open-source boat and a commercial boat. Both use the same net and catch just as much volume as each other, but the commercial tool has a processing plant that throws away the trash, sorts the fish into sizes and throws away the fish we can’t eat. Both boats caught the same results but the open-source tool is missing the next stage of triage.
It is very often commercial tools that are built on open-source projects. For example, let's take Zen by Aikido, a full-featured in-app firewall that is designed to stop threats at runtime. So is it better at detecting run-time threats and stopping them than an open-source equivalent, not really, because it's based on an open-source project, AikidoZen. The value of the enterprise version is in its additional features like analysis, rule creation, deeper understanding of Your specific threats, and ease of deployment, all things you would need to build yourself if you used the open-source version in an enterprise. So open-source isn’t necessarily worse, it just is missing the next stage of triage.
Note: Benchmarking tools against vulnerabilities found can also be very tricky. A great security tool might find fewer vulnerabilities because it is better at removing false positives based on context. Therefore the better tool isn’t always the one that finds the most, more often than not it's the opposite.
Powered by open-source built for enterprises
So open-source is too much development and the commercial is too expensive, how about a happy medium? Full-featured tools that use open-source at their core are not a new concept. Some of the most successful security products in the world use open source at their core like, Hashicorp Vault, Elastic Security, and Metaploit to name a few. There are many reasons why these tools do so well and it’s probably not for the reasons you think.
Cost-effectiveness
Open-source powered tools not only need to compete with alternative commercial tools, they also must compete with their open-source base. That means their value must be proven and transparent often resulting in a more cost-effective offering.
Power of the community
Often open-source tools are maintained and built by commercial companies, like Aikido Zen. Tools that are based on open-source are not just done so to reduce development time, but also because founders believe fundamentally in the power of open-source. Open-source tools are often faster at building features because they have a community behind them, it also means that if you have a specific and niche problem you can introduce it to the tool yourself.
Transparency
Often buying commercial tools can be a little like buying a car without seeing its engine. How good/reliable is it in the long term? It is easier to hide weaknesses when someone can’t peer into the engine. Open-source powered tools cannot hide their engine so it is easier to feel confident in the tool itself.
Commercial Features
As stated before, because an open-source-powered tool is often competing with both commercial alternatives and open-source tools it has to stand proudly behind its additional features. This will mean everything you expect from a commercial tool but often quite a bit more. Because the product benefits from a well-defined open-source base, attention can be spent on improvements which are ultimately passed onto the end user.
So what do I choose (final thoughts)
We have discussed the advantages of open-source, commercial, and open-source powered security tools. I think it is clear from my tone that as the author I love the open-source community and believe open-source-powered tools to be a compromise on price without a compromise on features. It is of course idiotic to say that there is no reason why in some scenarios where a pure commercial version is better. There are great innovative solutions out there that are entirely closed-source. But my ultimate point is that just because something is based on an open-source project, it doesn’t mean it will compromise in ability or features. And because it needs to prove its value in complete transparency, it often offers deeper features and value.
Aikido security was created by developers for developers to help get security done. We a proud of our open-source heritage and would love for you to come see it in action for yourself.