Security can be a difficult, expensive world to navigate. So we decided to create a comprehensive guide of open-source security tools to cut through the bullsh*t and show what the most critical tools to implement are, what assets you need to protect, and how you can build a long-term security plan using only free and open-source tools.
What are the most critical tools?
There are seemingly endless security tools available, the first step is always deciding where to start. While it can always differ depending on specifics, we always recommend starting with the low-hanging fruit for attackers. Make sure your cloud infrastructure is secure, you don’t have secrets attackers can easily find, there are no simple coding mistakes leading to errors and you don’t have critical vulnerabilities in your open-source supply chain. From there you can implement more tools to improve security and behind to implement more best practices throughout the software development lifecycle.
What tools are available?
There are a lot of great open-source tools available and much will depend on your stack and exact needs, but below are some of what we consider to be the gold standard and a great place to start.
CSPM (Cloud Security Posture Management)
Cloudsploit
CSPM is an essential tool for protecting our cloud assets, Cloudsploit is an open-source CSPM. The project detects security risks in cloud infrastructure accounts, including Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP) and Oracle Cloud Infrastructure (OCI).
Secrets Detection
Trufflehog | gitleaks.
Secrets are high-value targets for attackers as they allow fast lateral movements into new systems, in fact, secrets are used in 83% of breaches. It is essential to detect them where they live, especially in your git repositories. Two of the best open-source tools for secrets are Trufflehog and gitleaks.
SCA (Software Composition Analysis)
Trivy | Dependency-Check | Dependency-Track
Open-source dependencies make up 85% of the code of our applications, this can mean attackers know your code better than you do! It is critical that we know what open-source components contain vulnerabilities. SCA tools analyze what open-source dependencies we use in our applications and determine what have known vulnerabilities against them. Trivy, Dependency-Check and Dependecy-Track are great tools to help us understand our open-source risks.
SAST (Static Application Security Testing)
Bandit | Breakeman| GoSec |SemGrep
SAST reviews your source code for mistakes that can lead to security issues. Some of the most common errors SAST can uncover are injection vulnerabilities, encryption failures and buffer overflows. The tools you choose will need to be specific to your specific tech stack. Some great options Bandit (Python), Breakeman (Ruby), GoSec (Go) and SemGrep (Generic).
DAST (Dynamic Application Security Testing)
Nuclei | Zap
DAST tools act like an automated hacker that runs attacks against your domains to discover exploitable vulnerabilities, this is also sometimes referred to as surface monitoring. Two great open-source tools are Nuclei and Zap.
Malware Detection
Phylum
Classic SCA tools rely on vulnerabilities that have been publicly disclosed. Malware detection is about discovering malicious code inside packages that may not have been reported. Phylum is a great tool for this, while technically it is not completely open-source but does have a free version which can be used with their CLI scanning tool.
IaC Scanning
Checkov
Infrastructure as code has allowed us to more confidently and easily provision and deploy cloud infrastructure. This can however lead to misconfiguration that introduces security issues. CSPM tools discussed before can find errors in your cloud infrastructure whereas IaC scanning can prevent the errors from happening before deployment. Checkov is a great tool that can scan these for security issues
In-App Firewall
Zen-Node | Zen Python
There has been a real trend about shifting left in security (moving security earlier in the lifecycle), while this is great we shouldn’t neglect the other side of this and implement security for our running applications. Zen by Aikido is an open-source in-app firewall that can block attacks like injection at runtime adding a secondary level of protection. Zen-Node | Zen Python
End-of-life components
endoflife.date
A big risk of our open-source supplychain is components that are no longer being maintained, endoflife.date is a great database of projects that are no longer activity being maintained and shouldn’t be used in production.
License Protection
Trivy
It is important to be aware that you are using the correct open-source license with your application, Trivy provides great insights into open-source license types and how they are being used.
Are open-source tools as good as commercial versions?
Open-source tools can be very high quality in terms of their scanning capabilities. However commercial tools bring more to the table when it comes to noise reduction, remediation, and monitoring. Many commercial tools like Aikido use open-source scanners under the hood. You shouldn't be afraid to use open-source tools but do be aware that using open-source tools, particularly as you grow, will require a lot of engineering time.
Why use open-source security tools
- No barrier to entry (quick and free to get started)
- Open-source is a great tool to get board buy-in (These tools can be used to highlight security issues)
- High-quality scanners (Many open-source tools match capabilities in scanning)
- Community support
Why not use open-source security tools
- Difficult setup, open-source tools use a patchwork of languages and frameworks so getting them talking nicely is difficult.
- Noisy, open-source tools tend to focus on discovery so can bring many false positives if additional layers of filtering are not created.
- Limited support, if tools breaks you are on your own
- No RBAC. In modern development, it's important to have the entire team involved. Open-source security doesn’t allow any filtering between roles making it a heavy burden on the security team.
There is no right answer for open-source over commercial tools and both have their place, read more on this subject here.
The Aikido Difference
If you are investigating open-source security tools you will likely have come or will come to the realization that commercial tools are expensive while open-source tools require lots of work to be able to centralize them in a dashboard. In Aikido we understand that challenge and creating a product seamlessly brings together open-source projects, centralized into a single dashboard bringing context to every security issue with auto-triage and remediation workflows. This enables you to have the power of a large commercial tool at a fraction of the price.