Open Source vs. SaaS
Silicon Valley is built on open-source software. RedHat reports that 86% of IT leaders say that the most innovative companies are using enterprise open source. Developers building a product for distribution might prefer open source components inside it over commercial ones. But when it comes to services used by IT that do not form the core of your product offering, SaaS is becoming the much-preferred option over open source. This is because SaaS is easy, while installing and managing open source software is a headache. There is even a new breed of companies, such as Elastic and Cloudera, that combine the SaaS and open source models in new ways and are extremely successful.
Application Security Testing scanners
Now in Application Security Testing, both commercial and open-source testing scanners exist side by side. So far, mostly large enterprises have been investing a good amount in application security in general, and they can afford the very expensive price tag of these commercial scanners, a price tag that could go well into the millions of dollars per year.
Commercial scanners are unsustainable
But this model is not sustainable for the following reasons:
- Research reports that the DevSecOps market is expected to explode, primarily because of adoption by small and medium enterprises. These enterprises simply cannot afford the high price tag of commercial scanners. They need something both affordable and easier to use. While open source scanners are free, they are not easy to manage and require security expertise that these enterprises do not have.
- Software architecture is changing and getting more complex. Commercial scanners from a specific vendor are typically good in only one or two languages, or in a few architectural models. In today’s software world, where there is a mix of different languages and architectures, these commercial scanner vendors don’t serve all permutations and so leave large holes even for their best enterprise customers. By contrast, open source scanners are tailored and specialized for specific languages and architectures, so a combination of them can fill the holes left by commercial scanners or even replace them completely.
- Since application security is discussed even in board meetings, companies are scrambling to enable the best application security. In the “old days”, they could get away with just one type of security testing, but today, to get tight security, they must do all types of security testing, including SAST, DAST, SCA, secrets, containers, etc. No commercial vendor offers the best scanner across all these testing types, so the options are either a fragmented set of commercial vendors, which increases the overall price tag, or a cohesive solution that consolidates all scan types into one offering. Although some commercial vendors are trying to build a suite of products, this kind of consolidation is easier on top of open source scanners than on top of commercial ones.
Open source scanners to the rescue, but not just yet
So, it looks like open source scanners may come to the rescue after all. They are free, each one is tailored and specialized, together they cover all scan types, and a combination of them should provide bulletproof, efficient, and affordable security. Like any open source software, however, they come with plenty of potential for headaches:
- There are many of them, so it is confusing to figure out everything you need for your situation. Companies need to select those that are most relevant to their language and architecture.
- Admittedly, open source scanners are a big pain to set up, maintain and upgrade. This is because of unclear documentation, a multitude of parameters, varying requirements on platforms and different upgrade processes.
- There are too many false positives coming out of these scanners. This calls for a noise reduction layer to be implemented on top of these scanners. The noise reduction layer should map the technical impact of a vulnerability with its actual business impact.
- It is difficult to understand open source scanner results. Their output format is not easily understandable for humans. As a result, companies need to build their own software layer to consume their results.
- It is difficult to aggregate results across multiple types of scanners. Each scanner determines risk differently. The categories are named differently and require normalization.
- It is difficult to track results from one scan to the next, because the scanners lack vulnerability management capabilities; this makes it hard for developers to act on the results.
- It is also difficult to aggregate results across different dependencies, which would help companies understand the total risk for an application or for the organization as a whole.
You get the picture.
Open Source + SaaS is a better model
This kind of problem, where the base open source software components are superior but suffer from poor maintainability and management and lack a consolidation or orchestration layer, is not unique to the application security testing market. Companies like Elastic and Cloudera, which use an Open Source + SaaS model, have set the standard: the underlying core software is open source, while a SaaS layer on top provides relief from the maintenance burden.
What if there were a product that does the same for Application Security Testing? Meet Sken.ai. Sken.ai uses a combination of open source security scanners that are free, specialized, powerful, community tested, and they cover all types of application security testing. Sken adds a SaaS layer on top of them to make them all usable and maintainable.
Sken.ai does the following:
- Based on the language, and the architecture of the application, Sken automatically figures out which open source scanners to use and then configures them.
- Docker images with the latest version of those open source scanners are used, removing the need to install, maintain, or update scanners.
- Sken then aggregates the results across multiple scans and scan types into one unified dashboard with easy-to-use vulnerability management capabilities.
- Sken has robust risk determination capabilities that consider the business impact of risks and the dependencies between applications. With Sken, you do not need to be a security expert to improve application security; Sken needs very minimal security expertise.
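To make the normalization, aggregation and scan-to-scan tracking problems from the list above (and the aggregation step just described) concrete, here is a small added example written for this page; it is not Sken’s code or any real scanner’s output format. The two scanner outputs, the severity mapping and the score buckets are constructed assumptions.

```python
import hashlib
import json

# Constructed sample outputs from two hypothetical scanners (not real tool formats):
# a SAST tool that reports a "level" and an SCA tool that reports a CVSS-style "score".
SAST_OUTPUT = json.dumps([
    {"rule": "sql-injection", "level": "ERROR", "path": "app/db.py", "line": 42},
    {"rule": "hardcoded-secret", "level": "WARNING", "path": "app/cfg.py", "line": 7},
])
SCA_OUTPUT = json.dumps([
    {"package": "requests", "version": "2.19.0", "id": "VULN-PLACEHOLDER-1", "score": 9.8},
])

SAST_LEVELS = {"ERROR": "high", "WARNING": "medium", "INFO": "low"}  # assumed mapping
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def score_to_severity(score):
    # Assumed bucket boundaries; an organization can tune these to its risk policy.
    for floor, label in ((9.0, "critical"), (7.0, "high"), (4.0, "medium")):
        if score >= floor:
            return label
    return "low"

def fingerprint(scanner, *parts):
    # Stable id independent of the scan run, so one finding can be matched between runs.
    # File+line is simple but shifts when code moves; hashing the flagged snippet is sturdier.
    return hashlib.sha256("|".join([scanner, *map(str, parts)]).encode()).hexdigest()[:16]

def normalize_sast(raw):
    return [{"id": fingerprint("sast", f["rule"], f["path"], f["line"]), "scanner": "sast",
             "severity": SAST_LEVELS.get(f["level"], "low"), "title": f["rule"],
             "location": f"{f['path']}:{f['line']}"} for f in json.loads(raw)]

def normalize_sca(raw):
    return [{"id": fingerprint("sca", f["package"], f["id"]), "scanner": "sca",
             "severity": score_to_severity(f["score"]), "title": f["id"],
             "location": f"{f['package']}@{f['version']}"} for f in json.loads(raw)]

def aggregate(*finding_lists):
    # Merge every scan type into one list ordered by the common severity scale.
    merged = [f for lst in finding_lists for f in lst]
    return sorted(merged, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["id"]))

def diff_scans(previous, current):
    # Track findings across runs: new ones need triage, resolved ones can be closed.
    prev_ids = {f["id"] for f in previous}
    cur_ids = {f["id"] for f in current}
    return {"new": sorted(cur_ids - prev_ids), "resolved": sorted(prev_ids - cur_ids),
            "open": sorted(prev_ids & cur_ids)}
```

Each real scanner would get its own adapter like `normalize_sast`; everything downstream (dashboard, triage, risk roll-up) then works on the one normalized shape.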
In conclusion, Sken.ai’s SaaS orchestration layer, on top of the open source scanners, handles upcoming market inflections, which will favor easier, affordable and all-encompassing application security testing products. Visit our website at Sken.ai and sign up for early access.