Last month I attended a cybersecurity networking event at which I had some intriguing discussions. One occurred when I asked a security professional what type of tools they used, to which he replied, “We use more open-source tools such as OWASP Zap.” I responded, “Are you concerned with the level of security in the tools since they are open source? Why wouldn’t a commercial-grade tool be more secure?” He stated that Zap is more secure because it is open source. Interesting. He expanded by saying that because the Zap source code is available to the industry via GitHub, it is also available for the industry to scan and fix. Further research shows that OWASP has implemented a bug bounty program which allows contributors to submit detailed reports of bugs they have found within Zap. On average, a reported bug is reviewed within twenty hours, and if it is accepted, the submitter is given a monetary reward of around one thousand US dollars. Source availability alone does not guarantee that anyone reads the code; the reward is what gives the industry an incentive to continually review submitted Zap code, and that ongoing review is what minimizes the number of software vulnerabilities (OWASP’s Bug Bounty Program, 2017).
Meanwhile, with commercial software, only the vendor has access to the source code, and it is up to the vendor to review customer-submitted vulnerability reports. For example, IBM AppScan has its own bug bounty program, but there is no mention of a monetary incentive or of the average turnaround time for reported bugs (IBM Security in Development, 2017). This lack of transparency and incentive is specifically why some security professionals, such as the individual I spoke to, would rather use an open-source tool.
Moreover, in addition to OWASP Zap being ‘more secure’ software, the security professional mentioned the advantage of licensing cost. Specifically, OWASP Zap is free to use, while commercial-grade software may cost thousands of dollars in licensing. To be fair, some commercial-grade software is easier to scale to a security team’s size. Specifically, IBM AppScan has an Enterprise edition which makes it easy to add new users, assign individuals to scanning groups, and manage multiple scans at once; each of these is useful for larger teams (IBM Security, 2017).
What do you think? Would you prefer an open-source tool to one that is commercially available? Do you have experience using one type of tool over the other? Post your opinion or experience below!
(Tug of War Clipart, n.d.)
IBM Security. (2017). Retrieved from https://www.ibm.com/security/application-security/appscan
IBM Security in Development. (2017, April 26). Retrieved from https://www.ibm.com/security/secure-engineering/report.html
OWASP’s Bug Bounty Program | Powered by Bugcrowd. (2017). Retrieved from https://bugcrowd.com/owaspzap
Tug of War Clipart. (n.d.). Retrieved from http://wikiclipart.com/tug-of-war-clipart_30963/