Transcript
00:07 Hi everyone, happy Wednesday. My name is Greg Anderson, creator and now CEO at DefectDojo. And I'm very excited to share these awards with you today. So first, why create awards? My co-founder, Matt, and I have been in open source security for a really long time. And I believe we're at a point where there's never been more noise in our industry. And at DefectDojo, we're sort of uniquely positioned
00:35 to see which tools are performing the best. And so today we're here specifically to talk about open source tools and we want to shine a light on opportunities to use open source security tools because of their cost, because of their approachability to make sure that security isn't just reserved for large enterprises. And then a big part of this is that we're very grateful for
01:03 the position in the market that most of our customers and community have provided to us to make this possible and meaningful. So thank you to the DefectDojo community. Thank you to our customers. I'm very excited to be here today and share these with you. So before we get into the winners, I wanted to talk a little bit about our selection criteria. So the first thing we always wanted to consider was at least having one winner that was the most comprehensive in the space,
01:32 the industry staple, the most polished, the most approachable. However, when it comes to some of our winners, we wanted to make sure we picked winners that brought something unique, something that everyone could benefit from. And so sometimes those tools aren't the most polished, but we think they can do something that maybe other open source tools aren't providing to kind of offer a complete and comprehensive open source security program.
02:02 So with that said, let's get into the winners. Excuse me. So starting with DAST first, the first one I don't think will be a real surprise to anyone in the security community, which is ZAP. So when you think of dynamic security tools and open source, ZAP is what everyone thinks of. It's polished, it works well, it's the industry staple. It's what everyone talks about, and we fully agree with that.
02:29 If you're going to use one tool in this space, we definitely think ZAP is the go-to, and for good reason. Our second winner in the DAST category is Nikto. And so what we really like about Nikto, time and time again when we see the results from this tool, is that it continuously finds things that other tools simply don't. And so when you add Nikto to a security program or to your DAST scanning, it finds specifically
02:59 header vulnerabilities in web servers that many other tools miss. And so we think of this as a tried and true good option to add to any security program that could unveil those types of vulnerabilities. And then our final winner may be kind of a hot take because it does require some babysitting for it to work well, but it is Arachni.
03:24 And so what we like about Arachni is actually the way in which it validates security vulnerabilities. It uses a headless browser technology for validation and testing, and it's just very unique to open source. And the challenge with Arachni is it can get stuck on itself as it scans a website. And so it does require significantly more handholding. You need someone who has experience with the tool typically to have it run in optimal state,
03:54 but can be very helpful to a comprehensive security testing program.
04:01 So moving on to SAST, similar to ZAP, we see sort of the category definer in SAST scanning today as Semgrep. When we look at open source security tools overall, Semgrep is relatively new actually to the category compared to, say, ZAP or some of our other winners that you'll see later on, but we still see Semgrep as the industry standard, both in terms of accuracy and noise reduction,
04:31 fairly easy to use out of the box, although you can write custom rules as well to further enhance what Semgrep is providing with regard to static scanning. And then our second winner, more of an industry staple, a tool that most who use open source security tools will be familiar with, which is SonarQube. So what we like about SonarQube is the fact that it is a staple and it's very, very easy to get started with.
04:59 The challenge potentially with SonarQube is the noise around SonarQube, but static by its nature is generally more noisy. But in terms of getting immediate value, demonstrating value with regard to implementing a tool, you can get to value very, very quickly with the open source version of SonarQube. And then our final winner in the SAST space, again, kind of a hot take, but Horusec.
05:30 People could definitely disagree with this selection because it's not widely used, because it doesn't appear to be actively developed any longer. But what we really like about Horusec is the languages it covers from a SAST perspective. So when you look at, say, what SonarQube covers out of the box or in their open source edition versus commercial, and then what Horusec covers,
05:53 Horusec provides static scanning coverage of programming languages that typically you have to pay for. And so that really shined to us as a good option and reason to use the tool when you are budget constrained or exclusively using open source tools.
06:13 Moving on to SCA, which is software composition analysis. We think of this as dependency scanning, image scanning, et cetera. And our first winner, again, sort of the staple, the tool that everyone thinks of in this space, is Dependency-Track. We're huge fans of Dependency-Track, both for the results that it produces and for its overall approachability. If there's a negative with Dependency-Track, we think it's in scalability, potentially. Sometimes,
06:42 Dependency-Track can struggle with scanning really large things or storing a ton of data post scan, which is actually something, you know, we solve at DefectDojo by bringing that data in to solve those potential scalability challenges. But with regard to results, usability and approachability, I think Dependency-Track is what everyone thinks of in this category. And we agree with that.
07:10 Moving on to Trivy. So Trivy we see as just a phenomenal image scanner. When we think of image scanning in the category of SCA, we think Trivy does it the best with regard to what is open source. And so, you know, as a key part to building an overall security program, we see tremendous value add in Trivy. Our next winner is also in the image space, but Checkov does
07:40 additional things beyond image scanning, such as looking at infrastructure as code. And so for that reason, for that unique capability, we thought it paired very nicely and was worthy of recognition. When we look at Trivy versus Checkov, they both produced very, very good results. But when used together, we thought it was very comprehensive
08:05 for a program that's trying to exclusively use open source tools.
08:12 Moving on to infrastructure, our first winner in the infrastructure category is Prowler. So what we like about Prowler is how polished it is. Prowler is specifically focused, you could almost call it, I would say, in the CNAPP space; it's almost a Wiz competitor focused primarily on AWS workloads. But we like the polish, we like the scalability, we like the usability.
08:39 If you are interested in examining infrastructure vulnerabilities, specifically with Amazon, we think it's a phenomenal choice and platform and brings incredible value. The other ones are more of industry staples. Unfortunately, we don't see, with the exception of Prowler, the same level of maturity as you see in, like, DAST with ZAP, but OpenVAS is still a staple in this space that can be used for,
09:08 you know, general infrastructure scanning overall. And when we talk about, you know, just generic scanning of infrastructure, it is probably the best in this space with regard to not needing to, you know, overly babysit the tool, so that you can immediately run scans. There were a ton of commercial tools that have been inspired by OpenVAS, but with regard to open source, it's still
09:35 phenomenal in this category. And then finally, most people think of Nmap as a port scanner, which it is and does a phenomenal job. But the other really interesting thing about Nmap as it relates to infrastructure security is that very frequently people will publish scripts for the early detection of new vulnerabilities. This will show my time a little bit in security,
10:01 but back when we had the Heartbleed vulnerability, which affected SSL and most of the internet, Nmap actually was one of the first to have a script to detect that. And so we really like it for that reason. In addition to its core capabilities, being able to detect new infrastructure vulnerabilities extremely early in an open source setting without having to pay, we thought, was something
10:28 really worth recognizing and drawing attention to for those that need to solve that in their security programs.
10:38 Moving on to secrets, we only picked one winner in secrets because we thought there was a tool that sort of stood above the rest in terms of both accuracy, versatility, et cetera. And that is TruffleHog. So TruffleHog uses entropy for secret scanning. You can really use it on any source. And so due to its versatility, we found that,
11:06 while secret scanning is kind of notoriously tough from an accuracy perspective, when we look at other open source security scanners, we thought that TruffleHog just performed better and deserved to be recognized without other winners in the category. And then finally, moving away from tools for a second, we did want to recognize someone from the DefectDojo community. So
11:34 we are extremely grateful for all the open source contributions that we get. The DefectDojo community is truly what makes our platform possible, these awards possible, and contributes greatly to open source security. We absolutely appreciate every contribution, and this is a very, very hard choice to make. But ultimately, we wanted to recognize the work of Kiblik, which is
12:00 this person's name on GitHub. I didn't know how much notoriety Kiblik wanted. So I didn't include a picture of Kiblik or anything like that. But Kiblik has been a long time contributor that has helped with various parts of the platform. And so, you know, we're extremely grateful for his participation and the impact that he's made for the open source version of DefectDojo. And so we just wanted to call that out and express our gratitude
12:28 both from the community and ourselves. So thank you, Kiblik. It's greatly appreciated.
12:35 And so that concludes our award presentations. Again, what we really wanted to do here is use the data we have to shine a light on where we think open source security tools can be incredibly effective and can help you to build a security program at very low cost. And the final thing I wanted to do before we get to Q&A was just, for those of you who haven't heard of DefectDojo, if you just joined this presentation
13:03 and you're like, I have no idea what this guy is talking about: we're an open source platform in security automation and vulnerability management with 43 million downloads, used by 10K plus organizations. And so if you do have interest in open source security, we have both a Slack channel for discussion and our code base, if you're looking to leverage an open source tool in the vulnerability management space and aggregate the results from all your tools.
13:32 So thank you everyone, greatly appreciate it. Chris, let's go to Q&A if that's okay.