US 2021

A Case Study: Open Source and Commercial Vulnerability Scanning

Open source and commercial solutions are often portrayed as head-to-head competitors in a market where open source is the protagonist saving developer teams from commercial villains who want to steal their money. But nothing of value is truly free, and while open source does not have an official price tag, its real price tag manifests in other ways, like management overhead. In the end, the true difference between commercial and open source is somewhere in between; each has its own ideal use case. In this talk, we will compare Aqua Trivy, the popular open source scanning tool, to Aqua Enterprise, demonstrating a cloud native security case study of the difference between open source and commercial.

This session is presented by Aqua Security.

Full transcript

The complete talk, organized by section.

Story Tweedie-Yates

[00:12] Hi, this is Story Tweedie-Yates, and today we're going to be talking about open source and commercial in the context of vulnerability scanning. So we'll use vulnerability scanning as a case study, taking two specific solutions. But the overall goal here is really to help you in your decisions to just go either way. To go with open source or to go with a commercial solution for your specific needs. So with that, let's talk about how we're going to help demonstrate this. So we've got two solutions. We have Aqua Trivy, which is a vulnerability scanner that also includes infrastructure-as-code capabilities. And Trivy has more than 3,000 stars on GitHub.

[01:05] It's the most popular cloud native security vulnerability scanner available today on the market. It's used as a default by GitLab, Harbor, and more. So it's a popular open source tool, and more like a DevOps tool, right? On the commercial side, we have Aqua Security. So they have the Aqua platform. Aqua owns Trivy, and it's a commercial scanner, I would say, that forms a key part of a larger platform. So other capabilities, other solutions as part of the same cloud native security platform. And again, because the point of all of this really is decision points, figuring out what are the decision points for your own decision moving forward that makes sense to keep in mind. And really, the key points are the ones that have a personal impact for you and your team. There's no right or wrong.

[02:03] What you'll see is that the decision can flip back and forth. There are very established companies using open source. There are established companies using commercial, and there are students using commercial as well. So, it goes both ways. But the things to keep in mind and the things you want to make a plan for are some of the following. So thinking about whether a solution will fit with your longer-term needs, right? You need X right now or vulnerability scanning now, what will you need in the future that's part of your roadmap? How fit to purpose do you need it? Do you just need one capability? Do you need three capabilities? For example, do you need vulnerability scanning, and do you need infrastructure-as-code scanning, or do you need vulnerability scanning and malware scanning? Right?

[02:47] So how fit to purpose would the solution be? Management overhead. So this means different things to different people. Is money more important than time in your particular organization? That will look different from open source to commercial, and this is probably one of the decision points that's nearly guaranteed to be similar across every open source to commercial spectrum, in that open source is less on price, more on time. Commercial is the opposite, more on price, less on time, so you don't have to spend as much time using it. Other things to keep in mind, so vendor guarantees, right? And here comes in the purpose of the application to begin with.

[03:29] Do you need SLAs? Do you need support? What kind of support do you need around education of a team? And then how much do you want to get into efficacy, accuracy, best-in-breed? Sometimes, not always, but sometimes there are differences on the open source and commercial sides between, yeah, in terms of best-in-breed accuracy, et cetera. And then I would say the first one here as well as last, time to value. Generally open source, you get up and running much, much quicker. And so something to keep in mind. So, what we're talking about today in the case study of Aqua and Trivy, Aqua Trivy, is vulnerability scanning. So how we apply some of these decision factors to vulnerability scanning is as such. So when we're talking about time to value, can you integrate the scanning solution into the CI/CD pipeline? Are there integrations with the integrated developer environment?

[04:29] In terms of longer-term needs, there are a lot of ancillary capabilities in the vulnerability scanning space, because when you're scanning for vulnerabilities, you're scanning applications, and application security is quite a broad space. And then you have the cloud native element as well, which is also varied. So CSPM, for example, scanning the different configurations of your cloud service accounts, and making sure that there are no misconfigurations there that could expose your application to attack. And runtime protection. So if you're scanning in the build, are you also protecting and having other gates in runtime to stop something that's gotten through and where there might be an attack in progress?

[05:16] In terms of management overhead and vulnerability scanning, this could potentially be a list that applies to maybe other types of security, but how you manage multiple tools across teams when it comes to vulnerability management. How do you take your remediation results and actually feed that back into the process to get a bit of a circular motion going and making sure that you're continually improving? How many nodes, clusters, images, registries you need to be protecting and you need to be looking over, that obviously has an impact with management overhead. And then vulnerability management itself, the overall holistic process, even amongst people and teams.

[06:00] So if you have then vulnerability scanning, you're scanning business-critical applications, and you maybe need certain commercial terms. That's also something where vendor guarantees will come into play. Some open source solutions don't have the same commercial terms as a commercial solution would. And that's not something that's often brought up, but it's very true. And then lastly, in terms of vulnerability scanning, best-in-breed, for example, with infrastructure-as-code. So I will say here, when we talk about decision points, they're not mutually exclusive. So we were talking before about fitting with longer-term needs, fitting to purpose. That also has to do with best-in-breed efficacy, accuracy.

[06:48] So they're not mutually exclusive by any means. But let's say you're looking for malware protection, protection from supply chain attacks, as well as vulnerability scanning. That's something where your decision point around best-in-breed accuracy definitely comes into play in terms of vulnerability scanning with open source versus commercial solutions. So with that, let's go into the actual case study, and talk about these two solutions and what they would look like in reality, to give you a sense for your later decisions, maybe in other areas. So beginning with the end in mind, basically you're going to be using Trivy for vulnerability scanning when you're just looking to get started. Let's say you're doing a course, you're in school, or your applications are not business-critical, or you simply have less complex, less distributed architectures.

[07:47] And one thing that's not listed here is if you absolutely have to get up and running with something today or tomorrow from a compliance perspective, Trivy is going to be your friend. And it benefits from wide usage and inputs from customers and organizations and projects across the board. So, it's the default scanner for Harbor, GitLab, Artifact Hub. So you're still going to be getting a best-in-class solution, absolutely. And one point about Trivy getting up and running quickly, no database dependency. You just install the binary, specify a target. So again, that use case of quick time to value is absolutely true with Trivy. Now, if we get into the commercial product and some of the elements on that side, again, beginning with the end in mind.

[08:42] Here, you're going to be looking a little bit in more depth. So some of the decision points here, just to make that clear, we've got management overhead, right? In this first point. We've got efficacy and accuracy in best-in-breed when you're looking at broadest security coverage, right? In terms of what it scans and what it doesn't. You're talking about vendor guarantees and commercial licensing limitations. You're also talking about longer-term needs for continuous protection into runtime. So this is just an overview, and there's one more overview point on the next slide. But, again, beginning with the end in mind, this is what you're looking at between commercial and the open source in terms of vulnerability management in this case study.

[09:27] So diving in, management overhead, vulnerability management, actionable results, and a feedback loop. On the commercial side, you've got... Well, actually, let's choose a different one, because we'll be getting into that a little bit later. So I would just say, on the Trivy side, there's no default aggregation of data from Trivy into a UI. And on the commercial side, you have one place across all your systems with a drop-down menu, a way to see which artifacts are scanned. And so that's really helpful. Now, you can filter vulnerabilities by criticality with Trivy. But in order to see in a visualization tool results outside of the command line, you really need to export the result.

[10:23] And I'm going to show you what Trivy actually looks like so you can understand it here. So, share that really quickly. So press play. So this is what it looks like to actually set up and install Trivy. It's all command line based. And then I'll show you what it looks like in the commercial product as well. So here you've just installed it, it's downloading, and then this is the end result of what you see, right? So you have the library, you have the vulnerability IDs, severity, install version, fixed version, and this is how you get it. And again, this can be filtered, but this is going to be very different from what you see in, for example, let me go here.

[11:06] All right. So this is the vulnerability management screen of the commercial product. But if I go to images, you can just see in general all the images that have been scanned, and there's drop-downs and you can get a little bit more detail in here like this. Obviously there was no drop-down, there's no extra detail in any drop-down in command line, right? So it's very different. So that's just a little quick view into exactly what we're looking at here. So let's get back to the slides. Okay. And I believe that is sharing. So let's talk about as well coverage. So sometimes developers will copy files directly into an image instead of installing files via a package manager. So if a file is not installed by a package manager, Aqua Trivy will not be analyzing it. That's not the case on the enterprise side, because it also will scan for standalone binaries. And then moving down to the next slide, there are commercial licensing limitations with Trivy, so it's not for resale. Whereas on the commercial side, you can absolutely repackage the Aqua platform, and it can be sold to MSP providers.

[12:37] A big difference there and a key decision point in general for any open source commercial solution. And then in terms of the last point here, so this is really a mix. Like I said before, decision points are not mutually exclusive. So this is both a, I would say, longer-term need decision point as well as a potential decision point around best-in-breed and accuracy and scope. So basically, the commercial solution has multiple gates, multiple different points of protection along the pipeline, including in runtime. So when you're scanning for vulnerabilities, you're generally doing this before production, trying to get the cleanest image possible in the case of cloud native.

[13:25] And on the open source side, on the Trivy side, that's where it is, right? That's where it stays. It's a vulnerability scanner. On the commercial side, you have an option for a follow-up protection, in case there's an attack in progress, and something got past the scanners, which happens, and we've seen that happen, right? So moving on, if we take a look at another decision point around management overhead. Here, we're getting into much more depth around vulnerability management and what that would actually look like across both solutions in this case study. So holistic vulnerability management is something where you're following Gartner's model. So in Gartner's model, you assess, mitigate, and then you improve over time.

[14:22] Now, in Trivy, as we saw, you can... Well, I didn't show how you can filter vulnerabilities, but you saw the vulnerabilities and how they're displayed. And if you need an integration with a visualization tool, you'd have to do this externally. Now, what I didn't show in the commercial product is actually how the vulnerabilities can be visualized in relation to their exploitability, in relation to their impact on the actual environment. So I will show that in a second. I'll show that in the dashboard itself. One other key thing around vulnerability management here is the option to mitigate. Sometimes you cannot actually fix a vulnerability. You have to find a way to mitigate without fixing or patching, and there's multiple reasons for that, which we won't get into.

[15:16] vShield is an option to do that. It's an option to mitigate without fixing or patching. It's a runtime policy, and gives you a bit more of a holistic kick, right? Which can be very helpful if that's what you're looking for. Now, I will say, and I've shown on the bottom, this is a customer of Aqua Trivy who has built their own UI on top of Trivy. So they went the more time, less money route, and they built their own UI, and it works for them from a compliance perspective. So they're exporting data to that UI, uploading it, and getting the compliance view that they need to satisfy the auditors. That's also very much possible. Again, this is all about decision points and just an example of what you might see in either perspective.

[16:08] So with that, let's go ahead and look at what we said we would. So we'll look at vShield, and we'll look at how that's actually taken into account with the risk-based insights view that actually prioritizes which threats you should be looking at, or which vulnerabilities you should be looking at. So let me share again the screen. Okay, and that should be sharing now. So let's go to the risk-based insights view. So as promised, what will show up here is not a timeline, but a line of relevance. The threats or the vulnerabilities that are on this side are relevant to your workloads as they stand today. So these are actual exploitable workloads. So from a prioritization perspective, this is the stuff that needs to be prioritized, right? And now, if you have vShield turned on, and you're blocking certain things that might be exploited, given the vulnerabilities in your workloads, that would be taken into account in this view.

[17:25] So that remediation or shield, because it's not really remediation, it's a shield. That shield would be taken into account when this view is being shown. And so that's just UI benefit, management overhead benefit that you're just not going to be finding in an open source solution in general, right? So if we go back to... Just give me a second with the demo. Just takes a little while to get back sharing. And share again slides. Okay, so that should be sharing now. Okay. So getting back to the flow and the decision point. So another decision point around management overhead. And here we're talking about the need for a central view.

[18:30] And this is really only relevant if you have disparate teams that want to see data all in one place. So here we're talking about data aggregation. We're talking about the ability even to set policy across lots of different teams. Right? And then also at the very end, we'll be talking about vendor guarantees, those decision points that might help with business-critical applications. And you'll also be talking about the best-in-class decision point for how broad the coverage needs to be, as we talked about before with runtime policies. So starting at the top, there is no way to set one policy with Trivy and have it spread across multiple parts of your architecture. That's generally not going to be possible. Whereas on the enterprise side, you're going to be able to set policies called assurance policies across all of your systems in one place with a drop-down menu, and you'll be able to see which artifacts have been scanned all in one place, and set policies on them.

[19:47] And more than that, you'll also be having the capability for RBAC, which is going to limit what certain people can see when they actually get into the UI. So again, if you have a large team and you want some people to have compliance visibility, you want other people to have just scanning capability, that's where this capability to shut different people off from certain parts of the system really helps. And I will show that in the demo coming up here. Lastly, if we're looking at business-critical applications, there's a few decision points here, right? There's your longer-term vision, and there's also the vendor commitment and what the vendor will provide.

[20:32] So just in this example again, if your longer-term vision is to have something tangential to vulnerability scanning, like a runtime policy for a cloud native application, on the Trivy side, you're going to have to write a Rego script from scratch, and then that would be enforced with Open Policy Agent in some way, via an OPA policy. On the commercial side, there are literally runtime policies from a drop-down menu. So it's just two very different capabilities for something that is tangential to vulnerability scanning in the context of app development. So if we get to the demo, what I'm going to show you is the policies, number one, and then I will show the permission sets in RBAC, number two.

[21:31] So again, with disparate teams trying to get a sense of consistency across the board on what people can and can't do. So if we go to the screen again, and we go to policies. So let's just see what the results are to add a new assurance policy. So you can see here all the different controls that are offered for any binding app team to come through and have access to, unless they're controlled by RBAC. So role-based access control. So you have, for example, you could say, okay, an image will not be compliant if it's not built off an approved base image. Really would help with supply chain attacks, right? We want to enable malware scanning. We also want to make sure that sensitive data is scanned, and we want to control any superuser capabilities or privileges, right? Just as an example.

[22:33] In this case study, this is the benefit of a commercial solution for a larger disparate team, right? And if we go to the access management section and just look at permission sets, we see some really nice examples of the permission sets that can be granted. So the administrator obviously has full access to the management console. This person, though, has the permissions of the vulnerability operator, and they can add runtime policies, audit events, but they don't have access to the management console, and this one has even less. So only permissions for scan results and to acknowledge vulnerabilities, but no runtime policy capabilities, et cetera.

[23:25] So these things can be managed. And in general, what this will look like is a developer from Team A would maybe have visibility into vulnerabilities and issues in Team A's images but wouldn't be able to see or alter security policies. Or a global compliance officer might see reports and audit events across all applications but can't change runtime policies, et cetera. So with that, let's go back again to the slides. Just one second. Okay. So let's be balanced for a second. GitLab is a fantastic example of a great company solution that has decided to standardize on open source in many ways.

[24:24] So they take best-in-class open source solutions and use them in, in this example, their Auto DevOps capability. So for Trivy, that's where they use it. And the benefit to them is the fact that there's long-term roadmap input that they are guaranteed on the open source side. And so when we talk about business needs and long-term plans, that's not something they've brought up before, but this is a huge benefit of having open source, right? And they've successfully managed the challenges of this, and they have a real partnership with the Trivy team. So just to show that yes, open source can be and absolutely is used in a production scenario for a very large established company. And moving on, here we see the opposite view, right? Again, trying to make it balanced.

[25:30] So this is an article about a developer or an engineer who really tried an experiment. He wanted to see what it was really like using open source across multiple registries, teams, et cetera, and this is the quote that he came up with, right? So it goes both ways. There's no one truth, and you just have to make the decision that works for you. So this is the last real detail of this particular session, and then we will get into a summary. So if we look at some more decision points, primarily these are around best-in-breed and maybe future plans for the app and the security solution that's needed for it. Here we're talking about accuracy from a vulnerability management perspective. So, you've got the AVD.

[26:36] And I'll just show that again. So if you were to take this vulnerability from Trivy and plug it in where it needs to be plugged in the Aqua AVD to see the detail about the vulnerability, this is what you would get, right? So you would go from one screen to another. Now, if you were to go from Aqua, the commercial product, and you were to get into the-- Actually, let's go to... Sorry, let's go to the... Sometimes slow. That's the joy of doing a live demo. Yeah, so if we were to just get into this, you'd see, it's in the same screen, right? The information about the CVE is all in the same screen. So, copy-paste versus just right on the same screen, it can add up over time, right?

[27:48] And the depth of the information is the difference between a dedicated security and threat team who is curating constantly the threat data versus a more publicly available feed, I would say. And then on the scanning side, there's an option to scan for malware and scan for serverless functions. This is all on the commercial side. But again, Trivy and I actually should have put here as well infrastructure-as-code scanning. So it's vulnerability scanning and infrastructure-as-code scanning. So just picking your poison. Do you want to get really in-depth into one area? Do you want to have a broader view? And which solution, open source or commercial, is going to provide that for you?

[28:43] Now, lastly, here are more on the decision tree spectrum of, I would say, best-in-breed and ancillary areas of protection. So if you want to take the data, do some kind of forensics analysis on the Linux kernel and what's happening there, you could do that with another open source solution called Tracee. And what it'll give you is data, a lot of data, right? Now, if you wanted to potentially use the data about what's happening with the Linux kernel and then figure out from there how an image would be then behaving at runtime without running it in runtime, so basically a container sandbox to identify supply chain attacks, you can do that with a commercial solution. So technically, you can do the same thing on both sides, but the management overhead of creating an entire new product, basically to take that forensics data from the kernel and create value out of it, is going to be what you're getting on the commercial side versus the hardcore data, which is also great and interesting on the open source side.

[29:59] So let's do a final view into the dashboard, where I'm going to just show you all of the different scanning options on the commercial side, give you just a sense of the difference. So we're going to go to scanning images. What you'll see when I actually choose one is you'll see a lot of different options at the top for what's actually analyzed. So vulnerabilities, yes. Different layers in terms of base image, et cetera, sensitive data, malware, and this is the dynamic threat analysis sandbox that I was referring to before. So with that, let's summarize. And I think the primary points of view from my perspective, given this case study, are that when you're looking at open source versus commercial, the point is not necessarily exactly mapping all of your decision points and the things that matter to you to each capability of the product, because to be frank, they're not mutually exclusive. We saw a lot of decision points that were around best-in-breed that were melding into decision points around long-term plans for your application and what you need from a solution. So it's not mutually exclusive, but that's not the point.

[31:28] The point is just doing a decision point exercise around understanding the difference in what you need. In general, I think the only truth that I've seen is that you're definitely going to have more management overhead, but quicker time to value with open source. That generally is true as I've seen. I would also say that vulnerability scanning in particular definitely does not exist in a vacuum, and neither will, I bet, an open source solution for any other technology. So just an example here. So as a result, Trivy also has infrastructure-as-code capabilities that it's added on as a result of the other things that you generally want to be checking if you're scanning an application. So keep that in mind for other open source solutions: technologies and capabilities don't necessarily exist in a vacuum in terms of the value that you need to be getting out of them.

[32:22] And then last point I would make is open source is not just for fun. It's not just for students. It is being used in production regularly by companies every day. So it could be the solution to your needs. It's up to you to decide. All right. Thank you so much. I hope this has been helpful for some of your future decisions.