You can find a curated list of devsecops tools to build a budget-friendly application security program.
We are getting close to the end of the year and Christmas (the best time of the year!), which also means budgeting for some of us.
If you happen to watch any news or visit a nearby grocery store, you know the economy is not doing well, and, no surprise, it is also affecting our cybersecurity budgets.
That is why I wanted to research the topic and share my findings.
We are on a big mission now! We are building our application security program, and tooling is one of the essential parts of it.
First, let’s start with what we have to secure and what type of devsecops tools we may need:
We are lucky in this table: SAST tools are the oldest type of vulnerability scanner, and there are pretty mature open-source devsecops tools out there.
Semgrep is a great source code scanner when it comes to speed and flexibility. You can improve your results with custom rules.
If you are not doing anything for application security, or let’s say you are not using any vulnerability scanner, I would say at least get yourself a software composition analysis tool. It is fast and accurate, and it can easily save you a lot of trouble.
You may miss features like detection for libraries in runtime, prioritization for critical environments or exploitability status, but you can still manage without them.
More criteria when you’re choosing a commercial SCA tool:
OWASP ZAP has been out there for many years. It has excellent features and community support; however, it is known for noise issues and can quickly generate up to 15% false positives. This is why we cannot rely on having it in our automation.
On the other side, Nuclei is sharp as a shark (accuracy) and fast as lightning (speed). Still, it is a scanner for known vulnerabilities and misconfigurations rather than a DAST scanner.
So we have to look for alternatives in commercial scanners:
1- Acunetix: An enterprise-level DAST scanner under the same umbrella as Invicti (a.k.a. Netsparker), and usually 20-30% cheaper than Invicti.
2- Astra Security: This one is backed by a team of bug-bounty people and has served SMEs and SMBs for a long time. (25% discount code: “Astra<3You”)
3- Bright: A new-age DAST scanner with a free starting edition. The limitation is on concurrent scans (only one scan agent), and the maximum scan time is 5 hours. If this is not enough (in case you have many apps), you can start with the Pro package for $79/month with no target limitation.
4- Detectify: A crowdsource-powered vulnerability database from Sweden that gets new findings to you quickly and at affordable prices.
5- Probely: A strong DAST tool from Portugal at €39/month per target.
As we live in an era of cloud-native and containerized applications, ensuring their security also falls into our responsibility checklist.
Thanks to Aqua Security’s support, there are Trivy and tfsec to detect vulnerabilities and misconfigurations in container images and Terraform code. Beyond those, there are Semgrep for Docker images, Grype for filesystems and images (+SBOM), and KICS from Checkmarx.
These tools are open-source and backed by robust security software vendors, so we can confidently use them in our application security program.
I recommend you start building your application security program with open-source solutions and prefer the ones backed by known security vendors. Since we will rely on these tools for a while, we want them to stick around rather than disappear suddenly.
There are two main benefits to starting with open-source tools:
1- You can use open-source scanners while building the triage and remediation process, so you won’t be paying the license of an expensive security testing tool while the process is still immature.
2- You will have a baseline performance to compare against once you start looking at commercial scanners. You can compare scan speed, accuracy, and coverage and decide whether the tool is worth paying that much for.
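As an added example that is not part of the original post: a small Python harness for the baseline comparison described above, run over constructed triage results (the tool names, file locations and scan timings are assumptions). It scores each scanner’s false-positive rate, recall against every confirmed issue, and scan time, flags whether it stays under the 15% noise budget mentioned in the ZAP section, and lists the extra confirmed issues a candidate found that the incumbent missed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    tool: str        # scanner that reported it
    location: str    # file:line
    rule: str        # rule id or weakness class
    confirmed: bool  # triage verdict: True means a real issue

# Constructed sample triage results for illustration, not real scan output.
FINDINGS = [
    Finding("semgrep", "src/auth.py:42", "sqli", True),
    Finding("semgrep", "src/auth.py:88", "hardcoded-secret", True),
    Finding("semgrep", "src/util.py:10", "weak-hash", True),
    Finding("commercial", "src/auth.py:42", "sqli", True),
    Finding("commercial", "src/auth.py:88", "hardcoded-secret", True),
    Finding("commercial", "src/util.py:10", "weak-hash", True),
    Finding("commercial", "src/api.py:7", "ssrf", True),
    Finding("commercial", "src/util.py:12", "weak-hash", False),
]
SCAN_SECONDS = {"semgrep": 45, "commercial": 900}  # constructed timings

def confirmed_issues(findings, tool=None):
    """Set of triage-confirmed issues, optionally restricted to one tool."""
    return {(f.location, f.rule) for f in findings
            if f.confirmed and (tool is None or f.tool == tool)}

def score(tool, findings, scan_seconds):
    """Precision, recall against the union of all confirmed issues, and scan time."""
    own = [f for f in findings if f.tool == tool]
    baseline = confirmed_issues(findings)
    tp = confirmed_issues(own)
    precision = len(tp) / len(own) if own else 0.0
    recall = len(tp) / len(baseline) if baseline else 0.0
    return {"precision": round(precision, 3),
            "false_positive_rate": round(1 - precision, 3),
            "recall": round(recall, 3),
            "scan_seconds": scan_seconds[tool]}

def fit_for_automation(metrics, max_fp_rate=0.15):
    """Gate: only a tool within the false-positive budget should block a pipeline."""
    return metrics["false_positive_rate"] <= max_fp_rate

def coverage_gain(candidate, incumbent, findings):
    """Confirmed issues the candidate found that the incumbent missed."""
    return confirmed_issues(findings, candidate) - confirmed_issues(findings, incumbent)

if __name__ == "__main__":
    for tool in SCAN_SECONDS:
        m = score(tool, FINDINGS, SCAN_SECONDS)
        print(tool, m, "automation-ready" if fit_for_automation(m) else "too noisy")
    print("extra issues from commercial:", coverage_gain("commercial", "semgrep", FINDINGS))
```

Feed it your own triage log and the numbers tell you what the commercial tool adds (coverage gain) and what it costs you in noise and scan time relative to the open-source baseline.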