By Carol Brzozowski

The choice between open source and proprietary software for building a cloud-native environment is driven by risks and rewards. It should also be based on team size, time investment and available budget.

“Perceptions of open-source software (OSS) are evolving, and what was once seen as potential risk is now seen as an enabler for both security and business,” said Paul Calatayud, CISO, Aqua Security. “The pros of open source are that the community is a strong and collaborative one, and it puts an emphasis on security by working together to identify and resolve software vulnerabilities and bugs.”

Some OSS projects run bounty programs to incentivize the community to quickly fix issues with code, while other open-source projects are maintained primarily by companies that invest significant time and resources into software maintenance in the same way they do with their proprietary products.

“This is particularly relevant for cloud-native environments, which benefit from the rapid innovation and agility that are common within the OSS community,” Calatayud added.

He noted that the benefits of using open-source software are extensive, but it can require a significant investment of time.

“If companies do not see the value of open-source investment and don’t make it a priority, it can put a strain on teams. However, implementing open-source software can offer strong ROI over time, and it offers more flexibility than proprietary software might,” he said.

“Proprietary software provides a more cookie cutter approach, with formal, dedicated resources for maintenance, but at a premium,” Calatayud continued. “It can be a more rigid option than open source, with less customization and flexibility. And though it can require a larger financial commitment upfront, a company may need to contribute fewer resources toward implementing and maintaining it over time.”

Paul Schwarzenberger, CISSP, CCSP, a cloud security specialist for Celidor, sees the choice as often being among three options: open source, cloud provider services, or third-party proprietary software.

He cited an example from his background as a cloud security professional: “Many enterprises want to make sure their cloud estate is always configured securely. To meet this requirement, they look for a Cloud Security Posture Management [solution]. They could choose between an open-source tool such as Cloud Custodian; a cloud provider service such as AWS Security Hub; or third-party proprietary services such as Palo Alto Prisma.”

The decision-making process includes:

  • The culture of the organization. A strong DevOps unit typically favors an open-source solution.
  • Budgets. External costs will be zero for open source, while cloud provider and third-party service costs may be considerable.
  • Functionality. Common sense says you want either type of software to perform all the functions needed.
  • Integration with multiple clouds. Generally, cloud provider services only integrate with other services within their own cloud, although there are some exceptions such as Azure Arc and Anthos from Google Cloud Platform, Schwarzenberger noted.
  • Support with service level agreement. Both cloud provider and third-party services will have service level agreements for support in the event of issues. “With open source, you’re reliant on the goodwill of the maintainers and the open source community,” said Schwarzenberger.

Schwarzenberger noted that one risk of choosing open-source solutions is that an open-source project may only have a very small number of active contributors.

“If circumstances change and key individuals move on, the project may stop being effectively maintained, potentially leading to the functionality becoming out of date and in the worst-case leaving security vulnerabilities unfixed,” he added.

If it’s challenging to find time to test a plan, it’s even more daunting to fix the problems the tests uncover.

“While open-source software has no license cost, there won’t be a service wrap, so individuals within the organization will need to learn how to implement, maintain and operate a solution or application using that software, which could be considered a hidden cost.”

Schwarzenberger said that creating and maintaining open-source software can be “very rewarding. I created and maintain the open source tool Domain Protect, and it’s very satisfying to have developed a solution which helps many organizations around the world improve their security and to hear their feedback. I am looking forward to more contributions and involvement from the open-source community.”

When deciding whether to adopt open-source software or proprietary software, the organization should have a roadmap or strategy in place to guide its decision-making, Calatayud pointed out.

“It’s a good opportunity to audit the tools, processes, and infrastructure it currently uses to determine if and where it needs to make changes,” he said. “Identifying duplicative or superfluous tools can help streamline resources, so first understanding what’s in place will help the decision process.”

Additionally, the team making the decision needs to consider the budget, Calatayud noted.

“Either option will require resources in different ways,” he pointed out. “If you’re leaning toward open source, ensure that there is or will be a team in place to devote time to the new tools. If you’re leaning toward proprietary software, ensure that the immediate financial commitment is possible.”

Calatayud highlighted that a recent survey by Aqua Security shows 78 percent of CISOs believe open-source solutions give them access to the best and most current innovation in cloud security.

“As cloud-native environments are rapidly changing, companies that work with open-source solutions are able to be nimble and adapt to the changes to allow themselves to keep up with the pace of innovation.” Additionally, companies should implement security best practices, including vulnerability management, access control enforcement and network security for optimal security, according to Calatayud.

“By adopting a DevSecOps model, companies can secure cloud native applications throughout the life cycle from development to deployment,” he pointed out. “In vulnerability management, there are also processes a company can implement, such as scanning code and Docker container images to check for vulnerabilities, ensuring a safer cloud native environment across the organization.”

Carol Brzozowski is an award-winning freelance writer located in Florida.