Becoming a unicorn without writing the bulk of the code!

Open source tooling is the best

It must be, or commercial vendors wouldn’t keep using open source code bases to build their commercial products and pass them off as their own.

You can’t just take code from someone else and pass it off as your own work, can you?

The answer is yes, you can.

In open source, there are multiple licence types that people use. To name a few: Apache 2.0, MIT, BSD and GPL, among others.

Some of these licences only allow commercial use of the code if the source is published along with the solution; others let you do as you please.

Apache 2.0, MIT and BSD are the ones mostly used to create commercial products, because there is no requirement to even mention the original developer of the solution.

Did you know that Mac OS X was literally an open source operating system called OpenBSD, which is still freely available today?

Because it’s licensed under the BSD licence, anyone can take that operating system, stick a new logo on it and start selling it as a commercial operating system. Granted, Apple have done a lot of work on top of this original piece of work, but the entire structure of that operating system is based on a free bit of kit. That’s why Unix-like commands work on a Mac.

Vendors take code that has already been worked on by a large community, re-skin it, set up a sales channel and start pumping it out to the masses, without the masses being aware that this is what they do.

The flooded cyber security market

99% of the tools that you find in the cyber security market these days are derived from open source. We did an article not so long back about how the market is flooded and how there are hundreds of the same solution on the market with very little to differentiate them.

Let’s look at a few of the open source projects that make up these solutions on the market.

1. Zed Attack Proxy (OWASP ZAP)

The basis of 90% of the commercial web application scanners on the market. We see people building their entire product on the back of this engine alone and charging big-ticket prices for something that the user can download for free and use to perform an instant scan. The reports produced by OWASP ZAP are more or less identical to the ones produced by commercial scanners.

Anyone with a little development knowledge can create a shiny front end that performs a scan using the ZAP engine and sell it as an online service.

ZAP can be run on a desktop or in a server environment, with no limit on the number of targets or scans. There is no restriction in the licence if you want to scan your own web apps!

For a list of vendors that fall into this category, search for DAST scanners in the Google machine and you will see how many vendors are doing this. This market is absolutely flooded with solutions doing exactly the same thing.

2. RouterSploit

This is quite a new addition to the open source cyber tools, but it seems to be getting used by commercial vendors all over the world.

Several examples of commercial vendors using this under the hood of their products have come up.

What RouterSploit does is scan for vulnerabilities in embedded devices.

It’s vulnerability scanning for device firmware. Often marketed as security for IoT, it checks for any possible exploits against the firmware of a device.

It is licensed under the MIT licence, which again means that the company using the code doesn’t have to tell people that this is what they are using.

To understand the types of vendors using this solution in their commercial products, search for vulnerability scanner for firmware.

We’ve seen about 10 of them in the last year alone.

3. OpenVAS

OpenVAS is different to the previous two in that when it’s used in a commercial product, the code has to be released with it too.

That doesn’t stop people using it, though.

OpenVAS is a network vulnerability scanner that picks up on things like out-of-date operating systems, open ports, weak credentials and the like.

It’s completely free to use!

Several commercial scanners on the market use this project under the hood. There is also a commercial side to OpenVAS, run by the maintainers of the project, Greenbone, which is based in Germany.

4. ModSecurity

Another one from the vaults of OWASP, this is licensed under Apache 2.0 and is free to be modified, sold and completely re-skinned with no restrictions.

ModSecurity is an open source Web Application Firewall and is used by many commercial web application firewalls as the solution that powers them.

With cloud hosting more popular than ever, vendors don’t even need to build the hardware to sell it anymore, although hardware appliances are still a thing.

I won’t name the commercial vendors that are building their products on the back of ModSecurity, but if you search for WAF on the Google machine, you will find lots of them that use it.

5. KeeWeb

Password managers have become all the rage recently, with everyone going passwordless and just having their password manager handle everything.

So you’ve paid for a password manager?

It’s probably based on KeeWeb, which is licensed under the MIT licence and can be used to create all of those commercial password managers that keep cropping up.

Anyone with a bit of development knowledge is able to take this code base and create a new front end and call it a product.

6. Teler

Teler is an intrusion detection system that detects anomalies on the network in real time by looking out for suspicious activity. It’s a detection system and thus doesn’t do any prevention, but it does alert the user to anything abnormal on the network.

I know of at least 5 commercial vendors using this under the hood.

Because it has AI components that learn over time, commercial vendors can state that they are working on AI technology.

Unlike intrusion prevention systems, this bit of kit is only concerned with detection, but there are prevention systems available to us under the less restrictive licences too.

7. Slips

Slips is a behaviour-based Python intrusion prevention system that uses machine learning to detect malicious behaviour in network traffic. Slips was designed to focus on targeted attacks and the detection of command and control channels, and to provide good visualisation for the analyst. Slips is modular software.

Sewing them all together

There are lots more where these came from. You only need to hang around on GitHub for a bit to find the original sources of the commercial products.

What a lot of commercial vendors are doing is sewing all these little bits of open source kit together and creating the Swiss army knives of security tools.

What you get with a commercial licence, as opposed to the open source and free software equivalent, is a SaaS version of it, support and most likely a nicer front end.

Just know that the commercial products you are having to remortgage the house to pay for are essentially free tools that are easily obtainable and just need a little investment of time to learn.
