“Why don’t we build our own platform with Open Source tools?” Customer Insights: Question 1
Insights from the Field 1. ‘Why don’t we just build our own?’


‘Why don’t we just build our own platform using the open source tools you provide?’

Intro

One of the great benefits of my role is regular engagement with some exceptionally talented people. Practitioners and SMEs in organisations that differ in maturity, scale and complexity; but that all have similar security challenges, driven by the increasing adoption of cloud-native technologies.

These quick reads will share insight from the field, from my customers, our partner ecosystem and the wider DevSecOps community. Each will pivot around a real question that I’m often asked. The insight shared will be from someone who has specialist knowledge and often has already achieved the outcome (company names and individuals may not be included).


The scenario

This organisation had been using Aqua open-source tools for some time and recently finished testing the enterprise solution. Their adoption of containerised applications was now a strategic initiative, transforming the security requirement from exploratory into a business-critical need. Our respective teams came together for a pilot wrap-up meeting and executive stakeholder intro. The Aqua Exec was in the midst of the conversation, learning about the project (migration to AWS EKS), the security requirements (aligned to NIST), seamless testing and the value of joint workshops (credit to Iheanyi N. & Philip TM Pearson).

Then the senior stakeholder responsible for the project stepped into the discussion and asked this key question:

‘I have incredibly smart people in my team that develop solutions. You offer the same capabilities in your open-source tools. Why do I need to buy your enterprise product?’

‘Why don’t we just build our own platform using the open source tools you provide?’

‘If you want us to invest, you need to help me understand the value you offer, over and above putting my resources into building this in house.’


Open Source?

Let’s take a step back. Do Aqua really offer open source tools for free?

Yes. Aqua are huge supporters of open source across multiple projects. These include Trivy, which is the world’s most popular container scanner, and Chain-Bench (in partnership with the Center for Internet Security), the world’s first CIS benchmarking tool for supply chain security.

Why? Because supporting OSS projects allows our customers to get started straight away and fix immediate security issues. The open source community helps drive innovation and also provides a massive amount of context for threat intelligence. You can learn more about Aqua Open Source projects here.


When is Open Source not the answer?

In this scenario, our Exec thanked the customer for the question - this was a very important point and one that many customers have explored. They explained that to address the primary objectives this customer had already described - securing from code to runtime, delivering at scale, automating process, collaboration across teams, and protecting critical business applications - this would require a unified platform for cloud-native security.

To build your own?

‘In theory, yes… with enough time, resource, investment and expertise you could build your own platform. Then you would be a security unicorn like us! But, the value of Aqua is not only in joining the dots, it is how you join the dots. This takes experience, and we have built a deep understanding from 8 years of tackling these challenges! As the challenge has evolved, Aqua have continued to innovate and build that knowledge into our technology. When you invest in Aqua, you benefit from the value of our unique solution, and the expertise gained from solving these issues hundreds of times.’ (Aqua Exec)

At this point the conversation pivoted. It moved from a potential discussion about ‘Build vs Buy’ cost analysis to addressing the real concern of the project sponsor: ensuring they found the right strategic partner, one that would offer support with expert guidance and ensure a successful outcome.


Customer Insight

Requirements are unique for each organisation and each project, but the challenges of scale, complexity and cost are increasingly universal. For tactical requirements or non-essential projects, open-source tools may be perfect. In this case the Timing, Business Case and TCO all aligned to an investment in Aqua enterprise.

To further complement the perspective shared above, I’ve asked several of my customers this same question. Having already used Aqua enterprise for several years, one customer shared a brilliant and succinct summary:

‘To effectively secure applications across the entire lifestyle you need an integrated platform. You could build this with open source if you wanted to, but you would need to patch it together, and build up a huge array of custom logic, specific to your organisation to make that happen. That just isn’t cost effective.’ (Customer X)


The Platform Approach

The typical approach to DevSecOps today is to manually stitch together multiple siloed tools (open-source and/or commercial products). Each of these has a limited view of, and siloed responsibility for, the overall application risk. Gartner have created a market guide for CNAPP which provides an objective view on taking a platform approach:

‘Securing cloud-native applications offers enterprises the opportunity to redesign security approaches. Rather than treat development and runtime as separate problems - secured and scanned with a collection of separate tools — enterprises should treat security and compliance as a continuum across development and operations, and seek to consolidate tools where possible’ (Gartner)

Aqua provide the most comprehensive CNAPP platform available, providing full lifecycle security and protection from advanced attacks in real-time. If you want to learn more, our team have curated a great resource and content channel to help the community learn about Cloud Native Application Protection Platforms.

If you got to the end, I appreciate you reading! Feel free to share any feedback.

Monikaben Lala

Chief Marketing Officer | Product MVP Expert | Cyber Security Enthusiast | @ GITEX DUBAI in October

1 year ago

Daroush, thanks for sharing!

Christopher Smith

SVP, President NAM @ Palo Alto Networks | Next Generation Security (NGS)

2 years ago

Nice article, Daroush. I only have one critique - you spelled organizations incorrectly;-)

Daniel Cave

Designing, engineering and delivery of services for PS delivery.

2 years ago

It's a very interesting article and my feeling is that not all customers' use cases amount to the same thing or they have different requirements based on what they believe they need. Using open source tools somewhat limits the capabilities out of the box.
