Comparing Open-Source Vulnerability Management Platforms

I compared various open-source vulnerability management platforms to decide which one was the best to implement for my organization. The requirements that I used might not accurately reflect yours, but you should still gain an understanding of the differences between the platforms.


Open Source Vulnerability Management Platforms

There are a lot of different vulnerability management platforms out there and most of them are not open-source. These are the open-source platforms I could find.

| Project Name | Project URL |
| --- | --- |
| DefectDojo | https://www.defectdojo.org/ |
| Faraday | https://faradaysec.com/ |
| ArcherySec | https://www.archerysec.com/ |
| VulnWhisperer | https://github.com/HASecuritySolutions/VulnWhisperer |
| PatrOwl | https://patrowl.io/ |
| Mixeway | https://mixeway.io |
| WatchDog | https://github.com/flipkart-incubator/watchdog |
| Jackhammer | https://github.com/olacabs/jackhammer |
| Seccubus | https://www.seccubus.com/ |
| Kvasir | https://github.com/KvasirSecurity/Kvasir |

Screening

To save time and to ensure that I only consider relevant options, I filtered out vulnerability management platforms that are not actively maintained. To determine whether a project is actively maintained, I checked its codebase for recent commits: if the project has received a commit in the last year, I considered it actively maintained.

| Project Name | Actively maintained (received a commit in the last year) |
| --- | --- |
| DefectDojo | Yes |
| Faraday | Yes |
| ArcherySec | Yes |
| VulnWhisperer | Yes |
| PatrOwl | Yes |
| Mixeway | Yes |
| WatchDog | No |
| Jackhammer | No |
| Seccubus | No |
| Kvasir | No |
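The screening rule above (a commit within the last 365 days counts as "actively maintained") is easy to automate against the GitHub commits API. The script below is an added example, not part of the original post; the GitHub repository paths are the ones linked on this page, the `SAMPLE_LAST_COMMITS` dates are constructed for an offline run, and `fetch_last_commit_date` is the only part that needs network access.

```python
"""Screening helper: keep only projects with a commit in the last year."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Repositories named on this page (owner/repo); Seccubus is listed on the page
# only by its website, so its repository path is not included here.
GITHUB_PROJECTS = {
    "DefectDojo": "DefectDojo/django-DefectDojo",
    "Faraday": "infobyte/faraday",
    "ArcherySec": "archerysec/archerysec",
    "VulnWhisperer": "HASecuritySolutions/VulnWhisperer",
    "PatrOwl": "Patrowl/PatrowlManager",
    "Mixeway": "Mixeway/MixewayHub",
    "WatchDog": "flipkart-incubator/watchdog",
    "Jackhammer": "olacabs/jackhammer",
    "Kvasir": "KvasirSecurity/Kvasir",
}


def parse_commit_date(value: str) -> datetime:
    """GitHub returns ISO-8601 timestamps with a trailing 'Z'; make them tz-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def fetch_last_commit_date(repo: str) -> datetime:
    """Newest commit on the default branch via the GitHub API (needs network)."""
    url = f"https://api.github.com/repos/{repo}/commits?per_page=1"
    req = urllib.request.Request(url, headers={"Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        commits = json.load(resp)
    return parse_commit_date(commits[0]["commit"]["committer"]["date"])


def is_actively_maintained(last_commit: datetime, today: datetime, max_age_days: int = 365) -> bool:
    """The post's rule: at least one commit in the last year."""
    return today - last_commit <= timedelta(days=max_age_days)


def screen(last_commits: dict, today: datetime) -> dict:
    """Map project name -> True/False using the one-year rule."""
    return {name: is_actively_maintained(parse_commit_date(d), today) for name, d in last_commits.items()}


# Constructed sample data (not real commit dates) so the rule can be shown offline.
SAMPLE_LAST_COMMITS = {
    "DefectDojo": "2023-05-30T10:00:00Z",
    "PatrOwl": "2022-07-01T09:00:00Z",   # almost a year old: still kept
    "Seccubus": "2021-03-15T12:00:00Z",  # older than a year: filtered out
}
SAMPLE_TODAY = datetime(2023, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(screen(SAMPLE_LAST_COMMITS, SAMPLE_TODAY))
```

To screen the live repositories, replace the sample dictionary with `{name: fetch_last_commit_date(repo).isoformat() for name, repo in GITHUB_PROJECTS.items()}` and pass the current UTC time as `today`.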

Collecting Data

Now it's time for some investigation. For each remaining platform, I checked whether it meets the nine requirements listed below.

Requirements

  1. Login via SSO (Azure Active Directory)
  2. RBAC – access to projects based on role/team
  3. Import vulnerabilities from various scanners.
  4. Integration with Jira.
  5. Ability to triage vulnerabilities
  6. Export a report of findings.
  7. Ability to add comments or notes to vulnerabilities
  8. Support for Service Level Agreements
  9. Has an API

Defect Dojo

Defect Dojo has been actively maintained since mid 2016. Furthermore, it offers good developer support with multiple installation and deployment methods. Also, the platform's documentation is comprehensive; all API endpoints are documented, most features are documented and there is documentation on how to install DefectDojo. Overall, Defect Dojo is a mature and feature-rich platform.

It's worth noting that DefectDojo also has a paid subscription plan for a SaaS version, which includes additional features such as consultant mode, dark mode, an enhanced dashboard, a license manager, a messenger, smart upload and a version manager. These features are not included in the open-source version, but they are enhancements rather than critical functionality.

https://github.com/DefectDojo/django-DefectDojo

| Requirement | Meets Requirement | Comment |
| --- | --- | --- |
| 1. Login using SSO | | https://documentation.defectdojo.com/integrations/social-authentication |
| 2. RBAC | | https://documentation.defectdojo.com/usage/permissions/ |
| 3. Import from scanners | | https://documentation.defectdojo.com/integrations/parsers/ |
| 4. Integration with Jira | | https://documentation.defectdojo.com/integrations/jira/ |
| 5. Triaging of vulnerabilities | | https://documentation.defectdojo.com/usage/features/#risk-acceptance |
| 6. Export findings | | https://documentation.defectdojo.com/integrations/exporting/ |
| 7. Add comments to vulnerabilities | | - |
| 8. Supports SLA | | https://documentation.defectdojo.com/usage/features/#service-level-agreement-sla |
| 9. Has API | | https://documentation.defectdojo.com/integrations/api-v2-docs/ |

Faraday

Faraday is, judging by the GitHub stars, the most popular vulnerability management platform. Its open-source version (community edition) doesn't seem to be tailored towards a business use case: it only allows one user account to be created and does not allow login with SSO, so the community edition doesn't seem to be a valid enterprise solution. The project is written in Python and is actively maintained. The documentation is also excellent: they provide several guides on how to install Faraday on different servers and clearly explain how to use the features, with multiple blogs and guides on several topics.

https://github.com/infobyte/faraday

| Requirement | Meets Requirement | Comment |
| --- | --- | --- |
| 1. Login using SSO | | Not in community edition |
| 2. RBAC | | Not in community edition |
| 3. Import from scanners | | https://docs.faradaysec.com/Plugin-List-v4/ |
| 4. Integration with Jira | | Not in community edition |
| 5. Triaging of vulnerabilities | | https://docs.faradaysec.com/CSV-Exporter/ |
| 6. Export findings | | https://docs.faradaysec.com/Comments/ |
| 7. Add comments to vulnerabilities | | - |
| 8. Supports SLA | | - |
| 9. Has API | | https://docs.faradaysec.com/API-Server/ |

ArcherySec

ArcherySec is mostly built by one person, who is still maintaining it. The fact that it's built by one person really shows in the missing features and the lack of documentation. There is barely any documentation, yet the community seems to love the project, since it has around 2k GitHub stars. ArcherySec seems to have real potential, but I don't find it suitable for an enterprise environment, because it's missing SSO and integration with Jira.

https://github.com/archerysec/archerysec

| Requirement | Meets Requirement | Comment |
| --- | --- | --- |
| 1. Login using SSO | | - |
| 2. RBAC | | Only roles, no teams |
| 3. Import from scanners | | https://github.com/archerysec/archerysec/issues/16 |
| 4. Integration with Jira | | - |
| 5. Triaging of vulnerabilities | | - |
| 6. Export findings | | - |
| 7. Add comments to vulnerabilities | | - |
| 8. Supports SLA | | - |
| 9. Has API | | https://developers.archerysec.com/ |

VulnWhisperer

The interesting thing about VulnWhisperer is that it integrates with Elasticsearch, a search engine technology of the kind used to build search engines like Google. Even though the last commit on this project was quite recent, no new features have been developed since April 2019. There is also very little documentation, which makes it difficult to work with.

https://github.com/HASecuritySolutions/VulnWhisperer

| Requirement | Meets Requirement | Comment |
| --- | --- | --- |
| 1. Login using SSO | | - |
| 2. RBAC | | - |
| 3. Import from scanners | | Very limited - https://github.com/HASecuritySolutions/VulnWhisperer#vulnerability-frameworks |
| 4. Integration with Jira | | https://github.com/HASecuritySolutions/VulnWhisperer/wiki/Atlassian-Jira-Module |
| 5. Triaging of vulnerabilities | | - |
| 6. Export findings | | - |
| 7. Add comments to vulnerabilities | | - |
| 8. Supports SLA | | - |
| 9. Has API | | - |

PatrOwl

PatrOwl has an open-source version and a paid version with more features. The documentation is very poor: it only covers installation, and it is very hard to find in the first place. Furthermore, the project hasn't been maintained for almost a year.

https://github.com/Patrowl/PatrowlManager

| Requirement | Meets Requirement | Comment |
| --- | --- | --- |
| 1. Login using SSO | | Not in open-source version |
| 2. RBAC | | Not in open-source version |
| 3. Import from scanners | | Very limited |
| 4. Integration with Jira | | - |
| 5. Triaging of vulnerabilities | | - |
| 6. Export findings | | - |
| 7. Add comments to vulnerabilities | | - |
| 8. Supports SLA | | - |
| 9. Has API | | https://github.com/Patrowl/PatrowlDocs/tree/master/api |

Mixeway

Mixeway is a relatively unknown project with fewer than 100 GitHub stars. For such a small project it supports quite a few features. It is one of the only projects that isn't written in Python; it's written in TypeScript and Java. The project is missing the necessary documentation.

https://github.com/Mixeway/MixewayHub

| Requirement | Meets Requirement | Comment |
| --- | --- | --- |
| 1. Login using SSO | | - |
| 2. RBAC | | Only roles, no teams |
| 3. Import from scanners | | Very limited - https://mixeway.github.io/mixeway-info/integrations/ |
| 4. Integration with Jira | | - |
| 5. Triaging of vulnerabilities | | - |
| 6. Export findings | | - |
| 7. Add comments to vulnerabilities | | - |
| 8. Supports SLA | | - |
| 9. Has API | | https://mixeway.github.io/rest-api/ |

Comparing

The following table shows an overview of the requirements per vulnerability management platform.

| Platform | #1 SSO | #2 RBAC | #3 Import | #4 Jira | #5 Triaging | #6 Exports | #7 Comments | #8 SLA | #9 API | Clear documentation | GitHub Stars |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Defect Dojo | | | | | | | | | | | 2.6k |
| FaraDay | | | | | | | | | | | 3.7k |
| ArcherySec ⚠️⚠️ | | | | | | | | | | | 2.0k |
| VulnWhisperer ⚠️⚠️ | | | | | | | | | | | 1.3k |
| PatrOwl ⚠️⚠️ | | | | | | | | | | | 0.5k |
| Mixeway ⚠️⚠️ | | | | | | | | | | | 0.1k |

My opinion

After carefully reviewing the options, I find DefectDojo to be the best open-source vulnerability management platform. It is the only open-source platform that meets all the requirements and the only project that fully supports login via SSO, SLAs and RBAC. SSO in particular is noteworthy, because that feature is usually reserved for the paid tier, since it is mainly used by large corporations (who have the money to pay for it). DefectDojo has 2.6k GitHub stars, indicating that it is well regarded by the community. Furthermore, the fact that it is an OWASP project provides confidence in its long-term reliability. DefectDojo also offers a user-friendly developer experience, with multiple deployment and installation options and comprehensive documentation.