- Published on
Comparing Open-Source Vulnerability Management Platforms
I compared various open-source vulnerability management platforms to decide which one was the best to implement for my organization. The requirements that I used might not accurately reflect yours, but you should still gain an understanding of the differences between the platforms.
Open Source Vulnerability Management Platforms
There are a lot of different vulnerability management platforms out there and most of them are not open-source. These are the open-source platforms I could find.
| Project Name | Project URL |
|---|---|
| DefectDojo | https://www.defectdojo.org/ |
| Faraday | https://faradaysec.com/ |
| ArcherySec | https://www.archerysec.com/ |
| VulnWhisperer | https://github.com/HASecuritySolutions/VulnWhisperer |
| PatrOwl | https://patrowl.io/ |
| Mixeway | https://mixeway.io |
| WatchDog | https://github.com/flipkart-incubator/watchdog |
| Jackhammer | https://github.com/olacabs/jackhammer |
| Seccubus | https://www.seccubus.com/ |
| Kvasir | https://github.com/KvasirSecurity/Kvasir |
Screening
To save time and to ensure that I only consider relevant options, I will filter out vulnerability management platforms that are not actively maintained. To determine if a project is actively maintained, I checked the codebase for recent commits. If the project has received a commit in the last year, I considered 'actively maintained'.
| Project Name | Actively maintained (received a commit in the last year) |
|---|---|
| DefectDojo | ✅ |
| Faraday | ✅ |
| ArcherySec | ✅ |
| VulnWhisperer | ✅ |
| PatrOwl | ✅ |
| Mixeway | ✅ |
| WatchDog | ❌ |
| Jackhammer | ❌ |
| Seccubus | ❌ |
| Kvasir | ❌ |
Collecting Data
Now it's time for some investigation. For each platform, I checked if they meet the 9 requirements that I listed below.
Requirements
- Login via SSO (Azure Active Directory)
- RBAC – access to projects based on role/team
- Import vulnerabilities from various scanners.
- Integration with Jira.
- Ability to triage vulnerabilities
- Export a report of findings.
- Ability to add comments or notes to vulnerabilities
- Support for Service Level Agreements
- Has an API
Defect Dojo
Defect Dojo has been actively maintained since mid 2016. Furthermore, it offers good developer support with multiple installation and deployment methods. Also, the platform's documentation is comprehensive; all API endpoints are documented, most features are documented and there is documentation on how to install DefectDojo. Overall, Defect Dojo is a mature and feature-rich platform.
It's worthy to note that DefectDojo also has a paid subscription plan for a SaaS version, which includes additional features such as consultant mode, dark mode, enhanced dashboard, license manager, messenger, smart upload, version manager. These features are not included in the open-source version, but they are enhancements, so they are not critical.
| Requirement | Meets Requirement | Comment |
|---|---|---|
| 1. Login using SSO | ✅ | https://documentation.defectdojo.com/integrations/social-authentication |
| 2. RBAC | ✅ | https://documentation.defectdojo.com/usage/permissions/ |
| 3. Import from scanners | ✅ | https://documentation.defectdojo.com/integrations/parsers/ |
| 4. Integration with Jira | ✅ | https://documentation.defectdojo.com/integrations/jira/ |
| 5. Triaging of vulnerabilities | ✅ | https://documentation.defectdojo.com/usage/features/#risk-acceptance |
| 6. Export findings | ✅ | https://documentation.defectdojo.com/integrations/exporting/ |
| 7. Add comments to vulnerabilities | ✅ | - |
| 8. Supports SLA | ✅ | https://documentation.defectdojo.com/usage/features/#service-level-agreement-sla |
| 9. Has API | ✅ | https://documentation.defectdojo.com/integrations/api-v2-docs/ |
Faraday
Faraday is a vulnerability management platform that is – judging by the GitHub stars – the most popular one. It has an open-source version (community edition) that doesn’t seem to be tailored towards a business use-case since they only allow for one user account to be created and they don’t allow login with SSO, therefore the community edition doesn’t seem to be a valid enterprise solution. The project is written in python and is actively maintained. The documentation is also excellent. They provide several guides on how to install Faraday on different servers and clearly explain how to use the features, with multiple blogs and guides on several topics.
| Requirement | Meets Requirement | Comment |
|---|---|---|
| 1. Login using SSO | ❌ | Not in community edition |
| 2. RBAC | ❌ | Not in community edition |
| 3. Import from scanners | ✅ | https://docs.faradaysec.com/Plugin-List-v4/ |
| 4. Integration with Jira | ❌ | Not in community edition |
| 5. Triaging of vulnerabilities | ✅ | https://docs.faradaysec.com/CSV-Exporter/ |
| 6. Export findings | ✅ | https://docs.faradaysec.com/Comments/ |
| 7. Add comments to vulnerabilities | ✅ | - |
| 8. Supports SLA | ❌ | - |
| 9. Has API | ✅ | https://docs.faradaysec.com/API-Server/ |
ArcherySec
ArcherySec is mostly built by one person, who is still maintaining it. The fact that it’s built by one person really shows in the missing features and lack of documentation. There is barely any documentation, but the community seems to love the project, because it has around 2k GitHub stars. It seems that ArcherySec really has potential, but I don’t find it suitable for an enterprise environment, because it’s missing SSO and integration with Jira.
| Requirement | Meets Requirement | Comment |
|---|---|---|
| 1. Login using SSO | ❌ | - |
| 2. RBAC | ❌ | Only roles, no teams |
| 3. Import from scanners | ✅ | https://github.com/archerysec/archerysec/issues/16 |
| 4. Integration with Jira | ❌ | - |
| 5. Triaging of vulnerabilities | ❌ | - |
| 6. Export findings | ✅ | - |
| 7. Add comments to vulnerabilities | ✅ | - |
| 8. Supports SLA | ❌ | - |
| 9. Has API | ✅ | https://developers.archerysec.com/ |
VulnWhisperer
The interesting thing about VulnWhisperer is that it integrates with Elastic Search. This is a technology that can be used to create search engines like Google. Even though the last commit on this project was quite recent, there have been no new features developed since April 2019. There is also very little documentation, which makes it difficult to work with.
| Requirement | Meets Requirement | Comment |
|---|---|---|
| 1. Login using SSO | ❌ | - |
| 2. RBAC | ❌ | - |
| 3. Import from scanners | ✅ | Very limited - https://github.com/HASecuritySolutions/VulnWhisperer#vulnerability-frameworks |
| 4. Integration with Jira | ✅ | https://github.com/HASecuritySolutions/VulnWhisperer/wiki/Atlassian-Jira-Module |
| 5. Triaging of vulnerabilities | ❌ | - |
| 6. Export findings | ❌ | - |
| 7. Add comments to vulnerabilities | ❌ | - |
| 8. Supports SLA | ❌ | - |
| 9. Has API | ❌ | - |
PatrOwl
PatrOwl has an open-source version and a paid version with more features. The documentation is very poor, they only provide information about installing and it’s very hard to find it in the first place. Furthermore, the project hasn’t been maintained for almost a year.
| Requirement | Meets Requirement | Comment |
|---|---|---|
| 1. Login using SSO | ❌ | Not in open-source version |
| 2. RBAC | ❌ | Not in open-source version |
| 3. Import from scanners | ✅ | Very limited |
| 4. Integration with Jira | ❌ | - |
| 5. Triaging of vulnerabilities | ❌ | - |
| 6. Export findings | ✅ | - |
| 7. Add comments to vulnerabilities | ❌ | - |
| 8. Supports SLA | ❌ | - |
| 9. Has API | ✅ | https://github.com/Patrowl/PatrowlDocs/tree/master/api |
Mixeway
Mixeway is a relatively unknown project, it has less than 100 GitHub Stars. For how small the project is they support quite some features. This is one of the only projects that isn’t written in python. It’s written in Typescript and Java. This project is missing the necessary documentation.
| Requirement | Meets Requirement | Comment |
|---|---|---|
| 1. Login using SSO | ❌ | - |
| 2. RBAC | ❌ | Only roles, no teams |
| 3. Import from scanners | ✅ | Very limited - https://mixeway.github.io/mixeway-info/integrations/) |
| 4. Integration with Jira | ✅ | - |
| 5. Triaging of vulnerabilities | ✅ | - |
| 6. Export findings | ✅ | - |
| 7. Add comments to vulnerabilities | ❌ | - |
| 8. Supports SLA | ❌ | - |
| 9. Has API | ✅ | https://mixeway.github.io/rest-api/ |
Comparing
The following table shows an overview of the requirements per vulnerability management platform.
| Platform | #1 SSO | #2 RBAC | #3 Import | #4 Jira | #5 Triaging | #6 Exports | #7 comments | #8 SLA | #9 API | Clear documentation | GitHub Stars |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Defect Dojo | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | 2.6k |
| FaraDay | ❌ | ❌ | ✅ | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ | 3.7k |
| ArcherySec | ❌ | ⚠️ | ✅ | ❌ | ❌ | ✅ | ✅ | ❌ | ✅ | ⚠️ | 2.0k |
| VulnWhisperer | ❌ | ❌ | ⚠️ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ⚠️ | 1.3k |
| PatrOwl | ❌ | ❌ | ⚠️ | ❌ | ❌ | ⚠️ | ❌ | ❌ | ✅ | ❌ | 0.5k |
| Mixeway | ❌ | ⚠️ | ⚠️ | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | ❌ | 0.1k |
My opinion
After carefully reviewing the options, I find DefectDojo is the best open-source vulnerability management platform. It is the only open-source platform that meets all the requirements and it's the only project that fully supports login via SSO, SLAs and RBAC. Especially the SSO is noteworthy because that feature is most of the times reserved for the paid tier, since it will be used by big corporates (who have money to pay for it). DefectDojo has 2.6k GitHub stars, indicating that it is well-regarded by the community. Furthermore, the fact that it is an OWASP project provides confidence in its long-term reliability. DefectDojo also offers a user-friendly developer experience with multiple deployment and installation options and comprehensive documentation.