Open-source security spat leads companies to join forces for new tool – CyberScoop
A mix of open-source developers and application security companies has been drawn into a dispute over a recent change in the licensing policy of a widely used static code analysis tool, and a faction of those organizations has responded by creating a new, open-source rival.
The issue started with a recent change in the licensing policy of Semgrep, a popular static application security testing (SAST) tool. SAST tooling examines source code without executing it, while the code is still being written, helping developers spot mistakes that could lead to security issues before the software goes live. Semgrep’s open-source version grew in popularity since its inception in 2017, partly because users can write and run custom rules that look like the code they are meant to match. That lowers the barrier to writing rules and makes it easier for people to learn how to spot security flaws in code.
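To make concrete what “rules that look like the code they match” means, here is an added example that is not part of the article and is not Semgrep’s or Opengrep’s own code. It is a small Python matcher that takes a code-shaped pattern containing `$METAVARIABLES`, parses both the pattern and the target into ASTs, and reports structural matches with the metavariable bindings. The rule IDs, rule strings and the target snippet are constructed for illustration only; real Semgrep rules are written in YAML and the real engine handles much more (the `...` operator, taint tracking, many languages).

```python
import ast
import re

# A metavariable is written `$NAME` in a rule, as in Semgrep-style patterns.
METAVAR = re.compile(r"\$([A-Z_][A-Z0-9_]*)")
MV_PREFIX = "__MV_"  # placeholder prefix, because `$` is not valid Python

# Constructed rules: pattern strings are ordinary Python with metavariables.
# Rule IDs and patterns are assumptions for this example, not a real ruleset.
RULES = {
    "subprocess-shell-true": "subprocess.call($CMD, shell=True)",
    "os-system": "os.system($CMD)",
}

# Constructed target code (not from any real project).
TARGET = """
import os
import subprocess

def run(user_input):
    subprocess.call("ls " + user_input, shell=True)   # should match
    subprocess.call(["ls", user_input])               # no shell=True, no match
    os.system("echo " + user_input)                   # should match
"""


def parse_pattern(pattern):
    """Parse a code-like pattern into an expression AST.

    `$X` is rewritten to the placeholder name `__MV_X` so the pattern is
    valid Python; the matcher treats such names as metavariables.
    """
    src = METAVAR.sub(lambda m: MV_PREFIX + m.group(1), pattern)
    return ast.parse(src, mode="eval").body


def match(pat, node, env):
    """Structurally match pattern AST `pat` against target `node`.

    Metavariables bind to whole subtrees; a metavariable seen twice must
    bind to identical subtrees. Bindings are recorded in `env`.
    """
    if isinstance(pat, ast.Name) and pat.id.startswith(MV_PREFIX):
        name = pat.id[len(MV_PREFIX):]
        if name in env:
            return ast.dump(env[name]) == ast.dump(node)
        env[name] = node
        return True
    if type(pat) is not type(node):
        return False
    if not isinstance(pat, ast.AST):
        return pat == node  # identifiers, constants, None
    for field in pat._fields:  # _fields excludes lineno/col_offset
        p, n = getattr(pat, field), getattr(node, field)
        if isinstance(p, list):
            if not isinstance(n, list) or len(p) != len(n):
                return False
            if not all(match(pi, ni, env) for pi, ni in zip(p, n)):
                return False
        elif not match(p, n, env):
            return False
    return True


def scan(source, rules=RULES):
    """Run every rule over `source`; return (rule_id, line, bindings) tuples."""
    tree = ast.parse(source)
    findings = []
    for rule_id, pattern in rules.items():
        pat = parse_pattern(pattern)
        for node in ast.walk(tree):
            env = {}
            if match(pat, node, env):
                bindings = {k: ast.unparse(v) for k, v in env.items()}
                findings.append((rule_id, node.lineno, bindings))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for rule_id, line, bindings in scan(TARGET):
        print(f"line {line}: {rule_id} {bindings}")
```

The point of the exercise is the shape of the rule: an analyst who can write `subprocess.call($CMD, shell=True)` can write a rule without learning a separate query language, which is the property the article credits for Semgrep’s popularity. The matcher here requires exact argument lists, so `subprocess.call(["ls", user_input])` is correctly skipped because it has no `shell=True` keyword.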
In December, the San Francisco-based company changed the licensing terms for the tool, restricting the use of community-contributed rules; the company’s CEO said the change was made to keep rival Software-as-a-Service (SaaS) platforms from using Semgrep in their own services. Although the core engine remains free, the shift has stoked discontent among users who had been drawn to the tool partly because of its original open-source ethos.
Over the following weeks, users complained about the new licensing terms, saying they make it harder for community-created improvements to be shared freely. That led a consortium of more than 10 security firms, including U.S.-based Endor Labs, Israeli firm Mobb and U.K.-headquartered Amplify Security, to launch Opengrep, a fork of Semgrep that the companies say will preserve the open-source principles the original tool was founded on.
“We believe that discovering security issues must remain accessible to all,” the website reads. “Opengrep will empower every developer with open and transparent SAST, making secure software development a shared standard.”
The security firms say they will commit significant effort and resources to making Opengrep succeed, with dedicated teams for development, testing and deployment. They also plan regular reviews of community contributions to keep the project on track and maintain quality.
“It’s rare to see competitors in the security space unite behind a single cause. The fact that Endor Labs, Aikido Security, Arnica, Amplify, Jit, Kodem, Legit Security, Mobb, Orca Security, and others — have come together to support Opengrep is a special moment indeed,” Varun Badhwar, CEO of Endor Labs, wrote in a blog post. “And we should address the elephant in the room — we all benefit from a standardized, open source SAST engine, and we all contribute community rules and improvements for it. But that is exactly the point. The promise of Opengrep means that developers and application security teams will get a better baseline product, no matter who their AppSec vendor of choice is.”
Opengrep’s backers contend that the tool will improve on Semgrep by remaining entirely open source, relying on the community for its development, and eventually moving to a foundation or nonprofit to ensure its long-term stability. The group also says that users will have unrestricted access to all scanning features and that the tool will remain compatible with existing workflows and outputs.
Semgrep’s parent company did not return CyberScoop’s request for comment.
The post Open-source security spat leads companies to join forces for new tool appeared first on CyberScoop.