DACI Decision


Status
ImpactThis decision affects the level of security protection built into the application code developed and deployed by the Lab Booster team.
DriverKRONTIRAS-ext, Pavlos 
ApproverKRONTIRAS-ext, Pavlos 
ContributorsWho is directly impacted and must be consulted?
InformedWho should be informed of this decision?
Due date
OutcomeWhat did you decide?



Tips and info

Contributor? Add your recommendation and reasoning here.


Contributors: I am seeking the right people to get involved in the decision. Add your comments to this page, let's get the conversation started.

Please add:

  • The people directly impacted by this so we can include them.
  • Any references to previous work and investigations that we can leverage.
  • Any constraints and challenges we need to consider to make this decision and following action plan.



Here's an example you can use as a guide.

Decision characteristics
  • The decision will have a material impact on the customer experience OR
  • will significantly impact the roadmap OR
  • will adversely disrupt an internal business process.

  • The decision will involve a less than material change to customer experience OR
  • will impact the roadmap OR
  • will impact an existing internal business process

  • All other decisions





Background

The application code developed for Lab Booster (DataLab) includes 3rd party libraries that are widely used in the industry but may still include vulnerabilities. Also the business logic within the code along with the application design may itself create vulnerabilities that could expose the Syensqo systems and data to potential bad actors. Including security tools as part of the application code build, and the development practice itself can significantly reduce this risk.

Current state

No standardized security tools are used.

Data for decision support

What data or research will help make this decision?

Options considered

 


Option 1: Do nothingOption 2: AikidoOption 3: SnykOption 4: SonarQubeOption 5: HCL AppScan

Description



https://www.aikido.dev/

https://snyk.io/https://www.sonarsource.com/https://www.hcl-software.com/appscan

Rollout plan







Pros and cons

(plus) No change, BAU

(minus) Code quality remains questionable

(minus) Security vulnerabilities can continue to be added to the application

(minus) Additional effort spent on debugging problems that might have otherwise been caught during the build/scanning of the code

(minus) Potential disruption to service if Security team blocks application due to security risks

(plus) Developer-first tool
(plus) Multiple integrations with IDEs and Ci/CD tools
(plus) Real-time scanning during development
(plus) Context-aware, AI-powered analysis, reduces false positives
(plus) Easy to setup/deploy
(plus) Focus on cloud-native security, especially microservices architectures.

(plus)

(minus) Young company (2yo)., not enough track record
(minus) SaaS only
(minus) AI reduces false positives but accuracy is unknown
(minus) SAST only, no DAST capability

(minus)

(plus) Scans code, library dependencies, containers, and IaC.
(plus) Integration with IDEs and CI/CD tools.
(plus) Strong open-source vulnerability detection
(plus) Regular updates to address the latest vulnerabilities

(plus)

(minus) SaaS only

(minus) Can be expensive

(minus) Complex setup and confusing UI/UX

(minus) Difficult customization

(minus)

(plus) Support for multiple programming languages

(plus) Integration with popular CI/CD tools

(plus) Ease of use & deployment

(plus) Detailed reports

(plus) Plugin can scan code in real time during development

(plus) Customizable rules

(plus) Comprehensive service with code quality + security analysis

(plus) SaaS and on-prem self-managed

(minus) Can be difficult to integrate

(minus) Not very user friendly UI

(minus) Only static analysis

(minus) Learning curve can be steep

(minus) Can be resource intensive for scans of large projects

(minus) SAST only, no DAST

(minus)

(plus) Combines static, dynamic, and interactive security testing
(plus) Detailed reporting
(plus) Supports frameworks like OWASP, GDPR, and PCI-DSS
(plus) Feature-rich and stable (has been on market for many years)

(plus)

(minus) Multiple different modules, choosing the right one can be confusing
(minus) Steep learning curve and high maintenance
(minus) Expensive
(minus) Complex CI/CD integration
(minus) Outdated UX/UI

(minus)

Risks



New product and community knowledge/skills/support may be limited

AI classification may not be very accurate


May not address all use casesHigh cost and complexity to maintain

Estimated cost and effort



From € 299/mo for 10 users

https://www.aikido.dev/pricing

$25 per dev/product/month (minimum 5 devs / $1,375 annually)

https://snyk.io/start/team/

Limited functionality for free

Developer license $160/year

https://www.sonarsource.com/plans-and-pricing/

On demand, not publicly shared


FAQ

Q1.

A1.


References



RelevanceLink
Why is this relevant? Add a link 











Follow-up action items

  • Type your task here. Use "@" to assign a user and "//" to select a due date.


Learn more: https://www.atlassian.com/team-playbook/plays/daci

Copyright © 2016 Atlassian

Creative Commons License
This work is licensed under a Creative Commons Attribution-Non Commercial-Share Alike 4.0 International License.