# BigBang Licensing Model Overview

While BigBang is open source and free to use, the same cannot be said of its components. The licensing requirements of those components require a nuanced explanation. The intent of this document is to be a self-service resource that helps consumers of BigBang make an informed decision about the licenses they may need to successfully deploy an ATO’able DevSecOps Platform using BigBang.

## What Licenses Do I Need for BigBang?
There are two issues that make it difficult to figure out BigBang’s license requirements:
- The modular (and in some cases swappable) componentized nature of BigBang means choices affect license requirements. OS, Kubernetes Distribution, and Application decisions need to be made before license requirements can be sorted out.
- Freemium applications often require a license to unlock features like HA (High Availability), advanced SSO functionality with authn, authz, and audit logging of federated users, or advanced compliance controls like FIPS 140-2 mode, compliance reporting, or audit logs.
## What Components Could Have Licenses?

- OS / CSP (Cloud Service Provider) VM Images
  - RHEL requires a subscription and comes with vendor support.
  - CSPs often offer licensed VM images at additional per-hour cost; these add features like offloading STIG/CIS OS hardening.
  - Several free Linux OS distributions exist, including Ubuntu and free RHEL alternatives like Amazon Linux 2 and others. There are also tools like OpenSCAP, which provides Ansible and bash scripts to automate STIG/CIS benchmark compliance for OS security and help automate DIY hardening of the OS.
- Kubernetes Distributions
  - RedHat OpenShift, VMware TKG, and D2IQ Konvoy each require a license that comes with support and additional features; each offers a 30-90 day trial license.
  - There are free options like kubeadm, k0s, k3s, RKE2, talos-systems, and many other CNCF compliant distributions.
  - k0s, RKE2, and talos-systems are free options with optional paid vendor support.
- BigBang’s Core Applications:
  - Many of the core applications are free open source software.
  - Twistlock is a core component that requires a license.
  - ElasticSearch is a core component that requires a license to unlock additional features, and those features could be considered required in some cases (more on this nuance below).
  - Although BigBang is free, support can be purchased.
- BigBang’s AddOn Applications:
  - Also include a mix of free, freemium, and licensed products.
## Who Purchases the Licenses?

Licensing of products deployable by BigBang is not covered by the BigBang team. As a general rule of thumb, the acquisition of licenses is the responsibility of the end-user’s organization, and product vendors should be contacted for support of their respective products. (PartyBus is an example of an exception to the rule of thumb.)

## Who Decides If a Licensed Feature in a Freemium Application Is a Hard Requirement?
- The Consumer of BigBang, their security team, and their AO (Authorizing official) need to decide if licensed features constitute a hard requirement or if free tier functionality can be considered at lower impact levels or unique use cases.
- In most cases licenses will be required due to Security Controls only being available in the fully licensed version; however, users may be able to hold off on licensed versions for non-ATO’d proof of concept deployments or risk acceptance by an AO for unique scenarios.
- Even if there isn’t a hard requirement for a license (like in the case of a Kubernetes Cluster), consumers of BigBang may still want to consider purchasing licenses or support contracts.
## Table to Help Elaborate on Nuances of Application Licensing

| Package | Purpose | Licenses | Notes about Licensed Features and Support |
|---|---|---|---|
| FluxCD | GitOps (Prerequisite App) | Apache License 2.0 (Free/OSS) | |
| Open Policy Agent Gatekeeper | Policy Enforcement (Core App) | Apache License 2.0 (Free/OSS) | Styra is the original creator of OPA and can offer commercial support. |
| Kyverno | Policy Enforcement (Core App) | Apache License 2.0 (Free/OSS) | Kyverno is a fully open-source product; however, multiple companies provide paid support services for it. |
| Istio Controlplane, Istio Operator, and Kiali | Service Mesh, Operator, and Service Mesh Dashboard (Core App) | Apache License 2.0 (Free/OSS) | Tetrate is an Istio vendor that can offer commercial support. |
| Jaeger | APM (Application Performance Monitoring) / Tracing (Core App) | Apache License 2.0 (Free/OSS) | |
| Prometheus Operator Stack (Prometheus, Grafana, AlertManager, Loki, etc.) | Metrics, Metrics Dashboard, and Alerts (Core App) | GNU Affero General Public License v3.0 | |
| Fluentbit | Log Shipper (Core App) | Apache License 2.0 (Free/OSS) | |
| ECK (Elastic Cloud on Kubernetes) (ElasticSearch and Kibana) | Log Storage and Log Dashboard (Core App) | Elastic License (Freemium) | Enterprise features of note: Kibana SSO, authn, authz, FIPS 140-2 mode, and audit logging require an enterprise tier license. Free tier notes: BigBang’s Authservice/Authentication Proxy could be put in front of Kibana to achieve basic SSO with all-or-nothing access. PartyBus uses licensed ElasticSearch. Licensing: https://www.elastic.co/subscriptions |
| Cluster Auditor | Collects OPA GK events and sends them to ElasticSearch for review (Core App) | Apache License 2.0 (Free/OSS) | |
| Twistlock / Prisma Cloud | Runtime Security, Security Dashboard, Intrusion Prevention (Core App) | Prisma Cloud Compute License (Paid product requiring a license) | A Prisma Cloud license is required for an ATO’d cluster. Consider investigating alternatives. Licenses are sold per node: each Defender on a node uses 7 credits, and credits are purchased in bundles of 100. Licensing: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/welcome/licensing and https://docs.paloaltonetworks.com/prisma/prisma-cloud/20-09/prisma-cloud-compute-edition-admin/install/install_kubernetes.html |
| ArgoCD | GitOps (AddOn App) | Apache License 2.0 (Free/OSS) | |
| Velero | Backup and Recovery of Persistent Volumes (AddOn App) | Apache License 2.0 (Free/OSS) | |
| Keycloak | SSO (Single Sign On) and Federated Authn (AddOn App) | Apache License 2.0 (Free/OSS) | |
| Authservice (and HAProxy) | SSO Authentication Proxy (AddOn App) | Apache License 2.0 & GNU General Public License Version 2 (Free/OSS) | |
| Mattermost, Mattermost Operator | Self Hosted Chat (AddOn App) | Mattermost is comprised of multiple licenses | Enterprise features of note: HA, additional SSO options, Prometheus metrics integration, Elasticsearch integration to optimize searching/indexing, compliance reporting, audit logs, advanced roles and permissions. Free tier notes: a non-HA deployment can quickly auto-heal thanks to Kubernetes, and the free tier can use Gitlab or P1’s Keycloak implementation for federated SSO. (MM plugins don’t need the paid version, but they need a single-node instance or the paid HA for cluster awareness to prevent duplicate triggering of functions.) PartyBus uses the Enterprise E20 licensed version. Licensing: https://mattermost.org/licensing/ and https://mattermost.com/pricing-self-managed/ |
| Minio, Minio Operator | Self Hosted S3 API compatible object storage (AddOn App) | Affero General Public License Version 3 (Free/OSS) | Commercial support is available: https://min.io/pricing |
| Nexus | Generic Artifact Repository (AddOn App) | Nexus Repository OSS: Eclipse Public License v1.0; Nexus Repository Pro: paid licensed product | Enterprise features of note: HA, SAML SSO, auth token support. Free tier notes: a non-HA deployment can quickly auto-heal thanks to Kubernetes; AWS S3 blob storage. https://www.sonatype.com/products/repository-oss-vs-pro-features https://www.sonatype.com/products/pricing |
| Gitlab, Gitlab Runners | Git Repo, Container Registry, and CI/CD Software Factory (AddOn App) | Gitlab Community Edition: MIT Expat license; Gitlab Enterprise Edition: multiple tiers | Premium features of note: release controls, project management. Ultimate features of note: unlimited guest users, advanced security testing (note this functionality comes from container images that may not yet be in IronBank). Free tier notes: the free tier is fine for proofs of concept, but the release controls in the Premium tier contain security controls that would be necessary for a cATO pipeline. PartyBus has multiple instances of Gitlab; most use Premium, a few use Ultimate. PartyBus’s Gitlab pipelines integrate with additional licensed apps: Twistlock, Anchore, Fortify, SD Elements, and others. (This is offered as a data point; it doesn’t mean these are required for a cATO pipeline. The consumer of BigBang’s AO makes that call.) https://about.gitlab.com/pricing/#self-managed https://gitlab.com/gitlab-org/gitlab-foss/-/tree/master#editions |
| SonarQube Community Edition | Static Code Analysis (AddOn App) | SonarQube CE: GNU Lesser GPL License v3 (Community Edition is Free/OSS) | An Enterprise Edition exists, but it is not bundled by BigBang. |
| Anchore Enterprise Edition* | Vulnerability Scanner (AddOn App) | Anchore Enterprise Edition (Paid/Licensed); Anchore Open Source Edition: Apache License 2.0 (Free/OSS) | Licensed features of note: proprietary vulnerability data feeds for increased accuracy, NIST 800-190, Docker CIS compliance, DoD container policy compliance, cATO capable, RBAC, SSO. Free tier notes: BigBang’s values file can be set to deploy the OSS version for proof of concept deployments. PartyBus and other Platform One services use the licensed version. https://docs.anchore.com/3.0/docs/faq/#2 https://anchore.com/pricing/ Licensing: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise/-/blob/main/docs/CHART.md#adding-enterprise-components |
| Vault | Secret management (AddOn App) | Mozilla Public License 2.0 | |
| Metrics Server | Scalable, efficient source of container resource metrics (AddOn App) | Apache License 2.0 | |