would like to create this debate to solve some of my doubts. I implemented Zabbix in the company where I work and when I presented the projects many did not take it seriously as it is a system that does not pay for itself. How can I convince them that Zabbix is a free tool and poses no risk?
Zabbix Open Source
If the main concern is that there is no money involved in Zabbix usage - you can always offer your company management to buy a support contract. This way an open source solution that makes no money for its creators becomes software that brings profit. Problem solved?
Jokes aside, what is exactly their complaint here? That it's opensource?
In that case, does your company also not use any Linux distro? Do they also view all Linux distros as unsafe software?
That it's 'free'?
Well yes, you can use Zabbix free of charge, but to use more advanced features you do need to pay in one of the following ways:
1. Lots of man-hours for in-office IT personnel to learn how to set up/configure/fine-tune what you want (and most likely to deal with follow-up mistakes due to misunderstanding how certain features work and what exactly the logic under the hood is)
2. Hire extra personnel who are familiar with system and can set it up for you
3. Pay for support contract
That it's unsafe?
Well you have access to source code. They are free to study it?
Also, any software poses risks in one form or another. Extra ports are open, extra vulnerabilities introduced into the environment, extra precautions to plan. In our case, you set up the Zabbix system, and we don't know how you are handling the security setup.
If the solution is already implemented, it would make sense to set up the most common issue scenarios and showcase how they are handled in your setup. If management has doubts about some specific feature they want - prepare a demonstration of said features with an explanation of the handling logic and mechanisms available, etc.
So pretty much a common tactic of securing a sale of a product: showcase benefits, present capabilities, challenge objections.
Well, it once again depends on the configuration you do for agents. And most security features are controlled by the configuration file on the end machine, not on the Server side (which can be mentioned to the management/server-owners).
If they are still highly suspicious, practical testing can be done in a controlled lab environment. Set up a machine with logged network connections - set SELinux to permissive mode - install Zabbix agent - now you can see both network connections made from the machine in the network log and internal operation in the audit log of SELinux. (And the source code is still available for study.)
Also, alternative ways of data collection exist outside of Zabbix Agent. If server owners are highly against Zabbix Agent, they can just enable SNMP and most metrics can be collected as SNMP requests from the Zabbix server to the monitored entity (and often enough it will be the main collection method; network equipment is a good example where you mostly rely on SNMP).
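The point above, that most agent security is decided by the configuration file on the monitored machine, can be checked mechanically. The following is an added example, not part of the original posts or of Zabbix itself: the parameter names are real zabbix_agentd.conf settings, while both configurations, the server address and the PSK identity and path are constructed.

```python
# Added example (not Zabbix project code): flag agent-side settings in
# zabbix_agentd.conf that widen what a server can reach or do on the host.
# Both configurations below are constructed samples.
WEAK_CONF = """\
Server=0.0.0.0/0
AllowRoot=1
UnsafeUserParameters=1
AllowKey=system.run[*]
"""

HARDENED_CONF = """\
Server=192.0.2.10
DenyKey=system.run[*]
TLSConnect=psk
TLSAccept=psk
TLSPSKIdentity=agent-lab-01
TLSPSKFile=/etc/zabbix/agent.psk
"""

def parse_conf(text):
    """Return (key, value) pairs in file order; AllowKey/DenyKey may repeat."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            pairs.append((key.strip(), value.strip()))
    return pairs

def audit(text):
    """Return a list of finding strings for one agent configuration."""
    pairs = parse_conf(text)
    conf = dict(pairs)  # single-valued keys: last occurrence wins
    findings = []
    servers = [s.strip() for s in conf.get("Server", "").split(",")]
    if "0.0.0.0/0" in servers or "::/0" in servers:
        findings.append("Server: passive checks accepted from any address")
    if conf.get("AllowRoot", "0") == "1":
        findings.append("AllowRoot: agent is allowed to run as root")
    if conf.get("UnsafeUserParameters", "0") == "1":
        findings.append("UnsafeUserParameters: all characters allowed in arguments")
    allow = [v for k, v in pairs if k == "AllowKey"]
    if conf.get("EnableRemoteCommands") == "1" or any(v.startswith("system.run") for v in allow):
        findings.append("system.run: server can execute commands on this host")
    accepted = [v.strip() for v in conf.get("TLSAccept", "unencrypted").split(",")]
    if "unencrypted" in accepted:
        findings.append("TLSAccept: unencrypted connections accepted")
    return findings
```

Running `audit()` over the agent configuration of each monitored host gives server owners a concrete list to review instead of a general assurance.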
Hi there.
I believe there's a cultural problem with your superiors called "fear of the unknown".
Zabbix, and many other open-source software, are backed up by a serious company and a strong community, working for a better, improved, and safe tool.
I believe that if you can make a little presentation of Zabbix, simply using the contents on zabbix.com, it should be enough to educate them and change their minds.
If they're still not convinced, you can show the link above, with some of the major companies that use Zabbix as their monitoring tool.
As Splitek said, the fact that it is open source is another guarantee that they can take a look at the code for themselves to see if it's secure enough for them.
Sometimes to convince the Big Guys, it's not all about tech stuff.
If they really want to get to know it better, I reinforce ISiroshtan's suggestion for them to check the support contract.
Cheers.