Penetration Testing mailing list archives

Re: Nessus - open or closed source?


From: Javier Fernandez-Sanguino <jfernandez () germinus com>
Date: Tue, 08 Nov 2005 12:08:00 +0100

Justin.Ross () signalsolutionsinc com wrote:
I'm not going to defend Tenable or Nessus, but to call that statement "nonsense" is inaccurate in light of DoD Instruction 8500.2, Information Assurance (IA) Implementation, dated February 6, 2003. "Binary or machine executable public domain software products and other software products with limited or no warranty such as those commonly known as freeware or shareware are not used in DoD information systems unless they are necessary for mission accomplishment and there are no alternative IT solutions available. Such products are assessed for information assurance impacts, and approved for use by the DAA. The assessment addresses the fact that such software products are difficult or impossible to review, repair, or extend, given that the Government does not have access to the original source code and there is no owner who could make such repairs on behalf of the Government."

I'm really surprised that this would apply to Nessus. Note that "public domain" / "freeware" / "shareware" is _not_ free software / open source: for one, access to the source code is available. So that makes that statement not apply (it _is_ possible to "review, repair, or extend," as the government _does_ have access to the "original source code").

Also, the fact that there is a company that can provide support for that software (i.e. Tenable or any other willing to provide Nessus support) means that there _is_ an owner that can make such repairs on behalf of the government.

That's the instruction right there. Do certain government agencies use Nessus? Perhaps. Would a DAA (designated approval authority) in any location be justified in removing it? Yes, absolutely. Are there alternative IT solutions to Nessus which are not open source? Yes.
(...)

IMHO the application of that instruction to OSS is quite outright false. Maybe people have done that for political reasons, maybe other vendors have pushed the (wrong) view that it applies to OSS. It mentions other types of software and _not_ FLOSS. People that apply it to OSS should be hit with a clue bat and directed at
http://en.wikipedia.org/wiki/Open-source_software
http://en.wikipedia.org/wiki/Shareware
http://en.wikipedia.org/wiki/Freeware

Which are all, surprisingly, different and easily distinguished.

While I can't go into any details I can say I have seen Nessus not get chosen because of this requirement. If we are talking small government agencies, like city/state... yeah, well, big deal. I've never witnessed a state or local government agency willing to spend millions of dollars on a vulnerability scanner; you can be sure the feds have spent a fortune on vuln scanner licenses, and that Nessus has missed out on most of it.


That's a pity, because it certainly does not look like the requirement applies to open source software and, even, Nessus. I'm most certain that some unethical vendors have used the above to push their products and people who don't understand the differences between open source, freeware, shareware or whatnot have fallen for it.

Even so, Tenable had the perfect right to dual-license Nessus for those that wanted another license. Just like MySQL AB did. However, curiously enough, the fact that they are turning over to a closed source (but "free") license makes their new version fail that requirement immediately. Even without seeing the license I believe it will be labeled as "no warranties, freeware, no source code available" software (and I'm positive competitive vendors will push this idea too). Eventually, this will mean that they will have to produce a different ("with warranties?") license for the government agency and/or open up their source code to those agencies. Why they haven't dual-licensed Nessus before eludes me.

I personally don't understand why Newt and Nessus can't be separate; nor why Nessus has to go closed source. Isn't that what newt was for?

No, Newt was the Windows-only closed source port of Nessus. I'm not sure how successful it has been in penetrating (no pun intended :-) the US, a market full of competition (ISS's Internet Scanner and eEye's Retina, to name a few). As for why Nessus closes its source, IMHO the reason is simple: they don't believe in the open source model anymore, as they expected more from it and they think that the OSS model hurts them (= they don't get the customers they expected to). That's what some people from Tenable have said in the Nessus public mailing lists.

Regardless, I wouldn't say that comment was "nonsense"; in some circles (DOD) it makes perfect cents... and dollars...

Yes, large budgets available at government agencies tend to make people (i.e. software vendors) unethical. This does not only apply to the US, but probably the dollar expenditure on security-related software there is higher than in other countries (compared to Europe).

Regards

Javier
