Security pros, stop feasting! There are no more free lunches at Nessus.
Renaud Deraison, father of the popular open-source vulnerability scanner, and his business partner Ron Gula have spoken: You can still get the scanner free, but you have to pay for the signature updates. The cost of developing Nessus signatures is outpacing donations to the development team. Nessus is now a stepchild of Deraison's and Gula's newest venture, Tenable Network Security, which develops commercial vulnerability scanners that complement and capitalize on Nessus.
Rather than releasing vulnerability signatures as they become available, the Nessus Open Source Vulnerability Scanner Project is now charging for the service. Only those who pay will receive immediate updates; all others must wait seven days, an eternity of exposure. Users of Tenable's commercial Lightning management console receive the updates as part of their license.
In God we trust, all others pay cash, indeed.
Who will this affect? For starters, the numerous security vendors that rely on Nessus as the foundation of their commercial products. Like many open-source tools, the Nessus binary is free and open to manipulation under a general purpose license. Expect a trickle-down effect as vendors who build on Nessus pass the subscription costs along to their customers.
Enterprises doing security on the cheap are affected. They'll have to pay up, too, or risk exposure while waiting for the blackout period to pass. The fact that
Security practitioners and vendors have Deraison, Snort IDS creator Martin Roesch and countless other moonlighting coders to thank for their paychecks. Without Nessus, there would be no commercial VA scanners, like McAfee's Foundstone and StillSecure's VAM. Without Snort, Internet Security Systems' RealSecure IDS and Lucid Security's ipAngel IPS wouldn't exist. And where would any of us be without Nmap?
HD Moore, manager of The Metasploit Project, is on the verge of creating an automated pen tester powerful enough to go head-to-head with commercial products like Core Security Technologies' Impact. It's a true bootstrap project, in which Moore asks for donations to keep things going.
He wants to raise $1,337, but has only received 16 donations to date that total a mere $355.
Eventually, open-source tools go one of two routes: commercialization and/or commercial exploitation. Deraison, Roesch and Tripwire IDS creator Gene Kim have developed commercial products that make their open-source tools easier to use and manage. On the other side, Torvalds keeps Linux open, but enterprises wishing for expert technical support and timely updates must look to commercial services from IBM, Red Hat and Oracle. Nessus' new model is a reasonable compromise that ensures innovation isn't stifled by a lack of funding.
It's unfortunate that many practitioners and entrepreneurs view open-source tools like garage bands: fun to play with, very interesting and completely exploitable. How many free tools do we use every day that provide priceless benefit to our enterprises? NetStumbler, SPIKE, RATS, FlawFinder, SPLINT and p0f, to name a few.
It's the communal exploration of ideas that's the underpinning of numerous security innovations. They deserve our intellectual and financial support, either through donations or direct charges.
This was first published in February 2005