Vendors relying on open-source Nessus won't automatically get free, timely "plugin" programs after project managers of the popular vulnerability scanner announced a new feed structure that provides the most recent releases for a fee. The move comes after Nessus managers decided too many commercial users contributed nothing to the collaborative program.
Though no company names were mentioned by Nessus leaders during their recent announcement, the popular vulnerability scanner reportedly is used in many commercial security products and services. A quick Internet search indicated some of those security vendors include StillSecure, VeriSign, IBM Global Services, Counterpane Internet Security, Symantec, AcuNett, ScannerX and rackAID, among others.
"We hit all the MSSPs and vendors that use Nessus and made sure they knew about the recent announcements. I got [responses that ranged from] looks of disbelief to veiled threats in some cases," said Ron Gula, a Nessus project manager and president and CTO at Tenable Network Security, which also manages the Nessus project. "The vendors who were using Nessus and not contributing anything to it were not happy."
But not all vendors using Nessus are upset by the move. Jay Jacobson, CEO of Edgeos Inc. in Phoenix, would be screaming if people took credit for his creation for years. "As a vendor that relies heavily on Nessus, I would like to chime in with support on this matter," Jacobson said. "There are plenty of companies out there that are -- and have been for a long time -- taking Nessus, bundling it in some black-box, and claiming [it] as their own. They contribute nothing back and never give credit where credit is due. This is just simply wrong.
"We don't hide our use of Nessus and we contribute actively to the Nessus community, including the Nessus Knowledge Base," Jacobsen added. "I wouldn't be surprised if greater than 95% of vendors don't contribute back."
While Nessus is open source, it has a very small number of contributors compared to larger freeware projects like Apache or Linux. Almost all of the Nessus engine is made by those at Tenable, which includes Nessus founder Renaud Deraison as its chief research officer. And an estimated 90% of the Nessus plugins are created by them as well.
"It is difficult to financially justify releasing the work of a corporate developer to the open source community when that developer is supported by thousands of dollars of equipment, salary and benefits," said Richard Bejtlich, technical director for the Monitoring Operations Division of ManTech's Computer Forensics and Intrusion Analysis group. "To do so is to provide free software development for one's less scrupulous competitors, who are only too happy to take but not give back."
Gula sees the new feed structuring as a way to bring parity between those that contribute and those that don't.
"I think that many folks have no idea that Nessus code and the R&D used to keep it updated with new checks is a vital part of many different vendors," Gula said. "Most of these guys strongly de-emphasize their use of Nessus, others deny it and still others just use the code and call it by a completely different name."
In response to the "exploitation" of his brain child, Deraison, who still leads the Nessus project, announced that Nessus feeds will still be available in three forms: for a fee; for those who register, but with a seven day delay; and under copyright as part of the GNU Public License.
Nessus described the three feeds on its Web site:
- A "Direct Feed" entitles subscribers to the latest vulnerability checks. Customers who purchase a Lightning Console or NeWT Pro scanner receive access to this feed with their annual product maintenance. Pricing for the Direct Feed is based upon the number of Nessus or complimentary copies of NeWT [Nessus Windows Technology] in use within your organization, consultancy or service. The cost for one scanner is $1,200 per year.
- A "Registered Feed" is available for free to the general public, but new plugins are added seven days after they are added to the Direct Feed. To obtain access to the Registered Feed, users are required to enter contact information for tracking and also agree to Tenable Network Security's license agreement for the plugins.
- The "GPL Feed" does not require registration, and includes plugins written by the user community. Tenable will continue to accept plugins written from the Nessus and NeWT user communities. Plugins accepted with a copyright under the GNU Public License will be distributed to the Direct, Registered and GPL feeds at the same time.
"We have found a way to keep the development of Nessus under the GPL instead of close-sourcing it to continue to provide plugins to end users for free, although the plugins [provided by Tenable] are not under the GPL, and to guarantee a valuable service to users who subscribe to our Direct Feed," Deraison said. "So I think it's a very good thing which balances equally the interests of the open-source community and the ones of Tenable.
"There are many security product companies whose business model simply consists of putting Nessus on an appliance, writing a Web interface for it, and renaming it as their own solution," Deraison continued. "We underlined the fact that these companies cannot redistribute the non-GPL plugins. Hopefully, it will make them invest in their own R&D teams to come up with their own checks and scanning engine, which should lead to more innovation. In the end, it's a very good thing for the end users."