
Nessus no longer free

By Shawna McAlearney, News Editor
16 Dec 2004 | SearchSecurity.com


Vendors relying on open-source Nessus won't automatically get free, timely "plugin" programs after project managers of the popular vulnerability scanner announced a new feed structure that provides the most recent releases for a fee. The move comes after Nessus managers decided too many commercial users contributed nothing to the collaborative program.

Though no company names were mentioned by Nessus leaders during their recent announcement, the popular vulnerability scanner reportedly is used in many commercial security products and services. A quick Internet search indicated some of those security vendors include StillSecure, VeriSign, IBM Global Services, Counterpane Internet Security, Symantec, AcuNett, ScannerX and rackAID, among others.

"We hit all the MSSPs and vendors that use Nessus and made sure they knew about the recent announcements. I got [responses that ranged from] looks of disbelief to veiled threats in some cases," said Ron Gula, a Nessus project manager and president and CTO at Tenable Network Security, which also manages the Nessus project. "The vendors who were using Nessus and not contributing anything to it were not happy."

But not all vendors using Nessus are upset by the move. Jay Jacobson, CEO of Edgeos Inc. in Phoenix, would be screaming too if people had taken credit for his creation for years. "As a vendor that relies heavily on Nessus, I would like to chime in with support on this matter," Jacobson said. "There are plenty of companies out there that are -- and have been for a long time -- taking Nessus, bundling it in some black-box, and claiming [it] as their own. They contribute nothing back and never give credit where credit is due. This is just simply wrong.

"We don't hide our use of Nessus and we contribute actively to the Nessus community, including the Nessus Knowledge Base," Jacobson added. "I wouldn't be surprised if greater than 95% of vendors don't contribute back."

While Nessus is open source, it has a very small number of contributors compared to larger freeware projects like Apache or Linux. Almost all of the Nessus engine is made by those at Tenable, which includes Nessus founder Renaud Deraison as its chief research officer. And an estimated 90% of the Nessus plugins are created by them as well.

"It is difficult to financially justify releasing the work of a corporate developer to the open source community when that developer is supported by thousands of dollars of equipment, salary and benefits," said Richard Bejtlich, technical director for the Monitoring Operations Division of ManTech's Computer Forensics and Intrusion Analysis group. "To do so is to provide free software development for one's less scrupulous competitors, who are only too happy to take but not give back."

Gula sees the new feed structure as a way to bring parity between those that contribute and those that don't.

"I think that many folks have no idea that Nessus code and the R&D used to keep it updated with new checks is a vital part of many different vendors," Gula said. "Most of these guys strongly de-emphasize their use of Nessus, others deny it and still others just use the code and call it by a completely different name."

In response to the "exploitation" of his brainchild, Deraison, who still leads the Nessus project, announced that Nessus feeds will still be available in three forms: for a fee; for those who register, but with a seven-day delay; and under copyright as part of the GNU Public License.

Nessus described the three feeds on its Web site:

  • A "Direct Feed" entitles subscribers to the latest vulnerability checks. Customers who purchase a Lightning Console or NeWT Pro scanner receive access to this feed with their annual product maintenance. Pricing for the Direct Feed is based upon the number of Nessus or complimentary copies of NeWT [Nessus Windows Technology] in use within your organization, consultancy or service. The cost for one scanner is $1,200 per year.
  • A "Registered Feed" is available for free to the general public, but new plugins are added seven days after they are added to the Direct Feed. To obtain access to the Registered Feed, users are required to enter contact information for tracking and also agree to Tenable Network Security's license agreement for the plugins.
  • The "GPL Feed" does not require registration, and includes plugins written by the user community. Tenable will continue to accept plugins written from the Nessus and NeWT user communities. Plugins accepted with a copyright under the GNU Public License will be distributed to the Direct, Registered and GPL feeds at the same time.

"We have found a way to keep the development of Nessus under the GPL instead of close-sourcing it to continue to provide plugins to end users for free, although the plugins [provided by Tenable] are not under the GPL, and to guarantee a valuable service to users who subscribe to our Direct Feed," Deraison said. "So I think it's a very good thing which balances equally the interests of the open-source community and the ones of Tenable.

"There are many security product companies whose business model simply consists of putting Nessus on an appliance, writing a Web interface for it, and renaming it as their own solution," Deraison continued. "We underlined the fact that these companies cannot redistribute the non-GPL plugins. Hopefully, it will make them invest in their own R&D teams to come up with their own checks and scanning engine, which should lead to more innovation. In the end, it's a very good thing for the end users."
