Penetration Testing mailing list archives
Re: Nessus - open or closed source?
From: Justin.Ross () signalsolutionsinc com
Date: Tue, 8 Nov 2005 14:32:45 -0700
Ever hit send and wish you could pull it back?

"Open source software takes several forms:
1. A utility that has publicly available source code is acceptable.
2. A commercial product that incorporates open source software is acceptable because the commercial vendor provides a warranty.
3. Vendor supported open source software is acceptable.
4. A utility that comes compiled and has no warranty is not acceptable.
Number 4 is a real issue for Nessus (not for Newt obviously)."

I meant issues 3/4. Nessus is not vendor supported, nor does it come with a warranty.

Justin Ross
MCP+I, MCSE, CCNA, CCSA, CCSE, CCSI, CISSP
Senior Network Security Engineer
Signal Solutions Inc. - http://www.signalcorp.com
Email: Justin.Ross-at-signalsolutionsinc.com

Justin Ross/SIERRA_VISTA/SSI
11/08/2005 02:17 PM
To: "Jay D. Dyson" <jdyson () treachery net>
cc: pen-test () securityfocus com
Subject: Re: Nessus - open or closed source?

"And for "not going to defend Tenable or Nessus," you sure as hell went to a lot of verbiage "not defending" that silliness."

Yeah, I have a bad habit of backing up my statements and commentary with facts, even if it increases the length of my email. I guess I'll have to practice by making unsupported and random statements. :)

Having said that, I have no doubt government agencies (DOE, DOJ, DHS, etc.), and "perhaps" even the military, use FS/SW/OSS. In regards to the military, it can use anything provided there is a great need or the DAA approves it. The military/DoD is a government agency/entity/department, which could fall into the "many government agencies" category of your statement. Considering it is one of, if not the most-funded and most likely to spend the greatest amount on InfoSec/IT, in fact probably more so than any other government agency and 5 other agencies included with it, I felt it would be remiss not to mention it. I wasn't putting words into your mouth or discrediting your statement regarding "many government agencies... use nessus..."; in fact I agree with it.

Looking at Ron Gula's quoted statement on Network World: "If it's not open source, a lot of government agencies and enterprises can use it, where before they wouldn't." The DoD has a requirement that affects, and is absolutely related to, what you call/called "nonsense" and "silliness". That's why I pointed it out. That's not a defense of Nessus or Tenable, just the facts, which would seem to support and qualify his statement.

The decision of whether or not a piece of software is FS/SW/OSS is ultimately decided by the DAA, doesn't matter what Wikipedia says, but the Desktop Application STIG clearly states:

Open source software takes several forms:
1. A utility that has publicly available source code is acceptable.
2. A commercial product that incorporates open source software is acceptable because the commercial vendor provides a warranty.
3. Vendor supported open source software is acceptable.
4. A utility that comes compiled and has no warranty is not acceptable.

Number 4 is a real issue for Nessus (not for Newt obviously). Also the policies/guidelines all contain a certain amount of "grey space", even in definitions, so as not to paint the government into a corner when they really feel they need something. I agree personally that Open Source Nessus could/would be approved by a majority of the DAAs, but as of now, where the DoD (including Army, Navy, Air Force, Marines, DISA, etc.) is concerned, it has to be justified with detailed mitigation strategies, etc. during the accreditation/approval process.

Going closed source wouldn't seem to hurt them from a competitive commercial aspect, but whether that will result in more sales/profits, I'll defer to the analysts, financial forecasters, and astrologers.

Justin Ross
MCP+I, MCSE, CCNA, CCSA, CCSE, CISSP
Senior Network Security Engineer
Signal Solutions Inc. - http://www.signalcorp.com
Email: Justin.Ross-at-signalsolutionsinc.com
"Jay D. Dyson" <jdyson () treachery net>
11/07/2005 06:08 PM
To: Justin Ross/SIERRA_VISTA/SSI@Signal_Solutions
cc: pen-test () securityfocus com
Subject: Re: Nessus - open or closed source?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 7 Nov 2005, Justin.Ross () signalsolutionsinc com wrote:

> I'm not going to defend Tenable or Nessus, but to call that statement
> "nonsense" is inaccurate in light of DoD Instruction 8500.2, Information
> Assurance (IA) Implementation, dated February 6, 2003.

Not all government agencies are DoD. And I was not speaking of, nor did I reference, ANY military or defense agency when I made that remark. I stated, and I quote, "Many government agencies" and I stand by that remark.

And for "not going to defend Tenable or Nessus," you sure as hell went to a lot of verbiage "not defending" that silliness.

- -Jay

  (    (                                                          _______
  ))   ))   .-"There's always time for a good cup of coffee."-.   >====<--.
C|~~| C|~~| \------ Jay D. Dyson - jdyson () treachery net ------/ |    = |-'
 `--'  `--'  `------ Security through obscurity isn't. ------'  `------'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQFDb/p7dHgnXUr6DdMRAo8kAJ9ajBycWMoAS7Bq7PmhbTTpYc0YPACfSsFy
iz48I16qvTqTLRcTDHploIQ=
=rm1Z
-----END PGP SIGNATURE-----