Penetration Testing mailing list archives
Re: Nessus - open or closed source?
From: Javier Fernandez-Sanguino <jfernandez () germinus com>
Date: Thu, 10 Nov 2005 10:25:16 +0100
Justin.Ross () signalsolutionsinc com wrote:
> Ever hit send and wish you could pull it back?
>
> "Open source software takes several forms:
> 1. A utility that has publicly available source code is acceptable.
> 2. A commercial product that incorporates open source software is acceptable because the commercial vendor provides a warranty.
> 3. Vendor supported open source software is acceptable.
> 4. A utility that comes compiled and has no warranty is not acceptable.
>
> Number 4 is a real issue for Nessus (not for Newt obviously)."
>
> I meant issues 3/4. Nessus is not vendor supported, nor comes with a warranty.
I'm really surprised you say this:

- as for 4, go check out ftp://ftp.nessus.org/pub/nessus/ and see for yourself, Nessus/Tenable distributes _sources_ not _binaries_. Only *some* Linux or BSD distributions ship binaries of Nessus and, when they do so, they ship both the sources and the changes they've made to the sources, as required by the GPL license Nessus is distributed with. For example, Debian "ships" Nessus in all mirrors worldwide like this:

  ftp://ftp.debian.org/debian/pool/main/n/nessus-core/
  ftp://ftp.debian.org/debian/pool/main/n/nessus-libraries/
  ftp://ftp.debian.org/debian/pool/main/n/nessus-plugins/
  ftp://ftp.debian.org/debian/pool/main/libn/libnasl/

  [ you'll see many binary packages there, for many different processor architectures, and they are distributed alongside the original sources (orig.tar.gz files) and Debian patches (diff.gz files) ]
- as for 3, I really doubt that if Tenable was approached by a government agency and asked for "vendor support" for Nessus they will gladly give it out, for a fee. Actually, Tenable will provide an agency, for a fee, with "Nessus in-an-appliance boxes", a.k.a. the Lightning Console, for which they provide full support: http://www.tenablesecurity.com/products/lightning.shtml
Conclusion: 4 does *not* apply to Nessus from my PoV:

- 1 does, if you are using the Nessus version shipped by any Linux/BSD distribution out there, or
- 2 does, if you go out and buy the Lightning Console appliance, and
- 3 does because the vendor can provide you support for the OSS they distribute
IMHO Nessus clearly applies here and I fail to see how anyone would say that 4 is an issue for Nessus.
Regards

Javier

PS: Notice, however, that point 4 *will* apply for Nessus v3 (binary-only, no sources) which Tenable has said they will ship in the future