Penetration Testing mailing list archives

Re: Nessus - open or closed source?


From: Justin.Ross () signalsolutionsinc com
Date: Mon, 7 Nov 2005 11:06:36 -0700

You said: "This is absolute nonsense.  Many government agencies and 
private enterprises with clued IT security folks already use Nessus and 
have for quite some time."

I'm not going to defend Tenable or Nessus, but to call that statement 
"nonsense" is inaccurate in light of DoD Instruction 8500.2, Information 
Assurance (IA) Implementation, dated February 6, 2003. 

"Binary or machine executable public domain software products and other 
software products with limited or no warranty such as those commonly known 
as freeware or shareware are not used in DoD information systems unless 
they are necessary for mission accomplishment and there are no alternative 
IT solutions available. Such products are assessed for information 
assurance impacts, and approved for use by the
DAA. The assessment addresses the fact that such software products are 
difficult or impossible to review, repair, or extend, given that the 
Government does not have access to the original source code and there is 
no owner who could make such repairs on behalf of the Government."

That's the instruction right there. Do certain government agencies use 
Nessus? Perhaps. Would a DAA (designated approval authority) in any 
location be justified in removing it? Yes, absolutely.  Are there 
alternative IT solutions to Nessus which are not open source? Yes.

I guarantee you that any military or defense agency that falls under 
8500.2 has had to make justifications for its use, without question, or 
they will as soon as their accreditation expires (if they use Nessus). 

While I can't go into any details, I can say I have seen Nessus not get 
chosen because of this requirement. If we are talking small government 
agencies, like city/state... yea, well, big deal; I've never witnessed a 
state or local government agency willing to spend millions of dollars on a 
vulnerability scanner. You can be sure the feds have spent a fortune on 
vuln scanner licenses, and that Nessus has missed out on most of it.

States/cities typically have far less resources, and generally throw 
everything they can into firewalls/IDS, then use free or open source 
software, but it's an apples-to-oranges comparison with the feds.

I personally don't understand why Newt and Nessus can't be separate, nor 
why Nessus has to go closed source. Isn't that what Newt was for? 
Regardless, I wouldn't say that comment was "nonsense"; in some circles 
(DoD) it makes perfect cents... and dollars... 

Justin Ross
MCP+I, MCSE, CCNA, CCSA, CCSE, CISSP
Senior Network Security Engineer
Signal Solutions Inc.    -   http://www.signalcorp.com
Email: Justin.Ross-at-signalsolutionsinc.com


"Jay D. Dyson" <jdyson () treachery net> 
11/04/2005 09:03 AM

To: Penetration Testers <pen-test () securityfocus com>
cc: 
Subject: Re: Nessus - open or closed source?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 4 Nov 2005, brandon.steili () gmail com wrote:

Sounds about right. Here's a link:
http://www.networkworld.com/news/2005/101305-nessus.html

Quoting from the article:

        "We want to bring Nessus to a larger audience, so
        Nessus 3.0 is going to be closed source, Gula said.
        If it's not open source, a lot of government agencies
        and enterprises can use it, where before they wouldn't."

This is absolute nonsense.  Many government agencies and private 
enterprises with clued IT security folks already use Nessus and have for 
quite some time.  In this move, all Tenable has ultimately done is pervert 
Nessus into a latter-day ISS clone.

This shift toward commercialized closed-source silliness renders 
any use of Nessus untenable* in my book.  I will no more recommend its 
future use than I would ISS.

- -Jay

* - No pun intended.

    (    (                                                       _______
    ))   ))  .-"There's always time for a good cup of coffee."-. >====<--.
  C|~~|C|~~| \------ Jay D. Dyson - jdyson () treachery net ------/ |    = |-'
   `--' `--'  `------ Security through obscurity isn't. ------'  `------'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQFDa4ZAdHgnXUr6DdMRAnCuAKCKFtUvaEewRbuV/dm6BKRollYlegCgytYK
odWcfpRyZ/6ntr0yl7IWntE=
=VQpM
-----END PGP SIGNATURE-----

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------



