Penetration Testing mailing list archives
Re: Nessus - open or closed source?
From: crazy frog crazy frog <i.m.crazy.frog () gmail com>
Date: Tue, 8 Nov 2005 12:21:23 +0530
not related to nessus but a genral trend in OSS world is that some people start a project told that it is open source,take industry support,make there product stable and one day close it down and went commercial. evey one cares for money thats it,they dont care where it comes from open source or it come from closed source.ppls earn lots of money using OSS. so just wait and lets see in next few years how many open source application goes commercial. -- ting ding ting ding ting ding ting ding ting ding ding bam bam i m crazy frog :) "oh yeah oh yeah... another wannabe, in hackerland!!!" On 11/8/05, Justin Ferguson <jnferguson () gmail com> wrote:
While I cannot state who I work for due to security reasons, I just want to say that this is a perfect example of the difference between 'theory' and 'reality'. In reality, OSS/FS is all over the government, whether it be nessus or others. I can vouch for this from experience, and while I personally think nessus is trash, i will state that we have it deployed in manner environments, along with snort and other OSS software. Best Regards, Justin Ferguson On 11/7/05, Justin.Ross () signalsolutionsinc com <Justin.Ross () signalsolutionsinc com> wrote:You said: "This is absolute nonsense. Many government agencies and private enterprises with clued IT security folks already use Nessus and have for quite some time." I'm not going to defend Tenable or Nessus, but to call that statement "nonsense" is inaccurate in light of DoD Instruction 8500.2, Information Assurance (IA) Implementation, dated February 6, 2003. "Binary or machine executable public domain software products and other software products with limited or no warranty such as those commonly known as freeware or shareware are not used in DoD information systems unless they are necessary for mission accomplishment and there are no alternative IT solutions available. Such products are assessed for information assurance impacts, and approved for use by the DAA. The assessment addresses the fact that such software products are difficult or impossible to review, repair, or extend, given that the Government does not have access to the original source code and there is no owner who could make such repairs on behalf of the Government." That's the instruction right there. Do certain government agencies use Nessus? Perhaps, would a DAA (designated approval authority) in any location be justified in removing it? Yes absolutely. Are there alternative IT solutions to Nessus which are not open source? Yes. I guarantee you that any military or defense agency that falls under 8500.2 has had to make justifications for it's use, without question or they will as soon as their accreditation expires (if they use Nessus). While I can't go into any details I can say I have seen Nessus not get chosen, because of this requirement. If we are talking small government agencies, like city/state... yea well big deal, I've never witnessed a state or local government agency willing to spend millions of dollars on a vulnerability scanner, you can be sure the fed's have spent a fortune on vuln scanner licenses, and that Nessus has missed out on most of it States/cities typically have far less resources, and generally throw everything they can into firewalls/IDS, then use free or Open source software- but its an apples to oranges comparison with the fed.1 I personally don't understand why Newt and Nessus can't be separate; nor why Nessus has to go closed source. Isn't that what newt was for? Regardless, I wouldn't say that comment was "nonsense" in some circles (DOD) it makes perfect cents... and dollars... Justin Ross MCP+I, MCSE, CCNA, CCSA, CCSE, CISSP Senior Network Security Engineer Signal Solutions Inc. - http://www.signalcorp.com Email: Justin.Ross-at-signalsolutionsinc.com "Jay D. Dyson" <jdyson () treachery net> 11/04/2005 09:03 AM To Penetration Testers <pen-test () securityfocus com> cc Subject Re: Nessus - open or closed source? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Fri, 4 Nov 2005, brandon.steili () gmail com wrote:Sounds about right. Here's a link: http://www.networkworld.com/news/2005/101305-nessus.htmlQuoting from the article: "We want to bring Nessus to a larger audience, so Nessus 3.0 is going to be closed source, Gula said. If its not open source, a lot of government agencies and enterprises can use it, where before they wouldnt." This is absolute nonsense. Many government agencies and private enterprises with clued IT security folks already use Nessus and have for quite some time. In this move, all Tenable has ultimately done is pervert Nessus into a latter-day ISS clone. This shift toward commercialized closed-source silliness renders any use of Nessus untenable* in my book. I will no more recommend its future use than I would ISS. - -Jay * - No pun intended. ( ( _______ )) )) .-"There's always time for a good cup of coffee."-. >====<--. C|~~|C|~~| \------ Jay D. Dyson - jdyson () treachery net ------/ | = |-' `--' `--' `------ Security through obscurity isn't. ------' `------' -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (TreacherOS) Comment: See http://www.treachery.net/~jdyson/ for current keys. iD8DBQFDa4ZAdHgnXUr6DdMRAnCuAKCKFtUvaEewRbuV/dm6BKRollYlegCgytYK odWcfpRyZ/6ntr0yl7IWntE= =VQpM -----END PGP SIGNATURE----- ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 ------------------------------------------------------------------------------- ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 ------------------------------------------------------------------------------------------------------------------------------------------------------------- Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- Re: Nessus - open or closed source?, (continued)
- Re: Nessus - open or closed source? Giancarlo Razzolini (Nov 05)
- RE: Nessus - open or closed source? Juan Carlos Reyes Muñoz (Nov 06)
- Re: Nessus - open or closed source? Giancarlo Razzolini (Nov 05)
- Re: Nessus - open or closed source? Alex Bihlmaier (Nov 05)
- Re: Nessus - open or closed source? S.A.B.R.O. Net Security (Nov 06)
- Re: Nessus - open or closed source? Robert BARABAS (Nov 05)
- Re: Nessus - open or closed source? King Fuddler (Nov 05)
- Re: Nessus - open or closed source? brandon . steili (Nov 04)
- Re: Nessus - open or closed source? Jay D. Dyson (Nov 05)
- Re: Nessus - open or closed source? Justin . Ross (Nov 07)
- Re: Nessus - open or closed source? Justin Ferguson (Nov 07)
- Re: Nessus - open or closed source? crazy frog crazy frog (Nov 08)
- Re: Nessus - open or closed source? Javier Fernandez-Sanguino (Nov 08)
- Re: Nessus - open or closed source? Stefano Zanero (Nov 08)
- Re: Nessus - open or closed source? Jay D. Dyson (Nov 05)
- RE: Nessus - open or closed source? Jason Baeder (Nov 09)
- Re: Nessus - open or closed source? Javier Fernandez-Sanguino (Nov 10)