Penetration Testing mailing list archives

RE: Nessus - open or closed source?


From: "Miller, Joseph A" <joseph.miller () eds com>
Date: Tue, 8 Nov 2005 09:47:26 -0500

Justin,

I'm breaking into this thread late in the game. In 'reality' it does not
matter if it is trash or not, because we all run as many tools as
possible. Does Nessus hit on something that ISS missed? Yes, sometimes.
Does ISS hit something that Nessus missed? Yes, sometimes. Doing due
diligence and using all the tools you can find to help in your quest to
perform whatever task you may be performing with these tools, the
presence of the option to use it and see if it helps is better than
nothing. Even one or two of these happening will make the case for having
more than one assessment tool.

If these tools eventually became less and less efficient, then we would
all stop using them and move on, and a new tool would appear asking for
cash hand over fist per usual, and we'd buy the latest and greatest. However,
I can't imagine liking or disliking a tool that helps cross-check
vulnerability assessments. Perhaps you can only afford so many, but all
some > none. If you can't afford more than one, then sure, that IS a
hard bargain, because you will potentially miss things without the
overlapping of tool checks. If there was one perfect solution, we'd all
use it.

Regards, Drew

-----Original Message-----
From: Justin Ferguson [mailto:jnferguson () gmail com] 
Sent: Monday, November 07, 2005 10:52 PM
To: Justin.Ross () signalsolutionsinc com
Cc: pen-test () securityfocus com; Jay D. Dyson
Subject: Re: Nessus - open or closed source?

While I cannot state who I work for due to security reasons, I just want
to say that this is a perfect example of the difference between 'theory'
and 'reality'. In reality, OSS/FS is all over the government, whether it
be Nessus or others. I can vouch for this from experience, and while I
personally think Nessus is trash, I will state that we have it deployed
in many environments, along with Snort and other OSS software.

Best Regards,

Justin Ferguson

On 11/7/05, Justin.Ross () signalsolutionsinc com
<Justin.Ross () signalsolutionsinc com> wrote:
You said: "This is absolute nonsense.  Many government agencies and 
private enterprises with clued IT security folks already use Nessus 
and have for quite some time."

I'm not going to defend Tenable or Nessus, but to call that statement 
"nonsense" is inaccurate in light of DoD Instruction 8500.2, 
Information Assurance (IA) Implementation, dated February 6, 2003.

"Binary or machine executable public domain software products and 
other software products with limited or no warranty such as those 
commonly known as freeware or shareware are not used in DoD 
information systems unless they are necessary for mission 
accomplishment and there are no alternative IT solutions available. 
Such products are assessed for information assurance impacts, and 
approved for use by the DAA. The assessment addresses the fact that 
such software products are difficult or impossible to review, repair, 
or extend, given that the Government does not have access to the 
original source code and there is no owner who could make such repairs
on behalf of the Government."

That's the instruction right there. Do certain government agencies use
Nessus? Perhaps. Would a DAA (designated approval authority) in any
location be justified in removing it? Yes, absolutely. Are there
alternative IT solutions to Nessus which are not open source? Yes.

I guarantee you that any military or defense agency that falls under
8500.2 has had to make justifications for its use, without question,
or they will as soon as their accreditation expires (if they use
Nessus).

While I can't go into any details, I can say I have seen Nessus not get
chosen because of this requirement. If we are talking small
government agencies, like city/state... yeah, well, big deal. I've never
witnessed a state or local government agency willing to spend millions
of dollars on a vulnerability scanner; you can be sure the feds have
spent a fortune on vuln scanner licenses, and that Nessus has missed
out on most of it.

States/cities typically have far less resources, and generally throw
everything they can into firewalls/IDS, then use free or open source
software, but it's an apples to oranges comparison with the fed.

I personally don't understand why NeWT and Nessus can't be separate,
nor why Nessus has to go closed source. Isn't that what NeWT was for?
Regardless, I wouldn't say that comment was "nonsense"; in some circles
(DoD) it makes perfect cents... and dollars...

Justin Ross
MCP+I, MCSE, CCNA, CCSA, CCSE, CISSP
Senior Network Security Engineer
Signal Solutions Inc.    -   http://www.signalcorp.com
Email: Justin.Ross-at-signalsolutionsinc.com

"Jay D. Dyson" <jdyson () treachery net>
11/04/2005 09:03 AM

To: Penetration Testers <pen-test () securityfocus com>
cc:
Subject: Re: Nessus - open or closed source?

On Fri, 4 Nov 2005, brandon.steili () gmail com wrote:

Sounds about right. Here's a link:
http://www.networkworld.com/news/2005/101305-nessus.html

Quoting from the article:

    "We want to bring Nessus to a larger audience, so Nessus 3.0 is
    going to be closed source," Gula said. "If it's not open source, a
    lot of government agencies and enterprises can use it, where before
    they wouldn't."

This is absolute nonsense. Many government agencies and private
enterprises with clued IT security folks already use Nessus and have
for quite some time. In this move, all Tenable has ultimately done is
pervert Nessus into a latter-day ISS clone.

This shift toward commercialized closed-source silliness renders any
use of Nessus untenable* in my book. I will no more recommend its
future use than I would ISS.

- -Jay

* - No pun intended.



------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
------------------------------------------------------------------------------
