Penetration Testing mailing list archives

Re: Nessus - open or closed source?


From: Justin.Ross () signalsolutionsinc com
Date: Tue, 8 Nov 2005 14:32:45 -0700

Ever hit send and wish you could pull it back?

"Open source software takes several forms:
1. A utility that has publicly available source code is acceptable.
2. A commercial product that incorporates open source software is acceptable because the commercial vendor provides a warranty.
3. Vendor supported open source software is acceptable.
4. A utility that comes compiled and has no warranty is not acceptable.

Number 4 is a real issue for Nessus (not for Newt obviously)."

I meant issues 3/4. Nessus is not vendor supported, nor does it come with a warranty.


Justin Ross
MCP+I, MCSE, CCNA, CCSA, CCSE, CCSI, CISSP
Senior Network Security Engineer
Signal Solutions Inc.    -   http://www.signalcorp.com
Email: Justin.Ross-at-signalsolutionsinc.com

Justin Ross/SIERRA_VISTA/SSI
11/08/2005 02:17 PM

To
"Jay D. Dyson" <jdyson () treachery net>
cc
pen-test () securityfocus com
Subject
Re: Nessus - open or closed source?

"And for "not going to defend Tenable or Nessus," you sure as hell went to a lot of verbiage "not defending" that silliness."

Yeah, I have a bad habit of backing up my statements and commentary with facts, even if it increases the length of my email. I guess I'll have to practice by making unsupported and random statements. :)

Having said that, I have no doubt that government agencies (DOE, DOJ, DHS, etc.), and "perhaps" even the military, use FS/SW/OSS. In regards to the military, it can use anything provided there is a great need or the DAA approves it.

The military/DoD is a government agency/entity/department, which could fall into the "many government agencies" category of your statement. Considering it is one of, if not the, most-funded and most likely to spend the greatest amount on InfoSec/IT, in fact probably more so than any other government agency and 5 other agencies included with it, I felt it would be remiss not to mention it. I wasn't putting words into your mouth or discrediting your statement regarding "many government agencies... use nessus..."; in fact I agree with it.

Looking at Ron Gula's quoted statement on Network World: "If it's not open source, a lot of government agencies and enterprises can use it, where before they wouldn't."

The DoD has a requirement that affects, and is absolutely related to, what you call/called "nonsense" and "silliness". That's why I pointed it out. That's not a defense of Nessus or Tenable, just the facts, which would seem to support and qualify his statement.

The decision of whether or not a piece of software is FS/SW/OSS is ultimately decided by the DAA; it doesn't matter what Wikipedia says, but the Desktop Application STIG clearly states:

Open source software takes several forms:
1. A utility that has publicly available source code is acceptable.
2. A commercial product that incorporates open source software is acceptable because the commercial vendor provides a warranty.
3. Vendor supported open source software is acceptable.
4. A utility that comes compiled and has no warranty is not acceptable.

Number 4 is a real issue for Nessus (not for Newt obviously). 

Also the policies/guidelines all contain a certain amount of "grey space", even in definitions, so as not to paint the government into a corner when they really feel they need something. I agree personally that Open Source Nessus could/would be approved by a majority of the DAAs, but as of now, where the DoD (including Army, Navy, Air Force, Marines, DISA, etc.) is concerned, it has to be justified with detailed mitigation strategies, etc. during the accreditation/approval process.

Going closed source wouldn't seem to hurt them from a competitive commercial aspect, but whether that will result in more sales/profits, I'll defer to the analysts, financial forecasters, and astrologers.

Justin Ross
MCP+I, MCSE, CCNA, CCSA, CCSE, CISSP
Senior Network Security Engineer
Signal Solutions Inc.    -   http://www.signalcorp.com
Email: Justin.Ross-at-signalsolutionsinc.com

"Jay D. Dyson" <jdyson () treachery net> 
11/07/2005 06:08 PM

To
Justin Ross/SIERRA_VISTA/SSI@Signal_Solutions
cc
pen-test () securityfocus com
Subject
Re: Nessus - open or closed source?

On Mon, 7 Nov 2005, Justin.Ross () signalsolutionsinc com wrote:

I'm not going to defend Tenable or Nessus, but to call that statement "nonsense" is inaccurate in light of DoD Instruction 8500.2, Information Assurance (IA) Implementation, dated February 6, 2003.

Not all government agencies are DoD. And I was not speaking of, nor did I reference, ANY military or defense agency when I made that remark. I stated, and I quote, "Many government agencies" and I stand by that remark.

And for "not going to defend Tenable or Nessus," you sure as hell went to a lot of verbiage "not defending" that silliness.

- -Jay

    (    (                                                       _______
    ))   ))  .-"There's always time for a good cup of coffee."-. >====<--.
  C|~~|C|~~| \------ Jay D. Dyson - jdyson () treachery net ------/ |    = |-'
   `--' `--'  `------ Security through obscurity isn't. ------'  `------'
