Penetration Testing mailing list archives

Re: Nessus - open or closed source?


From: Javier Fernandez-Sanguino <jfernandez () germinus com>
Date: Thu, 10 Nov 2005 10:25:16 +0100

Justin.Ross () signalsolutionsinc com wrote:

Ever hit send and wish you could pull it back?

"Open source software takes several forms:
1. A utility that has publicly available source code is acceptable.
2. A commercial product that incorporates open source software is acceptable because the
commercial vendor provides a warranty.
3. Vendor supported open source software is acceptable.
4. A utility that comes compiled and has no warranty is not acceptable.

Number 4 is a real issue for Nessus (not for Newt obviously). "

I meant issues 3/4. Nessus is not vendor supported, nor comes with a warranty.

I'm really surprised you say this:

- as for 4, go check out ftp://ftp.nessus.org/pub/nessus/ and see for yourself: Nessus/Tenable distributes _sources_, not _binaries_. Only *some* Linux or BSD distributions ship binaries of Nessus and, when they do so, they ship both the sources and the changes they've made to the sources, as required by the GPL license Nessus is distributed with. For example, Debian "ships" Nessus in all mirrors worldwide like this:
ftp://ftp.debian.org/debian/pool/main/n/nessus-core/
ftp://ftp.debian.org/debian/pool/main/n/nessus-libraries/
ftp://ftp.debian.org/debian/pool/main/n/nessus-plugins/
ftp://ftp.debian.org/debian/pool/main/libn/libnasl/
[you'll see many binary packages there, for many different processor architectures, and they are distributed alongside the original sources (orig.tar.gz files) and Debian patches (diff.gz files)]

- as for 3, I really doubt that if Tenable were approached by a government agency and asked for "vendor support" for Nessus they would gladly give it out, for a fee. Actually, Tenable will provide an agency, for a fee, with "Nessus-in-an-appliance" boxes, a.k.a. the Lightning Console, for which they provide full support: http://www.tenablesecurity.com/products/lightning.shtml

Conclusion: 4 does *not* apply to Nessus from my PoV:

- 1 does, if you are using the Nessus version shipped by any Linux/BSD distribution out there, or
- 2 does, if you go out and buy the Lightning Console appliance, and
- 3 does because the vendor can provide you support for the OSS they distribute

IMHO Nessus clearly applies here and I fail to see how anyone would say that 4 is an issue for Nessus.

Regards

Javier

PS: Notice, however, that point 4 *will* apply to Nessus v3 (binary-only, no sources), which Tenable has said they will ship in the future.
