Re: Nessus - open or closed source?

[Justin Ferguson <jnferguson () gmail com>]

While I cannot state who I work for due to security reasons, I just
want to say that this is a perfect example of the difference between
'theory' and 'reality'. In reality, OSS/FS is all over the government,
whether it be nessus or others. I can vouch for this from experience,
and while I personally think nessus is trash, i will state that we
have it deployed in manner environments, along with snort and other
OSS software.

Best Regards,

Justin Ferguson

On 11/7/05, Justin.Ross () signalsolutionsinc com
<Justin.Ross () signalsolutionsinc com> wrote:
> You said: "This is absolute nonsense.  Many government agencies and
> private enterprises with clued IT security folks already use Nessus and
> have for quite some time."
>
> I'm not going to defend Tenable or Nessus, but to call that statement
> "nonsense" is inaccurate in light of DoD Instruction 8500.2, Information
> Assurance (IA) Implementation, dated February 6, 2003.
>
> "Binary or machine executable public domain software products and other
> software products with limited or no warranty such as those commonly known
> as freeware or shareware are not used in DoD information systems unless
> they are necessary for mission accomplishment and there are no alternative
> IT solutions available. Such products are assessed for information
> assurance impacts, and approved for use by the
> DAA. The assessment addresses the fact that such software products are
> difficult or impossible to review, repair, or extend, given that the
> Government does not have access to the original source code and there is
> no owner who could make such repairs on behalf of the Government."
>
> That's the instruction right there. Do certain government agencies use
> Nessus? Perhaps, would a DAA (designated approval authority) in any
> location be justified in removing it? Yes absolutely.  Are there
> alternative IT solutions to Nessus which are not open source? Yes.
>
>  I guarantee you that any military or defense agency that falls under
> 8500.2 has had to make justifications for it's use, without question or
> they will as soon as their accreditation expires (if they use Nessus).
>
> While I can't go into any details I can say I have seen Nessus not get
> chosen, because of this requirement. If we are talking small government
> agencies, like city/state... yea well big deal, I've never witnessed a
> state or local government agency willing to spend millions of dollars on a
> vulnerability scanner, you can be sure the fed's have spent a fortune on
> vuln scanner licenses, and that Nessus has missed out on most of it
>
> States/cities typically have far less resources, and generally throw
> everything they can into firewalls/IDS, then use free or Open source
> software- but its an apples to oranges comparison with the fed.1
>
> I personally don't understand why Newt and Nessus can't be separate; nor
> why Nessus has to go closed source. Isn't that what newt was for?
> Regardless, I wouldn't say that comment was "nonsense" in some circles
> (DOD) it makes perfect cents... and dollars...
>
> Justin Ross
> MCP+I, MCSE, CCNA, CCSA, CCSE, CISSP
> Senior Network Security Engineer
> Signal Solutions Inc.    -   http://www.signalcorp.com
> Email: Justin.Ross-at-signalsolutionsinc.com
>
>
>
>
>
>
>
> "Jay D. Dyson" <jdyson () treachery net>
> 11/04/2005 09:03 AM
>
> To
> Penetration Testers <pen-test () securityfocus com>
> cc
>
> Subject
> Re: Nessus - open or closed source?
>
>
>
>
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Fri, 4 Nov 2005, brandon.steili () gmail com wrote:
>
> > Sounds about right. Here's a link:
> > http://www.networkworld.com/news/2005/101305-nessus.html
>
> Quoting from the article:
>
>                  "We want to bring Nessus to a larger audience, so
>                  Nessus 3.0 is going to be closed source, Gula said.
>                  If its not open source, a lot of government agencies
>                  and enterprises can use it, where before they wouldnt."
>
>                  This is absolute nonsense.  Many government agencies and
> private
> enterprises with clued IT security folks already use Nessus and have for
> quite some time.  In this move, all Tenable has ultimately done is pervert
>
> Nessus into a latter-day ISS clone.
>
>                  This shift toward commercialized closed-source silliness
> renders
> any use of Nessus untenable* in my book.  I will no more recommend its
> future use than I would ISS.
>
> - -Jay
>
> * - No pun intended.
>
>     (    (                                                       _______
>     ))   ))  .-"There's always time for a good cup of coffee."-. >====<--.
>   C|~~|C|~~| \------ Jay D. Dyson - jdyson () treachery net ------/ |    =
> |-'
>    `--' `--'  `------ Security through obscurity isn't. ------'  `------'
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (TreacherOS)
> Comment: See http://www.treachery.net/~jdyson/ for current keys.
>
> iD8DBQFDa4ZAdHgnXUr6DdMRAnCuAKCKFtUvaEewRbuV/dm6BKRollYlegCgytYK
> odWcfpRyZ/6ntr0yl7IWntE=
> =VQpM
> -----END PGP SIGNATURE-----
>
> ------------------------------------------------------------------------------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications on your
> website. Up to 75% of cyber attacks are launched on shopping carts, forms,
>
> login pages, dynamic content etc. Firewalls, SSL and locked-down servers
> are
> futile against web application hacking. Check your website for
> vulnerabilities
> to SQL injection, Cross site scripting and other web attacks before
> hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> -------------------------------------------------------------------------------
>
>
>
>
> ------------------------------------------------------------------------------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications on your
> website. Up to 75% of cyber attacks are launched on shopping carts, forms,
> login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
> futile against web application hacking. Check your website for vulnerabilities
> to SQL injection, Cross site scripting and other web attacks before hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> -------------------------------------------------------------------------------

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------