Slashdot Mirror


Nessus 3.0 discussed

An anonymous reader writes "Nessus is one of the world's most popular (open source) vulnerability scanners, used in over 75,000 organizations world-wide. Many of the world's largest organizations are realizing significant cost savings by using Nessus to audit business-critical enterprise devices and applications. With the recent news of going closed source, Ron Gula took a few minutes to talk to SecurityFocus. From the article: 'I speak to a lot of different open source project managers and they say similar stuff -- it's mostly free users and not really code contributors.' What would happen now? Nessus 3 will provide an average 5x speed improvement compared to the old, but open source, 2.x version, and a lot of new features."

12 of 131 comments

  1. Comment removed by account_deleted · · Score: 1, Insightful

    Comment removed based on user account deletion

  2. Re:GPL resistance? by dada21 · · Score: 3, Insightful

    But are most users incorporating Nessus code or are they using Nessus as a standalone product?

    I'd assume utilizing GPL'd software in a standalone fashion should have no bearing on your output, right?

  3. Re:even though it's still free by Cheapy · · Score: 2, Insightful

    The sad thing about open source in this case is that people were just using it and not contributing back. Maybe if some people pledged to contribute if the source was released, things could change.

    --
    Would you kindly mod me +1 insightful?
  4. Re:Hold your horses by Kjella · · Score: 4, Insightful

    They are looking to make money on their support of the product, which is a well established model.

    And fully possible without closing the source. The name can be protected by trademark, and people will rather have the developers supporting it than someone else. Besides, there is no reason to assume it will continue to be free. Basically, it's no longer an OSS project, it's freeware given away by a business. Been there, in general rarely been happy with it. Expect NessusPlus for $$$ soon.

    --
    Live today, because you never know what tomorrow brings
  5. End of the day, you don't eat good intentions by xtal · · Score: 5, Insightful

    It's unfortunate it went closed source versus a service-supported model, but in the real world, there's cheques to sign. If one group is doing the efforts and not being compensated, that's the cathedral model, and cathedrals have collection plates. Open source works best when users are developers. That also explains the state of most of the user interfaces on the more complicated projects. (sarcasm, but with a grain of truth)

    Something else I've noticed is open source works well on widgets and shared components and APIs. Once the toolset becomes very focused and vertical in appeal, the model works less well - unless the users are also developers.

    It will be interesting to see how the forked version works.

    Smoothwall has done a good job with their approach. We'll see how it continues in the future.

    --
    ..don't panic
  6. Re:GPL resistance? by Kjella · · Score: 2, Insightful

    Because the GPL is viral in nature. If one of your developers links the source code of your flagship product with a GPLed library, your flagship product now must be released under the GPL... It may sound like FUD, but it's also true...

    My, what a classic troll. Almost antique. Distributing without a valid license could lead to civil and criminal penalties, but never to forced release of code. Complying with the license afterwards would have no influence on your legal liability. The developers may offer to drop the lawsuit in return for complying instead of suing for $150,000 / incident, like the RIAA/MPAA. In other words, OSS developers are typically extremely forgiving compared to other copyright holders.

    --
    Live today, because you never know what tomorrow brings
  7. Wrong by Lifewish · · Score: 2, Insightful

    They wrote effectively all of V2, they can do with it as they wish (the GPL is a nonexclusive license, hence the success of dual-licensing). The only hairy issue is patches from the FOSS community, but apparently those were few enough to be handled on an individual basis or something.

    --
    For the love of God, please learn to spell "ridiculous"!!!
    1. Re:Wrong by say · · Score: 2, Insightful

      If you study FSF's GPL howto, you'll notice how important it is that you first preserve your copyright of the code, then GPL it. This is to establish that you - the copyright holder - choose to do the GPL on your own rights. Notice how this only works because you own the rights yourself.

      You can obviously withdraw this later, but people who have used/copied/improved/whatever'd your code won't be forced to stop using it. This is specifically stated in the GPL. But I can take what I own the copyright for, and release that (or a derivative) under a different (non-GPL-compliant) license.

      So the licensor is obviously not bound by his own rules. He defines the rules, because he is the licensor. The code he has released can't be recalled to his command, but he can do what he wants with his own copy. Contributions to a GPL project are often copyright-transferred to the project maintainer, which would make the above apply to them as well. If not, individual agreements would have to be made if Nessus wants to bring them into v3.

      --
      Roses are #FF0000, violets are #0000FF, all my base are belong to you
  8. Re:GPL resistance? by rxmd · · Score: 2, Insightful

    And the first one is almost irrelevant. Who cares if nobody contributes to your OSS project?

    I guess the project developer certainly does.

    But the GPL says nothing about somebody taking an OSS product, incorporating it into a different (preferably better) OSS product, and thus obsoleting the original OSS product.

    If I understand correctly, the competition wasn't exactly from competing OSS projects, rather from companies providing services around the system that he built. In effect, he had a hard time competing with them, because he had to develop the software, while his competitors in the service arena just used the software he developed. As far as I can see, this is a perfectly legitimate point.

    The Nessus guy just doesn't believe in the OSS model, it's that simple.

    You could also put it that way: he tried the "OSS model", it cost him while providing zero benefit, so he drops it again.

    Open source really should be a two-way street. If the community only takes your work to profit from it and provides very little in return, there's no incentive for a developer to do open-source work.

    --
    As a state gets corrupt, its laws multiply; the most corrupt states have the most numerous laws. (Tacitus, Annales 3:27)
  9. Re:GPL resistance? by Master+of+Transhuman · · Score: 2, Insightful
    While I agree that OSS should be a two-way street, it doesn't require EVERYBODY using an OSS product to contribute to the project.

    The idea that all users should be developers is nonsense. "Contributors", perhaps - "Here's a feature we'd like you to provide" - but even there, some people may use a product and be perfectly happy with what it does and not need anything else.

    You can't say they can't use it just because they don't contribute to the project. That's just making a contract law substitution for a monopoly - "You can't use this unless we benefit directly." How is that different from the RIAA and MPAA wanting to license every possible meaning of fair use to produce revenue?

    It's normal that humans do this - no human can possibly allow any other human to somehow profit from the first one's actions. It's just not human nature. But it's not rational and it doesn't work to the benefit of the species as a whole, and thus it doesn't work to the benefit of most individuals, due to the economic effects.

    As for people developing services around the product that compete with the developer's own services, this is, as I pointed out, irrelevant to the OSS model. It's the BUSINESS model that matters here, not the development model. So he closes the source? So what? Just because he speeds up Nessus by a factor of five, does he think no one else will? If somebody forks version 2 and speeds it up by 5, his competitors can use that version to continue to compete with him. It's totally irrelevant whether the source is closed or not in that regard.

    The OSS model did NOT "cost him" - his business model - or lack of one - is what cost him.

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  10. Re:This only goes to show... by redmoss · · Score: 2, Insightful

    If there are Nessus tests that can cause a service or OS to crash, then that service or OS has an urgent security vulnerability that needs to be fixed. I wonder whether these vulnerabilities have been posted to Bugtraq and the like? Or maybe they are widely known, but the companies who produce the vulnerable product never fix it?

  11. Re:GPL resistance? by LurkerXXX · · Score: 2, Insightful

    So he closes the source? So what? Just because he speeds up Nessus by a factor of five, does he think no one else will? If somebody forks version 2 and speeds it up by 5, his competitors can use that version to continue to compete with him. It's totally irrelevant whether the source is closed or not in that regard.

    It certainly is relevant. Now his competitors have to put in the effort to try to figure out how to speed it up by 5 and spend a LOT of their time coding. That puts it on a much more even level than him doing all the work for them.

    OSS *IS* the problem with his previous business model.