Slashdot Mirror

← Back to Stories (view on slashdot.org)

Nessus 3.0 discussed

Posted by ScuttleMonkey on from the profits-and-the-bottom-line dept.

An anonymous reader writes "Nessus is one of the world's most popular (open source) vulnerability scanners, used in over 75,000 organizations world-wide. Many of the world's largest organizations are realizing significant cost savings by using Nessus to audit business-critical enterprise devices and applications. With the recent news of going closed source Ron Gula took a few minutes to talk to SecurityFocus. From the article: 'I speak to a lot of different open source project managers and they say similar stuff -- it's mostly free users and not really code contributors.' What would happen now? Nessus 3 will provide an average 5x speed improvement compared to the old, but open source, 2.x version, and a lot of new features."

12 of 131 comments (clear)

  1. GPL resistance? by dada21 · · Score: 3, Interesting

    What is the primarily reason that corporate policy precludes using GPL'd software? I thought the friction was reduced in the most recent GPL version. Is this being addressed in the next GPL?

    I know some consider it broke, but Nessus is fairly popular, and the GPL resistance seems a key reason for going closed source.

    1. Re:GPL resistance? by Master+of+Transhuman · · Score: 3, Interesting

      "there has been almost zero code contributed to Nessus, and that by providing its source, they were helping a lot of companies that could be classified as their competitors"

      First, the two points are independent.

      And the first one is almost irrelevant. Who cares if nobody contributes to your OSS project? That's irrelevant to anything. Naturally, due to the nature of the concept of OSS, it would be BETTER if a community of developers appears and supports the project - that's the advantage of OSS over proprietary. But it's not a requirement per se. In fact, however, it usually indicates that there is a REASON for this - which might be how the project is run, the technical difficulty of the project, the niche market for the project, or any number of things - some of which might be solvable, some may not.

      The second point is just a refutation of the concept of OSS: instead of trying to make money from support or other business models using OSS, just dump the concept and go back to being proprietary. It's NOT A REASON, it's a CHOICE!

      And again, it goes back to the what and how of the project. Does Linus complain that Sun uses Linux while producing OpenSolaris - arguably a "competitor"? Granted, Linus doesn't view himself as a "competitor" in business against Sun - he's simply a developer who wants to advance the state of the art in OS building.

      The problem is, the Nessus guy does view himself as a competitor in a closed market. He wants to use Nessus to produce other security software and sell it. He views everybody else who uses Nessus to produce other security software to sell as "competitors". Well, they are - if that's your business model.

      It's an issue of perception, however, not necessarily reality. It's also an issue of whether you feel you can BE competitive on a level playing field - obviously this guy doesn't.

      That doesn't make his choice the right one - it's just his choice. I think it will cost him in the future.

      Open source doesn't mean you don't have competitors. Every project stands or falls on its merits in the marketplace of ideas. That's why we have something like a thousand Linux distros - most of which are utterly irrelevant to most users and utterly irrelevant to the position of Linux in the marketplace of users.

      And open source as a SOURCE of business models is not different. The question is whether you can develop a business model that allows you to make money - or even get "rich" (whatever "rich" means to you), if you're smart enough - and that's really not relevant to open source as a development model.

      Some people deride open source as a bunch of geeks working for free while somebody else gets rich off their efforts. While this may in fact happen on occasion, it isn't a direct consequence of the OSS development model.
      The only place where it might be an issue is in developing something that can be seized on by a company like Microsoft which ALREADY has an monopoly position due to its closed source model and its business practices and then turned against the OSS developer. The GPL was intended to prevent this by disallowing the incorporation of OSS software into a proprietary product and closing off access to the source.

      But the GPL says nothing about somebody taking an OSS product, incorporating it into a different (preferably better) OSS product, and thus obsoleting the original OSS product. The OSS COMMUNITY says that you SHOULD return value to the original OSS product. But that doesn't always happen, nor should it always happen.

      If you develop an OSS product, and try to make a business out of it, you should be smart enough to assume that other people will take your product and try to develop a business around it as well - and conduct yourself accordingly. If you believe in the OSS model, you can find ways to continue to develop using that model and still compete effectively.

      The Nessus guy just doesn't believe in the OSS model, it's that simple.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    2. Re:GPL resistance? by Tony+Hoyle · · Score: 2, Interesting

      Not really, what he said *is* true.

      If your application links with *any* gpl code it cannot be distributed without making the whole application GPL. That's the reason for corporate policies against using GPL software - the risk is too great.

      'complying with the license afterwards' == 'release your software as GPL'. Not acceptable - and most companies would *prefer* to pay $150,000 per incident than do that.

  2. Seems simple enough... by Anonymous Coward · · Score: 5, Interesting

    You own the project. You can decide whether it's open source or not.

    However, some questions:

    1. Can someone more familiar with the licensing process elaborate on the pandora's box here?

    Imagine that you are a code contributor who in **good faith** contributed a patch or entire modules under the assumption that such contributions were going to be under that open source license. Now that the company pulls the source and closes it down, does that mean they took your work and will use it for their closed source purposes without your consent? Profit from it? Can you revoke their access to it? I can't imagine that such licenses have a statement of what happens to the code once it leaves your hands and goes into the archive... Imagine: "All your work becomes property of our CVS tree and cannot be returned if the tree becomes closed."

    2. Why wouldn't they just keep the CVS tree accessible by main developers and give only those important people commit access?

    Like pretty much any large project (*BSD, Linux kernel) does? Yep, I know -- they make it so those without such access cannot check out code just to see if they want to be part of the project in the first place. But could they be convinced if enough people show interest? I guess that's the problem -- too many users, not enough developers or users with enough motivation/ability to make useful changes and additions.

    3. How long until we see OpenNessus or (insert clever derivative name here)?

    Just like other projects with licensing/source/philosophical issues - make a fork of the last available code and try to go their own way. Just like OpenBSD from NetBSD, IPCOP from Smoothwall, etc. etc.

    Just curious.

    1. Re:Seems simple enough... by eht · · Score: 2, Interesting

      1. Many open source projects require you to transfer copyright of any submitted code to them, not to sublicense it to them under your choice of code.

      MySQL for example will license you their source in either GPL or non-GPL varieties so that you can incorporate it into your software to resell and not provide a license, they can dual license because they own all the code, they could not dual license if someone had submitted code under the GPL to them.

      They also seem to have not had very many people contribute back to them.

      2. They can't close up the GPL'd source any more than you can because they've already released it, but now future improvements won't be released to the public.

      3. In about as long as it takes for someone to register a domain and post the code. Whether or not it will be developed much is really the question.

      One of the problems the Nessus team faced is that they would sell support, but because the project is open source and available to anyone, anyone else could also sell support, or make their own improvements and rent out "Nessus servers", this is one of the holes hoped to be "closed" by the next version of the GPL, but we'll see.

  3. This only goes to show... by TechnoGuyRob · · Score: 4, Interesting

    ...that as technology grows more and more sophisticated, companies will start outsourcing more and more. It used to be affordable to hire a guy or two as permanent company staff to manage your website or network servers. But now you need to ask an entire different company to provide you the services necessary for network administration.

    Hopefully, Nessus 3 will also solve some of the problems Nessus has been having. According to Wikipedia, "some of Nessus's vulnerability tests can cause vulnerable services or operating systems to crash." For those who are wondering, Nessus scans vulnerabilities mostly on the application and network layer. Usually it port scans open ports for vulnerabilities, and looks for various network problems such as computers on promiscuous mode, etc.

    For any of you network admins out there, a friend of mine has a medium business LAN and has been using Nessus, and it's working very smoothly for him; however, I recommend looking more into it before making any quick decisions based on Slashdot articles.

  4. even though it's still free by know1 · · Score: 2, Interesting

    the sad thing about closed source is there is no way to tell what info is being sent back to the manufacturer, a la microsoft.

  5. open source != open source project by penguin-collective · · Score: 5, Interesting

    'I speak to a lot of different open source project managers and they say similar stuff -- it's mostly free users and not really code contributors.'

    If your open source project is popular but you don't manage to attract contributors, the fault is likely with the people managing the open source project: any popular project potentially has hundreds of contributors.

    Just writing software, making it open source, and having it become popular doesn't create an "open source project"--you have to design and manage the project as an open source project. You have to make it easy for people to contribute, organize the code appropriately, be nice to potential contributors, and give people an incentive to contribute.

    (Just one data point: last I looked at Nessus, it didn't look like a good foundation to build on for our needs.)

  6. So Here's The Deal by Effugas · · Score: 4, Interesting

    OK, so this is a fairly painful post to make. Ron Gula and Renaud Deraison were the first guys to bring me out for an interview after I graduated from college, and I've been supporting their attempts to manage those who really do just steal Nessus. But, in the interest of intellectual honesty, I've been asking around regarding the closing of the Nessus source.

    First of all, according to multiple sources, apparently the reason why there isn't a significant number of free plugins is because Renaud et al simply don't accept them, or when they do accept them, they substantially rewrite them enough such that a non-free version is what eventually makes it into the source. Now, I don't know this from personal experience -- and Renaud et al are welcome to deny this -- but this preference for suppressing the GPL component of Nessus has been strong enough that contributed free plugins have been suppressed because of overlap with non-free.

    Such behavior does not grow a developer community. Tenable has implied that there's alot of leeches out there, and while indeed they have to suffer the most pernicious of parasites (companies that just rebrand their code!), there's good evidence that says the reason they don't get much code from the community is that they supposedly refuse what they do get.

    I wouldn't speak up on this, but I have to balance my continuing appreciation for Renaud et al's work (which, mind you, still has a very nice license for our needs) against the need to stem accusations that nobody ever tried to give back to Nessus. People have tried.

  7. There is a fork by timbrown · · Score: 3, Interesting

    Speaking as one of the folks behind the OpenVAS (www.openvas.org) fork, there are plenty of people interested in maintaining an open source alternative. Interestingly many of these people have attempted to work with Tenable in the past and have had their contributions ignored. IMO Tenable didn't understand how they could make money off the Nessus project without closing the source.

    As a side point, it would be interesting to understand how Tenable have dealt with contributions that they did accept for version 2 - have they been removed completely from version3?

    --
    Tim Brown
  8. Re:Wrong by Yaztromo · · Score: 4, Interesting

    But even one segment of code from an outside author, released to them under GPL, would require the release of their SW's source under the included code's GPL.

    The simple solution to which is simply to remove the contributed code completely, and independently re-implement its functionality (if having that functionality is desired and/or necessary).

    I had to do something similar (but for a release in the opposite direction -- from closed source to OSS) for the jSyncManager Project. The version 1.0 series was coded entirely by myself, and was only ever released as closed source software (albeit as 100% free-as-in-beer software via the web; I completed v1.0 of this project as a thesis project, and felt that getting outside help by allowing others to inspect and comment on the code might have been considered "cheating" by some). A few weeks after v1.0 was released, I was hired by IBM Canada as a software developer.

    The problem then became that nasty contract provision you have to sign when you join a company like IBM: the "what's yours is ours, and what's ours is ours" agreement, which basically states that anything you develop while employed by the company, even if it is completely on your own time and uses nothing learned from your employment at the company, belongs to the company. Fortunately, I was able to list existing technologies I had developed prior to joining IBM on said contract -- they were exempt so long as I stopped working on them while employed by the company.

    There was, however, significant interest in the technology within IBM, and an IBM branded version called "ManplatoSync for Java" eventually made its way to IBM's alphaWorks website. It included a significant rewrite of the GUI code, along with some new functionality, parts of which were contributed by other IBM employees. The intention was always to release the sources under the IBM Public License -- but the legal eagles who had continuing discussions (which I wasn't part of), and kept holding off on a source release (the whole discussion of which apparantly died once I was released from the company).

    When I was later let go from the company, and free from their restrictions as to what I could and couldn't work on, I decided I wanted to release the jSyncManager as Open Source Software. But I couldn't just take ManplatoSync for Java and re-brand it back to the jSyncManager -- it was encumbered with IBM copyrights. I couldn't even retain functionality since jSyncManager v1.0 which I myself had written in those intervening 2.5 years, because it too was considered IBM property (nevermind the fact that I wrote it and didn't get paid one single red cent by IBM for any of it. Indeed, when I was later invited to speak on the technology at various conferences, the company forced me to use my own vacation time to do so).

    At that point, I had two choices: give up and find something else to work on, or suck it up and go back to the pre-IBM sources and work from there. And that's what in the end I decided to do: I took my pre-IBM sources, made them Open Source, and then worked my ass off to re-implement all of the lost functionality (along with a lot of functionality that the IBM releases never had, like USB device support and network data synchronization), and released it all as GPL/LGPL software.

    The Nessus team could very well have elected to do something similar -- just strip out any external contributions, and then work from there. The unfortunate thing about going from Openn Source to Closed Source, however, is that contributors are now forced to take the teams word for it that they stripped out any such contributions (assuming that they didn't re-assign copyright to the Nessus project when they were submitted -- something I've never asked any of my contributors to do), as you can't look at the source to see if your code is still in it (i

  9. Re:Wrong by Yaztromo · · Score: 2, Interesting
    I'm curious why you released the source under GPL, and whether that worked out as you expected.

    There were a few factors which played in this decision:

    • I was fresh out of work, and needed a project to keep me busy,
    • I didn't want to wind up in a similar situation with my next employer. By releasing the code as GPL/LGPL, and putting it on SourceForge, at least it couldn't be buried in a filing cabinet somewhere, even if I weren't permitted to work on it anymore (and with more and more employers in the computer industry permitting their employees to work on OSS projects on their own time, I was hoping that by being OSS when joining any such company I could potentially continue to work on the project under such a framework),
    • Perhaps most importantly, the project was getting too big for just one person to work on. I needed outside help, but didn't have the money to pay people to work on it. Nor did I think it would be feasible to make it into a commercial product (although corporations are our biggest base of users, the jSyncManager is a tool that only a small fraction of a percentage of corporations have a need for, so finding customers would have been extremely difficult and expensive. The corporations which use the jSyncManager are spread all around the globe, with the majority of them overseas. Being Open Source made it easy for them to find us and try out our code with no layout of funding from me -- under the closed source model I would have had to spend a pile of money on all sorts of advertising just to find these customers in the first place)

    How has it worked out for me? As with anything, there have been upsides and downsides. On the upside, in the end I have made some money from the project, through being hired as a developer and consultant in implementing it for a medical data system. I'm not making anywhere near what I did as a developer at IBM, but it's sufficient to live off. It's also allowed me to make some contacts and open some doors -- it's quite easy for me to show an organization my experiences in managing a diverse, dispersed team developing a fairly large project, and they can also see the overall project (and code) quality.

    On the down side, I know what it's like for a project to have more users than contributors. I'm still the largest contributor to the project, and do the vast majority of the work (although this itself has increased and decreased over time -- some contributors come and go, while others have become too busy with their professional lives to contribute on a regular basis, but still follow the project). External contributions are very rare (but are greatly appreciated whenever they are given!). I can pretty much always use more help -- as it is right now, I do the vast majority of coding, administration, technical support, releases, and documentation. And as I do have responsibilities outside the jSyncManager Project, this often means that development appears to be very slow (it has been more than 2 years now since our last "final" release, although we have had a number of alpha and beta releases since that time (part of the delay being due to some time I served in the Navy and was unable to do any development)).

    It also doesn't completely help that the very devices they project is designed to communicate with (PalmOS based handhelds) have been seeing a diminishing market share. It's always easier to find contributors and users when your target audience is increasing, rather than when it is decreasing (although a decreasing share can have an interesting bubble-effect, as those who are still embracing such a technology look for groups they can partner with for a reliable, medium-to-long term solution. Open Source is very attractive in this area, as you never know when a commercial, closed source partner might go out of business, or stop offering the product or support your organization needs).

    So, as with anything, you have to take the good with the bad. My eperiences seem to have tended towards the good, although the benefits aren't always immediately tangible.

    Yaz.