Slashdot Mirror


Nessus 3.0 discussed

An anonymous reader writes "Nessus is one of the world's most popular (open source) vulnerability scanners, used in over 75,000 organizations world-wide. Many of the world's largest organizations are realizing significant cost savings by using Nessus to audit business-critical enterprise devices and applications. With the recent news of going closed source Ron Gula took a few minutes to talk to SecurityFocus. From the article: 'I speak to a lot of different open source project managers and they say similar stuff -- it's mostly free users and not really code contributors.' What would happen now? Nessus 3 will provide an average 5x speed improvement compared to the old, but open source, 2.x version, and a lot of new features."

15 of 131 comments

  1. GPL resistance? by dada21 · · Score: 3, Interesting

    What is the primary reason that corporate policy precludes using GPL'd software? I thought the friction was reduced in the most recent GPL version. Is this being addressed in the next GPL?

    I know some consider it broke, but Nessus is fairly popular, and the GPL resistance seems a key reason for going closed source.

    1. Re:GPL resistance? by dada21 · · Score: 3, Insightful

      But are most users incorporating Nessus code or are they using Nessus as a standalone product?

      I'd assume utilizing GPL'd software in a standalone fashion should have no bearing on your output, right?

    2. Re:GPL resistance? by fpu · · Score: 4, Informative

      Fyodor (author of NMAP) posted about Nessus going closed source in the nmap-hackers mailing list some weeks ago. It seems that Tenable's main point is not GPL-resistance from the enterprise customers, but rather the fact that there has been almost zero code contributed to Nessus, and that by providing its source, they were helping a lot of companies that could be classified as their competitors. I, for one, can see their point, even if I am a strong advocate of free software (free as in FSF, not OSF).

      However, as has already been stated, that does not mean this is the end of free Nessus -- it will still be free, except we no longer will be able to look under the hood. Since many of us automate Nessus directly through the command line client and parsing of NBE files, I believe that this will impact even power users very little.

      --
      /usr/games/fortune: command not found
    3. Re:GPL resistance? by Master of Transhuman · · Score: 3, Interesting

      "there has been almost zero code contributed to Nessus, and that by providing its source, they were helping a lot of companies that could be classified as their competitors"

      First, the two points are independent.

      And the first one is almost irrelevant. Who cares if nobody contributes to your OSS project? That's irrelevant to anything. Naturally, due to the nature of the concept of OSS, it would be BETTER if a community of developers appears and supports the project - that's the advantage of OSS over proprietary. But it's not a requirement per se. In fact, however, it usually indicates that there is a REASON for this - which might be how the project is run, the technical difficulty of the project, the niche market for the project, or any number of things - some of which might be solvable, some may not.

      The second point is just a refutation of the concept of OSS: instead of trying to make money from support or other business models using OSS, just dump the concept and go back to being proprietary. It's NOT A REASON, it's a CHOICE!

      And again, it goes back to the what and how of the project. Does Linus complain that Sun uses Linux while producing OpenSolaris - arguably a "competitor"? Granted, Linus doesn't view himself as a "competitor" in business against Sun - he's simply a developer who wants to advance the state of the art in OS building.

      The problem is, the Nessus guy does view himself as a competitor in a closed market. He wants to use Nessus to produce other security software and sell it. He views everybody else who uses Nessus to produce other security software to sell as "competitors". Well, they are - if that's your business model.

      It's an issue of perception, however, not necessarily reality. It's also an issue of whether you feel you can BE competitive on a level playing field - obviously this guy doesn't.

      That doesn't make his choice the right one - it's just his choice. I think it will cost him in the future.

      Open source doesn't mean you don't have competitors. Every project stands or falls on its merits in the marketplace of ideas. That's why we have something like a thousand Linux distros - most of which are utterly irrelevant to most users and utterly irrelevant to the position of Linux in the marketplace of users.

      And open source as a SOURCE of business models is not different. The question is whether you can develop a business model that allows you to make money - or even get "rich" (whatever "rich" means to you), if you're smart enough - and that's really not relevant to open source as a development model.

      Some people deride open source as a bunch of geeks working for free while somebody else gets rich off their efforts. While this may in fact happen on occasion, it isn't a direct consequence of the OSS development model.
      The only place where it might be an issue is in developing something that can be seized on by a company like Microsoft which ALREADY has a monopoly position due to its closed source model and its business practices and then turned against the OSS developer. The GPL was intended to prevent this by disallowing the incorporation of OSS software into a proprietary product and closing off access to the source.

      But the GPL says nothing about somebody taking an OSS product, incorporating it into a different (preferably better) OSS product, and thus obsoleting the original OSS product. The OSS COMMUNITY says that you SHOULD return value to the original OSS product. But that doesn't always happen, nor should it always happen.

      If you develop an OSS product, and try to make a business out of it, you should be smart enough to assume that other people will take your product and try to develop a business around it as well - and conduct yourself accordingly. If you believe in the OSS model, you can find ways to continue to develop using that model and still compete effectively.

      The Nessus guy just doesn't believe in the OSS model, it's that simple.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  2. Hold your horses by xfletch · · Score: 3, Informative
    Before the open source hordes come rampaging it is worth noting that Nessus is still free.

    Nessus 3 will be free of charge for end users or service providers or consultants to do whatever they want with it, except put it into a product or re-brand it as their own software.

    They are looking to make money on their support of the product, which is a well established model.

    1. Re:Hold your horses by Kjella · · Score: 4, Insightful

      They are looking to make money on their support of the product, which is a well established model.

      And fully possible without closing the source. The name can be protected by trademark, and people will rather have the developers supporting it than someone else. Besides, there is no reason to assume it will continue to be free. Basically, it's no longer an OSS project, it's freeware given away by a business. Been there, in general rarely been happy with it. Expect NessusPlus for $$$ soon.

      --
      Live today, because you never know what tomorrow brings
  3. More info links by lampiaio · · Score: 5, Funny

    Wikipedia entry
    Official Website

    sorry, bad karma makes people do this kind of post...
    :(

    --
    My other account has mod points.
  4. Seems simple enough... by Anonymous Coward · · Score: 5, Interesting

    You own the project. You can decide whether it's open source or not.

    However, some questions:

    1. Can someone more familiar with the licensing process elaborate on the Pandora's box here?

    Imagine that you are a code contributor who in **good faith** contributed a patch or entire modules under the assumption that such contributions were going to be under that open source license. Now that the company pulls the source and closes it down, does that mean they took your work and will use it for their closed source purposes without your consent? Profit from it? Can you revoke their access to it? I can't imagine that such licenses have a statement of what happens to the code once it leaves your hands and goes into the archive... Imagine: "All your work becomes property of our CVS tree and cannot be returned if the tree becomes closed."

    2. Why wouldn't they just keep the CVS tree accessible by main developers and give only those important people commit access?

    Like pretty much any large project (*BSD, Linux kernel) does? Yep, I know -- they make it so those without such access cannot check out code just to see if they want to be part of the project in the first place. But could they be convinced if enough people show interest? I guess that's the problem -- too many users, not enough developers or users with enough motivation/ability to make useful changes and additions.

    3. How long until we see OpenNessus or (insert clever derivative name here)?

    Just like other projects with licensing/source/philosophical issues - make a fork of the last available code and try to go their own way. Just like OpenBSD from NetBSD, IPCOP from Smoothwall, etc. etc.

    Just curious.

  5. This only goes to show... by TechnoGuyRob · · Score: 4, Interesting

    ...that as technology grows more and more sophisticated, companies will start outsourcing more and more. It used to be affordable to hire a guy or two as permanent company staff to manage your website or network servers. But now you need to ask an entirely different company to provide you the services necessary for network administration.

    Hopefully, Nessus 3 will also solve some of the problems Nessus has been having. According to Wikipedia, "some of Nessus's vulnerability tests can cause vulnerable services or operating systems to crash." For those who are wondering, Nessus scans vulnerabilities mostly on the application and network layer. Usually it port scans open ports for vulnerabilities, and looks for various network problems such as computers in promiscuous mode, etc.

    For any of you network admins out there, a friend of mine has a medium business LAN and has been using Nessus, and it's working very smoothly for him; however, I recommend looking more into it before making any quick decisions based on Slashdot articles.

  6. End of the day, you don't eat good intentions by xtal · · Score: 5, Insightful

    It's unfortunate it went closed source versus a service-supported model, but in the real world, there's cheques to sign. If one group is doing the efforts and not being compensated, that's the cathedral model, and cathedrals have collection plates. Open source works best when users are developers. That also explains the state of most of the user interfaces on the more complicated projects. (sarcasm, but with a grain of truth)

    Something else I've noticed is open source works well on widgets and shared components and APIs. Once the toolset becomes very focused and vertical in appeal, the model works less well - unless the users are also developers.

    It will be interesting to see how the forked version works.

    Smoothwall has done a good job with their approach. We'll see how it continues in the future.

    --
    ..don't panic
  7. open source != open source project by penguin-collective · · Score: 5, Interesting

    'I speak to a lot of different open source project managers and they say similar stuff -- it's mostly free users and not really code contributors.'

    If your open source project is popular but you don't manage to attract contributors, the fault is likely with the people managing the open source project: any popular project potentially has hundreds of contributors.

    Just writing software, making it open source, and having it become popular doesn't create an "open source project"--you have to design and manage the project as an open source project. You have to make it easy for people to contribute, organize the code appropriately, be nice to potential contributors, and give people an incentive to contribute.

    (Just one data point: last I looked at Nessus, it didn't look like a good foundation to build on for our needs.)

  8. So Here's The Deal by Effugas · · Score: 4, Interesting

    OK, so this is a fairly painful post to make. Ron Gula and Renaud Deraison were the first guys to bring me out for an interview after I graduated from college, and I've been supporting their attempts to manage those who really do just steal Nessus. But, in the interest of intellectual honesty, I've been asking around regarding the closing of the Nessus source.

    First of all, according to multiple sources, apparently the reason why there isn't a significant number of free plugins is because Renaud et al simply don't accept them, or when they do accept them, they substantially rewrite them enough such that a non-free version is what eventually makes it into the source. Now, I don't know this from personal experience -- and Renaud et al are welcome to deny this -- but this preference for suppressing the GPL component of Nessus has been strong enough that contributed free plugins have been suppressed because of overlap with non-free.

    Such behavior does not grow a developer community. Tenable has implied that there's a lot of leeches out there, and while indeed they have to suffer the most pernicious of parasites (companies that just rebrand their code!), there's good evidence that says the reason they don't get much code from the community is that they supposedly refuse what they do get.

    I wouldn't speak up on this, but I have to balance my continuing appreciation for Renaud et al's work (which, mind you, still has a very nice license for our needs) against the need to stem accusations that nobody ever tried to give back to Nessus. People have tried.

  9. What do you mean, "Funny"?? by lampiaio · · Score: 5, Funny

    "Funny" gives me no karma points! Get those informatives moving!

    --
    My other account has mod points.
  10. There is a fork by timbrown · · Score: 3, Interesting

    Speaking as one of the folks behind the OpenVAS (www.openvas.org) fork, there are plenty of people interested in maintaining an open source alternative. Interestingly many of these people have attempted to work with Tenable in the past and have had their contributions ignored. IMO Tenable didn't understand how they could make money off the Nessus project without closing the source.

    As a side point, it would be interesting to understand how Tenable have dealt with contributions that they did accept for version 2 - have they been removed completely from version 3?

    --
    Tim Brown
  11. Re:Wrong by Yaztromo · · Score: 4, Interesting

    But even one segment of code from an outside author, released to them under GPL, would require the release of their SW's source under the included code's GPL.

    The simple solution to which is simply to remove the contributed code completely, and independently re-implement its functionality (if having that functionality is desired and/or necessary).

    I had to do something similar (but for a release in the opposite direction -- from closed source to OSS) for the jSyncManager Project. The version 1.0 series was coded entirely by myself, and was only ever released as closed source software (albeit as 100% free-as-in-beer software via the web; I completed v1.0 of this project as a thesis project, and felt that getting outside help by allowing others to inspect and comment on the code might have been considered "cheating" by some). A few weeks after v1.0 was released, I was hired by IBM Canada as a software developer.

    The problem then became that nasty contract provision you have to sign when you join a company like IBM: the "what's yours is ours, and what's ours is ours" agreement, which basically states that anything you develop while employed by the company, even if it is completely on your own time and uses nothing learned from your employment at the company, belongs to the company. Fortunately, I was able to list existing technologies I had developed prior to joining IBM on said contract -- they were exempt so long as I stopped working on them while employed by the company.

    There was, however, significant interest in the technology within IBM, and an IBM branded version called "ManplatoSync for Java" eventually made its way to IBM's alphaWorks website. It included a significant rewrite of the GUI code, along with some new functionality, parts of which were contributed by other IBM employees. The intention was always to release the sources under the IBM Public License -- but the legal eagles had continuing discussions (which I wasn't part of), and kept holding off on a source release (the whole discussion of which apparently died once I was released from the company).

    When I was later let go from the company, and free from their restrictions as to what I could and couldn't work on, I decided I wanted to release the jSyncManager as Open Source Software. But I couldn't just take ManplatoSync for Java and re-brand it back to the jSyncManager -- it was encumbered with IBM copyrights. I couldn't even retain functionality since jSyncManager v1.0 which I myself had written in those intervening 2.5 years, because it too was considered IBM property (never mind the fact that I wrote it and didn't get paid one single red cent by IBM for any of it. Indeed, when I was later invited to speak on the technology at various conferences, the company forced me to use my own vacation time to do so).

    At that point, I had two choices: give up and find something else to work on, or suck it up and go back to the pre-IBM sources and work from there. And that's what in the end I decided to do: I took my pre-IBM sources, made them Open Source, and then worked my ass off to re-implement all of the lost functionality (along with a lot of functionality that the IBM releases never had, like USB device support and network data synchronization), and released it all as GPL/LGPL software.

    The Nessus team could very well have elected to do something similar -- just strip out any external contributions, and then work from there. The unfortunate thing about going from Open Source to Closed Source, however, is that contributors are now forced to take the team's word for it that they stripped out any such contributions (assuming that they didn't re-assign copyright to the Nessus project when they were submitted -- something I've never asked any of my contributors to do), as you can't look at the source to see if your code is still in it (i