Re: Nessus - open or closed source?

From: Justin Ferguson (jnferguson_at_gmail.com)
Date: 11/08/05

  • Next message: crazy frog crazy frog: "Re: Nessus - open or closed source?"
    Date: Mon, 7 Nov 2005 19:52:04 -0800
    To: "Justin.Ross@signalsolutionsinc.com" <Justin.Ross@signalsolutionsinc.com>
    
    

    While I cannot state who I work for due to security reasons, I just
    want to say that this is a perfect example of the difference between
    'theory' and 'reality'. In reality, OSS/FS is all over the government,
    whether it be nessus or others. I can vouch for this from experience,
    and while I personally think nessus is trash, I will state that we
    have it deployed in many environments, along with snort and other
    OSS software.

    Best Regards,

    Justin Ferguson

    On 11/7/05, Justin.Ross@signalsolutionsinc.com
    <Justin.Ross@signalsolutionsinc.com> wrote:
    > You said: "This is absolute nonsense. Many government agencies and
    > private enterprises with clued IT security folks already use Nessus and
    > have for quite some time."
    >
    > I'm not going to defend Tenable or Nessus, but to call that statement
    > "nonsense" is inaccurate in light of DoD Instruction 8500.2, Information
    > Assurance (IA) Implementation, dated February 6, 2003.
    >
    > "Binary or machine executable public domain software products and other
    > software products with limited or no warranty such as those commonly known
    > as freeware or shareware are not used in DoD information systems unless
    > they are necessary for mission accomplishment and there are no alternative
    > IT solutions available. Such products are assessed for information
    > assurance impacts, and approved for use by the DAA. The assessment
    > addresses the fact that such software products are
    > difficult or impossible to review, repair, or extend, given that the
    > Government does not have access to the original source code and there is
    > no owner who could make such repairs on behalf of the Government."
    >
    > That's the instruction right there. Do certain government agencies use
    > Nessus? Perhaps, would a DAA (designated approval authority) in any
    > location be justified in removing it? Yes absolutely. Are there
    > alternative IT solutions to Nessus which are not open source? Yes.
    >
    > I guarantee you that any military or defense agency that falls under
    > 8500.2 has had to make justifications for its use, without question, or
    > they will as soon as their accreditation expires (if they use Nessus).
    >
    > While I can't go into any details I can say I have seen Nessus not get
    > chosen, because of this requirement. If we are talking small government
    > agencies, like city/state... yea well big deal, I've never witnessed a
    > state or local government agency willing to spend millions of dollars on a
    > vulnerability scanner. You can be sure the feds have spent a fortune on
    > vuln scanner licenses, and that Nessus has missed out on most of it.
    >
    > States/cities typically have far less resources, and generally throw
    > everything they can into firewalls/IDS, then use free or Open source
    > software- but it's an apples to oranges comparison with the fed.
    >
    > I personally don't understand why Newt and Nessus can't be separate; nor
    > why Nessus has to go closed source. Isn't that what newt was for?
    > Regardless, I wouldn't say that comment was "nonsense" in some circles
    > (DOD) it makes perfect cents... and dollars...
    >
    > Justin Ross
    > MCP+I, MCSE, CCNA, CCSA, CCSE, CISSP
    > Senior Network Security Engineer
    > Signal Solutions Inc. - http://www.signalcorp.com
    > Email: Justin.Ross-at-signalsolutionsinc.com
    >
    >
    > "Jay D. Dyson" <jdyson@treachery.net>
    > 11/04/2005 09:03 AM
    >
    > To: Penetration Testers <pen-test@securityfocus.com>
    > cc:
    > Subject: Re: Nessus - open or closed source?
    >
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > On Fri, 4 Nov 2005, brandon.steili@gmail.com wrote:
    >
    > > Sounds about right. Here's a link:
    > > http://www.networkworld.com/news/2005/101305-nessus.html
    >
    > Quoting from the article:
    >
    > "We want to bring Nessus to a larger audience, so
    > Nessus 3.0 is going to be closed source, Gula said.
    > If it's not open source, a lot of government agencies
    > and enterprises can use it, where before they wouldn't."
    >
    > This is absolute nonsense. Many government agencies and private
    > enterprises with clued IT security folks already use Nessus and have for
    > quite some time. In this move, all Tenable has ultimately done is pervert
    > Nessus into a latter-day ISS clone.
    >
    > This shift toward commercialized closed-source silliness renders
    > any use of Nessus untenable* in my book. I will no more recommend its
    > future use than I would ISS.
    >
    > - -Jay
    >
    > * - No pun intended.
    >
    > ( ( _______
    > )) )) .-"There's always time for a good cup of coffee."-. >====<--.
    > C|~~|C|~~| \------ Jay D. Dyson - jdyson@treachery.net ------/ | =
    > |-'
    > `--' `--' `------ Security through obscurity isn't. ------' `------'
    >
    > -----BEGIN PGP SIGNATURE-----
    > Version: GnuPG v1.4.2 (TreacherOS)
    > Comment: See http://www.treachery.net/~jdyson/ for current keys.
    >
    > iD8DBQFDa4ZAdHgnXUr6DdMRAnCuAKCKFtUvaEewRbuV/dm6BKRollYlegCgytYK
    > odWcfpRyZ/6ntr0yl7IWntE=
    > =VQpM
    > -----END PGP SIGNATURE-----
    >
    > ------------------------------------------------------------------------------
    > Audit your website security with Acunetix Web Vulnerability Scanner:
    >
    > Hackers are concentrating their efforts on attacking applications on your
    > website. Up to 75% of cyber attacks are launched on shopping carts, forms,
    > login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
    > futile against web application hacking. Check your website for vulnerabilities
    > to SQL injection, Cross site scripting and other web attacks before hackers do!
    > Download Trial at:
    >
    > http://www.securityfocus.com/sponsor/pen-test_050831
    > -------------------------------------------------------------------------------

