Re: Nessus - open or closed source?

From: crazy frog crazy frog (i.m.crazy.frog@gmail.com)
Date: Tue Nov 08 2005 - 01:51:23 EST


Not related to Nessus, but a general trend in the OSS world is that some
people start a project saying that it is open source, take industry
support, make their product stable, and one day close it down and go
commercial.
Everyone cares for money, that's it; they don't care whether it comes from
open source or closed source. People earn lots of money
using OSS.
So just wait and let's see in the next few years how many open source
applications go commercial.

--
ting ding ting ding ting ding
ting ding ting ding ding
bam bam
i m crazy frog :)
"oh yeah oh yeah...
 another wannabe, in hackerland!!!"
On 11/8/05, Justin Ferguson <jnferguson@gmail.com> wrote:
> While I cannot state who I work for due to security reasons, I just
> want to say that this is a perfect example of the difference between
> 'theory' and 'reality'. In reality, OSS/FS is all over the government,
> whether it be Nessus or others. I can vouch for this from experience,
> and while I personally think Nessus is trash, I will state that we
> have it deployed in many environments, along with Snort and other
> OSS software.
>
> Best Regards,
>
> Justin Ferguson
>
> On 11/7/05, Justin.Ross@signalsolutionsinc.com
> <Justin.Ross@signalsolutionsinc.com> wrote:
> > You said: "This is absolute nonsense.  Many government agencies and
> > private enterprises with clued IT security folks already use Nessus and
> > have for quite some time."
> >
> > I'm not going to defend Tenable or Nessus, but to call that statement
> > "nonsense" is inaccurate in light of DoD Instruction 8500.2, Information
> > Assurance (IA) Implementation, dated February 6, 2003.
> >
> > "Binary or machine executable public domain software products and other
> > software products with limited or no warranty such as those commonly known
> > as freeware or shareware are not used in DoD information systems unless
> > they are necessary for mission accomplishment and there are no alternative
> > IT solutions available. Such products are assessed for information
> > assurance impacts, and approved for use by the
> > DAA. The assessment addresses the fact that such software products are
> > difficult or impossible to review, repair, or extend, given that the
> > Government does not have access to the original source code and there is
> > no owner who could make such repairs on behalf of the Government."
> >
> > That's the instruction right there. Do certain government agencies use
> > Nessus? Perhaps. Would a DAA (designated approval authority) in any
> > location be justified in removing it? Yes, absolutely.  Are there
> > alternative IT solutions to Nessus which are not open source? Yes.
> >
> > I guarantee you that any military or defense agency that falls under
> > 8500.2 has had to make justifications for its use, without question, or
> > they will as soon as their accreditation expires (if they use Nessus).
> >
> > While I can't go into any details, I can say I have seen Nessus not get
> > chosen because of this requirement. If we are talking small government
> > agencies, like city/state... yeah, well, big deal; I've never witnessed a
> > state or local government agency willing to spend millions of dollars on a
> > vulnerability scanner. You can be sure the feds have spent a fortune on
> > vuln scanner licenses, and that Nessus has missed out on most of it.
> >
> > States/cities typically have far fewer resources, and generally throw
> > everything they can into firewalls/IDS, then use free or open source
> > software, but it's an apples to oranges comparison with the fed.
> >
> > I personally don't understand why Newt and Nessus can't be separate, nor
> > why Nessus has to go closed source. Isn't that what Newt was for?
> > Regardless, I wouldn't say that comment was "nonsense"; in some circles
> > (DoD) it makes perfect cents... and dollars...
> >
> > Justin Ross
> > MCP+I, MCSE, CCNA, CCSA, CCSE, CISSP
> > Senior Network Security Engineer
> > Signal Solutions Inc.    -   http://www.signalcorp.com
> > Email: Justin.Ross-at-signalsolutionsinc.com
> >
> > "Jay D. Dyson" <jdyson@treachery.net>
> > 11/04/2005 09:03 AM
> >
> > To: Penetration Testers <pen-test@securityfocus.com>
> > cc:
> > Subject: Re: Nessus - open or closed source?
> >
> > On Fri, 4 Nov 2005, brandon.steili@gmail.com wrote:
> >
> > > Sounds about right. Here's a link:
> > > http://www.networkworld.com/news/2005/101305-nessus.html
> >
> > Quoting from the article:
> >
> >                  "We want to bring Nessus to a larger audience, so
> >                  Nessus 3.0 is going to be closed source, Gula said.
> >                  If it's not open source, a lot of government agencies
> >                  and enterprises can use it, where before they wouldn't."
> >
> > This is absolute nonsense.  Many government agencies and private
> > enterprises with clued IT security folks already use Nessus and have for
> > quite some time.  In this move, all Tenable has ultimately done is pervert
> > Nessus into a latter-day ISS clone.
> >
> > This shift toward commercialized closed-source silliness renders
> > any use of Nessus untenable* in my book.  I will no more recommend its
> > future use than I would ISS.
> >
> > -Jay
> >
> > * - No pun intended.
> >
> >     (    (                                                       _______
> >     ))   ))  .-"There's always time for a good cup of coffee."-. >====<--.
> >   C|~~|C|~~| \------ Jay D. Dyson - jdyson@treachery.net ------/ |    =|-'
> >    `--' `--'  `------ Security through obscurity isn't. ------'  `------'
> >
> > ------------------------------------------------------------------------------
> > Audit your website security with Acunetix Web Vulnerability Scanner:
> >
> > Hackers are concentrating their efforts on attacking applications on your
> > website. Up to 75% of cyber attacks are launched on shopping carts, forms,
> >
> > login pages, dynamic content etc. Firewalls, SSL and locked-down servers
> > are
> > futile against web application hacking. Check your website for
> > vulnerabilities
> > to SQL injection, Cross site scripting and other web attacks before
> > hackers do!
> > Download Trial at:
> >
> > http://www.securityfocus.com/sponsor/pen-test_050831
> > -------------------------------------------------------------------------------

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:08 EDT