From: Miller, Joseph A (joseph.miller@eds.com)
Date: Tue Nov 08 2005 - 09:47:26 EST
Justin,
I'm breaking into this thread late in the game. In 'reality' it does not
matter if it is trash or not. Because we all run as many tools as
possible. Does Nessus hit on something that ISS missed, yes sometimes,
does ISS hit something that Nessus missed... Yes sometimes... Doing due
diligence and using all the tools you can find to help in your quest to
perform whatever task you may be performing with these tools, the
presence of the option to use it, and see if it helps is better than
nothing. Even one or two of this happening will make the case for having
more than one assessment tool.
If these tools eventually became less and less efficient then we would
all stop using them, and move on, and a new tool would appear asking for
cash hand over fist per usual, and we buy the latest greatest. However,
I can't imagine liking or disliking a tool that helps cross-check
vulnerability assessments. Perhaps you can only afford so many, but all
> some > none. If you can't afford more than one, then sure that IS a
hard bargain, because you will potentially miss things without the
overlapping of tool checks. If there was one perfect solution, we'd all
use it.
Regards, Drew
-----Original Message-----
From: Justin Ferguson [mailto:jnferguson@gmail.com]
Sent: Monday, November 07, 2005 10:52 PM
To: Justin.Ross@signalsolutionsinc.com
Cc: pen-test@securityfocus.com; Jay D. Dyson
Subject: Re: Nessus - open or closed source?
While I cannot state who I work for due to security reasons, I just want
to say that this is a perfect example of the difference between 'theory'
and 'reality'. In reality, OSS/FS is all over the government, whether it
be nessus or others. I can vouch for this from experience, and while I
personally think nessus is trash, i will state that we have it deployed
in manner environments, along with snort and other OSS software.
Best Regards,
Justin Ferguson
On 11/7/05, Justin.Ross@signalsolutionsinc.com
<Justin.Ross@signalsolutionsinc.com> wrote:
> You said: "This is absolute nonsense. Many government agencies and
> private enterprises with clued IT security folks already use Nessus
> and have for quite some time."
>
> I'm not going to defend Tenable or Nessus, but to call that statement
> "nonsense" is inaccurate in light of DoD Instruction 8500.2,
> Information Assurance (IA) Implementation, dated February 6, 2003.
>
> "Binary or machine executable public domain software products and
> other software products with limited or no warranty such as those
> commonly known as freeware or shareware are not used in DoD
> information systems unless they are necessary for mission
> accomplishment and there are no alternative IT solutions available.
> Such products are assessed for information assurance impacts, and
> approved for use by the DAA. The assessment addresses the fact that
> such software products are difficult or impossible to review, repair,
> or extend, given that the Government does not have access to the
> original source code and there is no owner who could make such repairs
on behalf of the Government."
>
> That's the instruction right there. Do certain government agencies use
> Nessus? Perhaps, would a DAA (designated approval authority) in any
> location be justified in removing it? Yes absolutely. Are there
> alternative IT solutions to Nessus which are not open source? Yes.
>
> I guarantee you that any military or defense agency that falls under
> 8500.2 has had to make justifications for it's use, without question
> or they will as soon as their accreditation expires (if they use
Nessus).
>
> While I can't go into any details I can say I have seen Nessus not get
> chosen, because of this requirement. If we are talking small
> government agencies, like city/state... yea well big deal, I've never
> witnessed a state or local government agency willing to spend millions
> of dollars on a vulnerability scanner, you can be sure the fed's have
> spent a fortune on vuln scanner licenses, and that Nessus has missed
> out on most of it
>
> States/cities typically have far less resources, and generally throw
> everything they can into firewalls/IDS, then use free or Open source
> software- but its an apples to oranges comparison with the fed.1
>
> I personally don't understand why Newt and Nessus can't be separate;
> nor why Nessus has to go closed source. Isn't that what newt was for?
> Regardless, I wouldn't say that comment was "nonsense" in some circles
> (DOD) it makes perfect cents... and dollars...
>
> Justin Ross
> MCP+I, MCSE, CCNA, CCSA, CCSE, CISSP
> Senior Network Security Engineer
> Signal Solutions Inc. - http://www.signalcorp.com
> Email: Justin.Ross-at-signalsolutionsinc.com
>
>
>
>
>
>
>
> "Jay D. Dyson" <jdyson@treachery.net>
> 11/04/2005 09:03 AM
>
> To
> Penetration Testers <pen-test@securityfocus.com> cc
>
> Subject
> Re: Nessus - open or closed source?
>
>
>
>
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Fri, 4 Nov 2005, brandon.steili@gmail.com wrote:
>
> > Sounds about right. Here's a link:
> > http://www.networkworld.com/news/2005/101305-nessus.html
>
> Quoting from the article:
>
> "We want to bring Nessus to a larger audience, so
> Nessus 3.0 is going to be closed source, Gula said.
> If its not open source, a lot of government agencies
> and enterprises can use it, where before they
wouldnt."
>
> This is absolute nonsense. Many government agencies
> and private enterprises with clued IT security folks already use
> Nessus and have for quite some time. In this move, all Tenable has
> ultimately done is pervert
>
> Nessus into a latter-day ISS clone.
>
> This shift toward commercialized closed-source
> silliness renders any use of Nessus untenable* in my book. I will no
> more recommend its future use than I would ISS.
>
> - -Jay
>
> * - No pun intended.
>
> ( (
_______
> )) )) .-"There's always time for a good cup of coffee."-.
>====<--.
> C|~~|C|~~| \------ Jay D. Dyson - jdyson@treachery.net ------/ |
=
> |-'
> `--' `--' `------ Security through obscurity isn't. ------'
`------'
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (TreacherOS)
> Comment: See http://www.treachery.net/~jdyson/ for current keys.
>
> iD8DBQFDa4ZAdHgnXUr6DdMRAnCuAKCKFtUvaEewRbuV/dm6BKRollYlegCgytYK
> odWcfpRyZ/6ntr0yl7IWntE=
> =VQpM
> -----END PGP SIGNATURE-----
>
> ----------------------------------------------------------------------
> -------- Audit your website security with Acunetix Web Vulnerability
> Scanner:
>
> Hackers are concentrating their efforts on attacking applications on
> your website. Up to 75% of cyber attacks are launched on shopping
> carts, forms,
>
> login pages, dynamic content etc. Firewalls, SSL and locked-down
> servers are futile against web application hacking. Check your website
> for vulnerabilities to SQL injection, Cross site scripting and other
> web attacks before hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> ----------------------------------------------------------------------
> ---------
>
>
>
>
> ----------------------------------------------------------------------
> -------- Audit your website security with Acunetix Web Vulnerability
> Scanner:
>
> Hackers are concentrating their efforts on attacking applications on
> your website. Up to 75% of cyber attacks are launched on shopping
> carts, forms, login pages, dynamic content etc. Firewalls, SSL and
> locked-down servers are futile against web application hacking. Check
> your website for vulnerabilities to SQL injection, Cross site
scripting and other web attacks before hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> ----------------------------------------------------------------------
> ---------
>
>
------------------------------------------------------------------------
------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on
your website. Up to 75% of cyber attacks are launched on shopping carts,
forms, login pages, dynamic content etc. Firewalls, SSL and locked-down
servers are futile against web application hacking. Check your website
for vulnerabilities to SQL injection, Cross site scripting and other web
attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
------------------------------------------------------------------------
-------
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:09 EDT