Re: Nessus - open or closed source?

From: Justin.Ross@signalsolutionsinc.com
Date: Tue Nov 08 2005 - 16:32:45 EST


Ever hit send and wish you could pull it back?

"Open source software takes several forms:
1. A utility that has publicly available source code is acceptable.
2. A commercial product that incorporates open source software is
acceptable because the commercial vendor provides a warranty.
3. Vendor supported open source software is acceptable.
4. A utility that comes compiled and has no warranty is not acceptable.

Number 4 is a real issue for Nessus (not for Newt obviously). "

I meant issues 3/4. Nessus is not vendor supported, nor does it come with a
warranty.

Justin Ross
MCP+I, MCSE, CCNA, CCSA, CCSE, CCSI, CISSP
Senior Network Security Engineer
Signal Solutions Inc. - http://www.signalcorp.com
Email: Justin.Ross-at-signalsolutionsinc.com

Justin Ross/SIERRA_VISTA/SSI
11/08/2005 02:17 PM

To: "Jay D. Dyson" <jdyson@treachery.net>
cc: pen-test@securityfocus.com
Subject: Re: Nessus - open or closed source?

"And for "not going to defend Tenable or Nessus," you sure as hell went to
a lot of verbiage "not defending" that silliness."

Yeah, I have a bad habit of backing up my statements and commentary with
facts, even if it increases the length of my email. I guess I'll have to
practice by making unsupported and random statements. :)

Having said that, I have no doubt that government agencies (DOE, DOJ, DHS,
etc.), and "perhaps" even the military, use FS/SW/OSS. In regards to the
military, it can use anything provided there is a great need or the DAA
approves it.

The military/DoD is a government agency/entity/department, which could
fall into the "many government agencies" category of your statement.
Considering it is one of, if not the, most-funded and most likely to spend
the greatest amount on InfoSec/IT, in fact probably more so than any other
government agency and five other agencies included with it, I felt it would
be remiss not to mention it. I wasn't putting words into your mouth or
discrediting your statement regarding "many government agencies... use
nessus..."; in fact, I agree with it.

Looking at Ron Gula's quoted statement on Network World: "If it's not
open source, a lot of government agencies and enterprises can use it,
where before they wouldn't."

The DoD has a requirement that affects, and is absolutely related to, what
you call/called "nonsense" and "silliness". That's why I pointed it out.
That's not a defense of Nessus or Tenable, just the facts, which would seem
to support and qualify his statement.

Whether or not a piece of software is FS/SW/OSS is ultimately decided by
the DAA; it doesn't matter what Wikipedia says. But the Desktop
Application STIG clearly states:

Open source software takes several forms:
1. A utility that has publicly available source code is acceptable.
2. A commercial product that incorporates open source software is
acceptable because the commercial vendor provides a warranty.
3. Vendor supported open source software is acceptable.
4. A utility that comes compiled and has no warranty is not acceptable.

Number 4 is a real issue for Nessus (not for Newt obviously).

Also the policies/guidelines all contain a certain amount of "grey space"
even in definitions, so as not to paint the government into a corner when
they really feel they need something. I agree personally that Open Source
Nessus could/would be approved by a majority of the DAAs, but as of now,
where the DoD (including Army, Navy, Air Force, Marines, DISA, etc.) is
concerned it has to be justified with detailed mitigation strategies, etc.
during the accreditation/approval process.

Going closed source wouldn't seem to hurt them from a competitive
commercial aspect, but whether that will result in more sales/profits,
I'll defer to the analysts, financial forecasters, and astrologers.

Justin Ross
MCP+I, MCSE, CCNA, CCSA, CCSE, CISSP
Senior Network Security Engineer
Signal Solutions Inc. - http://www.signalcorp.com
Email: Justin.Ross-at-signalsolutionsinc.com

"Jay D. Dyson" <jdyson@treachery.net>
11/07/2005 06:08 PM

To: Justin Ross/SIERRA_VISTA/SSI@Signal_Solutions
cc: pen-test@securityfocus.com
Subject: Re: Nessus - open or closed source?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 7 Nov 2005, Justin.Ross@signalsolutionsinc.com wrote:

> I'm not going to defend Tenable or Nessus, but to call that statement
> "nonsense" is inaccurate in light of DoD Instruction 8500.2, Information
> Assurance (IA) Implementation, dated February 6, 2003.

Not all government agencies are DoD. And I was not speaking of, nor did I
reference, ANY military or defense agency when I made that remark. I
stated, and I quote, "Many government agencies" and I stand by that remark.

And for "not going to defend Tenable or Nessus," you sure as hell went to
a lot of verbiage "not defending" that silliness.

- -Jay

    ( ( _______
    )) )) .-"There's always time for a good cup of coffee."-. >====<--.
  C|~~|C|~~| \------ Jay D. Dyson - jdyson@treachery.net ------/ | =
|-'
   `--' `--' `------ Security through obscurity isn't. ------' `------'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQFDb/p7dHgnXUr6DdMRAo8kAJ9ajBycWMoAS7Bq7PmhbTTpYc0YPACfSsFy
iz48I16qvTqTLRcTDHploIQ=
=rm1Z
-----END PGP SIGNATURE-----



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:09 EDT