Re: Nessus - open or closed source?

From: Javier Fernandez-Sanguino (jfernandez@germinus.com)
Date: Thu Nov 10 2005 - 04:25:16 EST


Justin.Ross@signalsolutionsinc.com wrote:

> Ever hit send and wish you could pull it back?
>
> "Open source software takes several forms:
> 1. A utility that has publicly available source code is acceptable.
> 2. A commercial product that incorporates open source software is
> acceptable because the commercial vendor provides a warranty.
> 3. Vendor-supported open source software is acceptable.
> 4. A utility that comes compiled and has no warranty is not acceptable.
>
> Number 4 is a real issue for Nessus (not for Newt obviously). "
>
> I meant issues 3/4. Nessus is not vendor supported, nor does it come
> with a warranty.

I'm really surprised you say this:

- as for 4, go check out ftp://ftp.nessus.org/pub/nessus/ and see for
yourself: Nessus/Tenable distributes _sources_, not _binaries_. Only
*some* Linux or BSD distributions ship binaries of Nessus and, when
they do so, they ship both the sources and the changes they've made to
the sources, as required by the GPL license Nessus is distributed
under. For example, Debian "ships" Nessus on all mirrors worldwide
like this:
ftp://ftp.debian.org/debian/pool/main/n/nessus-core/
ftp://ftp.debian.org/debian/pool/main/n/nessus-libraries/
ftp://ftp.debian.org/debian/pool/main/n/nessus-plugins/
ftp://ftp.debian.org/debian/pool/main/libn/libnasl/
[ you'll see many binary packages there, for many different processor
architectures, and they are distributed alongside the original sources
(orig.tar.gz files) and Debian patches (diff.gz files)]

- as for 3, I really doubt that if Tenable was approached by a
government agency and asked for "vendor support" for Nessus they would
gladly give it out, for a fee. Actually, Tenable will provide an
agency, for a fee, with "Nessus-in-an-appliance boxes", a.k.a. the
Lightning Console, for which they provide full support:
http://www.tenablesecurity.com/products/lightning.shtml

Conclusion: 4 does *not* apply to Nessus from my PoV:

- 1 does, if you are using the Nessus version shipped by any Linux/BSD
distribution out there, or
- 2 does, if you go out and buy the Lightning Console appliance, and
- 3 does, because the vendor can provide you with support for the OSS
they distribute.

IMHO Nessus clearly applies here and I fail to see how anyone would
say that 4 is an issue for Nessus.

Regards

Javier

PS: Notice, however, that point 4 *will* apply to Nessus v3
(binary-only, no sources), which Tenable has said they will ship in the
future.
