[ISN] Nessus security tool closes its source
InfoSec News
isn at c4i.org
Mon Oct 10 00:09:15 EDT 2005
http://news.com.com/Nessus+security+tool+closes+its+source/2100-7344_3-5890093.html
By Renai LeMay
Special to CNET News.com
October 6, 2005
The source code of one of the world's most popular free security tools
will no longer be available to all, its creator has announced, saying
the software's open-source license was fueling competition.
Renaud Deraison, the primary author of the Nessus vulnerability
scanner, broke the news in a message to the software's e-mail list
Wednesday. "Nessus 3 will be available free of charge...but will not
be released under the GPL," or General Public License, Deraison wrote.
Nessus, which Deraison says is used by 75,000 organizations worldwide,
scans networks for vulnerabilities.
The developer, who has been working on the product since at least
1998, said commercial pressures facing Tenable Network Security, the
company he started in 2002 around Nessus, was forcing him to stop
making the software's source code available.
"A number of companies are using the source code against us, by
selling or renting appliances, thus exploiting a loophole in the GPL,"
he wrote in a later e-mail, justifying his decision. "So in that
regard, we have been fueling our competition, and we want to put an
end to that. Nessus 3 contains an improved engine, and we don't want
our competition to claim to have improved 'their' scanner."
The developer also expressed disappointment over the lack of community
participation in developing the software, despite its open-source
license.
"Virtually nobody has ever contributed anything to improve the
scanning engine over the last six years," he wrote, noting that there
had been minor exceptions.
Deraison said the existing version 2 of Nessus would continue to be
available under the GPL license and receive bug fixes and regular
updates. The large library of plug-ins to the software would also
continue to distributed in a way that would allow parties to examine
their source code.
Tenable will also cut down the number of system architectures that
version 3 of Nessus will support, and one core part of Nessus--its
graphical user interface will be split off into a separate,
open-source project, Deraison added.
The developer's decision attracted immediate criticism, notably from
the security expert known only as Fyodor. The programmer is the author
of Nmap, a complementary network-scanning tool to Nessus, which is
widely used among security professionals.
"Tenable argues that this move is necessary to further improve Nessus
and/or make more money. Perhaps so, but the Nmap project has no plans
to follow suit," Fyodor wrote in an e-mail, alerting his software's
user base of the license change. "Nmap has been GPL since its creation
more than eight years ago, and I am happy with that license," he
continued.
Another critic posted concerns to the Nessus mailing list that Tenable
would eventually get tired of supporting the open-source version 2 of
the software and simply forget about it.
He raised the possibility that the community could "fork" version 2 of
the software--that is, start developing a divergent version of Nessus
from the one officially supported by Tenable.
New kid on the block Deraison said version 3 of Nessus would contain
several noteworthy improvements but be broadly backwards-compatible
with version 2. The two will be able to share most of the plug-ins
that are crucial to the software's operation.
"Nessus 3 is much faster than Nessus 2 and less resource-intensive,"
the developer wrote. "Your mileage may vary, but when scanning a local
network, Nessus 3 is, on average, twice as fast as Nessus 2, with
spikes going as high as five times faster when scanning desktop
Windows systems."
"Nessus 3 also contains a lot of built-in features and checks to debug
crashes and misbehaving plug-ins more easily, and to catch
inconsistencies earlier," he wrote.
Renai LeMay of ZDNet Australia reported from Sydney.
Copyright ©1995-2005 CNET Networks, Inc. All rights reserved.
More information about the ISN
mailing list