Nessus 3.0 and the trend.

With Nessus 3.0's promising enhancements and updates, one would normally
rush into upgrading. Unfortunately, it is not distributed the way it used to be.
Only specific Linux distributions and FreeBSD 5/6 have been chosen for the
initial binary releases; otherwise only the CVS repository is available. What about
those using Solaris or Windows? Well, they'll have to wait their turn. It
seems Tenable Network Security is following what looks like a scary trend:
open source, tested, used, trusted, mature, then limited support/availability.
With Snort, the community rules are horrible, the registered members'
rules are mediocre, and you need to pay for the VRT certified rules. Red Hat
did the same thing, but instead of completely telling the open source
community to shove it, they released Fedora. Well, how else are they going
to use the open source community as a test bed? It seems the days of free
speech are coming to an end while the days of free beer are gaining
ground. Money makes the world go 'round, but don't tease us geeks with free
stuff. I hope my view and paranoia are entirely wrong and this is just a
figment of my imagination; otherwise the open source community has a one-way ticket to the history books.

  • Matthew Murphy

    Unfortunately, it would seem that you are right.

    When a product like Snort or Nessus achieves such high rates of technology lock-in as both have, it leads to a “money-mining” reaction like what we’ve seen with Nessus 3.0. Once a product becomes well-known for its quality, it is not at all uncommon for firms to charge for that quality.

    That is particularly true for quasi-corporate entities like SourceFire and Tenable, who have different objectives than all-open houses like the Apache Software Foundation, Free Software Foundation, etc.

  • David Cantrell

    What’s the problem with checking it out of CVS and building it yourself?

  • beefdart

    > What’s the problem with checking it out of CVS and building it yourself?

    Because v3 is no longer GPLed… The engine is totally different, and the source is no longer available for the current branch at all…

    You are still more than welcome to run/use/fork the 2.x branch though, as long as you abide by the GPL.

  • jsk

    Let's not over-react here. Renaud did what he had to do with Nessus to prevent OTHER companies from reaping rewards for his work, which they can still do with 2.x.x. There were apparently multiple companies that were loading Nessus into a hardware appliance and selling it as a vulnerability management program.

    Either way, I will never understand why people fault the guy for trying to make money. While all of us security professionals make six figures, the guy that wrote the tool needs to be living on welfare? gimmeafreakinbreak..

  • Steven

    It’s not the business side I’m complaining about, it’s the abuse of the open source community. With our patch and bug submissions, our usage and testing, they make the money? Coding is only 50% of development. Testing and debugging is the other 50%.
    Yes, we get to use the software, but what are we to do when we’re left in the rain because they no longer think we’re necessary? This is a moral stance, not the hatred of closed source and big business.

  • jerry

    How much have you contributed to Nessus, Steven? I know that I’ve been using Nessus for years and I haven’t contributed a thing…well, I think maybe I reported a problem once…not a solution, just the problem.

    I know personally of a number of commercial programs that include Nessus as a part of their vulnerability scanning engine. I guess that’s permissible within the license but it doesn’t seem right. It seems that if somebody is going to resell Renaud’s work, they ought to pay for a license of some kind.

    If Renaud has to give up supporting Nessus because he has to concentrate on feeding his family, we all lose. I have no problem at all with Nessus or Snort or anything else moving to a business model that allows it to maintain the product that has grown to be the number 1 vulnerability scanning program.

  • aviram

    There's no need to repeat discussions that took place elsewhere and can be easily found with Google. Several people that have been actively involved in Nessus development commented on the "the community did not contribute to Nessus" myth.

    Specifically, your question “How much have you contributed to Nessus” can be adequately answered by several people who write in this blog forum, and as far as I know, they all share Steven’s opinion wholeheartedly.

    But in any event, I don’t think Steven tried to open a discussion about whether it was “ok” to close nessus – I believe he was talking about an unfortunate trend that should concern all open source supporters.