[ISN] Nessus 3.0: The End of the Age of Open-Source Innocence?

Tue Dec 27 08:17:04 UTC 2005

http://www.linuxinsider.com/story/N0UXlcbNa4sr09/Nessus-30-The-End-of-the-Age-of-Open-Source-Innocence.xhtml

By Jennifer LeClaire
LinuxInsider 
12/22/05

"Here's the danger we are running into," said Alan Shimel, Chief
Strategy Officer for StillSecure. "People contribute resources to
these communities, whether it be time, money, or code. When they see
everything they give converted for the commercial success of an
individual rather than as a community as a whole, how long do you
think they are going to want to keep giving?"

Nessus, maker of one of the most popular open-source vulnerability
scanner programs available, changed its licensing agreement with the
release of version 3.0.0 on December 12, causing a bit of a stir among
security industry players that rely on the code as a component of
their commercial solutions. The latest version is not available under
the GPL license, but instead will be sold as a commercial product.

The recent licensing changes affect a broad spectrum of users,
including corporations, the open-source community, and even businesses
using services that use Nessus. So what exactly does this mean for
open source?  Is it the end of the age of innocence? What options do
interested parties have going forward?

Wider Implications?

William Hurley, CTO for Qlusters, Inc., a Linux data center operations
management software vendor, told LinuxInsider that the Nessus
announcement provides evidence that projects need community supporters
or they must go elsewhere.

"This announcement primarily affects the security community, and only
to a small extent the open-source movement. Many companies are still
making the transition to an open-source development model," Hurley
said.

"This announcement is testament to the fact that though single
projects like Nessus may need make dramatic shifts in order to secure
a viable future, open source overall is alive and well; continuing to
gather more and more support."

End of Innocence

That's one perspective. Here's another: Alan Shimel, Chief Strategy
Officer for StillSecure, a company that peddles a vulnerability
management platform, told LinuxInsider that the release of Nessus
3.0.0 marks the end of the age of innocence for open-source software.

"Here's the danger we are running into," he said. "People contribute
resources to these communities, whether it be time, money, or code.  
When they see everything they give converted for the commercial
success of an individual rather than as a community as a whole, how
long do you think they are going to want to keep giving?"

Shimel said it is similar to the Google (Nasdaq: GOOG)  discussion.  
Google makes US$60 billion a year, much of which comes from every day
Joes clicking on ads for search words. Shimel believes some in the
open-source community will be left with a bad taste in their mouths in
the wake of Nessus 3.0.0.

Differing Opinions

Not everyone in the software industry agrees with Shimel, of course.  
Scott Testa, COO of Mindbridge Software, a software and Web-based
consulting company, is one who sees the issue differently.

Simply stated, Testa told LinuxInsider that "Open-source software has
been around as long as computers have existed. Open-source software
will always be around. Some will be commercialized, others will remain
open."

Hurley agreed with Testa. Many companies, Hurley said, have already
evaluated some of the problems that relationships like Nessus/Tenable
produce and have chosen a blended open-source strategy in which they
dual-license products.

"Nessus is one of tens of thousands of open-source projects," Hurley
said. "Although very popular in its vertical market, it should not be
used to judge the overall fate of the open-source software movement."

Decisions, Decisions

In any case, Shimel said users are now forced to make a decision, with
three options available: use Nessus v3.0 for free but with a seven-day
delay in updates; pay Tenable fees required to obtain a direct feed
for updates; or transition to a commercial vulnerability management
system.

Regardless of the long-term implications for the open-source
community, the move to Nessus 3.0.0 has short-term implications for
security software vendors and users. What do individuals and
corporations do? Evaluations should be made on a case-by-case basis,
Hurley said.

Some may be ready to upgrade to one of the many commercial options,
others may not be able to justify the cost and will want to evaluate
other options like hosted or outsourcer scanning services.

"In the end, most will probably choose to use Nessus 3.0 for free with
the seven-day delay in updates because it's not intended to be a
real-time defense mechanism," Hurley said. "If Nessus was an IDS or
IPS, like Snort, a seven-day delay in updates would make it virtually
useless. However, this isn't the case with Nessus, and the seven-day
delay will probably be amenable to most users."

Absolutely Unacceptable

But on this point Hurley and Shimel also disagree. Shimel said waiting
up to seven days for an update is not a viable option. In certain
areas, waiting five to seven days for an update is not critical, but
with security, he said, it is paramount.

"If Microsoft (Nasdaq: MSFT)  issues a patch for critical Windows
vulnerability on Patch Tuesday, no one's security policy is going find
waiting until the following week to receive it acceptable," Shimel
said. "So you really have either no choice than to either to pay for
them or develop these on your own."

A Fourth Option

Hurley said there is a fourth option, one he calls the most viable for
most users: migrate to a different open-source vulnerability scanner.

"Nessus is not the only open-source vulnerability scanner available.  
It's simply, up until this point, the most popular," Hurley said. "A
quick search on SourceForge will provide users with several
alternatives to choose from."

This includes new projects, like OpenVas.org, that recently sprung up
in response to the Nessus announcement. These projects have chosen the
option to fork off of the Nessus code base and create viable
alternatives to Nessus, and its plug-ins, that can remain in the
open-source domain.