Mailing List Archive

The future of Nessus [Re: What's up with Tenable Security?]
On Mon, Jan 06, 2003 at 09:16:09AM -0700, William Smith wrote:
>
> So what does this mean for the nessus community? Any chance that there
> will be a "Nessus Pro" fork or something like that, like Tripwire and
> Sendmail? Or does Tenable Security plan on following a Redhat model and
> keeping everything free?

I'm glad you're asking, I was about to announce that officially.

As some of you have noticed, Ron Gula (the original author of the Dragon
IDS) and I founded Tenable Network Security (www.tenablesecurity.com).

The purpose of TNS is to sell distributed vulnerability assessment products that
scale very well, both in terms of speed (i.e., all the class Bs can be
scanned overnight) and in terms of use of the reports (i.e., all the
multiple security teams actually do something with the reports, the
CIO sees that work is underway, the teams can share tips and help on how
they solved a given vulnerability). For more details, see our white
papers on our web site.

At the heart of our product, we use Nessus, while keeping it fully GPLed
(we _don't_ have a private CVS tree for Nessus nor top-secret patches) -
we work on different products which happen to use Nessus. As a proof of
good faith, you may have seen the result of all the optimization of the
code that is being done - the plugins in Nessus 1.2.7 are way faster,
NASL2 is available via CVS today (cvs -z3 co -rNASL2 libnasl). I also
set up http://bugs.nessus.org/ to better keep track of what's wrong and
in the end provide everyone with software of higher quality, so
there's full transparency (I'm not leaving bugs in on purpose so that
people buy a "special" Nessus from TNS). [If you want to BETA test it for
free, feel free to contact rgula@tenablesecurity.com]

While we will continue to maintain Nessus and publish it under the
GPL, we do not plan to do the same with the rest of our products.
Those among you who know me personally know that I'm not an open-source
zealot at all - OpenSource is a medium of distribution with multiple
pros and cons, proprietary software is just another way. I also do not
think it would make much sense to give away a distributed version of
Nessus for anyone to take - if you're in charge of a big network, you
probably have a budget for security.

How will this affect the Nessus community? Well, if you're a hardcore
Nessus user, nothing changes for you, except that you now know that I
will continue to lead its development for some time. If you use Nessus
routinely but want it to be distributed, there's now a product out there
to help you do that.

I'm really excited about TNS, and I sincerely think that the company will
be seen by the Nessus community as the nice sponsor behind the free
scanner. I saw what happened with a couple of free projects which went
semi-commercial and the dismay of the associated communities, and I
really want to avoid that. I've suffered from those, I won't inflict
that on anyone.

I'll shortly move to the US (and become a cowboy), I hope I'll meet
happy Nessus users over there,

-- Renaud