From: Justin Ferguson (jnferguson@gmail.com)
Date: Mon Nov 07 2005 - 22:52:04 EST
While I cannot state who I work for due to security reasons, I just
want to say that this is a perfect example of the difference between
'theory' and 'reality'. In reality, OSS/FS is all over the government,
whether it be nessus or others. I can vouch for this from experience,
and while I personally think nessus is trash, i will state that we
have it deployed in manner environments, along with snort and other
OSS software.
Best Regards,
Justin Ferguson
On 11/7/05, Justin.Ross@signalsolutionsinc.com
<Justin.Ross@signalsolutionsinc.com> wrote:
> You said: "This is absolute nonsense. Many government agencies and
> private enterprises with clued IT security folks already use Nessus and
> have for quite some time."
>
> I'm not going to defend Tenable or Nessus, but to call that statement
> "nonsense" is inaccurate in light of DoD Instruction 8500.2, Information
> Assurance (IA) Implementation, dated February 6, 2003.
>
> "Binary or machine executable public domain software products and other
> software products with limited or no warranty such as those commonly known
> as freeware or shareware are not used in DoD information systems unless
> they are necessary for mission accomplishment and there are no alternative
> IT solutions available. Such products are assessed for information
> assurance impacts, and approved for use by the
> DAA. The assessment addresses the fact that such software products are
> difficult or impossible to review, repair, or extend, given that the
> Government does not have access to the original source code and there is
> no owner who could make such repairs on behalf of the Government."
>
> That's the instruction right there. Do certain government agencies use
> Nessus? Perhaps, would a DAA (designated approval authority) in any
> location be justified in removing it? Yes absolutely. Are there
> alternative IT solutions to Nessus which are not open source? Yes.
>
> I guarantee you that any military or defense agency that falls under
> 8500.2 has had to make justifications for it's use, without question or
> they will as soon as their accreditation expires (if they use Nessus).
>
> While I can't go into any details I can say I have seen Nessus not get
> chosen, because of this requirement. If we are talking small government
> agencies, like city/state... yea well big deal, I've never witnessed a
> state or local government agency willing to spend millions of dollars on a
> vulnerability scanner, you can be sure the fed's have spent a fortune on
> vuln scanner licenses, and that Nessus has missed out on most of it
>
> States/cities typically have far less resources, and generally throw
> everything they can into firewalls/IDS, then use free or Open source
> software- but its an apples to oranges comparison with the fed.1
>
> I personally don't understand why Newt and Nessus can't be separate; nor
> why Nessus has to go closed source. Isn't that what newt was for?
> Regardless, I wouldn't say that comment was "nonsense" in some circles
> (DOD) it makes perfect cents... and dollars...
>
> Justin Ross
> MCP+I, MCSE, CCNA, CCSA, CCSE, CISSP
> Senior Network Security Engineer
> Signal Solutions Inc. - http://www.signalcorp.com
> Email: Justin.Ross-at-signalsolutionsinc.com
>
>
>
>
>
>
>
> "Jay D. Dyson" <jdyson@treachery.net>
> 11/04/2005 09:03 AM
>
> To
> Penetration Testers <pen-test@securityfocus.com>
> cc
>
> Subject
> Re: Nessus - open or closed source?
>
>
>
>
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Fri, 4 Nov 2005, brandon.steili@gmail.com wrote:
>
> > Sounds about right. Here's a link:
> > http://www.networkworld.com/news/2005/101305-nessus.html
>
> Quoting from the article:
>
> "We want to bring Nessus to a larger audience, so
> Nessus 3.0 is going to be closed source, Gula said.
> If its not open source, a lot of government agencies
> and enterprises can use it, where before they wouldnt."
>
> This is absolute nonsense. Many government agencies and
> private
> enterprises with clued IT security folks already use Nessus and have for
> quite some time. In this move, all Tenable has ultimately done is pervert
>
> Nessus into a latter-day ISS clone.
>
> This shift toward commercialized closed-source silliness
> renders
> any use of Nessus untenable* in my book. I will no more recommend its
> future use than I would ISS.
>
> - -Jay
>
> * - No pun intended.
>
> ( ( _______
> )) )) .-"There's always time for a good cup of coffee."-. >====<--.
> C|~~|C|~~| \------ Jay D. Dyson - jdyson@treachery.net ------/ | =
> |-'
> `--' `--' `------ Security through obscurity isn't. ------' `------'
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (TreacherOS)
> Comment: See http://www.treachery.net/~jdyson/ for current keys.
>
> iD8DBQFDa4ZAdHgnXUr6DdMRAnCuAKCKFtUvaEewRbuV/dm6BKRollYlegCgytYK
> odWcfpRyZ/6ntr0yl7IWntE=
> =VQpM
> -----END PGP SIGNATURE-----
>
> ------------------------------------------------------------------------------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications on your
> website. Up to 75% of cyber attacks are launched on shopping carts, forms,
>
> login pages, dynamic content etc. Firewalls, SSL and locked-down servers
> are
> futile against web application hacking. Check your website for
> vulnerabilities
> to SQL injection, Cross site scripting and other web attacks before
> hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> -------------------------------------------------------------------------------
>
>
>
>
> ------------------------------------------------------------------------------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications on your
> website. Up to 75% of cyber attacks are launched on shopping carts, forms,
> login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
> futile against web application hacking. Check your website for vulnerabilities
> to SQL injection, Cross site scripting and other web attacks before hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> -------------------------------------------------------------------------------
>
>
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:08 EDT