
The latest Nessus roadmap states that Nessus 3 will NOT be released under the GPL. Before I talk about why this is not a big issue for me, let me first state that I have been a big supporter of the Nessus project. I have written two articles about it, as well as a chapter on NASL in my latest book, Network Security Tools: Writing, Hacking, and Modifying Security Tools. I always make it a point to talk about Nessus when I speak at conferences on information security topics.
Here is why this announcement doesn’t bother me at all: because the Nessus plugins will continue to be open source. NASL is a scripting language, and therefore all the plugins will continue to be in clear text. In my opinion, the power of Nessus lies in the ability of the user to open up a particular Nessus plugin to determine how it works, and to confirm false positives. As long as Nessus continues to give me this ability, I will continue to use and support it.
For those wondering, here is another thread where Renaud Deraison describes why Nessus 3 won’t be released under the GPL:
Virtually nobody has ever contributed anything to improve the scanning _engine_ over the last 6 years. I'm not talking about shoe-horning DB support in nessusd, but really to contribute things which make the scans faster, or Nessus more powerful.
Michel Arboi, a friend of mine, is one exception to that, and Nicolas Pouvesle, a colleague at Tenable, is another exception to that.
A number of companies are _using_ the source code against us, by selling or renting appliances, thus exploiting a loophole in the GPL. So in that regard, we have been fueling our own competition and we want to put an end to that. Nessus3 contains an improved engine, and we don't want our competition to claim to have improved "their" scanner.
Understood. And more power to them. Nessus is a great tool, and I look forward to using version 3.
Nitesh Dhanjani is a well-known security researcher, author, and speaker.
oreillynet.com Copyright © 2006 O'Reilly Media, Inc.