Nessus 3.0: The End of the Age of Open-Source Innocence?

Nessus, maker of one of the most popular open-source vulnerability scanner programs available, changed its licensing agreement with the release of version 3.0.0 on December 12, causing a bit of a stir among security industry players that rely on the code as a component of their commercial solutions. The latest version is not available under the GPL license, but instead will be sold as a commercial product.

The recent licensing changes affect a broad spectrum of users, including corporations, the open-source community, and even businesses using services that use Nessus. So what exactly does this mean for open source? Is it the end of the age of innocence? What options do interested parties have going forward?

Wider Implications?

William Hurley, CTO for Qlusters, Inc., a Linux data center operations management software vendor, told LinuxInsider that the Nessus announcement provides evidence that projects need community supporters or they must go elsewhere.

“This announcement primarily affects the security community, and only to a small extent the open-source movement. Many companies are still making the transition to an open-source development model,” Hurley said.

“This announcement is testament to the fact that though single projects like Nessus may need make dramatic shifts in order to secure a viable future, open source overall is alive and well; continuing to gather more and more support.”

End of Innocence

That’s one perspective. Here’s another: Alan Shimel, Chief Strategy Officer for StillSecure, a company that peddles a vulnerability management platform, told LinuxInsider that the release of Nessus 3.0.0 marks the end of the age of innocence for open-source software.

“Here’s the danger we are running into,” he said. “People contribute resources to these communities, whether it be time, money, or code. When they see everything they give converted for the commercial success of an individual rather than as a community as a whole, how long do you think they are going to want to keep giving?”

Shimel said it is similar to the Google discussion. Google makes US$60 billion a year, much of which comes from every day Joes clicking on ads for search words. Shimel believes some in the open-source community will be left with a bad taste in their mouths in the wake of Nessus 3.0.0.

Differing Opinions

Not everyone in the software industry agrees with Shimel, of course. Scott Testa, COO of Mindbridge Software, a software and Web-based consulting company, is one who sees the issue differently.

Simply stated, Testa told LinuxInsider that “Open-source software has been around as long as computers have existed. Open-source software will always be around. Some will be commercialized, others will remain open.”

Hurley agreed with Testa. Many companies, Hurley said, have already evaluated some of the problems that relationships like Nessus/Tenable produce and have chosen a blended open-source strategy in which they dual-license products.

“Nessus is one of tens of thousands of open-source projects,” Hurley said. “Although very popular in its vertical market, it should not be used to judge the overall fate of the open-source software movement.”

Decisions, Decisions

In any case, Shimel said users are now forced to make a decision, with three options available: use Nessus v3.0 for free but with a seven-day delay in updates; pay Tenable fees required to obtain a direct feed for updates; or transition to a commercial vulnerability management system.

Regardless of the long-term implications for the open-source community, the move to Nessus 3.0.0 has short-term implications for security software vendors and users. What do individuals and corporations do? Evaluations should be made on a case-by-case basis, Hurley said.

Some may be ready to upgrade to one of the many commercial options, others may not be able to justify the cost and will want to evaluate other options like hosted or outsourcer scanning services.

“In the end, most will probably choose to use Nessus 3.0 for free with the seven-day delay in updates because it’s not intended to be a real-time defense mechanism,” Hurley said. “If Nessus was an IDS or IPS, like Snort, a seven-day delay in updates would make it virtually useless. However, this isn’t the case with Nessus, and the seven-day delay will probably be amenable to most users.”

Absolutely Unacceptable

But on this point Hurley and Shimel also disagree. Shimel said waiting up to seven days for an update is not a viable option. In certain areas, waiting five to seven days for an update is not critical, but with security, he said, it is paramount.

“If Microsoft issues a patch for critical Windows vulnerability on Patch Tuesday, no one’s security policy is going find waiting until the following week to receive it acceptable,” Shimel said. “So you really have either no choice than to either to pay for them or develop these on your own.”

A Fourth Option

Hurley said there is a fourth option, one he calls the most viable for most users: migrate to a different open-source vulnerability scanner.

“Nessus is not the only open-source vulnerability scanner available. It’s simply, up until this point, the most popular,” Hurley said. “A quick search on SourceForge will provide users with several alternatives to choose from.”

This includes new projects, like OpenVas.org, that recently sprung up in response to the Nessus announcement. These projects have chosen the option to fork off of the Nessus code base and create viable alternatives to Nessus, and its plug-ins, that can remain in the open-source domain.

2 Comments

  • The article missed the most important option of a GPL’d piece of software.
    The user community can fork the last GPL version and continue development on its own. The is no need to switch or pay the commercial fees if a sufficiently large contributing community has developed around the product. If there isn’t a sufficient pool of developers available to keep it going, well, maybe its time for it to go.

    • The company has likewise missed one _important_ aspect of Copyright Law ™ …
      Many countries, especially in Europe, expressly prohibit completely giving up rights to produced works of coding, literature, etc.
      To my knowledge, therefore, the company may very soon run into the legal issue of not being permitted to sell/provide the service for money, as soon as _one_single_developer_ from e.g. Germany issues a revokal of right-to-use. In this case, the software _and_ it’s derivatives (mark the "derivatives") mentioned may _no_longer_ be used by the organization who has it’s right-to-use revoked.
      Interestingly, the revokal may apply to single entities, while still being generally granted to the rest of the world.
      Especially important to note is a completely other issue. The various contributors to the code delivered the patches and AM endments according to the GPL, which applies to the supplied code-fragments even though not expressly written. It is generally accepted, that code not expressly designated to be in the public-domain _is_not_public_domain_, but remains intellectual property of the author.
      The permission for usage against pay must in this case expressly be granted in written form by the original author.
      To migrate the GPLed code to "pay-ware" or closed-source is not permissable.
      As _service_, though, the updates, etc. may very well be priced, as long as the code itself remains in the GPL, the various customers, though, may (as the code remains in GPL) exchange and distribute the GPL-code in disregard of the timing-scheme intended by companies.
      To exactly analyse what applies, what not, where the drawbacks, and loopholes lie … is a job for the legaleses to deal with …
      /dossi
      P.S.: Some or all of the comments above may or may not apply to you depending upon local laws and regulations 😀
      P.P.S.: This represents a personal opinion of the author
      P.P.P.S.: This posting was created in germany 😀

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

LinuxInsider Channels