LinuxQuestions.org
Old 10-11-2005, 12:46 AM   #1
SkyEye
Member
 
Registered: Sep 2005
Location: Sri Lanka
Distribution: Fedora (workstations), CentOS (servers), Arch, Mint, Ubuntu, and a few more.
Posts: 441

Rep: Reputation: 40
Nessus 3 to Close Source ?

I'm sure most security professionals out there, and admins in general, are familiar with the wonderful, powerful, industrial-strength and most popular Open Source vulnerability scanner: Nessus. After all of these successful years I don't think Nessus needs testimonials about what it is. Truly it is one of the pieces of software that has made its way to the hall of fame in the wide world of software.

On Wednesday, 5th Oct 2005, Renaud Deraison, the key person in the Nessus project, announced that the upcoming Nessus 3 would not be released under the GPL. However, it would still be free. Renaud also clarified things a little by saying,
Quote:
Nessus 3 will be available free of charge, including on the Windows platform, but will not be released under the GPL.

Nessus 3 will be available for many platforms, but do understand that we won't be able to support every distribution / operating system available. I also understand that some free software advocates won't want to use a binary-only Nessus 3. This is why Nessus 2 will continue to be maintained and will stay under the GPL.

To make things simple :

- Nessus 2 : GPL, will have regular releases containing bug fixes
- Nessus 3 : free of charge, contains major improvements

The two versions can share most of their plugins -- we intend to maintain backward compatibility whenever possible for most vulnerability checks. Some checks will only work on Nessus 3 (ie: we are about to release a set of plugins to determine policy compliance), but the huge majority will work on either platform likewise.
We are still not aware of the license which Nessus 3 will be released under. Since Renaud talked about a binary-only Nessus it seems that it's not going to be open source anymore. Even with the Nessus 2 series continued, the FOSS world will feel the Nessus 3 impact. Especially when it would be like this,
Quote:
Nessus 3 is a major enhancement of the key components of the Nessus engine - the NASL3 interpreter has been rewritten from scratch, the process management has changed to reduce the overhead of executing a plugin (instead of creating NxM processes, nessusd now only creates N processes), the way plugins are stored has been improved to reduce disk usage, etc...

Nessus 3 also contains a lot of built-in features and checks to debug crashes and mis-behaving plugins more easily, and to catch inconsistencies early.


As a result, Nessus 3 is much faster than Nessus 2 and less resource intensive. Your mileage may vary, but when scanning a local network, Nessus 3 is on average twice as fast as Nessus 2, with spikes going as high as 5 times faster when scanning desktop windows systems.
We still haven't heard the rationale behind the scenes, but what we feel is far from great. At least it's still free. But on the other hand it's just the beginning of a new path.

All we know is ...
We need Nessus, and wish it to be Open.


Edit: Sorry for the typo in the title, nothing else was changed.

Last edited by SkyEye; 10-11-2005 at 04:28 AM.
 
Old 10-11-2005, 03:04 AM   #2
primo
Member
 
Registered: Jun 2005
Posts: 542

Rep: Reputation: 34
It's more than likely that someone will come up with an open branch based on v2, just as it happened with ssh - openssh. If it's ever released under the GPL, I don't know if v3 may use code from the new one.

Last edited by primo; 10-11-2005 at 03:05 AM.
 
Old 10-11-2005, 04:01 AM   #3
SkyEye
Member
 
Registered: Sep 2005
Location: Sri Lanka
Distribution: Fedora (workstations), CentOS (servers), Arch, Mint, Ubuntu, and a few more.
Posts: 441

Original Poster
Rep: Reputation: 40
The Nessus 2 branch is open and readily maintained by the Nessus project. I hate to think of an OpenNessus since it has always been Open. Renaud has announced that Nessus 2 would remain so (it would be so anyway because it was under an open source license). Only Nessus 3 would be closed, in order to prevent commercial vendors from beating them at their own game using their own tool, like the claims "we are using a customised and highly enhanced Nessus open engine in our vulnerability scanner product".

However, I still won't agree with the move. I utterly hope they'll rethink the licensing issue.

I think the idea of a fork in this case is as bad as can be. Why waste the effort and energy (in a critical and developing area such as vulnerability assessment), just re-inventing the wheel?

Nessus is a product worth trying more... trying to keep as open source.
 
Old 10-11-2005, 09:28 AM   #4
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,679
Blog Entries: 4

Rep: Reputation: 3947
A "vulnerability scanner" that is, itself, a closed black-box? What good is that?

Sounds like they need to shop for a different set of venture capitalists . . .
 
Old 10-11-2005, 09:47 AM   #5
SkyEye
Member
 
Registered: Sep 2005
Location: Sri Lanka
Distribution: Fedora (workstations), CentOS (servers), Arch, Mint, Ubuntu, and a few more.
Posts: 441

Original Poster
Rep: Reputation: 40
I agree that being open is the best for such a tool. I also think Nessus needs some backing. Ubuntu had a millionaire like Mark Shuttleworth; perhaps there's someone out there who's enthusiastic enough to give a helping hand. Or perhaps a community fund like the Blender3D fund. (Just thinking aloud, since Nessus is one of my favourite tools)

This is what Renaud Deraison said about the background of their decision.
Quote:
A number of companies are using the source code against us, by selling or renting appliances, thus exploiting a loophole in the GPL.

So in that regard, we have been fuelling our competition and we want to put an end to that. Nessus 3 contains an improved engine, and we don't want our competition to claim to have improved 'their' scanner.
He also had a complaint about the FOSS community.
Quote:
Virtually nobody has ever contributed anything to improve the scanning engine over the last six years
People like the Nmap developer have different thoughts.
Quote:
Tenable argues that this move is necessary to further improve Nessus and/or make more money. Perhaps so, but the Nmap project has no plans to follow suit.

Nmap has been GPL since its creation more than eight years ago and I am happy with that licence.
 
Old 10-11-2005, 10:03 AM   #6
SkyEye
Member
 
Registered: Sep 2005
Location: Sri Lanka
Distribution: Fedora (workstations), CentOS (servers), Arch, Mint, Ubuntu, and a few more.
Posts: 441

Original Poster
Rep: Reputation: 40
Here's what Ron Gula, CTO and co-founder of Tenable Network Security, which sponsors the Nessus project, had to say.

Quote:
There's a lot of different people out there with a lot of different views on it. My biggest thing that I want to do is increase the user base, and frankly, the real story is not that we are moving away from the GPL, I think the real story is we are giving away a lot more value, in terms of -- for example -- the Windows scanners which are very, very popular, and also moving Nessus into a place that it's more easily used in corporate America. We have a lot of people out there in large organizations who cannot use open source software in their organization.
Then in the same interview Renaud said,
Quote:
In that case, yes, in the sense that in the end, the people that committed anything to the engine, to improve it, were like two of us. So if there is no community, and no one touches the code, and then on the other side (there are people) who cannot use Nessus because it is open source, they can't use it on the network, then we decided it would be better to close it
This made me feel really bad. I was (and am) very enthusiastic about Nessus. I really was hoping I could contribute someday. And I was even starting with NASL2. But now .... anyway, I'll keep up with the 2 branch.

Keeping software open source is not bad. I know of large (very large) corporate environments (cannot disclose) who happily use open source Nessus. Well, simply, I don't buy the idea that open source would not (at all) fit corporate environments. Maybe we need some more assessment work and QA stuff done. But that is not something one cannot achieve. Sorry, Ron and Renaud, I cannot agree with your decision. I wish it's still flexible.

Ron also said,
Quote:
So one of the things Tenable does, and this is one of the things that makes Nessus really popular, last year we didn't actually change anything on the Nessus code, that's the daemon, that was still GPL'd, but we made a change to the license. We basically said that the license for the plugin was separate from Nessus, and that these were updated.

And there was basically a seven-day delay for free, which was available to the world. But if people wanted the latest and greatest vulnerability checks, they had to pay for it. So, I can't really give you any names, but some of the largest managed security providers in the world, buy this from us because they in turn sell to governments and universities, you know, the latest vulnerability checks. These are for Microsoft, and for Linux, and for Mac. So there are really two parts to the Nessus license, what can I do with the actual program itself, and then what can I do with the content.
One of my friends asked me, "so they had the plan in their mind for some time?" I don't want to believe that.

For more information and some other insights please refer to this NewsForge article

Last edited by SkyEye; 10-11-2005 at 10:18 AM.
 
Old 10-12-2005, 09:52 AM   #7
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,679
Blog Entries: 4

Rep: Reputation: 3947
Well, maybe the root cause of the problem is simply competition. Maybe as more and more people are out there doing the same basic thing, they're all squeezing one-another out.

I think that we will see that this move on Nessus's part will prove to be their corporate death-knell, not the least stroke of which being how they "turned their back on GPL" to do it, then scrambled around for self-serving "justifications" to make themselves feel like they had not just made an irrevocable blunder. No one inside the company is going to disagree with the boss, of course. But it is very hard to change the rules of the game upon which your company was founded. "Remember 'Diet Coke.'" All of those executives had utterly convinced themselves that this stuff -- which basically tasted like Pepsi -- was a great and innovative idea. All of their advisors agreed. Public relations pieces were dutifully written and published. The market, however, did not agree. A less-wealthy company would have been killed.

Maybe it was a mistake to have used GPL in the first place... hindsight 20-20 and all of that... but to have opened the door and to now attempt to shut the same door, I believe, just isn't going to work.

A network-security outfit should probably base its business model on what a place like CounterPane did: sell "your network is secure." It's the difference between selling burglar-alarms and selling burglar-alarm monitoring.
 
Old 10-12-2005, 10:46 AM   #8
jeremy
root
 
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 13,604

Rep: Reputation: 4104
My general thoughts on this are here. I agree that it's a shame to see such a useful utility go closed source and am glad to see people like Fyodor firmly stating other useful apps won't be following suit. In the end though, Tenable seems to have misunderstood the GPL, as what Renaud calls a "loophole" is actually one of the points of the GPL - to avoid vendor locking.

--jeremy
 
Old 10-12-2005, 03:12 PM   #9
bulliver
Senior Member
 
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86_64; Gentoo PPC; FreeBSD; OS X 10.9.4
Posts: 3,760
Blog Entries: 4

Rep: Reputation: 78
FYI: fork of nessus 2 code is already underway. This is from FD mailing list:
Quote:
GNessUs is a GPL fork of the Nessus security scanner. As a result of
recent announcements by Tenable, we believe a fork of Nessus is required
to allow future free development of this tool.

Whilst we would like to believe that we will be able to continue to take
updates of the Nessus 2 source code from the Nessus web site we will be
endeavoring to add fresh functionality and plugins as part of the GNessUs
project. The fork will be based on the current nessus 2.2.5 packages from
GNU/Debian, the source of which can be found above in a slightly modified
form. We would welcome contact from any interested developers.

This intention to fork has come after numerous pub and work discussions
between myself and colleagues of mine from within the UK security
industry.

Cheers,
Tim
--
Tim Brown, GNessUs
<mailto:timb@gnessus.org>
<http://www.gnessus.org/>
 
Old 10-17-2005, 03:56 PM   #10
primo
Member
 
Registered: Jun 2005
Posts: 542

Rep: Reputation: 34
And there exists still another at http://sussen.sourceforge.net/ (nessus spelled backwards) and http://porz-wahn.berlios.de/homepage/about.php
 
Old 10-17-2005, 04:32 PM   #11
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,696

Rep: Reputation: 232
Such a big number of forks doesn't look good. We'll see how many of them will survive. I hope at least one will.
 
Old 10-17-2005, 08:25 PM   #12
jeremy
root
 
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 13,604

Rep: Reputation: 4104
Unfortunately I think some of these are more knee-jerk reactions than well-thought-out forks. A proper fork is going to take time, effort, dedication and a realistic plan. I have confidence that someone will do it though.

--jeremy
 
Old 10-17-2005, 09:57 PM   #13
trey85stang
Senior Member
 
Registered: Sep 2003
Posts: 1,091

Rep: Reputation: 41
I say good for them. If they close it and get a larger user base because of it.. then it was a good idea. It's still free and it was already stated there was almost 0 contribution to the code. What benefit did they have to leave it open?

I work at a company that does not like Open Source software at all. It takes an act of God and a couple of company lawyers to approve the use of open source software. So I completely understand their point. As stated, v2 is still GPL. Hit up one of the forks if you are against using closed source software.
 
Old 10-18-2005, 02:38 AM   #14
SkyEye
Member
 
Registered: Sep 2005
Location: Sri Lanka
Distribution: Fedora (workstations), CentOS (servers), Arch, Mint, Ubuntu, and a few more.
Posts: 441

Original Poster
Rep: Reputation: 40
By no means do I take your post as offensive, trey85stang. But I'd like to add something. I'm not an anti-commercial software person. What I believe is that both FOSS and commercial (closed source) software have to be there. And I still do not agree with Tenable's decision to close the source of the Nessus project.

One fact I agree with is that there are companies who are not so open to FOSS. But I don't buy that as a justification for closing the source. If they give it away for free without support, the companies would still have almost all the reasons not to opt for it. If they are going to provide a commercially supported version, they could do it even with the source still open.

And for the companies who say a stern "no" to open source, they really are missing something. I'm also working for (and have worked for and know of) companies that literally live on their information systems. But most have their share of open source software deployed throughout the corporation. Some have evaluation personnel or R&D teams, enabling them to cut cost but not effectiveness or productivity. Yes, there are companies who really have to use fully commercially supported products. But most of the companies out there say no to open source because they are not bold enough, mostly to migrate (for good reasons, like budget or fear: No one got fired for choosing Microsoft).

Well, you might say, "what's the point of complaining, when it is still free?"

Yes, it is free. At least for now. Just imagine that Nessus 3 catches on with the corporate sector really well and suddenly they decide to discontinue the free version? I call that vendor locking (not closing the loophole). This is not the whole story. As Jeremy said, running a successful FOSS project is not just having good code, it's a lot more. I'm not going to point out any more on this matter, for it's all about Open Source philosophy.

Then again, if you are not too happy about the success rate of open source products in the board room, then enter the commercial open source. Keep the source open. Sell your own with added values. This I believe is what Tenable utterly failed to do or try. They failed at value adding. And as a desperate move (as said by Renaud) they close the gate to the others.

I'm not saying that the competition for commercial open source is always fair and easy. I know it's a tough game. But I simply don't think that Tenable tried enough.

The other factor has the largest impact, or I believe so. Tenable said there was virtually no community contribution. At this time it might be true for the main engine. But as for plugin writers; not all are Tenable employees. Still, I agree that anyone would like to see more community contribution in core areas. Well, they could have tried a bit harder, letting people know that their support was needed more than ever, before announcing "game over". One more thing is their '7 day delay for public' story. Maybe that was just a value-adding service, yet, maybe .....

Anyway, I still am very grateful to Renaud and the team for initiating such a great product, but not for closing the source.

Last edited by SkyEye; 10-18-2005 at 02:58 AM.
 
Old 10-18-2005, 03:04 AM   #15
SkyEye
Member
 
Registered: Sep 2005
Location: Sri Lanka
Distribution: Fedora (workstations), CentOS (servers), Arch, Mint, Ubuntu, and a few more.
Posts: 441

Original Poster
Rep: Reputation: 40
And, about the Forks:

I agree with Jeremy and Mara.

Last edited by SkyEye; 10-18-2005 at 06:56 AM.
 