Tenable's license changes (and why the license changed)

Ron Gula rgula at tenablesecurity.com
Sun Jan 23 10:49:31 EST 2005
At 07:09 AM 1/23/2005, Robert Keith wrote:

>Through poking around, I found internal company discussions that "nCircle,
>Foundstone and Symantec" were relying on Nessus (at least as a
>technology/vulnerability source).

Robert,

Please don't make claims like this on the mailing list (which we hope
at Tenable continues to be un-moderated). If you have evidence of companies
embedding Nessus technology into their products, please feel free to share
it with Tenable privately, but to the best of my knowledge, none of the
companies you specified have shipped a plugin or piece of source code
from the Nessus project. I believe that Symantec uses (or used to use)
Nessus for some of their managed scanning services.

>OVAL seems like an excellent source for vulnerability information, though
>this information still needs a Nessus/plugin implementation to provide
>network-based VA.  I would imagine a complete CVE/OVAL source could be used
>to generate plugins (though critical fields in the XML are missing to make
>that work).

To quote an excellent senior government fellow associated with OVAL
who I won't name ;) OVAL is the chance for the gov't to change the model
of checking for vulnerabilities. Instead of saying, here is a list of
vulnerability names you need to test for, they can now say, here is a list
of specific tests you need to run.

Renaud has some issues with how OVAL has been designed, but for the most
part, we've really been trying to expand Nessus's (and NeWT's) coverage of
what *patches* are missing on target UNIX and Windows devices.

My issue with OVAL is that it assumes you have host-based access to run
the check. This may be the case, but maybe your only recourse is a remote
scan where you need to interrogate daemons, or maybe you deploy passive
scanning (like Tenable's NeVO) where you have NO PERMISSION at all to
scan or get on the host. Even in today's era of being audited for various
compliance standards, Tenable still runs into very large and public firms
that don't do security profiling of their main servers for a variety of
political and operational reasons.

Ron Gula, CTO
Tenable Network Security