Tenable license discussion - Nessus engine

Ron Gula rgula at tenablesecurity.com
Wed Jan 26 16:44:03 EST 2005 

Hi Robert,

>I need to reply to Renaud, Ron and Tenable and have not done so - just lazy
>I guess.  I asked very specific questions about the Tenable/Nessus
>relationship and their business plans.  They have been amazingly honest and
>forth-coming.  I know most corporations would be this open.

Maybe you meant "would 'not' be so open" ?

I'm curious what your concern with Nessus is? Are you a consultant, a
vendor, a security researcher, .etc? If we new what your specific issues
with Nessus and the changes were, we can either agree to disagree or
try to clarify.

>   1.  The majority of the plugins will be proprietary to Tenable.  There is
>no real room to have any real involvement by an open-source community when
>the submissions will compete (and  push-come-to-shove loose to the Tenable
>submissions), so the future of Nessus plugins will be to support Tenable
>activities

Technically, this is Tenable's policy. However, our intent is not to
shut out open-source developers. We've taken more input to Nessus now
then before. Of course, the other view to this is that we *hardly* got
submissions from the open source community on Microsoft Tuesdays or
during worm outbreaks. Don't get me wrong, we got *some*, but nothing
that approaches the commitment to maintaining a lab, doing QA on the
NASLs, maintaining the NASLs, killing false positives in old checks,
.etc.

>   2.  The core Nessus system will become proprietary Tenable (as alluded to
>by Renaud's remarks to this message).

Not so.

>Far as I can tell by the responses by most on this list, this seems to be
>fine with most Nessus users.  As I have stated - Nessus is a critical
>resource for the entire world, if you include cyber-terrorism looming, and
>such.

This is FUD. I really feel there will not be a cyber-terrorism event
anytime soon.

>Once Nessus is closed and Tenable, and if Tenable were to collaps, be
>sold to another company, or whatever - Nessus will be gone.

The same was true before Tenable became involved with Renaud. Previously,
the number of people involved with Nessus could be counted on one hand.
Now you need a spread sheet to keep track of who is doing what with testing,
research, working with the OS vendors, .etc. *and* the original Nessus
people are still very much running things as they see fit.

And one other thing, you have absolutely no basis to make **any** claims
about what will happen to Nessus if/when something good/bad happens to
Tenable.

 >  So, my interest is more than *idle*.

I'm still not sure what your interest is. My guess (and I have no basis
for this) is that you were using Nessus to somehow make money, deliver a
service, .etc or that you need the latest Nessus checks but can't afford
$1200 a year per scanner.

Ron Gula, CTO
Tenable Network Security

More information about the Nessus mailing list