Another Reason Why Nessus3 won't be Released Under the GPL?
Ron Gula, CTO and CEO of Tenable, was interviewed by Federico Biancuzzi over at SecurityFocus. Federico asked Ron why Tenable decided not to release Nessus3 under the GPL license, and here is what he had to say:
"Ron Gula: Customer demand. Organizations want a free product that they can use, and a place they can get commercial support and training from if needed. I'd also like to point out that although Nessus 3 is not released under the GPL, Tenable is still actively maintaining Nessus 2. We just released an update for Nessus 2.2 with lots of improvements.
I thought you chose to develop a closed source tool to have more control on the code, and more opportunities to get profits. Why did your customers ask you to rewrite a closed source version? What type of advantage should they get from a closed source version?
Ron Gula: There [was a] very small benefit to working with one set of code, but the overwhelming reason was to have a better relationship with our user base - a majority of which can't really use GPL code. Of course everyone does, but in this day and age of SOX, FISMA and 'process' a lot of folks are having to replace open source solutions with technology that is supportable and has licenses in line with whatever corporate policy is out there."
I called up Mike Horton, a friend of mine, and asked him about Ron Gula's comments. Mike has been involved with a considerable amount of SOx IT process work over the past few months. I asked him if SOx prohibits the use of open source scanning software, and this was his response: "In short - No. SOx specifies no technology requirements to any such degree. At first I was thinking that Tenable's switch to closed source is based more on efficiency and cost of resources. But they are still actively maintaining version 2 and put out a new version 3 that is still free (no cost). In thinking about his comments in the interview further, another possible and more plausible reason he may be alluding to in relation to SOx is easier 'control' of change management for the company using Nessus for their SOx security testing. Software change management is a major part of the IT portion of SOx being tested by companies out there. Now, my understanding is that most companies are not carrying the need for change management controls for SOx all the way to the tools used for the security testing/auditing. The primary focus of the IT portion of SOx is to review controls in place for the company's financially oriented software applications and the systems directly supporting them. And as I understand, that is what many companies are focusing their efforts on. But, because there are no clear requirements for how SOx compliance should be tested, I can also imagine a fair number of companies are also going down the path of ensuring change controls are in place for the code bases of supporting applications, such as Nessus. In this scenario, if the source of the tool is open, then it 'could' be altered, and so it would need to have change management controls in place to ensure it is only changed when it is supposed to be changed.
For these companies, if Tenable were to provide a closed source version for them to use as a part of their security controls for SOx compliance, then they would not have to show proper change management control for the code, which would make life a bit easier for them."
In my previous entry about this issue, I presented Renaud Deraison's [also of Tenable] comments on why Nessus won't be GPL'd.
"Virtually nobody has ever contributed anything to improve the scanning _engine_ over the last 6 years. I'm not talking about shoe-horning DB support in nessusd, but really to contribute things which make the scans faster, or Nessus more powerful.
Michel Arboi, a friend of mine, is one exception to that, and Nicolas Pouvesle, a colleague at Tenable, is another exception to that.
A number of companies are _using_ the source code against us, by selling or renting appliances, thus exploiting a loophole in the GPL. So in that regard, we have been fueling our own competition and we want to put an end to that. Nessus3 contains an improved engine, and we don't want our competition to claim to have improved their scanner."
Renaud's reasoning on why Nessus3 won't be GPL'd seems a lot more sincere and straightforward. After speaking with Mike Horton, I can see why Tenable may want to release a closed source distribution of Nessus, but I find it odd that Renaud and Gula presented two completely different reasons when asked why Nessus3 won't be under the GPL. Perhaps Gula and Renaud should have a chat, and come up with a consistent answer when queried on this topic - I'm sure Tenable is frequently going to be asked to comment on this issue in the near future.
Nitesh Dhanjani is a well known security researcher, author, and speaker. Dhanjani has been invited to talk at various information security events such as the Black Hat Briefings, RSA, Hack in the Box, Microsoft Blue Hat, and OSCON.