LinuxInsider.com
Nessus 3.0: The End of the Age of Open-Source Innocence?


Tenable, the company behind Nessus, one of the most popular open-source vulnerability scanners, changed the program's licensing with the release of version 3.0.0 on December 12, causing a stir among security vendors that rely on the code as a component of their commercial products. The new version is not released under the GPL: the scanning engine is now closed-source, distributed free of charge but as a proprietary binary, and timely access to the plugin feed is sold as a commercial subscription.

The licensing change affects a broad spectrum of users, including corporations, the open-source community, and even businesses whose service providers build on Nessus. So what exactly does this mean for open source? Is it the end of the age of innocence? What options do interested parties have going forward?

Wider Implications?

William Hurley, CTO for Qlusters, Inc., a Linux data center operations management software vendor, told LinuxInsider that the Nessus announcement is evidence that projects need sustained community support, and that when it is lacking they must look elsewhere for the resources to continue.

"This announcement primarily affects the security community, and only to a small extent the open-source movement. Many companies are still making the transition to an open-source development model," Hurley said.

"This announcement is testament to the fact that though single projects like Nessus may need to make dramatic shifts in order to secure a viable future, open source overall is alive and well, continuing to gather more and more support."

End of Innocence

That's one perspective. Here's another: Alan Shimel, Chief Strategy Officer for StillSecure, a company that peddles a vulnerability management platform, told LinuxInsider that the release of Nessus 3.0.0 marks the end of the age of innocence for open-source software.

"Here's the danger we are running into," he said. "People contribute resources to these communities, whether it be time, money, or code. When they see everything they give converted for the commercial success of an individual rather than as a community as a whole, how long do you think they are going to want to keep giving?"

Shimel said it is similar to the Google (Nasdaq: GOOG) discussion. Google makes US$60 billion a year, much of which comes from everyday Joes clicking on ads tied to search terms. Shimel believes some in the open-source community will be left with a bad taste in their mouths in the wake of Nessus 3.0.0.

Differing Opinions

Not everyone in the software industry agrees with Shimel, of course. Scott Testa, COO of Mindbridge Software, a software and Web-based consulting company, is one who sees the issue differently.

Simply stated, Testa told LinuxInsider that "Open-source software has been around as long as computers have existed. Open-source software will always be around. Some will be commercialized, others will remain open."

Hurley agreed with Testa. Many companies, Hurley said, have already evaluated some of the problems that relationships like Nessus/Tenable produce and have chosen a blended open-source strategy in which they dual-license products.

"Nessus is one of tens of thousands of open-source projects," Hurley said. "Although very popular in its vertical market, it should not be used to judge the overall fate of the open-source software movement."

Decisions, Decisions

In any case, Shimel said users are now forced to make a decision, with three options available: use Nessus v3.0 for free but with a seven-day delay in updates; pay Tenable fees required to obtain a direct feed for updates; or transition to a commercial vulnerability management system.

Regardless of the long-term implications for the open-source community, the move to Nessus 3.0.0 has short-term implications for security software vendors and users. What do individuals and corporations do? Evaluations should be made on a case-by-case basis, Hurley said.

Some may be ready to upgrade to one of the many commercial options; others may not be able to justify the cost and will want to evaluate alternatives such as hosted or outsourced scanning services.

"In the end, most will probably choose to use Nessus 3.0 for free with the seven-day delay in updates because it's not intended to be a real-time defense mechanism," Hurley said. "If Nessus were an IDS or IPS, like Snort, a seven-day delay in updates would make it virtually useless. However, this isn't the case with Nessus, and the seven-day delay will probably be amenable to most users."

Absolutely Unacceptable

But on this point Hurley and Shimel also disagree. Shimel said waiting up to seven days for an update is not a viable option. In certain areas, waiting five to seven days for an update is not critical, but with security, he said, it is paramount.

"If Microsoft (Nasdaq: MSFT) issues a patch for a critical Windows vulnerability on Patch Tuesday, no one's security policy is going to find waiting until the following week to receive it acceptable," Shimel said. "So you really have no choice other than to pay for them or develop these on your own."

A Fourth Option

Hurley said there is a fourth option, one he calls the most viable for most users: migrate to a different open-source vulnerability scanner.

"Nessus is not the only open-source vulnerability scanner available. It's simply, up until this point, the most popular," Hurley said. "A quick search on SourceForge will provide users with several alternatives to choose from."

This includes new projects, like OpenVAS (openvas.org), that recently sprang up in response to the Nessus announcement. These projects have chosen to fork the GPL-licensed Nessus code base and create viable alternatives to Nessus and its plug-ins that can remain in the open-source domain.


By Jennifer LeClaire

Talkback: Join the Discussion.
Re: Nessus 3.0: The End of the Age of Open-Source Innocence?
rarce
Posted 2005-12-22
The article missed the most important option of a GPL'd piece of ...
Re: Nessus 3.0: The End of the Age of Open-Source Innocence?
dossi
Posted 2006-04-08
The company has likewise missed one _important_ aspect of Copyright Law (tm) ...