|From:||Tim Brown <timb-AT-nth-dimension.org.uk>|
|Subject:||Re: [Openvas-distro-deb] Nessus to be removed from Debian, please switch to OpenVAS|
|Date:||Mon, 3 Aug 2009 01:38:03 +0100|
(Speaking as a Debian package maintainer, OpenVAS project initiator and professional penetration tester.) On Monday 03 August 2009 00:18:57 Simon Ward wrote: > The last time I looked at OpenVAS, admittedly several months ago, it had > nowhere near enough coverage in tests for remote vulnerability > assessment. I'll be sure to check myself again soon, but I don't > believe that has changed much, with a concentration on getting the > automatically generated local security checks. Whilst it is true that OpenVAS does not have full coverage of all known vulnerabilities I can't actually think of a scanner that does. OpenVAS has local checks for all mainstream F/OSS distributions (as well as a number of commercial UNIX and Windows). Anyone deploying it to Debian infrastructure can today give it local credentials for there system and be sure that it will report any packages with versions affected by DSA something that isn't possible with the GPL'd Nessus. In specific relation to remote testing, it has almost everything the old Nessus 2 GPL feed had plus a good deal more. There are a number of plugin developers who are focussed only on this part of the picture. I can tell you for example that there are checks that are in OpenVAS that are *not* in Nessus 3/4 for example. AFAIK the only plugins that are in Nessus 2 but not in OpenVAS are those which Tenable have since claimed are not GPL and for these the OpenVAS team are actively developing replacements. > With that in mind, I do not think the Nessus 2 packages should be > removed at this time, and should continue to be available in parallel to > OpenVAS. Some further points to consider... 1) To the best of our knowledge OpenVAS is backwards compatible with Nessus 2, 3 and 4 feeds although legally use of the commercial feeds on anything other than Tenable's product is a grey area 2) OpenVAS has a thriving development community (perhaps not on Debian's scale) but we had 16 developers from 4 continents at the last developers conference 3) As well as being an SPI associated project, there are 3 contributing DDs 4) Nessus 2 and the associated GPL feed is no longer being actively developed which means that the results it produces will become less and less relevant by comparison with OpenVAS I don't see what there is to gain by asking Javier to split his efforts in continuing to maintain Nessus when he has expressed a preference to allow OpenVAS to take its place and has made significant contributions to make that possible. Tim -- Tim Brown <mailto:email@example.com> <http://www.nth-dimension.org.uk/>
Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds