Re: [Openvas-distro-deb] Nessus to be removed from Debian, please switch to OpenVAS
[Posted August 12, 2009 by jake]
From: Tim Brown <timb-AT-nth-dimension.org.uk>
To: openvas-distro-deb-AT-wald.intevation.org
Subject: Re: [Openvas-distro-deb] Nessus to be removed from Debian, please switch to OpenVAS
Date: Mon, 3 Aug 2009 01:38:03 +0100
Message-ID: <200908030138.21178.timb@nth-dimension.org.uk>
Cc: debian-security-AT-lists.debian.org
(Speaking as a Debian package maintainer, OpenVAS project initiator and
professional penetration tester.)
On Monday 03 August 2009 00:18:57 Simon Ward wrote:
> The last time I looked at OpenVAS, admittedly several months ago, it had
> nowhere near enough coverage in tests for remote vulnerability
> assessment. I'll be sure to check myself again soon, but I don't
> believe that has changed much, with a concentration on getting the
> automatically generated local security checks.
Whilst it is true that OpenVAS does not have full coverage of all known
vulnerabilities, I can't actually think of a scanner that does. OpenVAS has
local checks for all mainstream F/OSS distributions (as well as a number of
commercial UNIX and Windows). Anyone deploying it to Debian infrastructure
can today give it local credentials for their system and be sure that it will
report any packages with versions affected by a DSA, something that isn't
possible with the GPL'd Nessus.
In specific relation to remote testing, it has almost everything the old
Nessus 2 GPL feed had plus a good deal more. There are a number of plugin
developers who are focussed only on this part of the picture. I can tell you,
for example, that there are checks that are in OpenVAS that are *not* in
Nessus 3/4.
AFAIK the only plugins that are in Nessus 2 but not in OpenVAS are those which
Tenable have since claimed are not GPL, and for these the OpenVAS team are
actively developing replacements.
> With that in mind, I do not think the Nessus 2 packages should be
> removed at this time, and should continue to be available in parallel to
> OpenVAS.
Some further points to consider...
1) To the best of our knowledge OpenVAS is backwards compatible with Nessus 2,
3 and 4 feeds, although legally the use of the commercial feeds on anything
other than Tenable's product is a grey area.
2) OpenVAS has a thriving development community (perhaps not on Debian's
scale), but we had 16 developers from 4 continents at the last developers'
conference.
3) As well as being an SPI associated project, there are 3 contributing DDs.
4) Nessus 2 and the associated GPL feed are no longer being actively developed,
which means that the results it produces will become less and less relevant
by comparison with OpenVAS.
I don't see what there is to gain by asking Javier to split his efforts in
continuing to maintain Nessus when he has expressed a preference to allow
OpenVAS to take its place and has made significant contributions to make that
possible.
Tim
--
Tim Brown
<mailto:timb@nth-dimension.org.uk>
<http://www.nth-dimension.org.uk/>
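The credentialed local check Tim describes above (installed package versions compared against the version a DSA fixed), as an added example in Python that is not OpenVAS's own code: it implements dpkg's version-ordering rules and flags packages older than the advisory's first fixed version. The package names, versions and DSA ids are constructed placeholders.

```python
import re
from itertools import zip_longest

def _order(c):
    """dpkg character weight: '~' < end of string (0) < letters < other symbols."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256 if c else 0

def _verrevcmp(a, b):
    """Compare version fragments as dpkg does: alternating non-digit and digit runs."""
    ta, tb = re.split(r"(\d+)", a), re.split(r"(\d+)", b)
    for k, (x, y) in enumerate(zip_longest(ta, tb, fillvalue="")):
        if k % 2:  # digit run: numeric comparison, so leading zeros do not matter
            d = int(x or 0) - int(y or 0)
        else:  # non-digit run: the first differing character decides, by dpkg weight
            d = next((_order(p) - _order(q) for p, q in zip_longest(x, y, fillvalue="") if p != q), 0)
        if d:
            return d
    return 0

def debian_version_cmp(v1, v2):
    """Return <0, 0 or >0 for Debian versions of the form [epoch:]upstream[-revision]."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, rev = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (rev if sep else "")
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

# Constructed advisory table, package -> (placeholder DSA id, first fixed version).
DSA_FIXED = {"examplepkg": ("DSA-0000-1", "2.2.11-1"), "otherpkg": ("DSA-0000-2", "1:1.0-3")}
# Constructed 'dpkg-query -W' style listing, as collected over a credentialed login.
INSTALLED = "examplepkg\t2.2.9-2\notherpkg\t1:1.0-3\nunrelated\t0.1-1\n"

def vulnerable_packages(installed_text, fixed_table):
    # Report (package, installed version, advisory) where installed < first fixed version.
    findings = []
    for line in installed_text.splitlines():
        name, _, version = line.partition("\t")
        if name in fixed_table:
            advisory, fixed = fixed_table[name]
            if debian_version_cmp(version, fixed) < 0:
                findings.append((name, version, advisory))
    return findings
```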