
Re: [Openvas-distro-deb] Nessus to be removed from Debian, please switch to OpenVAS

From:  Tim Brown <timb-AT-nth-dimension.org.uk>
To:  openvas-distro-deb-AT-wald.intevation.org
Subject:  Re: [Openvas-distro-deb] Nessus to be removed from Debian, please switch to OpenVAS
Date:  Mon, 3 Aug 2009 01:38:03 +0100
Message-ID:  <200908030138.21178.timb@nth-dimension.org.uk>
Cc:  debian-security-AT-lists.debian.org

(Speaking as a Debian package maintainer, OpenVAS project initiator and 
professional penetration tester.)

On Monday 03 August 2009 00:18:57 Simon Ward wrote:

> The last time I looked at OpenVAS, admittedly several months ago, it had
> nowhere near enough coverage in tests for remote vulnerability
> assessment.  I'll be sure to check myself again soon, but I don't
> believe that has changed much, with a concentration on getting the
> automatically generated local security checks.

Whilst it is true that OpenVAS does not have full coverage of all known 
vulnerabilities I can't actually think of a scanner that does.  OpenVAS has 
local checks for all mainstream F/OSS distributions (as well as a number of 
commercial UNIX and Windows).  Anyone deploying it to Debian infrastructure 
can today give it local credentials for their system and be sure that it will 
report any packages with versions affected by a DSA, something that isn't 
possible with the GPL'd Nessus.

In specific relation to remote testing, it has almost everything the old 
Nessus 2 GPL feed had plus a good deal more.  There are a number of plugin 
developers who are focussed only on this part of the picture.  I can tell you, 
for example, that there are checks in OpenVAS that are *not* in Nessus 3/4.

AFAIK the only plugins that are in Nessus 2 but not in OpenVAS are those which 
Tenable have since claimed are not GPL and for these the OpenVAS team are 
actively developing replacements.

> With that in mind, I do not think the Nessus 2 packages should be
> removed at this time, and should continue to be available in parallel to
> OpenVAS.

Some further points to consider...

1) To the best of our knowledge OpenVAS is backwards compatible with Nessus 2, 
3 and 4 feeds, although legally the use of the commercial feeds on anything 
other than Tenable's product is a grey area
2) OpenVAS has a thriving development community (perhaps not on Debian's 
scale) but we had 16 developers from 4 continents at the last developers 
conference
3) As well as being an SPI associated project, there are 3 contributing DDs
4) Nessus 2 and the associated GPL feed is no longer being actively developed 
which means that the results it produces will become less and less relevant 
by comparison with OpenVAS

I don't see what there is to gain by asking Javier to split his efforts in 
continuing to maintain Nessus when he has expressed a preference to allow 
OpenVAS to take its place and has made significant contributions to make that 
possible.

Tim
-- 
Tim Brown
<mailto:timb@nth-dimension.org.uk>
<http://www.nth-dimension.org.uk/>




Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds