Licensing Changes Coming for the Nessus Vulnerability Scanner

Licensing Changes Coming for the Nessus Vulnerability Scanner

Tenable, vendor of Nessus, has changed its licensing structure for the vulnerability scanner. Starting August 1, 2008, the 'RegisteredFeed', used to obtain signatures, will no longer be available. Users of the product have the option of obtaining either the 'HomeFeed' or the 'ProfessionalFeed'. HomeFeed remains free and is licensed only for use on personal home networks. It has the same vulnerability updates contained in the ProfessionalFeed. The new licensing policy does not allow commercial and government users to scan with the latest updates without an upgrade to ProfessionalFeed. The cost of the ProfessionalFeed will be $1200 a year, and includes compliance checks (PCI, etc.). The ProfessionalFeed also provides subscribers with the latest vulnerability and patch audits, configuration and content audits, and commercial support for their Nessus 3 installation.

For Additional Information Refer to:

http://www.nessus.org/news/data/nessus_feed_letter.pdf
http://www.nessus.org/documentation/index.php?doc=feed-faq
http://www.mckeay.net/2008/05/14/changes-to-the-nessus-license/

"Google Gives Away Free Web Application Security Scanner"

"Google Gives Away Free Web Application Security Scanner"

Jeremy Kirk, IDG News Service
Thursday, July 03, 2008 5:20 AM PDT

Google has released for free one of its internal tools used for testing
the security of Web-based applications.

Ratproxy, released under an Apache 2.0 software license, looks for a
variety of coding problems in Web applications, such as errors that
could
allow a cross-site scripting attack or cause caching problems.

"We decided to make this tool freely available as open source because we

feel it will be a valuable contribution to the information security
community, helping advance the community's understanding of security
challenges associated with contemporary web technologies," wrote
Google's
Michal Zalewski on a company security blog.
(http://googleonlinesecurity.blogspot.com/2008/07/meet-ratproxy-our-pass
ive-web-security.html)

Ratproxy -- released as version 1.51 beta -- is quick and less intrusive

than other scanners in that it is passive and does not generate a high
volume of attack-simulating traffic when running, Zalewski wrote. Active

scanners can cause problems with application performance.

The tool sniffs content and can pick out snippets of JavaScript from
style
sheets. It also supports SSL (Secure Socket Layer) scanning, among other

features.

Since it runs in a passive mode, Ratproxy highlights areas of concern
that
"are not necessarily indicative of actual security flaws. The
information
gathered during a testing session should be then interpreted by a
security
professional with a good understanding of the common problems and
security
models employed in web applications," Zalewski wrote.

Google has posted an overview of Ratproxy as well as a download link to
the source code. Code licensed under the Apache 2.0 license may be
incorporated in derivative works, including commercial ones, but the
origin of the code must be acknowledged.

Weak web application security continues to embarrass companies,
potentially causing the loss of customer or financial data.

A 2006 survey by the Web Application Security Consortium found that
85.57
percent of 31,373 sites were vulnerable to cross-site scripting attacks,

26.38 percent were vulnerable to SQL injection and 15.70 percent had
other
faults that could lead to data loss.

As a result, security vendors have moved to fill the need for better
security tools, with large technology companies acquiring smaller,
specialized companies in the field.

In June 2007, IBM bought Watchfire, a company that focused on Web
application vulnerability scanning, data protection and compliance
auditing. Two weeks later, Hewlett-Packard said it would buy SPI
Dynamics,
a rival of Watchfire whose software also looks for vulnerabilities in
Web applications as well as performing compliance audits."


See also
http://code.google.com/p/ratproxy/wiki/RatproxyDoc
http://code.google.com/p/ratproxy/downloads/list

Open source security gets thumbs up

The quality of open source code has improved over the last two years, according to an audit sponsored by the US Department of Homeland Security, reports The Register.

The security and quality of more than 250 open source projects - including Apache, Linux, Firefox and PHP - was assessed using code analysis tools from Coverity as part of the federal government’s Open Source Hardening Project. Coverity set up a scan site that invited individual developers to put their code through its paces with its static source code analysis tool, Coverity Prevent.

The same approach was used to analyse 250 popular open source projects, containing more than 55 million lines of code, on a regular basis. This analysis revealed a 16 per cent reduction in “static analysis defect density” across popular projects over the last two years, reflecting the discovery of 8,500 individual defects. The site divides open source projects into rungs on a ladder based on how far each project gets in fixing bugs. [The Register]

Security Product Review: Nessus Vulnerability Scanner by Tenable

Security Product Review: Nessus Vulnerability Scanner by Tenable

From time to time, I will be conducting product reviews of a security tool, application or website that I find to be very useful.

As a System Security Assessor, I often use and test many different tools and applications to do my job. One that has amazed me in recent years with excellent performance and results is the Nessus Vulnerability Scanner by Tenable.

Nessus is a free program designed to automate the testing and discovery of known security problems on the network and computer systems. For a free tool, Nessus has many useful capabilities such as using the Nessus Attack Scripting Language (NASL), which allows security professionals to use a simple language to describe individual attacks in conjunction to the provide vulnerability database based on the Common Vulnerabilities and Exposures schema. Another powerful feature of Nessus is the client server technology that allow for distributive architecture. The server portion runs on most flavors of Unix and Linux including the Mac OS X operating system while the clients are available for both Windows and Unix/Linux.

In my testing of Nessus against the more expensive commercial applications such as Foundstone’s Foundscan Security Scanner version 5 and Internet Security Scanner (ISS), Nessus faired much better than ISS in respects to initial setup, time of completion and less false positives. Against Foundscan, Nessus fell a little short in the scanning options and reporting.

My conclusion, for the price and results, Nessus is an excellent primary or secondary tool to use for your security needs. Tenable also offer support at a cost for those who needs it. Check it out and decide for yourself. You can find more information on Nessus at:

www.securityorb.com or www.nessus.org