
February 17, 2006

Nessus 3.0 revisited

I have written extensively in the past about the release of Nessus 3.0 and the fact that it is not released under the GPL and is not an open source product. I have also written about how many users, both vendors using it in their products as well as end users, remain blissfully ignorant of their continued violation of its usage license. Well, at RSA, I had my yearly chat with Ron Gula, the CEO of Tenable Network Security. Though I see Ron from time to time at security events and even occasionally exchange emails, it seems that at RSA for the past couple of years we find some time and actually have a chance to catch up and talk shop. Ron, for those who don't know, has a long history in the security business, having among other things developed the Dragon IDS system. I was pleasantly surprised to hear that Ron actually reads my blog once in a while, and he congratulated me on the Steelers Super Bowl victory (he is a Ravens fan). We spoke for a while about the various articles and press interviews we both did around the release of Nessus 3.0. He also clarified some of the things he and Tenable have done and their reasons for it. Without first asking his permission, I don't feel comfortable making it all public here, but suffice to say, he has, to his mind, his own sound business reasons for what Tenable is doing around licensing. One thing he did tell me, though, that I want to make clear, is that there are several different licenses and copyrights at play with Nessus. Even if you are using Nessus 2.x, which is released under the GPL, the NASL plug-ins developed by Tenable after a certain date (my belief is after 12/04) are not released under the GPL. Pursuant to the license for the NASL plug-ins, you cannot use them if you are using them in a non-registered version of Nessus which is integrated into another application.

The implications of this are huge. If you are using a product that has an integrated Nessus scanner (these include many vulnerability management products, as well as many network access control products and even some IPS systems), and your vendor is not writing their own NASL scripts (using the nessus.org feed), both they and you are in violation of the license and copyright. The damages for such a violation are substantial. You would be surprised at some of the companies who are playing fast and loose with this sword hanging over their heads. I can't understand it, and I really can't understand why the media does not make a bigger issue of it. How can they review a product using Nessus without raising the issue and having the vendor answer it? I don't know if Tenable will ever sue or take action against those who are violating the license. They may choose to continue developing Nessus and make it impossible for those using the product and NASL scripts without permission to continue to use it. One thing is for sure: you should make sure you are on the right side of this issue!

This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.