Nessus security tool closes its source

Developer makes popular free scanner proprietary, saying competitors were taking advantage of its open-source status.

Renai LeMay Special to CNET News

The source code of one of the world's most popular free security tools will no longer be available to all, its creator has announced, saying the software's open-source license was fueling competition.

Renaud Deraison, the primary author of the Nessus vulnerability scanner, broke the news in a message to the software's e-mail list Wednesday. "Nessus 3 will be available free of charge...but will not be released under the GPL," or General Public License, Deraison wrote. Nessus, which Deraison says is used by 75,000 organizations worldwide, scans networks for vulnerabilities.

The developer, who has been working on the product since at least 1998, said commercial pressures facing Tenable Network Security, the company he started in 2002 around Nessus, were forcing him to stop making the software's source code available.

"A number of companies are using the source code against us, by selling or renting appliances, thus exploiting a loophole in the GPL," he wrote in a later e-mail, justifying his decision. "So in that regard, we have been fueling our competition, and we want to put an end to that. Nessus 3 contains an improved engine, and we don't want our competition to claim to have improved 'their' scanner."

The developer also expressed disappointment over the lack of community participation in developing the software, despite its open-source license.

"Virtually nobody has ever contributed anything to improve the scanning engine over the last six years," he wrote, noting that there had been minor exceptions.

Deraison said the existing version 2 of Nessus would continue to be available under the GPL license and receive bug fixes and regular updates. The large library of plug-ins to the software would also continue to be distributed in a way that would allow parties to examine their source code.

Tenable will also cut down the number of system architectures that version 3 of Nessus will support, and one core part of Nessus--its graphical user interface--will be split off into a separate, open-source project, Deraison added.

The developer's decision attracted immediate criticism, notably from the security expert known only as Fyodor. The programmer is the author of Nmap, a complementary network-scanning tool to Nessus, which is widely used among security professionals.

"Tenable argues that this move is necessary to further improve Nessus and/or make more money. Perhaps so, but the Nmap project has no plans to follow suit," Fyodor wrote in an e-mail, alerting his software's user base of the license change. "Nmap has been GPL since its creation more than eight years ago, and I am happy with that license," he continued.

Another critic posted concerns to the Nessus mailing list that Tenable would eventually get tired of supporting the open-source version 2 of the software and simply forget about it.

He raised the possibility that the community could "fork" version 2 of the software--that is, start developing a divergent version of Nessus from the one officially supported by Tenable.

New kid on the block
Deraison said version 3 of Nessus would contain several noteworthy improvements but be broadly backwards-compatible with version 2. The two will be able to share most of the plug-ins that are crucial to the software's operation.

"Nessus 3 is much faster than Nessus 2 and less resource-intensive," the developer wrote. "Your mileage may vary, but when scanning a local network, Nessus 3 is, on average, twice as fast as Nessus 2, with spikes going as high as five times faster when scanning desktop Windows systems."

"Nessus 3 also contains a lot of built-in features and checks to debug crashes and misbehaving plug-ins more easily, and to catch inconsistencies earlier," he wrote.

Renai LeMay of ZDNet Australia reported from Sydney.