Nessus ceases to be open source

The next version of the open source security product won't be open source, due to competitors 'exploiting a loophole in the GPL'

The source code of one of the world's most popular free security tools will no longer be available to all, with its creator stating its open source licence was fuelling competition against his company.

"Nessus 3 will be available free of charge... but will not be released under the GPL," wrote Renaud Deraison yesterday to the software's email mailing list. Nessus — which Deraison claims is used by 75,000 organisations worldwide — scans networks for vulnerabilities.

The developer, who has been working on the product since at least 1998, said commercial pressures facing Tenable Network Security, the company he started in 2002 around Nessus, were forcing him to stop making the software's source code available.

"A number of companies are using the source code against us, by selling or renting appliances, thus exploiting a loophole in the GPL," he wrote in a later email justifying his decision.

"So in that regard, we have been fuelling our competition and we want to put an end to that. Nessus 3 contains an improved engine, and we don't want our competition to claim to have improved 'their' scanner."

The developer also expressed disappointment over the lack of community participation in developing the software, despite its open source licence.

"Virtually nobody has ever contributed anything to improve the scanning engine over the last six years," he wrote, noting there had been minor exceptions.

Deraison said the existing version 2 of Nessus would continue to be available under the GPL and receive bug fixes and regular updates. The large library of plug-ins for the software would also continue to be distributed in a way that allows anyone to examine their source code.

Tenable will also reduce the number of system architectures that version 3 of Nessus will support, and one core part of Nessus — its GUI — will be split off into a separate, open source project, Deraison added.

The developer's decision attracted immediate criticism, notably from the security expert known only as 'Fyodor'. Fyodor is the author of Nmap, a network scanning tool that complements Nessus and is also widely used among security professionals.

"Tenable argues that this move is necessary to further improve Nessus and/or make more money. Perhaps so, but the Nmap project has no plans to follow suit," he wrote in an email alerting his software's user base to the licence change.

"Nmap has been GPL since its creation more than eight years ago and I am happy with that licence," he continued.

Another critic posted concerns to the Nessus mailing list that Tenable would eventually get tired of supporting the open source version 2 of the software and simply forget about it.

He raised the possibility the community could fork version 2 of the software and start developing a divergent version of Nessus from the one officially supported by Tenable.

New kid on the block
Deraison said version 3 of Nessus would contain several noteworthy improvements, but be broadly backwards-compatible with version 2. The two will be able to share most of the plug-ins that are crucial to the software's operation.

"Nessus 3 is much faster than Nessus 2 and less resource intensive," wrote the developer. "Your mileage may vary, but when scanning a local network, Nessus 3 is on average twice as fast as Nessus 2, with spikes going as high as five times faster when scanning desktop Windows systems."

"Nessus 3 also contains a lot of built-in features and checks to debug crashes and misbehaving plug-ins more easily, and to catch inconsistencies earlier."

Renai LeMay reported from Sydney for ZDNet Australia.