Monday, April 9, 2007

Is it illegal to pass off Nessus reports as your own?

Ron Gula weighed in on this question as posed to the Nessus mailing list today. I'm trying to read between the lines here, but I think Ron's answer boils down to, "It pisses me off when people pretend they don't use Nessus and just re-style our reports to customers as original content. But since we don't own the IP in a good number of the NASL files, including the report output that they generate, no, it's not illegal." I'm liberally paraphrasing, of course.

Food for thought, because it's almost standard operating procedure for pen-test companies big and small alike not to broadcast their use of Nessus. But next time you hire someone to do a pen-test of your network, grep your web server logs for Nessus - I'll bet it hits. As to how many copy & paste Nessus results directly, only the laziest do it straight up, since there are typos and layout mistakes galore.
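The log check suggested above, as an added example that is not part of the original post: it parses Apache/nginx "combined" format access log lines and flags requests whose User-Agent mentions Nessus, tallied by source address. The log lines are constructed for this example, and the Nessus-style User-Agent strings in them are assumptions about how a scanner might identify itself, not values taken from the page. The obvious caveat is that a tester who wants to hide the tool can change the User-Agent, so a clean grep proves nothing; a hit, on the other hand, is hard to argue with.

```python
import re
from collections import Counter

# Constructed sample access log in Apache/nginx "combined" format (not from the original post).
# The "Nessus" User-Agent values are assumptions for illustration; real scanner strings vary by version.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Apr/2007:10:00:01 -0500] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/4.0 (compatible; Nessus)"
203.0.113.5 - - [09/Apr/2007:10:00:02 -0500] "GET /cgi-bin/test.cgi HTTP/1.1" 404 512 "-" "Mozilla/4.0 (compatible; Nessus)"
198.51.100.7 - - [09/Apr/2007:10:00:03 -0500] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0"
203.0.113.5 - - [09/Apr/2007:10:00:04 -0500] "GET /robots.txt HTTP/1.1" 200 64 "-" "nessus"
192.0.2.9 - - [09/Apr/2007:10:00:05 -0500] "GET /admin/ HTTP/1.1" 401 0 "-" "curl/7.16.1"
"""

# One regex for the whole combined-format line; named groups make the fields easy to reach.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_combined(line):
    """Return the fields of one combined-format log line as a dict, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def nessus_hits(log_text, marker="nessus"):
    """Return the parsed entries whose User-Agent contains the marker (case-insensitive).

    Lines that fail to parse are skipped rather than raising, so a partially
    corrupt log still yields whatever can be recovered.
    """
    hits = []
    for line in log_text.splitlines():
        entry = parse_combined(line)
        if entry and marker.lower() in entry["ua"].lower():
            hits.append(entry)
    return hits


def hits_by_source(log_text):
    """Count Nessus-tagged requests per source IP; useful for spotting the scanning host."""
    return Counter(entry["ip"] for entry in nessus_hits(log_text))


if __name__ == "__main__":
    for ip, n in hits_by_source(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} requests with a Nessus User-Agent")
```

Point the same functions at a real log by reading the file into `log_text`; for large logs, iterate the file line by line instead of loading it whole. Matching only on the User-Agent keeps false positives low, but pairing it with the burst of 404s from the same address (visible in the sample) is the more reliable sign of a scanner.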

3 comments:

Ron Gula said...

Hi Paul,

The majority of the 14,000 plugins available in the Direct or Registered Nessus feeds were written by Tenable.

The plugins that were contributed by 3rd parties also have the copyright of the original author, but are also maintained by Tenable with bug fixes, new types of checks, false positive/negative tweaks and so on.

I think a lot of organizations, consultants, service providers and so on use Nessus "legally" (or maybe "honestly" is a better word), but there are more than a few that cross the line in over-claiming what they deliver or developed.

PaulM said...

Ron,

Thank you for your reply. I definitely agree that there are those consultants that aren't upfront about or even outright deny their use of Nessus. To me this is foolish behavior, since those that know, know that Nessus is one of the best vuln scanners available.

I used to do pen-testing at a company where we used Nessus and a commercial product for the initial scans. The commercial product changed over the years - typically dictated by partner relationships - but Nessus remained.

There's no question in my mind that Nessus has always been better than 90% the work of Renaud. That said, is Tenable legally able to maintain the copyright of the NASL scripts that were created/contributed in Nessus' GPL days?

Ron Gula said...

Tenable has added very much to Nessus during the past 4 years and Renaud is still very involved as a Tenable co-founder. There are partnerships with OS vendors, much more resources to add new checks and so on.

As for the question wrt copyright, we can absolutely put a copyright on the plugins that were written by Tenable, just like any author can put in their work.

Typically debate about this sort of stuff comes up when a vendor wants to include Nessus 2 and some of the older plugins that were available before Tenable clarified the subscription licenses. What this amounts to is having a scanner with vulnerability checks that are very out of date.

It also leaves the customer hanging because their vendor can't use the more advanced features of Nessus 3, nor the latest plugin checks. It also gives a false sense of security as the customers never get alerts for things like this week's MS Tuesday checks.