SecurityFocus interviews Ron Gula to get a glimpse of Tenable's upcoming free (but closed-source) Nessus 3 vulnerability scanner. The discussion looks at license changes, community involvement, daemon security, new features, GPL open-source versus free, NASL, and more.
Could you introduce yourself?
Ron Gula: I am a Tenable co-founder, CEO and CTO. Renaud Deraison, the Nessus creator, and I have been at Tenable for over three years now. Prior to Tenable, I was the original author of the Dragon intrusion detection system and founded Network Security Wizards.
Why did you choose to change the license of Nessus?
Ron Gula: Customer demand. Organizations want a free product that they can use, and a place they can get commercial support and training from if needed. I'd also like to point out that although Nessus 3 is not released under the GPL, Tenable is still actively maintaining Nessus 2. We just released an update for Nessus 2.2 with lots of improvements.
I thought you chose to develop a closed source tool to have more control on the code, and more opportunities to get profits. Why did your customers ask you to rewrite a closed source version? What type of advantage should they get from a closed source version?
Ron Gula: There [was a] very small benefit to working with one set of code, but the overwhelming reason was to have a better relationship with our user base - a majority of which can't really use GPL code. Of course everyone does, but in this day and age of SOX, FISMA and 'process' a lot of folks are having to replace open source solutions with technology that is supportable and has licenses in line with whatever corporate policy is out there.
If we were trying to make money with Nessus, we would not give it away. A majority of the folks that use Nessus don't give us any money.
I think you meant free as in free-of-charge, right? (not free as in freedom)
Ron Gula: "Free" or "freedom" means many things to people in different countries, courts and businesses. Nessus 2 was released under the GPL and that certainly is not "free" like a FreeBSD license. There are many companies who use GPL software in their commercial products and hide it from their customers.
Nessus 3 will be free of charge for end users or service providers or consultants to do whatever they want with it, except put it into a product or re-brand it as their own software. We're also simplifying the license agreements for our vulnerability updates such that the 7-day delayed feed (also free) can be used in commercial venues. Our direct feed could always be used that way as well, but we're also including support with it. At $1200/year per scanner, this is huge news to the enterprise, consultants and anyone else that wants to have a great supported vulnerability scanner.
What new features does Nessus 3.0 include?
Ron Gula: Nessus 3 is a rewritten scan engine that is compatible with the existing library of vulnerability checks.
The basic features are:
- Increased speed (a rough worst case of 1.5x to 2x, and best case of 17x. For scanned Windows servers, it's about 5x)
- 'Packaged' distributions. This is actually a large feature set as we have very large percentages of the user population hand-compiling Nessus each time.
- Lots of tiny features like network capture of potential false positives to make diagnostics easier, some new APIs in the NASL language, and much faster 'boot' time to launch Nessus.
- The direct feed for Nessus 3 will also include support from Tenable. In the past, users could search mailing lists, but many of these posts came from the "community" and were not always timely or useful.
- Tenable is also announcing training and certification programs around Nessus 3 as well.
- We're also in talks with a major publisher to produce a line of Nessus 3 books about scanning, using Nessus, getting certified, etc. There were lots of books that mentioned Nessus already, but these were not consistent or updated in a way that a direct relationship with Tenable could provide.
How can Nessus 3 be so much faster at scanning large networks? What changes in the scan technology were made versus the GPL version - improved port scanning, memory optimization, parsing NASL scripts, or others?
Ron Gula: This is a "secret sauce" question. The modifications were mainly in the interpreter of the NASL engine, but the community should be aware that Tenable audited the entire NASL set of plugins for speed. Nessus 2 is much faster than Nessus 2 was this time last year. Once we got Nessus 2 as fast as we could, we set out to write a more optimized engine for Nessus 3. In the end, it boils down to simplifying and improving the Nessus code so that most of the CPU time is spent doing network operations and very little else.
What type of extensions did you implement in the Nessus Attack Scripting Language?
Ron Gula: We added some capabilities to the language, like improved support of arrays. We also added some functions (like compression) which may come in handy some day. Finally, we have extended some of the existing functions to provide users with improved reporting in the future.
Will plugins written for Nessus 3 be compatible with the Nessus 2 engine?
Ron Gula: The majority of the plugins will, but a very restricted set which extend the audit spectrum of Nessus will probably work on Nessus 3 only. For instance, we do plan to use some of the newer features in Nessus 3 to offer "compliance" checks for Windows and UNIX servers. These checks can allow you to look at a known good Windows server, grab its policy and then use that as a template to scan all of your other servers for deviations. That check won't work on Nessus 2, and it will only be available to our 'direct feed' customers using Nessus 3.
Do you plan to start a program to reward security researchers that contribute NASL scripts?
Ron Gula: We do not have any official program like that. You should also realize we have had many people offer us zero-day NASL checks for money, but we don't engage in those sorts of business models. However, we will soon announce a "contest" to reward Nessus users who work with us to improve the accuracy of the scans.
What are the plans for the registered plugin feed, currently free and 7-day delayed?
Ron Gula: We're simplifying the licenses:
- The direct feed will include support from Tenable for Nessus 3. For $1200/year, that is a very good deal.
- The registered feed can be used for commercial services whereas today there are two separate registered feed licenses.
- We're not making any changes to the content or delay or whatever. The registered feed is basically all vulnerability checks available after 7 days.
How does Nessus 3 fight false positives?
Ron Gula: Nessus 3 or Nessus 2 are not the places to fight false positives. Tenable pays very close attention to the NASL checks we produce, feedback from the user community, Tenable's customers, MSPs using Nessus, etc. With close to 10,000 checks, it's simply not possible to test every combination of a potential server patch level, configuration and network/OS environment. We do extensive QA on the NASLs we produce, and even more on the NASLs submitted by the community.
Nessus 3 will have the ability to perform packet capture on the packets involved for a specific check. This makes it easier to diagnose a false positive reported by anyone.
We also have completed a major audit of the plugins. The truth is that out of all the plugins, a very restricted subset would produce false positives, and we believe we have fixed most of those.
Some of the OSes and applications tested by NASL scripts are open source, some aren't. Do you think that open-source software gives you any advantage in fighting false positives and improving Nessus efficiency?
Ron Gula: Actually, it's quite the opposite. If there is a flaw in Apache tomorrow, then many distributions won't upgrade to the newest version of Apache, but will backport the patch instead. This means that we now have to deal with dozens of different flavors of Apache, all claiming to be of one version when they really are custom.
Conversely, if tomorrow there is a flaw in IIS, we'll only have to deal with the version(s) distributed by Microsoft, which is a much more restricted set. That's much easier for us.
Since Nessus 3 is closed source, you will be the only team of developers that could port it to another platform. Which OSes do you plan to support and which hardware architectures?
Ron Gula: The main ones, but you have to realize, we get requests to port Nessus to platforms like Red Hat 6 which are now part of 'embedded' solutions. Those are mostly commercially funded projects, yet they don't want to pay for support in an open source project as their "IP" is now out in the wild.
Nessus 3 will initially be available for Red Hat, Fedora, SuSE, Debian and FreeBSD. We will have Nessus 3 for Windows and Mac OS X very shortly. You should realize that we've been making NeWT (basically Nessus for Windows) available for free to most people but with a limit of only scanning the local network. There are about 20k people using it like this today. Nessus 3 for Windows is basically NeWT, with our modification for Nessus 3 -- and we are removing the feature of only scanning your local network. We had previously been selling a version of NeWT Pro that costs $6000 and now we'll be giving away the same sort of thing at no cost.
Do you plan to support Solaris or OpenSolaris, and other architectures beside x86 (x86_64, sparc, sparc64, cpus used in embedded systems, ...)?
Ron Gula: We're planning on supporting Solaris, but have not announced specific architectures or which versions we will support. Most likely it will be Solaris 10 and Solaris 9 on x86/sparc architectures.
Our development process allows us to switch architectures very easily, so if there was huge demand for an x86_64 or Linux/PPC version of Nessus tomorrow, we'd have the ability to make and QA binaries for this architecture in a short amount of time.
Will you provide access to source code to any of your customers? If so, under what type of terms?
Ron Gula: Source code of the Nessus daemon is not important to the majority of the Nessus user community. Source code of the vulnerability checks is very important and we're not changing that. Nessus has its own language for vulnerability checks named NASL and this is something easily picked up by the average user, even non-coders.
We have not provided source code to anyone at this point.
Which language has been used to develop it?
Ron Gula: C
Does Nessus 3 need root/admin privileges to work? Did you use any method to reduce the risk of being exploited? (multiple processes, privilege separation/revocation, chroot)
Ron Gula: First, it is not possible to run nessusd as an unprivileged user, because it needs the ability to launch local commands as root (for instance, one user could use Nessus to launch an Nmap port scan, and nmap needs to run as root). In the same vein, you can't chroot it as otherwise it would be unable to use any application on the local system.
Finally, you want nessusd to perform a complete audit and this involves forging and sniffing packets or opening sockets with a source port lower than 1024. These operations require root privileges. So we could try to come up with complex systems to try to avoid being "root" (by using the Linux 'capabilities' for instance), but one would inevitably end up either with a scanner which does not do its job at all, or with a process which can do everything 'root' can do but does not run as root.
Moreover, whether nessusd runs as root or not is irrelevant. If an attacker can execute arbitrary code in nessusd, he'd be better off sending the results of the network audit to his @gmail account rather than try to compromise the Nessus system itself.
That being said, most of the Nessus checks are written in NASL, which is a sandboxed language and which is resistant to common programming mistakes such as buffer overflows, format string attacks or even null pointer dereferences. Every protocol parser is implemented in NASL, which greatly reduces the risk of seeing a programming mistake have adverse results.
Our research team has done an extensive job to determine what kind of attack could be done against the scanner and how to prevent them entirely, and not all of these attacks revolve around nessusd. For instance, one could very well install a fake SMB server on the network which claims to NOT support any encryption whatsoever and wait for a scanner to try to log in. Some scanners will send the administrative password in clear text, others won't. When you think about it, that's a clever attack because - as an attacker - you've not done anything illegal and obtained the domain administrative password. That's the kind of attack our research team thinks about and prevents.
In the end, we consider Nessus as being very robust and secure. Very few scanner vendors like to talk about the security measures they implement in their scanner but we do. Renaud even did a public talk about every possible attack which can be done and how they've been fixed a few months ago at JSSI, in France.
Does Nessus 3 offer a better protection compared to Nessus 2 in this context?
Ron Gula: It's the same approach in Nessus 3. Nessus 2 and Nessus 3 are more or less the same in this area, i.e. Nessus 3 isn't more secure than Nessus 2. We were already happy with the level of security in Nessus 2.
The codebase is new and since this tool can be used by external consultants, some people could choose not to use Nessus 3, especially now that it is closed source. After all, it runs as root, and if it is exploited it could bring the attacker into every network the consultant is going to visit. This is a scary scenario, and could keep many people using Nessus 2, or lead them to open-source forks of the Nessus 2 codebase. How do you plan to address this possibility?
Ron Gula: It doesn't work that way. The 'attacker' would need to be in the network already to break into the Nessus scanner, and he'd have to wait for the scanner to scan them. It's something we considered when we designed Nessus 2 and Nessus 3.
I'm more concerned with the state of the system that Nessus is installed on top of than the security of Nessus. We have a lot of folks send us test output of running Nessus on 'localhost' and we always see older versions of SSH and running web servers. Even on Windows, when our NeWT users send in these sorts of reports we always see shares and missing patches.
If the forks of Nessus made a 'more secure' version of Nessus, then this could cause folks to try and use it. However, Nessus 2 is already out there and we have released patches for it already. These patches have not been picked up by some of the forked projects yet and I'm not sure if they are focused on security. If a security issue came up in the Nessus 2 code tree, we'd fix it.
If the GPL version of the Nessus daemon starts to become an active project, would you consider making Nessus 3 open source?
Ron Gula: It depends what you mean by an active project. Tenable has already released point releases for Nessus 2 and when people find bugs in it we fix them. We have not seen any of the forks of Nessus even incorporate these fixes yet, but I am sure they will. I'm hoping that folks will innovate and add value to the tools that are out there. Unfortunately, aside from a few public Nessus 2 forks, most of the forks we are tracking or are aware of are by commercial groups who want to start with Nessus 2 to develop a commercial scanner, a network monitoring tool or some other function.
How much did the community contribute to Nessus from its first public release to recent 2.x versions? What about the NASL scripts archive?
Ron Gula: In lines of code to the Nessus daemon, very little. A lot of people asked for features and found bugs, but we had very few code submissions. On the vulnerability check side, we still accept checks written by folks outside of Tenable, but we also usually end up having to QA these checks and maintain them as time goes by. About 90% of the NASL checks come from Tenable.
Why do you think so few developers helped improve the open-source Nessus engine?
Ron Gula: I am not sure. The adoption rate for Nessus is so far and wide. I just think the average user of Nessus isn't a coder. I speak to a lot of different open source project managers and they say similar stuff -- it's mostly free users and not really code contributors.