<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: tenable]]></title>
    <link>http://securityratty.com/tag/tenable</link>
    <description></description>
    <pubDate>Mon, 22 Jan 2007 16:59:59 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Links for 2008-11-03 [del.icio.us]]]></title>
      <link>http://securityratty.com/article/09a233e5ec7f4cb99c4cff9bd428d909</link>
      <guid>http://securityratty.com/article/09a233e5ec7f4cb99c4cff9bd428d909</guid>
      <description><![CDATA[Tenable Network Security: Log Correlation Engine 3.0 Released
More McAfee Snakeoil Ranting ha.ckers.org web application security lab
Spire Security Viewpoint: Symantec M&amp;A Retrospective
Why Risk...]]></description>
      <content:encoded><![CDATA[<ul>
<li><a href="http://blog.tenablesecurity.com/2008/11/log-correlation-engine-30-released.html">Tenable Network Security: Log Correlation Engine 3.0 Released</a></li>
<li><a href="http://ha.ckers.org/blog/20081010/more-mcafee-snakeoil-ranting/">More McAfee Snakeoil Ranting ha.ckers.org web application security lab</a></li>
<li><a href="http://spiresecurity.typepad.com/spire_security_viewpoint/2008/10/symantec-ma-retrospective.html">Spire Security Viewpoint: Symantec M&amp;A Retrospective</a></li>
<li><a href="http://www.darkreading.com/security/management/showArticle.jhtml?articleID=211201252">Why Risk Management Doesn't Work - Security/Management - DarkReading</a></li>
<li><a href="http://ha.ckers.org/blog/20081012/apocalyptic-vulnerability-percentages-fud-101/">Apocalyptic Vulnerability Percentages - FUD 101 ha.ckers.org web application security lab</a></li>
<li><a href="http://securosis.com/2008/11/03/database-activity-monitoring-event-collection-methodologies/">Database Activity Monitoring &amp; Event Collection Options | securosis.com</a></li>
</ul>]]></content:encoded>
      <pubDate>Mon, 03 Nov 2008 21:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/event collection options">event collection options</category>
      <category domain="http://securityratty.com/tag/apocalyptic vulnerability percentages">apocalyptic vulnerability percentages</category>
      <category domain="http://securityratty.com/tag/log correlation engine">log correlation engine</category>
      <category domain="http://securityratty.com/tag/spire security viewpoint">spire security viewpoint</category>
      <category domain="http://securityratty.com/tag/tenable network security">tenable network security</category>
      <category domain="http://securityratty.com/tag/risk management">risk management</category>
      <category domain="http://securityratty.com/tag/mcafee snakeoil">mcafee snakeoil</category>
      <category domain="http://securityratty.com/tag/ckers">ckers</category>
      <category domain="http://securityratty.com/tag/database activity">database activity</category>
      <source url="http://feeds.feedburner.com/~r/AntonChuvakinPersonalBlog/~3/441762417/anton18">Links for 2008-11-03 [del.icio.us]</source>
    </item>
    <item>
      <title><![CDATA[Matt Asay again shows that he doesn't know much about open source security]]></title>
      <link>http://securityratty.com/article/182375cfc9883805e5743d468a40bff0</link>
      <guid>http://securityratty.com/article/182375cfc9883805e5743d468a40bff0</guid>
      <description><![CDATA[I often comment or blog disagreeing with Matt Asay and his views on open source and security. Frankly from the comments Matt leaves back, I think he views me as a pain in his butt and why if I don't...]]></description>
      <content:encoded><![CDATA[<p>I often comment or blog disagreeing with Matt Asay and his views on open source and security. Frankly, from the comments Matt leaves back, I think he views me as a pain in his butt and why if I don't agree with him do I read his blog. I read Matt's blog because I often do agree with him, but I also read it because I think it important that just because you don't agree with someone's views, doesn't mean they have nothing to say. However, I also feel that I have the right to call BS when I see it. Matt's <a href="http://www.cnet.com/8301-13505_1-9944793-16.html?part=rss&amp;tag=feed&amp;subj=TheOpenRoad">article yesterday on Tenable's new licensing</a> is one of those times. Matt, you don't know what you are talking about on this one. If you are not going to take the time to dig in then just stay out. <br><br>First a little background. Tenable announced the other day <a href="http://www.nessus.org/news/data/pr95.pdf">a change in their licensing</a> of their NASL feed. For those who don't know, Tenable is the owner of the formerly open sourced Nessus vulnerability scanner. They also develop and publish a feed of NASL scripts which run in Nessus, which are likewise no longer and some say never were open sourced. I know Ron Gula pretty well and understand perfectly why Nessus is no longer under a GPL license for a few years now. I also understand the economics and reasons why they would charge for their NASL feed. I think it is good business and more power to Ron, Jack, Renaud and the rest of the Tenable gang. The change in their license is that now commercial customers will have to pay for the NASL feed, whereas before only people who resold the feed or otherwise profited from it would have to pay for the "registered feed". Now schools and charities can still get the feed for free, but others have to pay. 
Again, I don't have the slightest problem with this and wish them well.<br><br>Matt sticks his two cents here and at the same time sticks his foot in his mouth. For some reason Matt has not realized that Nessus has not been open sourced since the release of the 3.x version some time ago. It is not like this is a secret, Tenable is very "open" about it and there has been much written about it. Because they are still open in Matt's eyes, they can do little wrong. Matt, this is just plain negligence on your part, go beyond the press release before writing! Matt talks about and links to <a href="http://blog.milkingthegnu.org/2008/03/from-close-to-o.html">Pierre Teilhard de Chardin's blog article</a> about Tenable closing the source to Nessus and still doesn't take notice that it is no longer open source. Matt, did you read the article you linked to?<br><br>Matt then goes on to try and claim that it is OK for Tenable to charge for the NASL scripts because "the code is free, but the information that flows through it (Up-to-date vulnerability information, for example) is not". Matt, NASL scripts are scripts. I would think the word scripts in the name would be a dead giveaway. Don't you think that implies some code? <br><br>Yes, you can "drill your own wells" as Matt says and write your own NASL scripts. We do it at StillSecure for our own VAM vulnerability product. But we also use our own customized version of Nessus based off of the old 2.x open source code. <br><br>The fact is there is nothing open sourced about the current version of Nessus and NASL scripts and Ron and company don't make any bones about it. Matt, your readers expect more from you. Do a little homework before you spout off!</p>
]]></content:encoded>
      <pubDate>Thu, 15 May 2008 18:43:17 +0000</pubDate>
      <category domain="http://securityratty.com/tag/matt">matt</category>
      <category domain="http://securityratty.com/tag/matt asay">matt asay</category>
      <category domain="http://securityratty.com/tag/matt sticks">matt sticks</category>
      <category domain="http://securityratty.com/tag/matt talks">matt talks</category>
      <category domain="http://securityratty.com/tag/comments matt leaves">comments matt leaves</category>
      <category domain="http://securityratty.com/tag/source">source</category>
      <category domain="http://securityratty.com/tag/reason matt">reason matt</category>
      <category domain="http://securityratty.com/tag/scripts">scripts</category>
      <category domain="http://securityratty.com/tag/word scripts">word scripts</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/291382440/matt-asay-again.html">Matt Asay again shows that he doesn't know much about open source security</source>
    </item>
    <item>
      <title><![CDATA[Milton Security Group takes over Vernier EdgeWall 7000 support - Who is Milton Security?]]></title>
      <link>http://securityratty.com/article/e75eb346ad38fe681e93d2817f2e6424</link>
      <guid>http://securityratty.com/article/e75eb346ad38fe681e93d2817f2e6424</guid>
      <description><![CDATA[From this press release it looks like the newly named Autonomic Networks (formerly Vernier) has found a sucker an entity to take over ongoing support and perhaps development of the EdgeWall 7000 line...]]></description>
      <content:encoded><![CDATA[<p>From this <a href="http://www.newswiretoday.com/news/32503/">press release</a> it looks like the newly named Autonomic Networks (formerly Vernier) has found <del>a sucker</del> an entity to take over ongoing support and perhaps development of the EdgeWall 7000 line of appliances (what about the other Edgewall models?). Before we go any further, one might say that unlike Lockdown, at least they are getting someone to support the customers. But before we go there, maybe we should ask, who or what is Milton Security Group? I am afraid when we peel the layers of this onion we find more of the same old, same old from the folks at Vernier.<br><br>I went to the Milton Security <a href="http://miltonsecurity.com/index.html">web site</a> and it looks like the paint is still wet. They are in protection, compliance and reporting, but I am afraid the links are not yet working to dive in much beyond that. When you go to the company page you get this:</p>

<p><em><strong>About Milton Security Group LLC</strong></em></p><blockquote><p><em>Success in the 21st century is defined by your agility in a changing time. This includes adapting to the needs of your employees, contractors, outsource providers on the workforce side and the changing landscape of how to provide the right access to each one of these groups. Your current infrastructure may be limited in its ability to change as well. Real time auditing and control is required in this age, The Age of Compliance(T). </em></p>

<p><em>Milton Security Group LLC is a security company with a consulting practice. The Principals and Staff at Milton Security are dedicated individuals with many years of experience with diverse organizations from small businesses to government agencies. Combined with this and our unique range of experience and knowledge, Milton Security serves only one purpose, helping our customers succeed.</em></p></blockquote><p>OK, not really too much there. They are a security company with a consulting practice. I did a little more digging. They have two job openings posted, one for a Sr Systems Engineer for the current and next generation of MSG NAC products. I guess this is the guy who will continue on the development of the Vernier line. </p>

<p>But you guys don't pay me what you do to stop there do you? I did some more digging. Seems that Milton Security is the brainchild of its founder and CEO, James McMurray. I did some more <a href="http://www.linkedin.com/ppl/webprofile?action=vmi&amp;id=3235&amp;authToken=TvIy&amp;authType=name&amp;trk=ppro_viewmore&amp;lnk=vw_pprofile#recommendations">digging</a> and it seems James is the former head of the SE group at Vernier, what a surprise! Looks like he was able to get them to let him take over the IP and run with it. I bet he and his friends paid little if anything for this. </p>

<p>People, let's get real here. I applaud James for biting this off and wish he and his band of merry men the best of luck. But is this fair to the people who spent all that money on the Vernier boxes? At best Milton will be pressed to keep up with the Snort and Nessus signatures the Vernier boxes use. I guess being this small, without VC money behind them, they might be just better off using the Tenable and Sourcefire signatures and hope that those guys figure they are too small to sue. </p>

<p>If you are a Vernier customer you have to be checking your underwear. I mean do you want Milton-Bradley supporting your NAC system? This isn't board games we are talking about here. There are too many replacement and trade up offers from StillSecure and other NAC vendors for you to want to be a guinea pig in yet another experiment from the folks at Vernier. How many times do you have to get burned before you learn? You deserve better!</p>
]]></content:encoded>
      <pubDate>Fri, 11 Apr 2008 18:13:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/milton">milton</category>
      <category domain="http://securityratty.com/tag/milton security">milton security</category>
      <category domain="http://securityratty.com/tag/milton-bradley">milton-bradley</category>
      <category domain="http://securityratty.com/tag/milton security serves">milton security serves</category>
      <category domain="http://securityratty.com/tag/vernier">vernier</category>
      <category domain="http://securityratty.com/tag/vernier customer">vernier customer</category>
      <category domain="http://securityratty.com/tag/customer">customer</category>
      <category domain="http://securityratty.com/tag/vernier boxes">vernier boxes</category>
      <category domain="http://securityratty.com/tag/vernier line">vernier line</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/268749568/milton-security.html">Milton Security Group takes over Vernier EdgeWall 7000 support - Who is Milton Security?</source>
    </item>
    <item>
      <title><![CDATA[Links for 2008-04-03 [del.icio.us]]]></title>
      <link>http://securityratty.com/article/267178aadef12876bdbbc5bdc97a1501</link>
      <guid>http://securityratty.com/article/267178aadef12876bdbbc5bdc97a1501</guid>
      <description><![CDATA[Information Security as Insurance
Security Thoughts: Information Security, Governance, Compliance and Safety Belts I have seen a lot of complaints about PCI and SOX etc etc in the same way that people...]]></description>
      <content:encoded><![CDATA[<ul>
<li><a href="http://dmiessler.com/blog/information-security-as-insurance">Information Security as Insurance</a></li>
<li><a href="http://securethink.blogspot.com/2008/03/information-security-governance.html">Security Thoughts: Information Security, Governance, Compliance and Safety Belts</a><br/>
I have seen a lot of complaints about PCI and SOX etc etc in the same way that people complain about &quot;self protection&quot; laws like safety belt laws.</li>
<li><a href="http://www.itbusinessedge.com/blogs/ssg/?p=283">The Evolution of Compliance Technology - Sarbox Survival Guide</a></li>
<li><a href="http://stage.vambenepe.com/archives/178">William Vambenepe&rsquo;s blog &raquo; Blog Archive &raquo; Another IT event standard? I&rsquo;ll believe it when I CEE it.</a></li>
<li><a href="http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1307430,00.html?track=NL-430&ad=632806USCA&asrc=EM_NLT_3408753&uid=832109">Worst practices: Recognizing the biggest compliance mistakes</a></li>
<li><a href="http://blog.tenablesecurity.com/2008/03/cybercrime-cybe.html">Tenable Network Security: CyberCrime, CyberTerror, CyberEspionage, and CyberWar</a><br/>
The final point I'd like to make on cybercrime is that the current set of problems show us nothing about how bad it can possibly get.

If you're part of an organization that does business online, cybercrime is going to be part of your personal future, fo</li>
<li><a href="http://www.security-works.com/blog/2008/03/nice-grc-write-up-and-how-it-relates-to.html">practical risk management: Nice GRC write-up and how it relates to log management initiatives</a></li>
<li><a href="http://www.wired.com/politics/security/commentary/securitymatters/2008/03/securitymatters_0320">Commentary: Inside the Twisted Mind of the Security Professional</a></li>
<li><a href="http://briefingsdirectblog.blogspot.com/2008/03/splunk-goes-platform-to-extend-it.html">Dana Gardner's BriefingsDirect: Splunk goes 'platform' to extend IT search benefits across more IT management functions</a></li>
<li><a href="http://www.sans.edu/resources/securitylab/hoelzer_david_dad.php">SANS Technology Institute: An Interview with David Hoelzer, author of DAD, a log aggregator</a></li>
<li><a href="http://paranoidmike.blogspot.com/2008/02/which-security-event-log-audit_12.html">ParanoidMike: Which Security Event Log audit categories are most useful on a Windows client?</a></li>
<li><a href="http://www2.csoonline.com/exclusives/column.html?CID=33575">Do Your Vendors Have Information Security That's Aaa Good? - Web Exclusives - Online Column - CSO Magazine</a></li>
<li><a href="http://www.s-ox.com/dsp_getNewsDetails.cfm?CID=2220">Sarbanes-Oxley: Growing Dependence on Log Data for Compliance and Threat Response</a><br/>
Results of note from the SenSage survey respondents include:

    *  Eighty-eight percent collect log data for compliance reasons, while 42 percent do so as part of best practices/industry standards initiatives such as ITIL.

    * Seventy-eight perce</li>
</ul>]]></content:encoded>
      <pubDate>Thu, 03 Apr 2008 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/security professional">security professional</category>
      <category domain="http://securityratty.com/tag/tenable network security">tenable network security</category>
      <category domain="http://securityratty.com/tag/compliance">compliance</category>
      <category domain="http://securityratty.com/tag/compliance reasons">compliance reasons</category>
      <category domain="http://securityratty.com/tag/information security">information security</category>
      <category domain="http://securityratty.com/tag/compliance mistakes">compliance mistakes</category>
      <category domain="http://securityratty.com/tag/compliance technology">compliance technology</category>
      <category domain="http://securityratty.com/tag/safety belt laws">safety belt laws</category>
      <source url="http://feeds.feedburner.com/~r/AntonChuvakinPersonalBlog/~3/263759259/anton18">Links for 2008-04-03 [del.icio.us]</source>
    </item>
    <item>
      <title><![CDATA[Show 010 - A Panel Discussion with Fortify Software's Technical Advisory Board]]></title>
      <link>http://securityratty.com/article/fe5e0060f0f10d3ac22996eace45b1c1</link>
      <guid>http://securityratty.com/article/fe5e0060f0f10d3ac22996eace45b1c1</guid>
      <description><![CDATA[The tenth episode of The Silver Bullet Security Podcast features a panel discussion with the Fortify Software Technical Advisory Board , several of whom have been featured on previous episodes. The...]]></description>
      <content:encoded><![CDATA[<p align="center"><img alt="Fortify TAB" src="http://www.cigital.com/silverbullet/fortify-tab.jpg" /></p>
<p style="margin-top: 5px">The tenth episode of The Silver Bullet Security Podcast features a panel discussion with the <a href="http://www.fortifysoftware.com/company-partners/tab.jsp">Fortify Software Technical Advisory Board</a>, several of whom have been featured on previous episodes.  The group discusses what commercial software tools can learn from academic research, the state of software security in China, real world lessons learned while using static analysis tools, and software security pedagogy.</p>
<p>Participating members of the Technical Advisory Board include:</p>
<ul>
<li><a href="http://www.cs.umd.edu/~pugh/">Bill Pugh</a>, Professor at University of Maryland, static analysis for finding bugs</li>
<li>Li Gong, GM at Microsoft, MSN in China</li>
<li><a href="http://www.ranum.com/">Marcus Ranum</a>, CSO of Tenable Network Security, security products trainer</li>
<li><a href="http://avirubin.com/">Avi Rubin</a>, Professor at Johns Hopkins, electronic voting security</li>
<li><a href="http://www.cs.cornell.edu/fbs/">Fred Schneider</a>, Professor at Cornell, trustworthy computing</li>
<li><a href="http://www.eecs.harvard.edu/~greg/">Greg Morrisett</a>, Professor at Harvard, dependent type theory</li>
<li><a href="http://nob.cs.ucdavis.edu/~bishop/">Matt Bishop</a>, Professor at UC Davis, computer security</li>
<li><a href="http://www.cs.berkeley.edu/~daw/">Dave Wagner</a>, Professor at Berkeley, software security and electronic voting</li>
</ul>
<p>A complete transcript of this podcast will be available soon from Fortify at <a href="http://www.fortify.com/silverbullet">http://www.fortify.com/silverbullet</a>.</p>
]]></content:encoded>
      <pubDate>Mon, 22 Jan 2007 16:59:59 +0000</pubDate>
      <category domain="http://securityratty.com/tag/software security">software security</category>
      <category domain="http://securityratty.com/tag/software security pedagogy">software security pedagogy</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/computer security">computer security</category>
      <category domain="http://securityratty.com/tag/security products trainer">security products trainer</category>
      <category domain="http://securityratty.com/tag/professor">professor</category>
      <category domain="http://securityratty.com/tag/static analysis tools">static analysis tools</category>
      <category domain="http://securityratty.com/tag/static analysis">static analysis</category>
      <category domain="http://securityratty.com/tag/tenable network security">tenable network security</category>
      <source url="http://www.cigital.com/silverbullet/show-010/">Show 010 - A Panel Discussion with Fortify Software's Technical Advisory Board</source>
    </item>
  </channel>
</rss>
