RealTime IT News

OpenVAS Charts Its Own Forked Course

One of the notable features of open source software is forking. If an open source project takes a direction that users or developers don't like, well, they can fork off in a new direction.

In these cases, developers of open source licensed code can fork a project and create a new application that takes a different path from the original code. That is what happened with the Nessus vulnerability scanner in 2005, which led to the OpenVAS (Open Vulnerability Assessment System) project.

OpenVAS is now out with its 2.0 release, which still shows some of its Nessus roots but isn't focused on keeping up with what's happening on the main Nessus effort. The Nessus fork is now carving out its own niche and moving out of the shadow of the project it was created from.

"You will still be able to see the origins of OpenVAS," OpenVAS developer Jan-Oliver Wagner told InternetNews.com. "However, many parts are not compatible anymore and only a few patches to OpenVAS might still apply to Nessus 2.x. The OpenVAS developers have not started to rewrite major parts of the code. It was rather about removing redundant code paths and other cleanups as well as new features."

OpenVAS was forked in 2005 as the Nessus project moved from open source to closed source. Tenable Network Security, the firm that sponsors and provides commercial support for Nessus, decided that version 3 of Nessus would not be open source, though the older Nessus 2.x branch would remain licensed under the GPL.

The OpenVAS project is still rooted in Nessus 2.x and isn't looking at Nessus 3 for inspiration.

"I am not aware that OpenVAS developers are analyzing Nessus 3," Wagner said. "OpenVAS will follow its own way, driven by the needs of the users."

Wagner added that the OpenVAS effort itself has never had any direct relationship with Nessus or Tenable Network Security. According to Wagner, no one from the Tenable Nessus developer team has ever actively contributed to OpenVAS.

"The OpenVAS development team has grown on its own from the very beginning," Wagner commented.

One of the key items in OpenVAS 2.0 is the emergence of support for OVAL (Open Vulnerability and Assessment Language), which aims to standardize security content so that security information can be shared across applications.

OpenVAS 2.0 also introduces something called the OpenVAS Transfer Protocol (OTP), a new take on the Nessus Transfer Protocol (NTP). OTP is the method by which the client and server instances of OpenVAS communicate with each other to relay vulnerability information.

Developers have also added 64-bit support to OpenVAS 2.0 and have worked on improving the graphical user interface for the OpenVAS client.

Et tu Nessus?

So what does Nessus think about the OpenVAS fork? Back in 2005, Ron Gula, CTO of Tenable Network Security, wasn't too concerned, since at the time he had yet to see any of the forked code. Now, with the OpenVAS 2.0 release, Gula declined to comment specifically on what OpenVAS is doing, noting that he didn't really want to comment on any other company, good or bad.

"I would much rather speak about the work we've done on Nessus 3 this past year," Gula told InternetNews.com. "Such as PCI DSS auditing, being able to port scan Windows and UNIX hosts without putting millions of packets on the wire, auditing anti-virus deployments, how we did both network and patch audit checks for MS08-067 and so on."

In March 2008, Nessus 3.2 was released, which included the ability to audit IPv6-based network traffic. At the time of the Nessus 3.2 release, Gula claimed that Tenable was seeing more user adoption than ever before.

What's next for OpenVAS?

Now that OpenVAS is out charting its own course, its development roadmap promises further innovations and a possible challenger to Tenable's commercial offering.

"Planned features in 2009 are a web-based client, an entirely new communication protocol and a further minimized scanner core with a redesigned internal storage technology," Wagner said. "Also planned is to set up professional services for OpenVAS as many enterprises will need this to adopt a Free Software solution."