Urgent help required

nnbnbWell, now that we're past the ambiguous title, let me tell you guys what my situation is...

I'm in the middle of a very heated debate as to the advantages of open-source software for vulnerability assessment / penetration. This matter is rather serious, and I need to prove why you dont need to spend thousands of dollars on a tool to conduct a professional vulnerability assessment.

So I'm writing a whitepaper with all my research and findings....

My goal here is to prove the fact that all the most widely used (and most reliable) security tools for ethical hacking are open-source and usually better than their commercial counterparts.

I need really solid evidence to back this claim, which is where I turn to you guys...

I'm currently profiling Nessus versus ISS Internet scanner.. and there are a *lot* of points in favour of Nessus.. including extensibility through NASL, local security checks, scalability, client-server architecture, multiple logging formats etc..

What I need from you guys are more points on why its better than ISS, even if you just give me a scenario where you found it better, post it here..

Of course even if you want to talk about another security tool such as say nmap or snort being better than a commercial alternative, fire away, I need that ammunition as well...

If you want some tools to compare, pop around to www.insecure.org/tools.html
You will be able to see the best open-source and closed / commercial tools in the world... feel free to analyse any of them for merits / demerits.


Now let me finish with my rant...

<rant>

I'm absolutely sick of old-school know-it-alls that insist that quality is directly proportional to price.. take it from me, the security industry is for the most part a bunch of cash hungry conmen looking to make a quick buck out of peoples fears by selling 'solutions' that are overpriced and underperform... and the worst part is that everyone believes them because they use price as a metric for quality ! I can't even begin to express how strongly I feel about this....

I have had extensive experience throwing around just about every free and commercial tool in existence and I FIRMLY believe that the matured open-source tools are better for assessment than the vast majority of commercial thermacol floating around.. that is precisely why most hackers hack from a 'free' o/s such as Linux.

So here is my impassioned plea... Please give me your experiences, your analyses, your ideas... anything. I'm counting on the community helping me fight this one !!

</rant>

Thanking you all in advance,

We evaluated among others the ISS tool and Nessus, and now use Nessus on a Linux PC. Because
1) It's much, much cheaper
2) No licence restrictions (as many installations as we like for the same low, low price
3) In terms of speed of testing, range of vulnerabilites checked, provision of support and updates, reliability and usefulness of reports there's not enough between the products (for us) to justify spending big bucks extra
4) Open source gives a confidence edge, in that there are many, many people working on and scrutinising the product, and defects are openly acknowleged. A commercial product is, by it's very nature, somewhat closed and you have to take it on trust that you are where you think you are

Thanks Bishop, I had missed out on the licensing point, that is very crucial when you consider that ISS allows you to scan a range of IP's that you buy.. the second you buy some more IP's you have to pay more money as I understand it..

Another thing, does anyone know whether ISS has any plugin architecture.. as in, can a normal user write their own plugin like with Nessus and NASL ?

I have not been able to find this feature anywhere, and my calls to the local ISS guys here go unanswered ("Its the open-source fanatic again ").... I guess they will answer my questions if I purchase the product as a show of goodwill !

Cheers,

Personally I think commercial appeals to those people that need a comfort zone because they do not understand their way around open source. And being honest I am in that school at the moment but at least I acknowledge this and am working on it.

Sahirh it sounds to me as those you are dealing with people's emotions that means technical justifications will only go so far. I suggest stacking the case with the technical detail in your favour and then using the emotions angle to knock them out.

By this I mean demonstrate that logically the open source product performs better - via benchmark tests, industry reputation etc.

Then use the emotion, eg TheBishops point about the Open Source community constantly working on and scrutinising the product where as commercial software will be dictated by the market thus although you may like a certain feature or it proves useful if a million other people don't like that feature then the next version will not include it! That appeals to the emotion of fear (Commercial means you at the mercy of the vendor).

Also you can allay the concerns about lack of support by showing that they can spend money on support if that makes them feel better - Red Hat is an example of open source that can be commercially supported.

Finally what about Unix? As the foundation and backbone of the Internet, has this Open Source product not proved its worth???

Sorry this document is not technically orientated but hope it helps nonetheless... and good luck.

You're right on the ISS licenses Sahirh, you get what you pay for rather than buying the product then scanning anything you want. I'm not sure but presumably the more you pay the more defined hosts it lets you scan. Not sure if you can do custom plugins but you probably can. I know there are various ones you can download off their support website and install

Hi Sahirh

Just interested to know the outcome of your conversation. What was the verdict Open Source v Commercial