Closed source Nessus 3.0 launched
This week the latest version of "the open source vulnerability scanner" Nessus was released. What is very different about it is that it is no longer an open source, GPL-licensed application. Citing various reasons, the keepers of Nessus feel that it is best for Nessus and its users if the product is no longer released under an open source license. While I will not be drawn into the debate around the circular reasoning they have demonstrated in putting forth these various arguments for what they did, I do recognize that they are entitled to try and cash in based upon their copyright of the product. I think the bigger question is what this means to the community of Nessus users and what it means to the community of open source users in general. I think that, with the passage of time, this release is going to mark the end of the age of innocence for open source software. Up to this point, various companies have successfully capitalized by being innovative with open source applications. Some that come to mind are Sourcefire, Tripwire, Red Hat, Novell, IBM, Sun, etc. None have ever taken the step of closing the source of an application. Many have released supplemental or deluxe versions of open source products, but that is a very different action. Now, the folks behind this move with Nessus will tell you that individual users are still free to use Nessus, and, if they don't mind a 7-day delay in getting the latest scans, are free to use them as well. They will also say that they are still supporting the older GPL version of Nessus. But I notice that the new 3.0 version also has a new NASL engine in it. My guess is it won't be long until we start seeing NASL scripts that are not backward compatible with the GPL version of Nessus. Of course we will be told that this is being done for the good of everyone, so that we are getting better NASL scripts.
Funny thing about all of the "what is best for everyone" messages we get from the Nessus folks: each and every time, it results in more money in their pockets. At least, let's be upfront about it.
By closing the source they have stymied innovation. This, in my opinion, will be to the detriment of the entire Nessus community. Even individual users who want to use the product and don't mind the 7-day delay will not be able to customize and enhance the program. We all lose. One of the biggest advantages of open source software under the GPL license is that when someone makes a change to the code, it is released and available to all. This form of programming Darwinism leads to better products for all of us to use. At StillSecure, I am proud to say we have been working with others and writing our own GPL'ed NASL scripts for some time. Also, the fork of Nessus to keep it open source at http://www.openvas.org seems to be progressing nicely. There are still places where those interested in contributing can do so.
What will happen if other open source projects adopt similar measures? Is open source going to evolve into a minor league for software developers to gather free help and develop an audience? Put a project out in the open source community, enjoy the free help in coding and testing that the community provides, and then, once it develops enough of a following, pull the rug out and change the license, making it a closed source product. How long will people keep falling for that, until finally the whole institution of open source software is recognized for the thinly veiled exploitation of the community it has become with Nessus? Let's hope that this lesson is not lost on those who participate in open source communities. Let's also hope that other companies adopt policies like we have at StillSecure: to get involved in the communities and use our commercial status to help ensure that open source tools remain best-of-breed products and open to all.