With the recent news of more than 500,000 web sites becoming compromised, Tenable's research team added support into Nessus and the Passive Vulnerabiltiy Scanner to look for evidence of recently installed Javascript that may be indicative of a mass compromise.

With Nessus, the webmirror.nasl and webserver_infected.nasl plugins enumerate the web pages of a scanned web server and look for evidence of a compromise. With the PVS, plugin #4487 watches for unencrypted web traffic which contains evidence of these compromises.

Previously, Tenable has blogged about this type of active and passive detection for a different mass compromise event. Also, last week we blogged about auditing Internet facing web servers. The techniques outlined there should be utilized when auditing web servers that may have been infected with malicious content.

News References

• http://blogs.iis.net
• http://blog.washingtonpost.com

Very often, Nessus is used by MSPs, consultants and IT security staff to test the security of an Internet facing server. Occasionally, we see the default settings of Nessus, which are optimized for a credentialed internal LAN audit, used to audit an external server. Although this usually results in a majority of the vulnerabilties being identified, Nessus can be configured to work a bit harder for these types of scans. This blog entry details some different strategies and scan settings that can be used to perform a more complete audit of an Internet facing server.

Nessus Scanner Settings

When scanning a few external hosts, we do not envision the scanning process to impact your system's performance. However, if you do encounter issues, consider the following. The scan settings we will be enabling will cause Nessus to work much harder than it does during a typical LAN or default scan. If the system running Nessus is not a dedicated system (such as a consultant's laptop), you should consider configuring it to have less impact on the underlying operating system. Otherwise, the system may become unresponsive during the audit. On UNIX, the "be_nice" setting should be set to "yes" in the nessusd.conf file and then the nessusd process restarted. On Windows, the nessusd.exe process can have its priority lowered. For this blog entry, I had several heavier scans running at the same time from my local Nessus scanner and had no noticeable impact to my operating system.

If the audit is taking place over a slow Internet connection or a connection which is being served by a device that may be impacted by many simultaneous connections, considering reducing the "max_hosts" setting from the default of 40 to 10. This will generate less overall traffic during any given moment of an audit and also reduce the number of simultaneous checks (and connections). On the Nessus Client, this setting is available under the "Options" tab and is named "Number of Checks in Parallel".

Scan Policy Settings

Global Variable Settings

Many plugins implement more thorough audits when the "Thorough Tests (slow)" setting is enabled. These tests often implement the same logic, but try more combinations of potential security issues. This causes security audits to run longer than they normally do. For example, when looking for FTP, SMB or HTTP servers hosting potentially copy written content, this setting increases the level of  recursion used to look for files. There is a slight chance of impacting a server's performance during this audit, as the server will also have to respond to more probes than during a normal scan.

Also in this section, the "Network Type" should be set to "Public WAN (Internet)". This effects some plugins which are required to choose relevant IP addresses.

Below is a screen shot of the Nessus Client implementing these settings:

Service Detection

By default, SSL detection is normally performed on services that are expected to support encryption such as port 443. However, for any discovered port facing the Internet, SSL service detection should be enabled. This is accomplished by changing the "Service Detection" set of options under the "Advanced" tab from the default setting of "Known SSL Ports" to "All".

If the audit is being performed remotely, this section also has a separate setting for the number of service fingerprints to be performed in parallel. This setting effects the few plugins which perform service fingerprinting and can generate many sessions at the same time. The default value for this is 10 and for the policy used in our example policy, I reduced this by half to 5.

Below is a screen shot of the Nessus Client implementing these settings:

Auditing CGIs

Nessus includes a plugin that can "torture" any discovered CGI or other type of interactive web document. This can uncover a wide variety of security, stability and other issues with poorly written login pages, feedback forms and other types of dynamic pages that process user content.

To enable this, under the "Advanced" tab, select the "Unknown CGIs arguments torture" and enable the "Send POSTs requests" check box.

During the audit, if a complex web site is being tested, you should discuss this type of test with the site owners ahead of time. Nessus will try a wide variety of common form exploits which can result in unexpected behavior or unanticipated system loads. Even if a web site is secure, these tests may show issues with logging failure messages (or lack thereof) and could also highlight issues with custom logging in general.

I've spoken with one customer that tried this sort of auditing and they did not have any security issues, but the error logging process involved writing to a SQL database. This surge in errors resulted in an unacceptable denial of service for the web site.

Port Scanning

Since this is an Internet facing system, no port should be left untested. A full port scan from 1 through 65535 is suggested. If you are omitting port scans for some reason, it should be noted in the final audit.

Web Mirroring

The default Nessus settings to look for web pages that may have vulnerabilities can be made more aggressive. These settings take longer to execute than a default scan, but are more likely to find a vulnerable server. The "Web Mirroring" set of scan options is available under the "Advanced" tab of the Nessus Client. The following settings are recommended:

• The default number of web pages to mirror is 200. This should be raised to something that matches the destination site being audited.
• If Nessus learns of a dynamic web page, it normally won't add this to the mirror list, unless the "Follow Dynamic Pages" option is set. Web sites that link to login screens, include feedback forms and have other types of dynamic content are often dynamically generated.

If an audited CGI or other type of dynamically generated web page is poorly written, the Nessus audit may cause a spike in the performance level of the audited server. For example, a web site may have a slow method to read content from a SQL database before rendering a login page or some type of default screen. A rapid set of web queries performed by Nessus could impact the system.

Below is a screen shot implementing  these settings with the Nessus Client:

Performing the Scan

Nessus 3.2 does include the ability to pause a scan. If your audit causes some unanticipated effect on the target servers, you should stop it or pause it immediately.

Tenable receives many reports from customers scanning their remote systems and having ports that were available during the start of a scan, not be available at the end of a scan. This shows up in a Nessus report like this:

System: 192.168.20.200 unknown (0/tcp)
Vulnerability: [10919] Check open ports
Severity: Informational

The following ports were open at the beginning of the scan but are now closed:

Port 80 was detected as being open but is now closed

This might be an availability problem related which might be due to the following reasons :

- The remote host is now down, either because a user turned it off during the scan
- A network outage has been experienced during the scan, and the remote 
network cannot be reached from the Vulnerability Scanner any more
- This Vulnerability Scanner has been blacklisted by the system administrator
or by automatic intrusion detection/prevention systems which have detected the 
vulnerability assessment.

In any case, the audit of the remote host might be incomplete and may need to
be done again

If an Intrusion Prevention System (IPS) or Unified Threat Manager (UTM) devices is configured between you and the target host, it may detect some of your activity after the scan has started and then block further testing. This can cause an incomplete audit. In these situations, it's important not to speculate. Finding out how the IPS is detecting the scan is important because it is also part of the system being audited. For example, if it is only configured to block hosts that perform a port scan, it may not stop a host or worm trying one SQL injection attack. The point is to provide an accurate assessment so the customer or management does not put their faith in something that might not be reflective of other threats.

For More Information

We have blogged several times in the past about configuring Nessus for optimum scanning:

• Auditing Anti-Virus Products with Nessus
• Improper network Segment Testing with Nessus
• Limiting the ports Probed by Nessus scans
• Understanding the Nessus "Safe Checks" Options
• Using Nessus to scan a Host Behind a firewall

Tenable Network Security recently began sponsoring the Risky Business podcast with Patrick Gray. Episode 59 is now online. This latest installment includes:

• A review and commentary of the week’s security news.
• Jeremiah Grossman of Whitehat Security talks about some of the very latest web vulnerabilities including Cross Site Request Forgery attacks.
• Patrick Gray interviews me about Tenable, our work in the logging and correlation space and the Nessus vulnerability scanner.

 If interested in the podcast, it is at the following link:

• http://www.itradio.com.au/security/?p=68

For those readers that are located in Europe, Marcus Ranum, Tenable’s CSO, will be speaking at two events in Q2 of 2008:

On April 23rd and 24th, Marcus Ranum will be speaking at the Mnemonic Risk Management and Information Security Conference 2008 in Norway. The conference will be held at the Ulleval Business Class. He kicks off the conference with his talk titled: “Lateral Thinking in Security”.

Computer security, as a field, appears to be trapped in a hamster-wheel of repeating the same ideas over and over again. And the results are clear: 15 years into the field, more systems are getting compromised than ever, in spite of billions of dollars and thousands of man-years invested. Why is this happening? It's possible that we're going about doing things backwards and trying harder isn't going to result in any improvement. In this presentation, he'll look at a few things that don't work as well as they should, and he'll try to come up with "plan B" options.

On June 4, 5 and 6, Marcus Ranum will be keynoting the SÉCURITÉ DES TECHNOLOGIES DE L'INFORMATION ET DE LA COMMUNICATION in Rennes, France. Marcus will begin the conference with his keynote titled: “Anatomy of The Security Disaster”

Computer security has historically been a disaster and continues to be a disaster. Many practitioners have attempted to explain it in terms of risk management, failure to communicate, or lack of education. In reality, it is a simpler social problem, and is not solvable by any means short of a redesign of human behavior. The view he will present has implications for the real meaning behind why economic models represent "market failures" and risk management approaches are merely "hand-waving."

For more information on other Tenable upcoming speaking events, please visit:

• http://www.tenablesecurity.com/news/index.php?view=speaking

Recently, Tenable's Security Center product was awarded certification to perform Federal Desktop Core Configuration (FDCC) audits, along with several other types of NIST SCAP audit capabilities, for the Windows XP and Vista platforms. FDCC makes use of the NIST SCAP XCCDF standard to describe security profiles, configuration settings and specific techniques to test for configuration settings. This blog entry describes how this process works and some of the benefits of the NIST SCAP program.

Performing FDCC Audits with the Security Center

Security Center users can download XCCDF content, such as the FDCC policies, and load them into a tool named the "xTool". This tool processes the OVAL, CPE and XCCDF content and logic to produce an audit file that can be used by the Security Center to control one or more Nessus scanners. Tenable's FDCC auditing technology requires credentials for the target systems and does not use an agent.

One of the features of the xTool is to dynamically create audit policies with as little or verbose content available from the XCCDF content. For example, in the screen shots below, the xTool has been configured to display the Nessus audit logic used to test the minimum password age policy.

In the image on the left, none of the meta data was included. In the image on the right, all information related to the Common Configuration Enumeration (CCE) ID, the specific XCCDF audit policy and a handful of related DOD, NIST, ISO and other standards is included. The xTool gives security and compliance managers the ability to customize how much information in the audit is included for analysis by the end user.

The audit policies generated by the xTool are loaded into the Security Center and can then be used to perform configuration audits. These can occur alongside vulnerability scans, patch audits or sensitive data auditing. In the below screen shots, a summary of CCE issues and an example view of detailed results for one CCE is shown:

Once scans are completed, the Security Center can be used to sort the results and identify which types of compliant and non-compliant FDCC issues have been found. These can be sorted by IP addresses, asset group, by type of CCE entry and many other filtering and reporting options.

When submitting results to NIST for FDCC compliance, the results of all systems are not required -- just the results of systems that are representative. For example, based on operational requirements, an organization may need a waiver for the length of their minimum passwords.

With more than 700 configuration checks performed by FDCC, the Security Center can be used to sort and identify unique combinations of non-compliant configurations for hundreds, thousands or even tens of thousands of unique hosts. This makes the process of finding your unique non-compliant samples much easier.

Lastly, the xTool can also import the results of the configuration audit and produce an FDCC report which includes non-compliant tracking of exceptions.

FDCC and SCAP Benefits

Independent Vendor-Neutral Content

As new XCCDF content is developed and hosted by NIST, Security Center users can download it and produce audit polices for new platforms. Tenable currently has customers who have produced audit polices for the beta XCCDF content available for Windows Server 2003, other Windows platforms, Symantec Anti-Virus and the Microsoft Office 2007 suite. As new XCCDF compliant content is developed, the xTool can consume it and produce audit policies.

Logging and Anomaly Detection

Knowing how a system or set of systems are configured is just as important as knowing their vulnerabilities. For example, consider an incident response process that was invoked due to a network wide brute force password attempt. Knowing the password policy (complexity, minimum length, expiration, .etc) of a system can help you prioritize which systems to respond to first.

Similarly, if a user population of systems is configured for a policy that has locked down likely exploit vectors, enabled access-control logging, enabled logging of access to object such as folders and shares and enabled a firewall, the ability to gather logs and look for anomalies is greatly enhanced. Performing anomaly and compromise detection is much easier when the composition of the network you are monitoring is known. 

Quicker Identification of Unmanaged Systems

When complimented with traditional active and passive vulnerability scanning, the Security Center can be used to quickly identify when a system is configured in a non-sanctioned or unauthorized manner.

Perhaps a new system has been installed prior to being locked down. Perhaps some sort of software upgrade resulted in a down-grade of secure system settings. Perhaps a hacker, insider or malware has indeed infected a system and turned off these settings as well. Whatever the reason, in an environment where most hosts are configured the same, finding a host that is different is much easier.

Commercial Auditing

Although the SCAP program has a federal government mandate, the content is also being used in a variety of commercial applications.  For example, Tenable has many financial and health care organizations that are private or commercial entities, yet choose to configure their networks according to NSA best practices, the DISA STIGS and now the SCAP content feeds.

The NIST SCAP program also offers some platforms and recommendations for configuration settings not provided by the Center for Internet Security best practice guides, or directly from vendors such as Microsoft.

For More Information

Tenable has an online video demo of how the xTool and Security Center can be used to perform FDCC and SCAP audits. We've also previously posted about how to configure Windows XP and Vista systems for auditing as well as comments from a NIST FDCC implementor's workshop. To learn more about SCAP and the XCCDF specification, please visit http://nvd.nist.gov.

Apple recently gave Windows iTunes users the option to download the Safari web browser. This move was criticized by many bloggers and security experts. What we will be discussing in this blog today is detection of the Windows Safari application and also examine how organizations could react to this situation.

Detection

Nessus plugin #31788 named "Safari Detection (Windows)" looks for Safari installed on a Windows platform. This plugin requires credentials to analyze the Windows system to see if the browser has been installed. If credentials are not available, this plugin won't report an issue.

The Passive Vulnerabiltiy Scanner can also be used to generically report the active web browser being used on any host it sees web traffic originating from. In the Security Center screen shots below, all user agents detected by the PVS have been listed:

In the screen shot on the left, only Safari browsers on Mac OS X computers are shown. On the right screen shot, a host that has a single Windows Safari client is shown among several different other browser types. The PVS also has a unique plugin (#3705) which detects the Safari browser.

Analysis

I've had a few conversations with our customers about this issue and there are a few themes:

• In organizations that banned the use of iTunes, this event gives them much more evidence to support this decision. The organization should be in charge of what software gets run on a network, not the application vendor. This also gives them reason to ban other applications that might include a software delivery method.
  
• In organizations where iTunes use is allowed, but there is still a requirement for a standard browser such as Internet Explorer, some leniency was given to users who have been educated to accept security updates from their vendors. It could be argued that the Safari push looked like a security update.
• Some organizations are modifying their acceptable use policies to more explicitly state that unauthorized software should not be installed, even if it is from the vendor of an approved application. I've heard several comments from customers basically expecting other major software and operating system vendors to use this sort of technique.

For More Information

We've bloged in the past about enumerating various applications and finding software that should not be there on a corporate network:

• Enterprise Software Discovery with Nessus
• Detecting the Apple iPhone
• Exceeding NIST and CIS Benchmarks
• Security Metrics - Differentiating New Vulnerabilities from Change
• Active and Passive Tor detection

Ten years ago today, I announced the initial public release of Nessus on the bugtraq mailing list. The initial version would run only on Linux and was bundled with 50 plugins (vulnerability checks) written in C. At that time I was 18 and I had no idea I would still work on it years later (or that anyone would actually use it). A lot of great things happened during these years, and  I would like to comment on the ten things which really shaped Nessus into what it is today.

1999 : The existing plugins were all switched from C to NASL.

In early 1999, I had done some work on a small engine called pkt_forge, which was meant to be a packet forgery tool (Net::RawIP did not exist at that time, so forging packets meant a lot of C/compiling/debugging/recompiling cycles). It quickly turned into a small language engine which was working well enough to do packet forgery, sockets operations and string matching, so I decided to use that to write new plugins, instead of sticking to C.

Even though in hindsight the initial NASL engine was fairly buggy, leaked memory and sometimes had issues parsing very valid constructs, this helped the plugin writing effort a lot. At that time, the code of each plugin was at most 10 lines long, so performance did not matter (or so I thought), and plugin development advanced at a really good pace -- with that generation of the engine, we wrote up to one thousand plugins. One of the cool thing with using a scripting language is that you know that a lot of common bugs (overflows, format strings, etc...) can not occur, thus leading to a more secure and more reliable environment.

I was very often asked why I did not choose perl, tcl or any other existing engine as a language. My answer is that, as a developer, I believe that it's very important to keep control of the underlying environment. If the core of your product is relying on a third party engine, then that part is going to get in your way sooner or later -- you will inevitably treat it as a black box. I wanted to have the language and its behavior evolve with my needs, and the NASL code base was very simple initially, so it was easy to port, easy to compile and low on memory requirements. 

1999: Service recognition was added in the engine

Service recognition was added so that if you had a FTP server running on port 2121, or two web servers, they would be recognized properly and tested accordingly. As far as I recall, no other scanner was doing this at the time. I wrote a plugin called find_service.nes, which would send a HTTP GET request to every open port and based on the banner or the error message would differentiate the different services. Due to architectural reasons, this plugin was the last one to get written in C and was very recently deprecated with the release of Nessus 3.2.

This plugin quickly grew complex, and was very later completed by many others, either doing generic probes (find_service2.nasl sends 'HELP' on every open port), or doing very specific services recognition (all the plugins finishing with *_detect.nasl, mostly).

A few years later, a user contacted us telling us that one of his network printer printed several pages with only the word "HELP" on each, thus causing some concerns in his office. In order to save trees and the sanity of everyone, we now recognize printers and do not scan them by default ;

2000: Windows Auditing was added.

However, instead of fully implementing the SMB protocol (and DCERPC), I coded things very gradually, as needed -- initially, I just wanted a plugin to determine if the administrator account had a password set, and that's it. Once it was done, I wanted another plugin to see if we could access C$. Then another one which would connect to IPC$. Then see if we can access the registry as guest (pre-SP3 Windows NT). Etc, etc....

While Samba and Wireshark (Ethereal at the time) had done a lot of good work on the SMB side, very little DCERPC calls had been implemented, so my reverse engineering process was to have three windows systems talk to each other (one client talking two servers with different hostnames), and see what has changed in the packets sent. That helped me to produce Windows plugins very quickly, but it involved sending a lot of blobs with a few variables in them, and ended up creating smb_nt.inc which served its purpose well for a time, but became impossible to maintain. More on that later when I talk about smb_func.inc ;

2001: Support for SSL and Network Computing Award

Once OpenSSL stabilized its API, we added support for SSL in Nessus, which once again not every scanner was able to do at the time. That was Michel Arboi's first contribution to Nessus engine.

The beauty of the implementation is that it required nearly zero change on the plugin side -- basically, Nessus "knows" when a port is speaking SSL, and a plugin opening a connection to that port will automatically use SSL. That's one of the benefits of controlling the underlying language -- you can redefine how function calls work.

That year, we were also blessed to "win" a vulnerability scanners shoot out done by Network Computing (and later on won the Well Connected Award for that category). That was the first time a major publication would compare Nessus to other commercial offerings, and this article gave us great exposure whose effects were immediately noticeable.

2002 - 2003: NASL2

When we hit the mark of one thousand plugins, the plugins started to become complex, and the NASL1 engine was showing a lot of its limits and the code had gone so complex that fixing one bug meant adding another one, so the NASL2 project was started and Michel took the lead on it.

The goal there was not to get it to be faster, but to be more reliable, easier to maintain, and to have a "real" parser which would process the plugins. One of the biggest challenges there was to make it behave the same as NASL1, so we would not have to rewrite all these plugins. We were pretty successful at doing that, but due to fundamental differences between the NASL1 and NASL2 parsers, we had to maintain two plugin sets for a while -- one for Nessus 1.x and one for the upcoming Nessus 2.x. The fear was not so much that a 2.x plugin would not work with Nessus 1.x (what's a plugin out of a thousand?), but rather than a 2.x plugin would break 1.x entirely (which, unfortunately, was easy to do). Since the 2.x dev cycle was fairly long, we maintained the two trees for several months, and quickly dropped support for 1.x when we released 2.0.x. After that, we decided that we would never maintain two plugin trees again, and would find ways to mark a plugin to be incompatible with older versions of Nessus ;

2003 : Tenable Network Security, Inc.

In 2003, Tenable Network Security Inc, was founded and I moved from Paris, France to Columbia, MD. Ron Gula, Jack Huffard and myself created Tenable Network Security, Inc. This allowed me to work on Nessus full time without having to worry about mundane problems such as the ability to pay for my rent. Having a full commercial structure not only let us hire good people, but also allowed us to get better feedback from corporate customers and better understand their needs.

2004 : SSH Support

SSH support was added thanks to a contribution from Nicolas Pouvesle, who then joined Tenable as a research engineer. This let us log into remote hosts and perform local patches checks. This quickly increased the number of plugins since one flaw can now have up to ten plugins written for it (one local check for each distribution and a remote check). We never really bragged about the number of plugins in Nessus, but if we did this would have been a nice artificial way to make sure nobody came close :)

Every now and then, some users complain about these plugins because if you take, say, a Red Hat 4 system with a hand-compiled version of bind, then Nessus will not check it and won't warn you if it's not up-to-date. Leaving the technical details aside, what I would eventually want to do is to have a plugin which makes sure that every daemon listening on a given port is actually provided by the OS vendor. The reason is that if you start to manually compile each critical service, then you are putting yourself in a position where upgrading your operating system is going to be very difficult, you're dropping the support provided by the OS vendor, and in the long run, your system will be impossible to maintain (especially by a third party). Our approach is that you should always use the packages provided by your OS vendor, who is making sure that each new version is still working as it should (in theory at least :) and which will be automatically upgraded to their newest version once you upgrade the OS. The less custom modification you do on a system, the easier to is to maintain over time ;

2004 : Commercial Plugin Feed.

In late 2004 we decided to sell subscriptions which would give faster access to the plugins updates, as well as access to additional plugins and commercial support.  The response has been great, and it also helped us to improve the overall quality of our work -- on the backend, this meant a much stricter QA cycle for each new plugin.

2005 : New SMB API.

As I said earlier, we used to rely on smb_nt.inc to communicate with Windows. While it worked great, it was hard to maintain and it was lacking some functionality, such as support for SMB signing. So we re-did the entire SMB API, this time with the intent to have a full, clean SMB and DCE/RPC stack which would be easier to maintain and to modify in the future. This was a complete rewrite, which was a long process involving a lot of testing, and we worked very hard on this. This new API is really clean, and really easy to maintain. Case in point: we could very easily modify it to add SMBv2 support to it (this is still in QA, but we'll make it public soon). However, the best thing about this API is that when we published it in the plugin feed, and modified every plugin using smb_nt.inc, nobody noticed the change, which meant that it did not break anything.

In engineering, sometimes the most rewarding feedback from your users is a total lack of it :)

2006 : Nessus 3.0 (and close-sourcing Nessus).

In January 2006, we released Nessus 3, which I'm really thrilled with. We redid the NASL engine again -- we kept the NASL2 parser, but implemented a "real" VM with its own bytecode, which really improved things. We also changed the way process management is done. In Nessus 2, each plugin was running in its own process (so if you tested 10 hosts in parallel, with 4 plugins per host, you would have 10 x 4 + 10 = 50 processes running). In Nessus 3, we implement plugin-threading ourselves, while just keeping one process per host (so if you scan 10 hosts, you now have 10 processes running). The benefits of Nessus 3 vs Nessus 2 have already been covered many times, so I won't reiterate them here. My only regret is that we advertised Nessus 3 as "twice as fast" as Nessus 2, whereas in a lot of cases it's more like 5 or even 10 times as fast, especially now with the number of plugins we have. Nessus 3 also gave us the opportunity to not only support Linux, but also Microsoft Windows and later on Mac OS X. I actually did the Mac OS X GUI myself, which gave me the opportunity to learn a new language (Objective-C) and reconciled me with object oriented programming.

From a purely technical perspective, one of the surprising benefits of close-sourcing has been the increase of the code quality. My initial fear was that we would not be able to get useful bug reports from end-users due to their inability to use gdb or to load core dumps. So we spent a lot of cycles to write better diagnostic tools which would make our life much easier when users report a problem. This, combined with the fact that there is a limited set of Nessus binaries really helped to improve the code quality. Case in point : we quickly found a bug present since Nessus 2.2.0 that we had been chasing for a long time (an off by one memory overwrite which odds of occurring were 1 in 65535). I believe it was fix during the Nessus 3.0.0 or 3.0.1 cycle (and the fix was backported to the 2.x branch, obviously).

This kind of diagnostic/debugging is obviously not specific to being closed-source, but the point is that by considering that as developers we won't be able to rely on the users to provide us with meaningful information about a crash, we had to write code which makes it easier to understand the worst cases.

Today

We recently released Nessus 3.2.0, which is by far one of the most stable .0 release we've ever done.  I am still very involved with the development but I code fewer plugins than I used to -- every now  and then I will write a new plugin, as I believe that it's very important that the persons involved with the engine keep in touch with what the engine is for, but my great research team now does most of the work and is brilliant at doing that.

Over these ten years, I have been blessed to work and interact with many brilliant people -- ranging from great contributors such as Michel Arboi, Nicolas Pouvesle or George Theall, to nice, patient, and constructive end-users and product testing editors who gave us various awards over the years. Working on Nessus has been fun every day for the last 10 years and I would like to thank everyone who contributed directly or indirectly to its success. As always, I enjoy interacting with every user, so never hesitate to contact me at deraison@nessus.org.

Renaud Deraison.

If you are at RSA next week, please feel free to come by the Tenable booth which is #2737. We're on the far right side of the exhibit floor. A map and picture of our booth is below:

I'm going to be in our booth a good deal of time, so please come by if you are interested in speaking about Nessus, logging, PCI, intrusion detection, compliance auditing, NBAD and so on. If you want to learn more about Tenable's products and solutions, I can help with that too.