
Free Open-Source vs. Commercial Security Tools?

Cliff posted more than 9 years ago | from the don't-buy-into-the-FUD dept.

Security 234

sahirh asks: "I work as a penetration tester and recently started writing a whitepaper on the benefits of free, open-source security tools over commercial tools. Through my own experiences, I've found that many free tools such as Nessus and Kismet are more reliable and have better features than expensive commercial alternatives like ISS Internet Scanner or Airopeek. I've also noticed that tools like Ettercap have no commercial alternative. Further, the flexibility offered by the open-source nature of such tools is a great benefit. I'd like to ask for Slashdot's experiences and opinions on why you don't need to spend thousands of dollars on an expensive tool to perform a professional security assessment." Update: 02/07 11:15pm EDT by C : Thanks to all who wrote in to let us know the proper URL to the Kismet site.


234 comments

I want his job (5, Funny)

YankeeInExile (577704) | more than 9 years ago | (#11599196)

I have no joke here, I just like saying, I work as a penetration tester ...

Re:I want his job (1, Funny)

Anonymous Coward | more than 9 years ago | (#11599335)

I have determined that there is a vulnerability in your sister.

Re:I want his job (1)

YankeeInExile (577704) | more than 9 years ago | (#11599407)

An anonymous coward said:

I have determined that there is a vulnerability in your sister.
Well, duhhhh. My sisters have six children and four grandchildren between them. I am sure in their day they were MILFs to someone ...

Yes, but use caution (0)

Anonymous Coward | more than 9 years ago | (#11599340)

Yes, it may sound like one of the best jobs, but one misstep and you may find yourself on the Worst Jobs in Science [slashdot.org] list:

flyingtoaster writes "For the second year in a row, Popular Science published their annual countdown of the worst jobs in science [popsci.com]. This year's list includes Anal-Wart Researcher...

I want his job-Inspector 12 (0)

Anonymous Coward | more than 9 years ago | (#11599399)

"I have no joke here, I just like saying, I work as a penetration tester ..."

Inspector 12 at the Trojan Factory.

Re:I want his job (0)

Anonymous Coward | more than 9 years ago | (#11599446)

In my job I engineer large decks made of steel beams. When a designer wants to run a pipe or cable through my beam, they need to formally ask me if it's ok.

I never fail to be amused when I tell a PYT that she needs to give me a penetration request.

Re:I want his job (0)

Anonymous Coward | more than 9 years ago | (#11599622)

...and I thought for certain this one would end in an erection joke.

Snort (3, Interesting)

ikewillis (586793) | more than 9 years ago | (#11599202)

One of the best NIS tools available, the only thing you can get better are... commercial Snort derivatives. Not mentioned, WTF?

Re:Snort (2, Informative)

SquadBoy (167263) | more than 9 years ago | (#11599392)

Sourcefire. Martin Roesch's company. It gives you, the admin, the goodness of Snort and OSS tools and gives your bosses a contract to feel all warm and fuzzy about. Pretty much a win-win. I love my Sourcefire boxen and they cost less than the other commercial IDSes.

Re:Snort (2, Informative)

checkitout (546879) | more than 9 years ago | (#11599585)

It gives you, the admin, the goodness of Snort and OSS tools and gives your bosses a contract to feel all warm and fuzzy about.

Actually we found that Sentarus is a much better snort-based product. We kicked Sourcefire out after 2 weeks, they just don't get the concept of a GUI. Talk about butt ugly and unmanageable.

Re:Snort (3, Informative)

gclef (96311) | more than 9 years ago | (#11599611)

Snort's not really a pen-test tool, though.

For pen-testing, check out the Metasploit framework [metasploit.com]. It's truly cool.

Also, have a look for scanrand, part of paketto keiretsu (doxpara.com appears to be having trouble right now, so don't go looking right now).

There's always the old standbys, as well, like dsniff.

rip michael sims 1972-2005 (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11599203)

good riddance loser

Sad news ... Michael Sims, dead at 13 (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11599579)

I just heard some sad news on Communist talk radio - Slashdot "editor"/Domain hijacker Michael Sims was found dead in his cardboard box this morning. There weren't any more details. I'm sure nobody in the Slashdot community will miss him - even if you didn't enjoy his abuse of power, there's no denying his contributions to douchebaggery. Truly a filthy hippie.

Job title (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#11599213)

Man, does your business card say that?

Penetration Tester? (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#11599217)

I work as a penetration tester...

Hear that? That's the sound of a thousand Slashdotters madly typing away after misinterpreting your position.

Penetration Tester (0, Troll)

jmaxwell39648 (854203) | more than 9 years ago | (#11599221)

How can you tell someone what your job is without laughing. I need that gig. Penetration Tester. Bah.

Freeloader (0, Troll)

Anonymous Coward | more than 9 years ago | (#11599225)

So what you're saying is "I want Slashdot to write a Whitepaper for me so I can take the credit and get high paying consulting gigs."

Did I get that right?

Re:Freeloader (1)

GryphonTech (702482) | more than 9 years ago | (#11599594)

So what you're saying is you are a troll...... Stop trying to antagonize everyone. This is what Open source is all about. The free and Open sharing of information. Take freely available software and earn our money adapting it to our clients' needs. We also make our money fixing bugs and patching windows systems. Hopefully landing a contract to help the company migrate from M$ to better alternatives. A very simple way to earn a living and I have no problems helping someone else do the same.

Valuable Open Source Security Assessment Tools? (5, Informative)

kiwidefunkt (855968) | more than 9 years ago | (#11599226)

Ethereal [ethereal.com], nmap [insecure.org], and snort [snort.org] always get the job done for me.

Re:Valuable Open Source Security Assessment Tools? (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#11599241)

i snort your mothers pussy. smells like fish and rotten garbage.


Re:Valuable Open Source Security Assessment Tools? (-1)

eno2001 (527078) | more than 9 years ago | (#11599305)

IMPORTANT QUESTION for the flamebaiting asshole:

If it smells like that, then why do you do it? Hmmm? The fact that you DO do this, speaks more to your lack of intelligence than someone's scent.

Re:Valuable Open Source Security Assessment Tools? (2, Informative)

Mr. Sketch (111112) | more than 9 years ago | (#11599284)

Agreed. I usually throw in tripwire [tripwire.org] too from the start, it makes things easier later on.

Re:Valuable Open Source Security Assessment Tools? (3, Interesting)

Gyorg_Lavode (520114) | more than 9 years ago | (#11599333)

How do you use Snort and Tripwire (from the child's response) for penetration testing and risk assessment? I understand using them as part of an IDS, but not for the initial risk assessment.

Re:Valuable Open Source Security Assessment Tools? (2, Informative)

niekko (780219) | more than 9 years ago | (#11599354)

Same here. And about the open vs. commercial, I've been using both Ethereal and Network General's Sniffer and in my opinion Ethereal is way much better starting from the simple GUI.

Agreed (2, Insightful)

paranode (671698) | more than 9 years ago | (#11599403)

Those are great tools to use and the fact that they are free is even better. The only thing I might recommend replacing for a commercial alternative is Nessus. If you can afford it, something like eEye's Retina scanner is a very nice product. It doesn't come cheap, but if you work in a big corporate environment you can probably justify the cost. Not to mention, Nessus is a bit flaky so if you start crashing machines during your testing you will have some angry people to answer to. Don't get me wrong, Nessus is great for a free tool, but it lacks professionalism and is a bit overintrusive at times, even with the safe settings activated.

Re:Valuable Open Source Security Assessment Tools? (4, Informative)

Homology (639438) | more than 9 years ago | (#11599438)

Ethereal, nmap, and snort always get the job done for me.

Heh, recommending a security tool that OpenBSD removed because the Ethereal team does not care about security [openbsd.org]

Mark it as BROKEN:

Right during 3.5, it had more than a dozen remote holes being fixed, that we shipped with. Weeks later things have not improved, and there continue to be problems reported to bugtraq, and respective band-aids - but it is clear the ethereal team does not care about security, as new protocols get added, and nothing gets done about the many more holes that exist.

Just because something is open source does not imply that it's secure.

Re:Valuable Open Source Security Assessment Tools? (4, Informative)

Stephen Samuel (106962) | more than 9 years ago | (#11599630)

Heh, recommending a security tool that OpenBSD removed because the Ethereal team does not care about security

I was just thinking about structural ways to work around this in ethereal (like priv sep) -- in the meantime, I would point out that the biggest difference between ethereal and its commercial equivalents is that, with ethereal, you find out about the security problems quickly -- whereas with commercial equivalents, you might not find out for a while (if ever), and you'll probably end up paying for the upgrade to make it secure.

Another point is that it's most often the newer dissectors that contain the holes. If you're worried about security and working in a 'hostile' environment, you're probably best to disable any dissector that you're not intending to use. -- in fact, that might be a good idea to do in Ethereal, generally: Disable all but the most common dissectors and wait for the user to enable them explicitly.

Re:Valuable Open Source Security Assessment Tools? (0)

Anonymous Coward | more than 9 years ago | (#11599548)

What is the value of snort, exactly? Or any IDS tool, for that matter?

Yes, you might detect a port scan, or someone trying a canned exploit on your webserver, etc. But if you're already doing the proper logging, you already have access to that information. IDS seems like a solution to a problem that should already have been solved, if one is concerned with security issues. And it doesn't really provide any defense, per se; yes, you know someone's attempting to break into your system, but you can't -do- anything about it without using additional measures.
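To make the comparison in that comment concrete, here is an added example (not part of this thread, and not taken from any IDS product): the same port-scan signal the comment says an IDS gives you, pulled out of ordinary firewall log lines with a per-source sliding window. The log lines are constructed in the style of netfilter LOG output rather than a real capture, and the window and port thresholds are arbitrary choices for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the style of netfilter LOG messages; not a real capture.
# 203.0.113.7 probes seven ports in four seconds, 198.51.100.9 is a normal client.
SAMPLE_LOG = """\
Feb  7 23:10:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN
Feb  7 23:10:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23 SYN
Feb  7 23:10:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=25 SYN
Feb  7 23:10:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=80 SYN
Feb  7 23:10:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=110 SYN
Feb  7 23:10:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=443 SYN
Feb  7 23:10:04 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40007 DPT=3306 SYN
Feb  7 23:10:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80 SYN
Feb  7 23:10:20 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=80 SYN
Feb  7 23:40:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40008 DPT=8080 SYN
"""

# syslog timestamp, then the SRC/DST/PROTO/DPT fields netfilter emits.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)"
    r".*?\bSRC=(?P<src>\S+).*?\bDST=(?P<dst>\S+).*?\bPROTO=(?P<proto>\S+)"
    r".*?\bDPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, src, dst, proto, dport) for a netfilter line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    return ts, m["src"], m["dst"], m["proto"], int(m["dpt"])


def detect_port_scans(log_text, window_seconds=10, min_ports=5):
    """Map each source that touched at least min_ports distinct destination
    ports inside any window_seconds span to the largest such port count.
    This is the same sliding-window heuristic a NIDS portscan module applies
    to live packets, here applied to the firewall's own log."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, _dst, _proto, dpt = parsed
            events[src].append((ts, dpt))

    scanners = {}
    for src, evs in events.items():
        evs.sort()
        best = 0
        for i, (t0, _) in enumerate(evs):
            ports = set()
            for t, p in evs[i:]:
                if (t - t0).total_seconds() > window_seconds:
                    break
                ports.add(p)
            best = max(best, len(ports))
        if best >= min_ports:
            scanners[src] = best
    return scanners


if __name__ == "__main__":
    for src, count in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {count} distinct ports in one window")
```

Run on the sample, only 203.0.113.7 is reported; its 23:40 probe falls outside the window and does not count. The same loop works on a real `/var/log/kern.log` as long as the LOG target is enabled for dropped packets, which is the "proper logging" precondition the comment relies on.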

Accountability (3, Insightful)

JaxWeb (715417) | more than 9 years ago | (#11599236)

If I were to choose software protecting my company, I would use commercial software. Why? Because if something does go wrong, it is the vendor's fault and not yours. With free software, it is your fault.

However, for protecting yourself, I think there are ethical reasons to use Free Software - Stallman argues that you should choose software for those reasons alone, and not technical reasons. If you listen to Linus, however, he tells us that technical reasons are valid reasons to choose software. Your decision on this issue is the first step to your overall decision.

Re:Accountability (3, Interesting)

Nothinman (22765) | more than 9 years ago | (#11599309)

Right, because pointing a finger at someone you can't really hold accountable or make a lawsuit against is worthwhile. Telling your CEO "but the tool didn't see that problem" potentially makes you look just as dumb as the tool you paid for.

I'm on our network security team and when doing audits we do have a few commercial tools, but we also use OSS tools like Nessus because IME they're better overall.

Re:Accountability (3, Insightful)

fm6 (162816) | more than 9 years ago | (#11599431)

Telling your CEO "but the tool didn't see that problem" potentially makes you look just as dumb as the tool you paid for.
Why? It's not your job to see the problem. By hiding the implementation of the security software, its designers assumed responsibility for making it reliable.

Passing the buck is standard corporate politics. It's true that this leads to a lot of dysfunctional organizations and bad decisions. But if you choose to fight this trend, you better be very good at what you do. And at covering your ass.

Re:Accountability (0)

Anonymous Coward | more than 9 years ago | (#11599514)

It IS your job to see the security problem!!!

Don't you get it?

The tools are there to help you, but your best tool is your brain and if they didn't need you and just the tool, they would have just used the tool themselves.

Passing the buck is a thing that corporations do, true. But many corporations go out of business, your goal is to provide a secure environment, not watch your ass.

If all your job is to watch your own ass, then you're a bureaucrat.

Re:Accountability (0)

Anonymous Coward | more than 9 years ago | (#11599553)

You are partially right. Commercial software is good for covering your rear end, so long as you didn't recommend that software. However if I recommended that software I still look like a fool when they fail.

Re:Accountability (2, Interesting)

ifwm (687373) | more than 9 years ago | (#11599598)

"you can't really hold accountable or make a lawsuit against is worthwhile"

Why can't you? The law on this is untested in many areas. What makes you so sure you couldn't make a case against them?

What a pile of shit? (4, Funny)

Foofoobar (318279) | more than 9 years ago | (#11599326)

So if something goes wrong with your setup, a commercial company will quickly take credit? Riiiiight.

I know Microsoft readily accepts monetary responsibility for their products being crap and causing crashes, viruses and trojans in my system.

In fact, Bill and Steve cut me a check weekly.

Re:Accountability (1)

jvagner (104817) | more than 9 years ago | (#11599365)

If I were to choose software protecting my company, I would use commercial software. Why? Because if something does go wrong, it is the vendor's fault and not yours. With free software, it is your fault.

How does this work in the real world, exactly?

IME, it's always your fault, as it should be, mostly.

Accountability vs Responsibility (4, Insightful)

A nonymous Coward (7548) | more than 9 years ago | (#11599386)

How do you know you can get any resolution from the people who sold you the software, or developed it? Have you checked the contracts or EULAs? Most EULAs I've seen explicitly disclaim any responsibility.

Your responsibility is to protect your company AND get it back on its feet after a breakin. You can't rely on a lawsuit to do that in any timely fashion, only after the company has gone out of business and everyone has long since gotten new jobs. Even then, you'd be lucky to get pennies on the dollar in restitution. So what good does it to sue the developer or seller?

You have to get the company going again as quickly as possible. It just might be helpful to have sources to what failed to see how it failed and how the breakin occurred. Proprietary software is useless there.

Re:Accountability vs Responsibility (1)

ifwm (687373) | more than 9 years ago | (#11599631)

Others have made the same point. EULAs may protect the company against liability if you get screwed, but they may not. The law is unclear, and generally untested.

I'll wait until the law is clearer, but the idea that EULAs absolve a company of guilt simply is not correct (yet).

Re:Accountability -- Remind me not to hire you (5, Insightful)

Stephen Samuel (106962) | more than 9 years ago | (#11599466)

I would use commercial software. Why? Because if something does go wrong, it is the vendor's fault and not yours.

grunt: Admiral! There's a missile coming our way, and the defence systems have just blue screened!

admiral: Thank god I can blame Microsoft for this!
missile: BOOM!
So you'd use inferior software just because you can point the finger at someone else when the software fails??? Wouldn't you rather use the best software for the job (even if it's cheaper)??

I mean, it's not like most commercial vendors take any responsibility for their software, anyways -- have you read your EULAs recently?

At least with open source software, you have the option of fixing any bugs yourself if the vendor refuses to. With Proprietary code, your only choice is to grin, bend over and wait for your bill.

Re:Accountability -- Remind me not to hire you (2, Insightful)

ifwm (687373) | more than 9 years ago | (#11599657)

"So you'd use inferior software"

Commercial is not the same as inferior. MANY MANY commercial products are better than the open source version. Your bias is showing.

Re:Accountability (1, Funny)

Anonymous Coward | more than 9 years ago | (#11599483)

Yeah tell that to my network admin that came to shut us down because ISS said that our linux servers were sending windows viruses. And when questioned about false positives he let us know that it was impossible that a software so expensive was wrong.

Accountability ? What for ? (1)

dmn (855563) | more than 9 years ago | (#11599515)

If I were to choose software protecting my company, I would use commercial software. Why? Because if something does go wrong, it is the vendor's fault and not yours. With free software, it is your fault.

So basically what you're saying is that you care more about covering your ass when things go wrong, than _preventing_ them from going wrong. IMO that pretty much makes your opinion on the subject completely worthless (not to mention the quality of your work if you do this kind of job ;]).

Re:Accountability (0)

Anonymous Coward | more than 9 years ago | (#11599592)

One day software purchasers will be held accountable for the quality of the software they choose. The continuous improvement of the quality of OSS is pushing us towards that day.

Re:Accountability (0)

Anonymous Coward | more than 9 years ago | (#11599644)

and it can be the company's fault. and they have absolutely zero responsibility to you.

you can blame them all you like, but don't expect money or any form of acknowledgement from the company.

they can tell you directly to piss off, and there isn't shit you can do. sue them, AHHAHAHHA that's cute and funny.

I have a similar job. (4, Funny)

bigtallmofo (695287) | more than 9 years ago | (#11599246)

My job duties sound similar to the story poster... My job description is "Penetration Preventer". My business card title just says, "Cockblocker".

Re:I have a similar job. (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11599561)

Should try working at Cockbuster..

Re:I have a similar job. (-1, Offtopic)

Doc Ruby (173196) | more than 9 years ago | (#11599566)

I keep meeting girls with friends who work as "honeypots" - their cards read "cunt bunter".

Huh? (1, Informative)

ajaf (672235) | more than 9 years ago | (#11599254)

I don't use commercial applications. I don't use programs for my security tests. I do the tests myself everyday.

Hmmm (3, Interesting)

spiffy_dude (762559) | more than 9 years ago | (#11599261)

It seems like there is an implicit bias in the question. I would like to see a fair assessment of commercial vs open source tools over a biased statement about how open source tools are better. I'm sure there are worthwhile products in both categories.

Re:Hmmm (1, Funny)

YrWrstNtmr (564987) | more than 9 years ago | (#11599448)

I would like to see a fair assessment of commercial vs open source tools over a biased statement about how open source tools are better.

You're new here, right?

Go to SANS training. (5, Informative)

Matey-O (518004) | more than 9 years ago | (#11599269)

$3200 spent in a snort bootcamp made the need to buy a $120,000 IDS box moot.

We were reviewing several six-figure pieces of equipment and found the same thing - we knew they saw traffic they didn't like, but we didn't know WHY.

Now that everybody uses snort rules, the training is still helpful to show you WHAT you're seeing and IF it's truly bad or just another false positive.

FWIW, why get the snort stuff one vendor removed? Just go straight to the source.
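As an added example of the "what am I seeing" problem the post above describes (this code is not from the thread, from Snort or from SANS): a minimal parser and matcher for a single Snort-syntax rule, run against constructed HTTP requests. The rule text, its sid and all three payloads are made up for illustration. The point it shows is that the same signature fires on a real traversal attempt and on a harmless request whose URL happens to contain the matched string; the alert line is identical, and only someone who understands the rule and reads the payload can tell the true positive from the false one.

```python
import re

# Constructed rule in Snort 2 syntax; the sid is hypothetical, not from any ruleset.
RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"WEB-MISC /etc/passwd access"; flow:to_server,established; '
    'content:"GET"; depth:3; content:"/etc/passwd"; nocase; '
    'classtype:attempted-recon; sid:1000001; rev:1;)'
)

# Constructed payloads, not captured traffic.
ATTACK = (b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"
          b"Host: www.example.com\r\n\r\n")
BENIGN = (b"GET /docs/hardening-guide-for-/etc/passwd.html HTTP/1.1\r\n"
          b"Host: intranet.example.com\r\n\r\n")
UNRELATED = b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

# One rule option: a key, an optional ":value" (quoted or bare), a ";" terminator.
OPTION_RE = re.compile(r'\s*(?P<key>[a-z_]+)(?::\s*(?P<val>"(?:[^"\\]|\\.)*"|[^;]*))?;')


def decode_content(text):
    """Expand a Snort content string into bytes; |..| groups hold hex bytes."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        if i % 2:
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def parse_rule(rule):
    """Split a rule into header fields plus its content matches.
    content/nocase/offset/depth are interpreted; every other option is kept
    as a plain string (msg, sid, classtype, ...) for reporting."""
    header, _, body = rule.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    body = body.rstrip().rstrip(")")
    contents, meta = [], {}
    for m in OPTION_RE.finditer(body):
        key, val = m["key"], m["val"]
        if key == "content":
            contents.append({"pattern": decode_content(val.strip('"')),
                             "nocase": False, "offset": 0, "depth": None})
        elif key == "nocase" and contents:
            contents[-1]["nocase"] = True
        elif key in ("offset", "depth") and contents:
            contents[-1][key] = int(val)
        else:
            meta[key] = val.strip('"') if val is not None else True
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "contents": contents, **meta}


def match_payload(rule, payload, dport):
    """True when the destination port matches and every content is found.
    offset/depth bound the search window from the start of the payload, as
    in Snort; contents without distance/within are independent of each other."""
    if rule["dport"] not in ("any", str(dport)):
        return False
    for c in rule["contents"]:
        hay, needle = payload, c["pattern"]
        if c["nocase"]:
            hay, needle = hay.lower(), needle.lower()
        start = c["offset"]
        end = len(hay) if c["depth"] is None else start + c["depth"]
        if hay.find(needle, start, end) < 0:
            return False
    return True


if __name__ == "__main__":
    rule = parse_rule(RULE)
    for name, payload in (("attack", ATTACK), ("benign", BENIGN), ("unrelated", UNRELATED)):
        fired = match_payload(rule, payload, 80)
        print(f"sid {rule['sid']} {rule['msg']!r} on {name}: {'ALERT' if fired else 'no match'}")
```

Both the attack and the benign request produce the same `sid 1000001` alert; the unrelated request and any request to a port other than 80 do not. Deciding whether the second alert is a problem is exactly the analyst's job the post says the training teaches, and it is the same decision whether the engine running the rule is Snort itself or a six-figure appliance wrapping the same ruleset.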

Penetration Tester (3, Insightful)

RasendeRutje (829555) | more than 9 years ago | (#11599272)

Penetration Tester?? Not only looking for the obvious (security) holes, but also the tricky ones? Those you don't normally see? Damn where do you learn that

Visa / MC Compliance (5, Informative)

jfroot (455025) | more than 9 years ago | (#11599306)

One reason that many companies need to use a commercial security tool is because of Visa and Mastercard CISP [visa.com] and SDP [mastercardintl.com] compliance.

In order to comply you must have various levels of security testing done and certified by an approved vendor [visa.com].

Don't Forget (2, Insightful)

iammrjvo (597745) | more than 9 years ago | (#11599310)


There is security implied simply by the fact that the product is open source. That is to say that its failings and potential security weaknesses have been evaluated by a community beyond the original developers and is always open to scrutiny.

besides the obvious (5, Informative)

JeanBaptiste (537955) | more than 9 years ago | (#11599328)

snort, ethereal, nmap, etc

one commercial one that I _really_ like is Languard Network Scanner from GFI.

While it is closed source, it has 30-day full functionality, and has limited functionality after that. Still even with the 'limited' functionality, it provides the full scanning capabilities, it just doesn't let you use some of the features that I never use anyways (scheduling, etc).

I'd really recommend giving it a try, its pretty slick.

Anything, as long as... (2, Insightful)

tod_miller (792541) | more than 9 years ago | (#11599339)

a) it does the job
b) see a.

I do not see the need to stick to ideals in a world of security, use the best tool for the job, and stay vigilant (if OS is the best tool, then only merit it on this, not the fact that it is OS)

Re:Anything, as long as... (0)

Anonymous Coward | more than 9 years ago | (#11599650)

Of course. But since you cannot know all the characteristics of a piece of software by simply running it, one must consider that one choice was developed essentially in public and reviewed by many, while the other was developed behind closed doors and reviewed by none outside the selling company.

Ideals are one thing. A fundamentally different development and QA process is another.

Wow OSS everywhere (1)

Fr05t (69968) | more than 9 years ago | (#11599343)

"I work as a penetration tester and recently started writing a whitepaper on the benefits of free, open-source security tools over commercial tools."

Excellent the porn industry is on our side, there is no way we can lose now!

It makes more sense to use open source ... (1, Informative)

Anonymous Coward | more than 9 years ago | (#11599344)

b/c this is what the majority of hackers/crackers are out there using...
use the tools they use...not that commercial products don't have any value to them. perhaps just use OSS first then supplement that with some commercial solutions.

www.packetstormsecurity.com is a good place to start also.

How free is nessus anymore? (0)

Anonymous Coward | more than 9 years ago | (#11599359)

Looks to me like they just pulled the plug on over half of their rules, now you need to pay them money or agree to a fairly strict license and 7 day delay.


It's understandable, they have a lot of leeches [nessus.org] on their back that aren't returning anything to the community. From the sound of things some are just outright trying to take credit for what nessus does.

Assumed a thief (5, Interesting)

rtkluttz (244325) | more than 9 years ago | (#11599373)

I work for a company that has an EtherpeekNX license. When they started with the NX line, they now have activation. One time per license. I had to call and threaten a move to open source alternatives with a forced refund due to their policy.

They provide a remote collection agent that can be monitored with the licensed full version. That was not good enough in our instance due to the layout of our network and needing to install our licensed copy, at the work site, fix the problem and then uninstall the software. After much desk pounding they finally gave in and let us have unlimited installs of the same number. But only after threatening a move to open source.

Our take on the issue is, we need to install the product how we see fit. We paid for it. It doesn't matter to us if we aren't using the software how they "envision" it should be used. We were due a refund if they refused to let us use a product we paid for.

Hardly unique (1)

Craig Ringer (302899) | more than 9 years ago | (#11599488)

That's pretty common, sadly.

Quark is a classic for that. The app *scans* *the* *network* for other instances with the same license key. I bought 6 licenses, why the heck can't I deploy with disk images?

In Quark's case, the answer is "you can if you buy a site license and run a license server". Of course, in exchange for the ability to use your software more practically, what do you get? The same prices, and a new requirement to upgrade all licenses to a new version at once. That's right - less flexibility! Arrggh!

Your pain is far from unique, I'm afraid.

Re:Hardly unique (-1)

Anonymous Coward | more than 9 years ago | (#11599599)

So, firewall it?

OSS equivalent of WebInspect (1)

KDN (3283) | more than 9 years ago | (#11599380)

I use several open source programs to do various tests, nmap and nessus mostly. But one commercial package that I use is WebInspect. Does anyone know of an open source equivalent?

The advantage of creating your own security (2, Insightful)

hellfire (86129) | more than 9 years ago | (#11599398)

IANASS (...Security Specialist) but to me, logic seems to state that having an open source system has an advantage in that the code is there for everyone to see, and that you can add your own code.

Take physical security as a metaphor. You want to secure your physical plant, so you hire a security specialist. You hire his services and he peruses your building. He suggests locks here, cameras there, and a whole plan on making your business less prone to break-ins and the like.

However, what's so great about this? Two things. One, everything is transparent. It's not like joe security officer is selling you a security package and not telling you where he's going to put that $50,000 you just paid for. He has to give you a full plan (the code!) that you approve of. Plus, the plan is customized for you. It's your plan, not someone else's. It's based on your requirements and your specifications. If a security company comes to you and says they'll put a camera in every room and be done with it, is that really enough for you?

Tie that back to open source. The code for open source security solutions is that plan you need. You can provide input on it and change it as much as you want to match your individual needs. And the code will be more unique than a commercial security program, which is the same from site to site.

I can't say that open source is necessarily for everyone. Maybe a camera in every room is all you need. Maybe you just need a security guard out front. The advantages I see here are businesses where security is an important part of business, and where companies don't want control of their own data in the hands of anyone but themselves.

Re:The advantage of creating your own security (0)

Anonymous Coward | more than 9 years ago | (#11599597)

I'm just a lowly AC, but I disagree.

He has to give you a full plan (the code!) that you approve of. Plus, the plan is customized for you.

When you find an open source developer willing to tailor to my EXACT specifications (like giving him a call and everything), please post it on /. The argument that 'it's open source, you can just edit it' doesn't apply because in this scenario I'm hiring outside help--It's not like I'm reading a book at the library and setting up my own camera security system, which is what I think editing an OSS is analogous to. On the other hand, calling in an outside company, telling them what you want, and them delivering it sounds much closer to CSS than OSS. My english is bad but what i'm trying to say is, if a company is in a do it yourself mode, then they'll just use (and maybe customize) OSS and not hire someone from the outside, right? But if they're going to put the security of their company in another company's hands, and don't want to mess with the details (maybe they're not that great at computers, or in this case, security), then Company XYZ's CSS solution might be what they need (see the guy from the DoD's post).

Counter-point instead (3, Insightful)

RyoShin (610051) | more than 9 years ago | (#11599405)

I don't have a lot of experience with free software, but I can tell you why people prefer to pay for it: Security in spending.

Basically, most people (including CEOs and the like) think that the more something costs, the better it must be. After all, if Product A costs you $100 and Product B costs you $5, then there must be a lot more features and hard work put into Product A to make it cost more than Product B.

Plus, when people hear 'open source', they think of crackers/evil people getting their hands on the source code and exploiting all sorts of 'holes'. Since they can find out how it works, it must be really easy for them to exploit it.

I wouldn't be surprised if many people, on first look, would rather pay $10 for a Linux distro rather than get it for free because 'free' has all sorts of bad connotations locked in with it this day and age. They assume it's the difference between going to a 12-year old's lemonade stand and going to starbucks for a smoothie. "You get what you pay for."

Re:Counter-point instead (1)

dlZ (798734) | more than 9 years ago | (#11599533)

12 year old's lemonade stand is probably better than the starbucks smoothie. And I think the ant content is about the same.

dangerous thinking (1)

FateCreatr (145802) | more than 9 years ago | (#11599417)

I think that it is a bit dangerous and irresponsible to evaluate the effectiveness of a tool based on its licensing. The real debate about its effectiveness should not be linked to how much it costs. Doing that changes the debate from how good something is to pricing, and open-source community support. There are many closed source tools that are better than open, but you cannot then derive that all closed source is better. Software ease of use and effectiveness debates should remain licensing neutral, and not a forum for open or closed source advocacy.

Deploying Software (5, Interesting)

markmcb (855750) | more than 9 years ago | (#11599422)

I work for DoD. We tend to go with commercial software for several reasons:

1. Personnel changeover. DoD loves to move people around between departments and installations. It's hard to find people savvy enough to run open-source software and keep them in one spot. It's much easier to give whoever is holding the position a phone number and tell them to call tech support with problems.
2. Personnel skills. DoD is huge. Because of this, the chances of getting skilled and motivated people at all of your sites is slim. Again, the phone call seems to make everything better.
3. Contracts. Things are usually purchased in bundles and as part of a big plan. It's much easier to brief to a non-tech boss that you have the support of another company and not that "I'm sure we can figure it out."
4. Uncle Sam's pockets are deep.

I agree that open source software is often better. But it doesn't give the non-tech group that warm fuzzy it needs to. In the end, the boss doesn't want to be up a creek without a paddle. Having that phone number to call adds a much wanted security blanket, even if it's only a facade.

Re:Deploying Software (4, Insightful)

Stinking Pig (45860) | more than 9 years ago | (#11599506)

Bingo -- same attitude exists in most of the American corporate market, in spades. Maybe rightly so, maybe not, but take note of Red Hat and IBM's successes... this is not about source code or product licensing, it's about that tech support phone number.

Linuxcare and the like flamed out for poor core business practices and poor market targeting (do not ever, I repeat do not EVER, try to make money directly supporting end users). MySQL AB, Best Practical, Trolltech, &c seem to be doing pretty well though....

Re:Deploying Software (1)

bushda (460996) | more than 9 years ago | (#11599651)

So you're saying you prefer tools that have been dumbed down to the point that any schmoe can run them instead of some trained individual that can intelligently interpret what he's seeing? ...and on top of this, part of the justification is that it's "free money" because Uncle Sam is footing the bill??

Sorry, but this is a *HUGE* example of why my taxes are so big!

how can you be sure of quality of closed source ? (3, Insightful)

Eternally optimistic (822953) | more than 9 years ago | (#11599435)

For security applications, how can you say with any confidence that a closed source product does an adequate job? You are not allowed to examine what it does, instead you have to rely on what the vendor says. Maybe some tool is certified by some "trusted" entity in your industry, but you don't have any control yourself. With open source, you can look, or hire someone to look who works for you.

Layered Security (0)

Anonymous Coward | more than 9 years ago | (#11599453)

Nessus is a great scanner, but it's far from perfect. I see far more false positives coming from Nessus plugins, and I expect to. Why? Any dork with a text editor can write a Nessus plugin and have it posted on their site for download. Unless you trust the source, you shouldn't trust the validity or reliability of its signature. I typically only select Tenable Security plugins for use in Nessus and it's still far from 100%.

Still, you should never rely on only one source (layered security and all that). So I leverage eEye Retina alongside Nessus for most assessments. I find eEye has nearly the same or better accuracy than Nessus and adds great reporting functionality.

You also mention Airopeek and Kismet. Kismet is great, no question. It gives you actionable information in a fairly user-friendly ASCII interface... Airopeek, on the other hand, is far from the standard commercial recommendation. Take a look at AirMagnet and then compare it to Kismet; you'll find it's light years beyond Kismet and, once again, has great reporting functionality.

Basically, if you're on a budget, open source will get you where you want to be, no question. But if you have some $ to throw down, for the most part, commercial solutions will get you there much faster.
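
The cross-checking this post describes (run a second scanner beside Nessus, and weigh single-source findings by whether the plugin that fired came from a source you trust) as an added example; this is not the poster's code and not code from Nessus, Tenable or eEye. The scanner names, plugin sources, hosts and check labels are constructed for the example, and the "trusted sources" list is an assumption a tester would fill in for their own engagement:

```python
"""Cross-check findings from two scanners before they reach a report.

Added example; not code from the thread or from Nessus, Tenable or eEye.
Scanner names, plugin sources, hosts and check labels are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check_id: str       # constructed, scanner-neutral check label
    scanner: str        # which tool reported it
    plugin_source: str  # who wrote the check that fired


# Plugin authors we are willing to take at face value (constructed list;
# in practice this is whatever the tester has decided to trust).
TRUSTED_SOURCES = {"tenable", "eeye"}


def _key(f: Finding) -> tuple[str, int, str]:
    # Host, port and check label identify "the same finding" across tools;
    # the label is lower-cased so differing capitalisation still matches.
    return (f.host, f.port, f.check_id.lower())


def triage(results_a: list[Finding], results_b: list[Finding]) -> dict[str, list[tuple]]:
    """Sort findings into three buckets for manual follow-up.

    confirmed   - both scanners reported it
    verify      - one scanner only, check from a trusted plugin source
    verify_low  - one scanner only, check from an untrusted plugin source
    """
    a = {_key(f): f for f in results_a}
    b = {_key(f): f for f in results_b}
    buckets: dict[str, list[tuple]] = {"confirmed": [], "verify": [], "verify_low": []}
    for key in sorted(a.keys() | b.keys()):
        if key in a and key in b:
            buckets["confirmed"].append(key)
            continue
        f = a.get(key) or b[key]
        bucket = "verify" if f.plugin_source in TRUSTED_SOURCES else "verify_low"
        buckets[bucket].append(key)
    return buckets


# Constructed sample output from two scans of the same two hosts.
NESSUS_RESULTS = [
    Finding("192.0.2.10", 22, "ssh-weak-ciphers", "nessus", "tenable"),
    Finding("192.0.2.10", 445, "smb-null-session", "nessus", "tenable"),
    Finding("192.0.2.11", 80, "dir-listing-enabled", "nessus", "someones-blog"),
]
RETINA_RESULTS = [
    Finding("192.0.2.10", 22, "SSH-Weak-Ciphers", "retina", "eeye"),
    Finding("192.0.2.11", 443, "tls-self-signed", "retina", "eeye"),
]


if __name__ == "__main__":
    for bucket, keys in triage(NESSUS_RESULTS, RETINA_RESULTS).items():
        print(bucket)
        for host, port, check in keys:
            print(f"  {host}:{port}  {check}")
```

With the sample data the SSH finding lands in "confirmed", the two Tenable/eEye-only findings in "verify", and the one that came from an unknown plugin author in "verify_low", which is the order in which a tester would spend hands-on time before anything goes into the client report.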

Security Person's Tool Box (1)

KingBahamut (615285) | more than 9 years ago | (#11599490)

At least in my tool box: Tcpdump, Tcpflow, ettercap, iptraf, arping. You should pretty much be able to determine most problems through those. A good friend once told me a true network security specialist can become a network Gunslinger through the use of just tcpdump, tcpflow, arping, and iptraf (Rich at securiant dot com). IMHO Tcpdump is the jewel of all of those, and if you're a real command-line Commando, you don't need much else.

Right Question? (2, Interesting)

Comatose51 (687974) | more than 9 years ago | (#11599492)

Is that the right question to ask?

"I'd like to ask for Slashdot's experiences and opinions on why you don't need to spend thousands of dollars on an expensive tool to perform a professional security assessment."

It sounds like you're already set in your opinion and just asking for justifications. That doesn't usually develop any new insights or make good comparisons. If you really want to sell people on Open Source, do a fair and un-biased comparison. An obviously biased comparison is easily detectable and loses credibility. I really don't think Open Source needs biased comparisons to look good.

Documentation (4, Funny)

CKnight (92200) | more than 9 years ago | (#11599516)

I'm thinking of writing a how-to for "penetration testers". It'll be titled "Locating Unprotected Backdoor Entrances" or more aptly, "Lube"

Why pay? Features and UI (1)

T5 (308759) | more than 9 years ago | (#11599522)

I work for a government client who's invested a sizeable chunk of change in Harris Stat Scanner [harris.com]. They evaluated a number of products, including some leading open source tools like nessus. Their bottom line is that Stat makes the job relatively easy for a largely Windows shop (that is, if you have admin rights to all the boxes, turn on remote registry editing, kill all firewalls/IDSes, etc. - leaving you wide open for the duration of the testing!) to perform a multitude of tests and to install patches on the fly. Reporting is centralized, easy to read, and fairly comprehensive. It works on a fairly heterogeneous network as well, covering Macs, *x boxes, Cisco routers, HP printers, etc. Updates are frequent and easy to apply (basically a reinstall of the product). Most of the folks that will run this product for this client are computer professionals, but few are truly security professionals. This tool makes it almost point-and-shoot simple to understand what's going on and provides the Windows administrators an easy way to get "caught up" on patches they may have missed.

Depends on the business (1)

sjhwilkes (202568) | more than 9 years ago | (#11599526)

I agree - open-source tools are often at least equally good. However, in some industries specific tools are mandated, by either government or other overseeing institutions. In our case we are required to be compliant with VISA's Cardholder Information Security Program, and that is very precise as to what tools should be used and how often (and by whom).
Likewise, on the other end of the same thing, while I think I could configure iptables/snort etc. to be equally if not more secure than commercial packages, they won't enable me to put the ticks in the right checkboxes that very expensive products from Checkpoint/Cisco/ISS will.
The issue is the lack of understanding by higher-ups that a poorly configured/applied commercial package is just as useless as a poorly utilised open-source one. Even worse in fact, as they have wasted a ton of money that could have been better invested in training.

Don't forget SING.... (1)

Medievalist (16032) | more than 9 years ago | (#11599540)

Sure, obviously nmap, tcpdump, and snort, (plus ethereal and etherape if you like pretty pictures). Another I don't see mentioned here is SING [sourceforge.net] (which stands for "send ICMP nasty garbage").

It's a command line tool (sort of like netcat) for fabricating ICMP packets.

Talk to Dug Song or the phenoelit guys about m-i-t-m attacks, and ARP or ICMP level hacking, and you might find some uses for SING. ;^)

Different markets (2, Insightful)

ectoraige (123390) | more than 9 years ago | (#11599555)

The market for commercial security tools is quite different. To begin with, it's smaller than the market for OSS tools. While security professionals may use either, any crackers worth their (or somebody else's) salt won't be caught using commercial products. Thus, there are probably more 'feature requests' and feedback for the OSS developers to respond to.

Also, a number of commercial products are not written with just the user in mind - the larger ones also involve things like generating pretty reports for use in the CTO's bonus negotiations and suchlike.

Finally, lots of the commercial products try to be competitive by doing everything at once, whereas the OSS tools tend to be more focused on specific functionality, following the traditional unix approach.

Of course, all these points are generalisations and there are exceptions to them all, but that's what you get for asking such a general question.

"I work as a penetration tester..." (2, Funny)

BigZaphod (12942) | more than 9 years ago | (#11599603)

If I had been drinking something when I read that, my screen would be soaked right now...

There is commercial free/open source software (3, Informative)

latroM (652152) | more than 9 years ago | (#11599618)

I work as a penetration tester and recently started writing a whitepaper on the benefits of free, open-source security tools over commercial tools.

What if some of the developers of those F/OSS packages are paid money to code free software? MySQL comes to mind when I think of commercial free software, although it isn't related to the software you're looking for. There has always been money to be made in the free software business. Your question should be about free vs. non-free.

Quoting RMS: "Free software" does not mean "non-commercial". A free program must be available for commercial use, commercial development, and commercial distribution. Commercial development of free software is no longer unusual; such free commercial software is very important.

Speaking as a pen-tester (0)

Anonymous Coward | more than 9 years ago | (#11599636)

I say free, free, free every time (if it were an either/or type choice). My first employer gave me a budget of zero so it was Free by necessity. They were an ISS reseller but I must reveal that internally it was known as "It's Still Shit". Because it was.

For anyone wanting to get into the field, BTW (which really is absolutely fascinating but a monstrous time thief, as you must know at least as much as the devs or sysadmins of the system you're attacking about its weaknesses, so you need to keep up with web dev / daemon architecture / IE bug of the week, Linux, Windows, Solaris, ...) - my advice is: get a small LAN. Put a couple of Linux machines and a couple of Windows machines on it. Fire up Nmap, Nessus, tcpdump and ethereal and have a ball for a couple of years. If you're still interested / excited after two years' devotion of your own spare time (evenings, weekends -- if you can afford a break from work, take it) you'll make a good pentester.

Incidentally why do the UK's pentesters seem to congregate around the Medway? Odd, that.
