GNUCITIZEN

I find myself leaning towards nmap, w3af, and metasploit for all my developments.

Nmap has a great scanning engine, and with the the lua interpreter and nmap libraries it makes a devent development environment for general discovery scripts. It has replaced Nessus for me in my development.

W3af is growing into a decent web testing tool, though it definitely has its own problems and quirks and consumes too much memory. It’s written in python, and can be easily extended. Paros is more stable, uses less memory and works better for many tasks at the moment, but the architecture is an evolutionary dead end.

Metasploit is written in ruby and has the best general network packet manipulation libraries I’ve ever worked with, and is great for all manner of packet creation and discovery tasks.

Given the new BSD license, when I build any new security tools I will strongly consider either writing them for metasploit, or borrowing some of their libraries. They have done an excellent job of taking the best in class ruby libraries and extending them to be even more useful.

I’d love to know what you mean by “decided to contribute”, because unless it means, “decided to blog, saying I had decided to contribute, attaching myself to the project, without even one email to any of the lists”, then I haven’t seen any sign of you at all.

The whole topic of what language plugins should be written in has come up more times than I care to remember and it essentially boils down to. The moment you discount NASL, you have fans of every major language out there (and that includes me – Perl ;)) pushing their pet language. Over time we’ve learnt to accept the limitations of the language and focus on the code. As a counter point, because OpenVAS is Free Software, we’re not limited to what 3rd party tools we can call out to which means we can use the best tool for the job.

Yes, we *know* the project is raw, and yes we’d love to have more resources behind it (although did you know development is now split across 3 continents and includes half a dozen different commercial outfits) but honestly, the biggest hindrance has been a problem of tainted code licenses, something we’ve finally got to grips with I believe.

With respect to stability, if you’d care to file examples, I’m sure the team would be happy to resolve any particular issues you could report, certainly the code base has been cleaned up significantly since we started work on it.

With the greatest respect to you, whilst some tests can be replaced with “regular expressions” (and I’ll think you’ll find such tests already are), there are many that can not. I’m sure simple “version disclosure vulnerabilities” can be checked this way, but not all bugs are so shallow.

Come and talk to us on IRC some time. You might still disagree with us, but hopefully, you’ll at least get a better feel for the direction the project is taking.

Well pdp, I have the same problem. OpenVas is still too far back and even doesn’t recognize all vulnerabilities like Nessus for example, but I dislike the NASL language too….

I think it is just a matter of time till metasploit will have a vulnerability scanner included. I’m writing my own vuln scanner in ruby at the moment – standalone by now but since it’s written in ruby it should be easy to integrate it in metasploit.

Metasploit is great, indeed. The thing is: I still see lots (tons) of people talking of Ruby as “that web site programming language” – prejudice, yes. Good thing about prejudice in this case is: it keeps noise away. If you hear it and believe it without even googling it, you probably better not be around.

Put that aside, prejudice is bad when it comes to commercial adoption. Even if you’re good and you want to use it, there are cases when you don’t want it simply because you can’t sell it. Take financial market as example: if you can’t integrate it with Excel, you probably won’t sell it. Stupid as it looks, but that’s the way it works (things get a little easier when you talk about algotrading). Now, the point on this colocation: there’s an obvious concern about network security – example taken – in the financial market, but everyone uses Nessus results as benchmarks and “oh, we’re safe now”. I’ve seen security firms selling their we-check-your-network-and-make-it-safe services using “we run our software on Windows” as a kind of faster-results assurance, and what they do is topology check + nessus run + report – 8 weeks guaranteed results, US$25k.

Now, this is what I see happening to most of programmers – not the ideal, not honorable, but real life, so keep that in mind: average citizen, average world. Say you’re a great programmer, and you want to be a employee in one of these firms – you tell then about Ruby, they reply “ru-what?”, puf, bye-bye job. But you tell then you have great experience using Nessus, oh, you’re a great security professional, yes you are.

It’s as chocking as it looks, but we live a non-US reality here (Latin America). I used the financial market as an example because that’s where I am right now, and I see that most of the people in charge of IT (specially IT security) only “heard about it” – and it sells only if they heard about it. This scenery is changing, yes, but in the meantime you’ll still have lots of people away from great projects just because they can’t use it in real life. It’s really great doing things by the pleasure of doing it, but sometimes you have someone else to take care of, and money *is* motivation. Not so noble, but – again – it’s real life.

Why not keep mostly everyone happy and implement the Nessus NASL language as an internal DSL (domain specific language) from ruby. This would allow backwards compat, along with the flexibility of a real programing language that has a decent security community following..

the only reason your comment was approved is to show that you are very, very, wrong! please check Netsecurify (this post over here as well) and then make up your mind.