[gnessus-discuss] Contributions (fwd)

Robert Rich rrich at gstisecurity.com
Wed Nov 2 19:19:55 CET 2005


Robert Berkowitz wrote:

>I dont think we should publish anything that we deem to be of poor
>quality.
>
I don't think there's anything wrong with it as long as people know what 
they are getting.  If a plugin is poor quality, it actually needs to be 
published so people can test and fix it.  I think the 'bleeding' snort 
issue actually raises a slightly different question: should the project 
publish anything that is of unknown quality?  Again, i say yes, but i 
again think people have to know what they are getting.  Nessus has 
always been our tool of choice because of how rapidly it adapts to new 
vulnerabilities.  However, i must admit that we aren't always positive 
of the amount of testing that the plugins have had before they are 
released into the feed, and have certainly been burned in the past.  If 
i knew that 128 of the 9.5k plugins were 'UNTESTED' or something like 
that, i could apply more scruitiny to how they operate, test them, and 
be more selective about what types of assets i direct them towards.

This may be out there a bit, but it's something i've been mulling over 
for a while: pluginforge.  Why not raise each plugin to the status of a 
mini development project?  They all certainly have their own lifecycle, 
reliability, bugs, etc..   Look at the list of 'metadata' tracked by 
source forge on some random project:

    * Development Status: 5 - Production/Stable
    * Intended Audience: End Users/Desktop
    * License: GNU General Public License (GPL)
    * Operating System: All 32-bit MS Windows (95/98/NT/2000/XP)
    * Programming Language: C++
    * Topic: File Sharing
    * Translations: Afrikaans, Brazilian Portuguese, Chinese
      (Simplified), Croatian, Dutch, English, Finnish, French, German,
      Greek, Hebrew, Hungarian, Italian, Lithuanian, Norwegian, Polish,
      Russian, Spanish
    * User Interface: Win32 (MS Windows)

Two or three may not apply, but most do, and more could be added.

The nice thing about a pluginforge concept is that it would allow folks 
to publish their own plugins, with their selected license and whatnot, 
without all of the infrastructure overhead that the openvas 
administrators are dealing with now.  You could even leverage some of 
the lessons learned through the social networking crowd and let folks 
publish their own 'feeds' that they can then reference from the 
nessus-update-plugins equivalent.

Just a thought...






More information about the Openvas-discuss mailing list