OpenVAS now beyond 10000 Network Vulnerability Tests

2009-04-09 Thread Michael Wiegand
Hello,

Passing the 10000th Network Vulnerability Test (NVT) is a perfect
occasion to report about the progress of the OpenVAS project[1].

In October 2008 the systematic development of new NVTs started with a
base of around 5800 Tests. With the release of OpenVAS 2.0 in December
2008, the development was boosted and has now reached an average of 10
code updates per day.  The public OpenVAS NVT Feed Service delivers 3-10
new vulnerability tests every day.

The significantly grown and globally distributed developer team will
gather at the second OpenVAS developers conference[2] July 9-12 2009 in
Germany. During the conference features and a roadmap for OpenVAS 3.0
will be scheduled.

The OpenVAS project is backed by a number of companies, which also
supplement the project with professional services[3]. These companies
include Greenbone Networks, SecPod, Intevation and SecuritySpace.
Reaching the professional enterprise market is a good indicator that
OpenVAS gained maturity very fast, says Tim Brown, founder of the
OpenVAS project.

While OpenVAS 3.0 will likely appear in 2009, users of OpenVAS 1.0
should prepare to migrate as support for 1.0 will end during 2009.

Regards,

Michael Wiegand

[1] http://www.openvas.org
[2] http://www.openvas.org/openvas-devcon2.html
[3] http://www.openvas.org/professional-services.html
-- 
Michael Wiegand | OpenPGP: D7D049EC | Intevation GmbH - www.intevation.de
Neuer Graben 17, 49074 Osnabrück, Germany   |AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann,  Bernhard Reiter,  Dr. Jan-Oliver Wagner




Network Security Scanner OpenVAS 2.0.0 Released

2008-12-17 Thread Michael Wiegand
Hello,

On December 17th, 2008, the OpenVAS[1] developer team released OpenVAS 2.0.0
which marks the start of the next generation of the Open Vulnerability
Assessment System for network security scanning.

OpenVAS is a fork of the Nessus security scanner which has continued development
under a proprietary license since late 2005. Since the release of OpenVAS 1.0.0
in October 2007, the OpenVAS developers continued the auditing of the code
inherited from Nessus and have added a variety of useful features for OpenVAS
users, for server administrators and for developers of Network Vulnerability
Tests (NVTs).

The main changes compared to the 1.0 series cover:

* OVAL Support:
  OpenVAS 2.0.0 introduces preliminary support for OVAL, the Open Vulnerability
  and Assessment Language[2]. OVAL is an international, information security,
  community standard to promote open, standardized and publicly available
  security content.  The OpenVAS server can now execute OVAL files just like its
  own Network Vulnerability Tests (NVTs) using the OVAL definitions interpreter
  ovaldi.  While the plain ovaldi tool can only check local systems where it
  is installed, the combination with OpenVAS enables ovaldi to test any target
  system for which OpenVAS has collected information. OpenVAS 2.0.0 includes
  readily available support for Red Hat Enterprise Linux security announcements
  as published in OVAL format. OVAL support will expand to further platforms.

* OpenVAS Transfer Protocol (OTP):
  A comprehensive audit of the Nessus Transfer Protocol (NTP) resulted in
  numerous improvements and fixes and led to the OpenVAS Transfer Protocol
  (OTP).  Since NTP support was dropped entirely, the 1.0 and 2.0 series of
  OpenVAS Server and Client cannot operate in mixed mode.

* Object Identifiers (OIDs):
  In order to make identifying individual NVTs easier, OpenVAS adopted an
  OID-based numbering scheme for NVTs. OIDs in OpenVAS will start with the
  prefix 1.3.6.1.4.1.25623; backward compatibility in server and client has been
  ensured.

* 64-bit Support:
  Intensive work on 64-bit cleanliness has been undertaken. OpenVAS 2.0.0
  is expected to be fully 64-bit compatible.

* Improved GUI Client:
  The OpenVAS-Client has seen a number of improvements and is now able to
  display NVT signature information in the GUI and in the various reports.
  Reporting has been improved as well as localization for various languages
  (best support in this order: German, Spanish/French, Swedish, Hebrew,
  Croatian).

* Bugfixes:
  Any spotted bugs have been fixed. Please refer to
  the CHANGES files supplied with the individual modules for details.

* Code Audit:
  A large amount of outdated or unused code has been identified and removed or
  replaced.

Compatibility of NASL NVTs and the OpenVAS Feed Service:
The available NVT package (openvas-plugins) and OpenVAS Feed which provides more
than 6000 NVTs are compatible for both the 1.0 and the 2.0 series of OpenVAS.

Migration from OpenVAS 1.0:
If you want to migrate your existing reports created with a 1.0 series client
to OpenVAS 2.0.0, please use the script provided in the openvas-client/tools
directory.
If you are currently using OpenVAS 1.0.x, we recommend that you install the
OpenVAS 2.0.0 source code release separately from your existing installation.

Documentation:
Extensive documentation for OpenVAS has been created as well and was recently
released. Users, administrators and developers can now access more than 100 pages
of the OpenVAS Compendium, available in English and German.

Downloads:
All download links for OpenVAS 2.0.0 and additional information can be found on
the OpenVAS website[1]. OpenVAS 2.0.0 is initially released as a source code
release; packages for various distributions are expected to follow.

The OpenVAS team would like to thank everybody who has contributed to this
release. We have worked hard to bring you the best OpenVAS version. If you have
any questions or suggestions, please feel free to use the public mailing list
and our online chat. Please use the OpenVAS bug tracker[3] to report bugs.

The OpenVAS developers would like to wish all users a recreative holiday season
and a happy new year.

[1] http://www.openvas.org
[2] http://oval.mitre.org
[3] http://bugs.openvas.org

-- 
Michael Wiegand |  OpenPGP key: D7D049EC  |  http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner



Contest: Best Advances for OpenVAS Network Vulnerability Tests

2008-08-22 Thread Michael Wiegand
Hello,

The OpenVAS Team (Open Vulnerability Assessment System, [1]) has started a
contest and calls for submission of patches, scripts, converters or anything
else that significantly improves the OpenVAS framework and extends Open Source
Network Vulnerability Testing.

You are free to choose the area of improvements, examples are:

 * New .nasl scripts for recent security alerts
 * NASL libraries for simplifying development of new test scripts
 * Converter routines that (semi-)automatically create NASL
   scripts from formal security alerts.
 * Performance improvements for the current tests.

There are many other ways to extend and improve the OpenVAS framework.
The only hard requirement is that your solution is published as Free Software
under GNU GPLv2+.

The following rewards have already been offered by the contest sponsors:

1st place: 500 Euro
2nd place: 300 Euro
3rd place: 200 Euro

The rewards might increase because additional sponsors are welcome to add to 
the rewards as long as the contest is open. The contest page [2] on the 
OpenVAS website will be kept up-to-date with the latest rewards. If you want 
to sponsor the contest, please get in touch with the project contacts [3].

The sponsors and OpenVAS steering committee will jointly choose the winners
based on these criteria:

 * number of CVEs/BIDs covered
 * relevance of the covered alerts
 * sustainable future benefit (e.g. in the case of supporting APIs)
 * how well the development was coordinated via the public OpenVAS
   mailing lists (teams may win as well)
 * code quality (documentation, design, style)

Contest sponsors are (sorted by amount sponsored):

 * Intevation GmbH, www.intevation.net
 * DN-Systems GmbH, www.dn-systems.de
 * Tim Brown

Time table:

2008-08-23: Contest starts
2008-10-15: Contest closes
2008-10-30: Winners nominated

How to participate:

 * express your wish to participate on the OpenVAS developer mailing list
   and present your idea
 * summarize your contribution before the contest closes and submit
   it to the OpenVAS developer mailing list

[1] http://www.openvas.org/
[2] http://www.openvas.org/openvas-contest.html
[3] http://www.openvas.org/constitution.html

-- 
Michael Wiegand   OpenPGP key: D7D049EC
Intevation GmbH, Osnabrück   http://www.intevation.de/
Amtsgericht Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner