Tenable Network Security, the sponsor of Nessus, the widely used open source vulnerability scanning tool for discovering weaknesses in software, plans to commercialize Nessus in a major upgrade to be unveiled next month.
Tenable CEO Ron Gula said the main technical change in the upcoming Nessus 3.0 is that it will run vulnerability scans at five times the speed of Nessus 2.0. Like Nessus 2.0, which runs on a variety of computer platforms, Nessus 3.0 will be free. But end users will have to obtain a commercial license for it rather than the less formal open source general public license. Tenable also anticipates offering a line of Nessus appliances in the future, and said the reason for the shift is that many organizations outright reject open source tools due to concerns about support.
“We want to bring Nessus to a larger audience, so Nessus 3.0 is going to be closed source,” Gula said. “If it’s not open source, a lot of government agencies and enterprises can use it, where before they wouldn’t.”
Tenable estimates about 80,000 organizations use Nessus. Tenable, which sells the Lightning management console, earns service fees from Nessus open source users willing to pay for updated threat signatures as soon as they're available rather than waiting a week until the signatures are made available for free.
Open source Nessus is also known to be used as a scanning component in many network security products, such as the ArcSight security-event management product. Tenable said it's not tracking this kind of OEM use at present, and it hasn't yet decided on an OEM strategy for Nessus 3.0.
Gula said Tenable intends to continue to make Nessus 2.0 available as open source and to maintain it, but others, fearing the end of Nessus as an open source tool, announced their intention to take the Nessus 2.0 source code and keep developing it on their own. A U.K.-based group, dubbing itself GnessUS, vowed to “add fresh functionality and plug-ins” to Nessus, asking interested developers to join.
Burton Group analyst Eric Maiwald said commercial vulnerability scanners typically include more functionality than Nessus, which is an effective scanner but doesn’t have management components such as workflow, prioritization and remediation.
Maiwald agreed with Tenable’s perception that “there’s a bit of reluctance among organizations to use open source, mainly from management, which wants to be sure they get support.” But it also appears that Nessus is being widely used in organizations “whether it’s sanctioned or not.”