Aiming to address support concerns, Tenable Network Security will introduce Nessus, its widely used open source vulnerability-scanning tool, as a commercial product in a major upgrade slated for next month.
The main technical change in the upcoming Nessus 3.0 code is speed: the company says it will run vulnerability scans at five times the speed of Nessus 2.0. Like Nessus 2.0, which runs on a variety of platforms, Nessus 3.0 will be free of charge, but users will have to accept a commercial license for it rather than the GNU General Public License (GPL) under which Nessus 2.0 is distributed, so the 3.0 source code will not be open. Tenable estimates about 80,000 organizations use Nessus.
The company, which also anticipates offering a line of Nessus appliances, says the reason for the shift is that many organizations will not use open source tools, because they are concerned about support.
"If it's not open source, a lot of government agencies and enterprises can use it, where before they wouldn't," says Tenable's CEO Ron Gula.
Tenable, which sells the Lightning management console, earns service fees from Nessus open source users willing to pay for updated threat signatures as soon as they are available rather than waiting a week, which is when the signatures are made available for free.
In addition, open source Nessus is used as a scanning component in network security products, such as the ArcSight security-event management product. Tenable says it's not tracking this kind of use and hasn't decided on an OEM strategy for Nessus 3.0.
Gula says the company intends to keep Nessus 2.0 available as open source and to maintain it, but others, fearing the end of Nessus as an open source tool, have announced their intention to take the Nessus 2.0 source code and continue developing it on their own.
An England-based group called GnessUS has vowed to "add fresh functionality and plug-ins" to Nessus and is asking interested developers to join, says Tim Brown, security analyst at Portcullis Computer Security in London, which supports the group.
McAfee, which this week announced a new model of its Foundstone vulnerability scanner, says it doesn't fret too much about Nessus as either open source or a commercial competitor.
"Our scanning is more sophisticated. We run multiple scans at the same time," says Patrick Bedwell, McAfee senior product marketing manager. "And they don't have a database for holding gathered information, or remediation and trouble-ticketing modules."
The new McAfee Foundstone FS850 appliance, expected to ship early next month, costs $6,400 plus $75 per IP address for 100 devices scanned. FS850 includes regulatory-compliance templates geared to assuring that devices conform to regulations that include the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act.
Burton Group analyst Eric Maiwald says commercial vulnerability scanners typically include more features than Nessus, which is effective but doesn't have management components, such as workflow and remediation.
Maiwald agrees with Gula's perception that "there's a bit of reluctance among organizations to use open source, mainly from management, which wants to be sure they get support." But it also appears that Nessus is being widely used in organizations "whether it's sanctioned or not," Maiwald says.