Aiming to address support concerns, Tenable Network Security is introducing Nessus, its widely used open source vulnerability-scanning tool, as a commercial product in a major upgrade slated for November.
The main technical change in the forthcoming Nessus 3.0 code is that it will run vulnerability scans at five times the speed of Nessus 2.0, the company says. Like Nessus 2.0, which runs on a variety of platforms, Nessus 3.0 will be free. Users will have to obtain a commercial licence for it rather than the less formal open source general public licence (GPL). Tenable estimates about 80,000 organisations use Nessus.
The company, which also anticipates offering a line of Nessus appliances, says the reason for the shift is that many organisations will not use open source tools because they are concerned about support.
“If it’s not open source, a lot of [US] government agencies and enterprises can use it, where before they wouldn’t,” says Tenable’s CEO Ron Gula.
Tenable, which sells the Lighting management console, earns service fees from Nessus open source users willing to pay for updated threat signatures when they’re available, rather than waiting a week until the signatures are made available for free.
In addition, open source Nessus is used as a scanning component in network security products, such as the ArcSight security-event management product. Tenable says it’s not tracking this kind of use and hasn’t decided on an OEM strategy for Nessus 3.0.
Gula says the company intends to continue making Nessus 2.0 available as open source and maintain it, but others, fearing the end of Nessus as an open source tool, have announced their intention to take Nessus 2.0 source code and keep developing it on their own.
A UK group called GnessUS has vowed to “add fresh functionality and plugins” to Nessus, asking interested developers to join in, says Tim Brown, security analyst at Portcullis Computer Security in London, which supports the group.
McAfee, which has developed a new version of its Foundstone vulnerability scanner, says it doesn’t fret too much about Nessus as either open source or as a commercial competitor.
“Our scanning is more sophisticated. We run multiple scans at the same time,” says Patrick Bedwell, McAfee senior product marketing manager. “And they don’t have a database for holding gathered information, or remediation and trouble-ticketing modules.”
The new McAfee Foundstone FS850 appliance, due in November, costs US$6,400 (NZ$9,190) plus US$75 per IP address for 100 devices scanned. FS850 includes regulatory-compliance templates geared to assure devices conform to regulations such as the Sarbanes-Oxley Act.
Burton Group analyst Eric Maiwald says commercial vulnerability scanners typically include more features than Nessus, which is effective but doesn’t have management components such as workflow and remediation.
Maiwald agrees with Gula’s perception that “there’s a bit of reluctance among organisations to use open source, mainly from management, which wants to be sure they get support.”
But it also appears that Nessus is being widely used in organisations “whether it’s sanctioned or not,” Maiwald says.