New Nessus 7 Professional and the end of cost-effective Vulnerability Management (as we knew it)

This is epic and really sad news. 🙁

Nessus 7 release

When people asked me about a cost-effective solution for Vulnerability Management, I usually answered: “Nessus Professional with some additional automation through the Nessus API”.

With just a couple of Nessus Professional scanning nodes it was possible to scan the whole infrastructure and the network perimeter (see “Vulnerability Management for Network Perimeter“). The price for each node was fixed and reasonable. And you could build any reports you liked from the raw scan data.
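As an added example (this is not code from the original post), here is the kind of reporting script the post has in mind: it takes a .nessus export (the NessusClientData_v2 XML that the scan export endpoint produces) and turns it into findings, a per-host severity summary and a CVE-to-hosts index. The XML embedded below is a constructed sample; the plugin IDs, names and CVE numbers in it are placeholders, not results of a real scan.

```python
"""Turn a Nessus .nessus export (NessusClientData_v2 XML) into your own report."""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict
from dataclasses import dataclass

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    protocol: str
    plugin_id: int
    plugin_name: str
    severity: int          # Nessus scale: 0 Info .. 4 Critical
    cves: tuple


def parse_nessus(xml_text):
    """Return one Finding per ReportItem in the export, in document order."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        # HostProperties holds <tag name="...">value</tag> pairs; prefer the IP,
        # because the ReportHost name may be whatever the user typed as a target.
        props = {t.get("name"): (t.text or "") for t in host.iter("tag")}
        host_name = props.get("host-ip") or host.get("name")
        for item in host.iter("ReportItem"):
            findings.append(Finding(
                host=host_name,
                port=int(item.get("port", "0")),
                protocol=item.get("protocol", ""),
                plugin_id=int(item.get("pluginID")),
                plugin_name=item.get("pluginName", ""),
                severity=int(item.get("severity", "0")),
                cves=tuple(c.text for c in item.findall("cve") if c.text),
            ))
    return findings


def severity_summary(findings, min_severity=1):
    """Per-host count of findings by severity name; Info-level noise is dropped by default."""
    summary = defaultdict(Counter)
    for f in findings:
        if f.severity >= min_severity:
            summary[f.host][SEVERITY_NAMES[f.severity]] += 1
    return {host: dict(counts) for host, counts in summary.items()}


def hosts_by_cve(findings):
    """Map each CVE to the sorted list of hosts it was reported on."""
    index = defaultdict(set)
    for f in findings:
        for cve in f.cves:
            index[cve].add(f.host)
    return {cve: sorted(hosts) for cve, hosts in sorted(index.items())}


# Constructed sample export: two hosts, four findings. Plugin IDs, names and
# CVE numbers are placeholders for illustration, not taken from a real scan.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
<Policy><policyName>Basic Network Scan</policyName></Policy>
<Report name="perimeter-weekly">
<ReportHost name="web01">
<HostProperties>
<tag name="host-ip">192.0.2.10</tag>
<tag name="operating-system">Linux Kernel 4.x</tag>
</HostProperties>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="19506" pluginName="Nessus Scan Information" pluginFamily="Settings">
<plugin_output>Scan duration : 300 sec</plugin_output>
</ReportItem>
<ReportItem port="443" svc_name="www" protocol="tcp" severity="2" pluginID="57582" pluginName="SSL Self-Signed Certificate" pluginFamily="General">
<risk_factor>Medium</risk_factor>
</ReportItem>
<ReportItem port="22" svc_name="ssh" protocol="tcp" severity="4" pluginID="100001" pluginName="Example SSH Daemon RCE (constructed)" pluginFamily="Misc">
<risk_factor>Critical</risk_factor>
<cve>CVE-2000-0001</cve>
<cve>CVE-2000-0002</cve>
</ReportItem>
</ReportHost>
<ReportHost name="192.0.2.11">
<HostProperties><tag name="host-ip">192.0.2.11</tag></HostProperties>
<ReportItem port="22" svc_name="ssh" protocol="tcp" severity="4" pluginID="100001" pluginName="Example SSH Daemon RCE (constructed)" pluginFamily="Misc">
<cve>CVE-2000-0001</cve>
</ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>
"""

if __name__ == "__main__":
    found = parse_nessus(SAMPLE_NESSUS)
    print(severity_summary(found))
    print(hosts_by_cve(found))
```

Feed it a real export instead of SAMPLE_NESSUS and the same three functions give you the raw material for any report layout you want, which is exactly what the per-node licence plus API made cheap.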

Nessus Pro was still the best choice even after Tenable:

  • Cut the master/slave functionality out of Nessus and moved it into “Nessus Manager”.
  • Changed the API completely in the update from version 5 to version 6.
  • Gradually increased the price from $1.5k to $2.7k per scanning node per year.

Unfortunately, that is no longer the case. End of an era.

What is even sadder is that Tenable does not mention the removal of the API and of multi-user support anywhere in the main Nessus 7 marketing, as if those features had never existed, or were not very important. Just look at “Announcing Nessus Professional v7”: not a word about the “API” or about users. Only in an additional link:

get more information Nessus7

Only there, in the text (not in the video), is there any information about the removed features.

The nice little things like “Easily transferable license” and “Emailed scan reports and custom report name / logo” do not make it any better.

So, what next?

I don’t know. We have some time to think, until December 31, 2018 or until the end of the license. Just do not update to version 7. Ignore this:

New version available

I don’t see much sense in updating to version 7. Obviously, a solution with a single shared admin user can’t be used in a big organization. And the lack of an API kills all the work spent on automating the VM process with Nessus.

The options I see:

  1. Switch to an enterprise scanning solution licensed by IP address. To preserve the existing automation this could be Nessus Manager or, if you are able to use cloud solutions, Tenable.io. I think this is the step Tenable expects from current Nessus Professional users. For a big infrastructure the total price will be 10 or even more times higher. For example, compare the list prices (pricing screenshots in the original post):
    Nessus Manager: Nessus Manager VM price
    Tenable.io VM: Tenable.io VM price
  2. Switch to Tenable SecurityCenter with the minimal number of IP addresses, in order to use Nessus for SecurityCenter, which keeps the API. Right now Tenable says that only the API in Nessus Professional will be deprecated, but they can change their mind at any time. So this is more of a hack.
  3. Keep Nessus Professional and start using the API that the web GUI itself talks to. It is undocumented and can change at any time, but technically it is possible and relatively easy (see “Burp Suite Free Edition and NTLM authentication in ASP.net applications“). Will this violate the license? It’s not clear. But anyone who wants to automate will do it anyway, with Selenium or even SikuliX. 🙂
  4. Find a comparable solution that is not licensed by IP address, with a powerful API, good scanning quality and a reasonable fixed yearly price. At the moment I do not know of any solution comparable to Nessus in functionality, but I believe something similar could be built on top of OpenVAS. Interested in this kind of solution? Please let me know.
  5. Make your own vulnerability scanner. For example, I decided to start working on Vulchain. Of course, creating a complete analogue of Nessus is an impossible task for one person, or even for a small team. But creating a Vulnerability Management solution that assesses some concrete host types in some concrete scan modes seems quite doable.
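To make concrete what the automation from the introduction, and option 3 above, actually consists of, here is an added example client (not code from the post or from Tenable). It drives the Nessus 6.x REST API flow that the web GUI also uses: authenticate via POST /session, launch a scan, poll GET /scans/{id} until it finishes, request a .nessus export and download it. The transport is injectable, so the block runs offline against FakeNessus, a constructed stand-in that answers the way a scanner does for scan id 7 and export file 42; the host name, credentials, token and IDs are all made up for the example. The extra_headers hook is an assumption of this design, there for any header a particular Nessus build’s GUI may add, and is not a documented Nessus feature.

```python
"""Launch a scan, wait for it and pull the .nessus export over the Nessus REST API."""
import json
import ssl
import time
import urllib.error
import urllib.request


def make_transport(cafile=None):
    """HTTPS transport: send(method, url, headers, body) -> (status, bytes).
    Nessus ships a self-signed certificate: pass its cert (or your CA) as cafile
    rather than disabling verification."""
    ctx = ssl.create_default_context(cafile=cafile)

    def send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()
    return send


class NessusClient:
    """Minimal client for the handful of endpoints scan automation depends on."""

    def __init__(self, base_url, send=None, extra_headers=None):
        self.base_url = base_url.rstrip("/")
        self.send = send or make_transport()
        # extra_headers: assumed hook for anything the GUI of a given build sends too.
        self.headers = {"Content-Type": "application/json", **(extra_headers or {})}

    def _call(self, method, path, payload=None, raw=False):
        body = json.dumps(payload).encode() if payload is not None else None
        status, data = self.send(method, self.base_url + path, dict(self.headers), body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {data[:200]!r}")
        return data if raw else json.loads(data)

    def login(self, username, password):
        """POST /session returns a token; later calls carry it as X-Cookie: token=..."""
        token = self._call("POST", "/session", {"username": username, "password": password})["token"]
        self.headers["X-Cookie"] = f"token={token}"

    def launch(self, scan_id):
        return self._call("POST", f"/scans/{scan_id}/launch")["scan_uuid"]

    def wait(self, scan_id, poll_seconds=30, sleep=time.sleep):
        """Poll GET /scans/{id} until the scan reaches a terminal status."""
        while True:
            status = self._call("GET", f"/scans/{scan_id}")["info"]["status"]
            if status in ("completed", "canceled", "aborted"):
                return status
            sleep(poll_seconds)

    def export_nessus(self, scan_id, sleep=time.sleep):
        """Request a .nessus export, wait until it is ready, return the XML bytes."""
        file_id = self._call("POST", f"/scans/{scan_id}/export", {"format": "nessus"})["file"]
        while self._call("GET", f"/scans/{scan_id}/export/{file_id}/status")["status"] != "ready":
            sleep(2)
        return self._call("GET", f"/scans/{scan_id}/export/{file_id}/download", raw=True)


class FakeNessus:
    """Constructed stand-in for a scanner so the exchange can run offline.
    Replies the way a Nessus 6.x server does for scan id 7 and export file 42."""

    def __init__(self, base_url):
        self.base_url = base_url.rstrip("/")
        self.calls = []          # (method, path) in the order the client made them
        self.status_polls = 0

    def __call__(self, method, url, headers, body):
        path = url[len(self.base_url):]
        self.calls.append((method, path))
        if (method, path) == ("POST", "/session"):
            return 200, b'{"token": "constructed-session-token"}'
        if headers.get("X-Cookie") != "token=constructed-session-token":
            return 401, b'{"error": "Invalid Credentials"}'
        if (method, path) == ("POST", "/scans/7/launch"):
            return 200, b'{"scan_uuid": "constructed-scan-uuid"}'
        if (method, path) == ("GET", "/scans/7"):
            self.status_polls += 1          # first poll: running, second: completed
            state = "completed" if self.status_polls >= 2 else "running"
            return 200, json.dumps({"info": {"status": state}}).encode()
        if (method, path) == ("POST", "/scans/7/export"):
            return 200, b'{"file": 42}'
        if (method, path) == ("GET", "/scans/7/export/42/status"):
            return 200, b'{"status": "ready"}'
        if (method, path) == ("GET", "/scans/7/export/42/download"):
            return 200, b"<NessusClientData_v2><Report name='constructed'/></NessusClientData_v2>"
        return 404, b'{"error": "not found"}'


def demo(base_url="https://scanner.example.org:8834"):
    """Full exchange against FakeNessus: returns (final status, export bytes, calls made)."""
    fake = FakeNessus(base_url)
    client = NessusClient(base_url, send=fake)
    client.login("automation", "constructed-password")
    client.launch(7)
    status = client.wait(7, sleep=lambda _: None)
    xml = client.export_nessus(7, sleep=lambda _: None)
    return status, xml, fake.calls


if __name__ == "__main__":
    print(demo())
```

Against a real scanner you would drop the FakeNessus argument and pass `send=make_transport(cafile="scanner.pem")`; the rest of the flow is unchanged, which is why losing these endpoints hurts every script built on them.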

I’m very interested to hear your opinion, especially if you are an active Nessus user. What do you think about this situation?

14 thoughts on “New Nessus 7 Professional and the end of cost-effective Vulnerability Management (as we knew it)”

  1. Julian N

    I think Nessus have shot themselves in the foot.
    We are a Qualys house at the moment and I persuaded the management to order three NP scanners to fill a niche. From there, Tenable stood a chance of getting a bigger slice – and maybe all of the work from Qualys. There is zero chance of that happening now – I have just cancelled the three NP orders as they had not been delivered by the API cut-off point.
    Tenable seem to think NP and the API are taking money away from their bigger products. My experience here (until cancelled) and at a previous employer, where using NP led to a contract upgrade to NM, is that they are wrong. As often as not it is a stepping stone, a starting point to the sale of their bigger products.
    Well, they seem to have removed the first stepping stone, the first rung on the ladder – and now they will get nothing from this company.
    Personally, I have 12 months to sort out replacement – I feel very upset at having put my personal reputation on the line with clients recommending Nessus to them.
    It all reminds me of Solaris x86 – where Sun tried to pull it to help their Linux sales. It ended up helping other Linux sales, particularly RedHat, and not their own. By the time Sun realised their mistake and reintroduced the product it was too late. Linux had the market. Now Sun is but a small cog in the big Oracle.

  2. Roman

    Alexander, what can I say?
    Julian is right, they shot themselves in the foot. Or, as we say in Russian (it is difficult to translate, but you will understand :)), the one about the saw and the tree branch :).

    It’s sad, it’s sad that in April I will have a big headache. I do not believe that Tenable will change its mind.

  3. Matt Jones

    Sad day indeed for Nessus API users. Hopefully Tenable will rethink this decision. I have tested OpenVAS several times as an alternative to Nessus, most recently about a month ago and have found it to be unstable and extremely slow as compared to Nessus. A scan of a single subnet in my infrastructure takes 5 hours with OpenVAS compared to 1 with Nessus with less complete results. It doesn’t seem like a viable alternative in a consulting situation where you are onsite at a customer office and billing them by the hour.

    1. temp

      Can’t say much about the instability of OpenVAS as it runs quite stably here. Just a note about the scan speed:

      If you would like to compare the scan speed between Nessus and OpenVAS you need to enable “Thorough tests” and set the “Report paranoia” to Paranoid.

      Concerning the less complete results, Alex always mentions that each scanner has its strengths and weaknesses. Additionally, the OpenVAS Community Feed hasn’t contained enterprise-grade NVTs for a few months, so this might play another role here, as well as the infrastructure itself.

      1. Julian N

        It is interesting that you mention feed costs – I have not obtained a quote yet for our OpenVAS, but in general terms I think most people have paid for a Nessus Professional licence and get the feed for free – so paying for a feed to add to a free product is likely to be cost neutral.
        Thanks for the hints on scan speed and information on stability.
        Meanwhile Tenable Community still appears to be down – perhaps they are scared that the platform will be hijacked to discuss the downgrades in Nessus 7.
        Tenable do have a narrow window to redeem themselves – assuming they have not completely trashed the code – to release a version of Nessus Professional with the removed features reinstated – maybe called Nessus Professional Plus.
        But as I say above with Solaris x86 – it is a narrow window. Once users have moved to another product I cannot see many being prepared to move back.

        1. temp

          Hey,

          > Thanks for the hints on scan speed

          no problem. Just to have some numbers of my own infrastructure:

          Network: local /24
          Hosts: 21 up hosts (mixed services like HTTP, SSH, Database etc.)

          Nessus 7 with default scan config + CGI scanning enabled: 27 minutes
          Nessus 7 with “Thorough tests” and “Report paranoia” like explained above: 2 hours, 3 minutes

          OpenVAS 9 with “full and fast” scan config: 1 hour, 1 minute

          with nearly the same results (there are always differences between both).

          The OpenVAS “full and fast” is basically a Nessus scan config which has enabled CGI scanning as well as “Thorough tests” and “Report paranoia” set like explained above.

  4. Karl Weidel

    Personally I have been managing VM for about 10 years now and during that time have always found Qualys to be the best solution. They always offer free trials of anything I want to test and as many IPs as I would like to scan.

    And the biggest cost is typically in man hours to fix the vulnerabilities you find, and so this is where the accuracy of Qualys really shines, saving you time and effort chasing down false positives.

    I hear they have automated patching available now too! Which should save even more time/effort!

    You really have to think about the whole cost of purchasing, maintaining, updating and using/remediation.

    1. Julian N

      Qualys is undoubtedly a good product – we use it here – but it is cloud based and IP-count licensed – like the Tenable.io product – see pricing above.
      The Nessus professional with its API and unlimited capabilities was an entirely different beast – and Qualys have nothing similar. Sadly neither do Tenable now.

  5. winnie

    We used to automate things with the cmdline client _many_ years ago. They deprecated it. The binary was there for years. They broke the functionality occasionally, nevertheless, and every time we contacted support the answer was: “yeah it’s broken… but no support, use the API”. Functionality was broken for months until something was done.

    But with the API you didn’t have template export. Which by accident was available in another product of Tenable. Well, we reprogrammed the whole thing using the API… And now… this. Randomly taking away important features to force you to buy other expensive products you don’t need. A shame. Seriously, time to look for other products.

  6. Fabian

    We’re also affected by Tenable’s announcement as we just finished our API connection to offer automated vulnerability scans. Now we have to think about another solution which not only offers an API, but also can be licensed without any IP limit, because we have too many assets. I found the Retina Vulnerability Scanner from BeyondTrust. Licensing seems to be OK; does anyone know if it has an API?

  7. CLover

    It is truly epic and sad news. We had a few Nessus licenses to renew on 12/20/2017 and several more to buy, and after we saw this news we didn’t renew the old licenses and we will go after another solution. Unfortunately, it looks like OpenVAS is only partially Open Source. You can see that they have a GSA on GitHub with code, functionalities and libraries (https://github.com/greenbone/gsa/blob/master/gsad/src/gsad.c) that the Open Source version doesn’t have (GSA 7.0.2). Maybe they intended to make that repository private and left it public by mistake, but it tells me, and I hope to be wrong, that the spirit of Greenbone is to close the source of OpenVAS step by step, just like Tenable did with Nessus. Even though Greenbone dropped the delay in the plugin feed, that reveals that they are thinking about reducing the support for the Open Source version. On top of that, both Nessus and OpenVAS support fewer than 97k CVEs, so both Nessus and the Greenbone Commercial Feed fall short of finding all the CVEs.

    1. John Doe

      In this case the GitHub part is a complete misinterpretation on your side. Currently modules are being migrated step by step to GitHub and I see no intention to make OpenVAS closed source. Rather, it looks like quite the opposite. And if you check the GitHub tags correctly you will also find the apparently disappeared GSA 7.0.2.

      Furthermore a short note on the CVE topic:

      CVE is not the only measurement for vulnerabilities. And if you e.g. check Android CVEs you will see, for example, 1.5k CVEs which are just outside the coverage of a security scanner like Nessus or OpenVAS. Not to mention tons of exotic software where a CVE was assigned but which will never arrive in the database of a security scanner.

    2. Björn Ricks

      Don’t know where you get this news from, but nevertheless this is completely wrong. OpenVAS is still and will remain free software. Why should we switch from an insufficient and unknown development platform at wald.intevation.de to make it private at the biggest, well-known and contributor-friendly platform GitHub? I really don’t get that. Please subscribe to our mailing lists to get informed about ongoing processes in OpenVAS and don’t make such statements in public. Greenbone isn’t going to make OpenVAS private in any way. Greenbone was founded as a free software company and will stay a free software company. And if you are unsure about the differences between OpenVAS and the Greenbone products, please take a look at https://www.greenbone.net/en/community-edition/

      As already stated, you are also comparing different branches of GSA. GSA master will become the next version and differs completely from the latest release 7.0.2. We have rewritten the GSA web interface in master to be a single-page application. Comparing master with an old branch doesn’t make sense anymore.

  8. Falkowich

    > Find a comparable solution without licensing by IP addresses, with powerful API, with good scanning
    > quality and reasonable fixed per year price. At the moment I do not know of any solution comparable to
    > Nessus in functionality. But I believe it is possible to do something similar based on OpenVAS. Interested
    > in this kind of solution? Please let me know.

    This should be interesting indeed, and how this could be taken forward.
    I am messing with gvm-tools and the Python API for some fun.
    But this could really be interesting with a flask frontend perhaps…

    Well, I dunno, first day @work after new years. So I still have some happiness left in me 😀

