Nessus is freely available as an open-source tool. This has its advantages, because being open source means that any programmer with some extra time on their hands can create tools or plug-ins to enhance Nessus. However, in this case "free" also means no support, or at least no vendor support per se, and it means that some bells & whistles and glitz & glamour are missing.
A recent Computerworld.com article, Cheap Scanning Comes At A Price, highlighted some of the shortcomings of Nessus. The author, "Mathias Thurman", is a real-life security manager writing about real-life experience with the tool. His name and company are disguised to protect them.
In the article "Thurman" points out that Nessus is lacking in some areas when compared with its commercial counterparts:
- "The first is centralized management. It would be nice to be able to manage all of our scanning engines from one location."
- "Another problem is the inability to provide role-based access to the scanning infrastructure so that nonsecurity personnel can use the application to scan certain networks for specific vulnerabilities."
- "Finally, there is the whole issue around reporting. No matter how robust, easily manageable, intuitive and inexpensive the tool is, if we can't produce meaningful reports, it's hard to get management support."
I think these are valid points to a large degree. However, "Thurman" goes on to say, in relation to generating reports, "We've done some manipulation of the raw data produced by Nessus, but we can't afford to dedicate a person full time to creating reports." This is where I start to ask some questions.
I don't know how many clients are in the environment "Thurman" is trying to scan, but the article mentions having scan engines deployed throughout the world, so it seems safe to assume we're talking about a large number of devices.
Implementing a product such as ISS Internet Scanner or eEye Retina can cost hundreds of thousands of dollars to deploy and maintain. Eventually, the vendor will stop supporting that version or it will become outdated in some way and require another massive expenditure to deploy the latest and greatest version or deploy a whole new product. Why not take those tens or hundreds of thousands of dollars and use them to pay for that dedicated full-time person who can master Nessus?
When it comes to open source software, it seems that many of the packages are light on the glamour and focus more on power and functionality. That is a good thing. Generally, the bells and whistles exist; they just aren't bundled with, or installed by default alongside, the open source package. You might have to get the package from one place, the bell from another and the whistle from a third. But with a little time devoted to research, and the learning curve associated with the various tools, the result can be a package with more bang for the buck than its commercial brethren.
There are tools available in the Nessus Plugins section of the Nessus web site which can fill some of the bell-and-whistle gaps. For example, Lightning from Tenable may provide a viable solution for "Thurman's" centralized management, role-based access and reporting flash issues, all in one package.
Of course, this particular bell costs money, which negates some of the "free" that draws people to Nessus in the first place. But that is just one example. By searching Google and doing a little digging, you can find any number of tools, plug-ins and add-ons to use with Nessus.
In the end, I am not saying one is right or wrong. I am a sucker for flash and bells and whistles myself. The point is that money will be spent one way or the other, and that corporate managers and security administrators alike would benefit from an honest assessment of whether that money is better poured into a commercial product and its associated maintenance and upgrades, or invested in dedicating the time to learn how to implement the open source tool and get the functionality you need from it.
