Nessus Professional (Pro) is undoubtedly one of the cyber security consultant's favourite tools. It has also been widely adopted by organisations on a budget looking to start out in the never-ending world of vulnerability management.
It had humble beginnings as a fully open source tool and has become the favourably priced commercial product we see today.
As a tool it has the advantage of letting organisations scan an unlimited number of IP addresses, but one thing it lacks is enterprise-level manageability.
Anyone who has had dealings with vulnerability management will know that it is the management part that is key to getting on top of the masses of software vulnerabilities and misconfigurations most organisations are riddled with. Visibility and prioritisation are what it is all about.
Enthusiasts and corporations alike saw this gap and brought about a whole industry of tools and services that leveraged Nessus Pro by tapping into its obliging API.
Using the API, in-house tools and other products could collect the huge volume of results to populate dashboards and databases, making sense of the data and maintaining it in a way that made it more manageable. Beyond that, the API really helped organisations reach one of the pinnacles of security achievement: automation.
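To make the "collect the results and prioritise them" part concrete, here is an added example; it is not code from the original post or from Tenable. It reads a .nessus v2 export, the XML you get back from the Nessus REST API's scan export (or by saving a scan from the UI), and turns it into a per-host severity count, a remediation order and a "which plugin hits the most hosts" view. The two-host XML embedded below is constructed for illustration, and its plugin IDs and plugin names are made up.

```python
"""Turn a Nessus .nessus (v2) export into a prioritised summary.

Added example, not code from the original post. It assumes the XML was
fetched via the Nessus API's scan export (POST /scans/{id}/export, then
the download call) or saved from the UI. SAMPLE_NESSUS is a constructed
two-host sample in the NessusClientData_v2 layout; plugin IDs and names
are invented for illustration.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample. severity: 0 info, 1 low, 2 medium, 3 high, 4 critical.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
<Report name="constructed-sample">
 <ReportHost name="10.0.0.5">
  <HostProperties><tag name="host-ip">10.0.0.5</tag></HostProperties>
  <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
   pluginID="100001" pluginName="SMB remote code execution (sample)">
   <risk_factor>Critical</risk_factor><cvss_base_score>9.3</cvss_base_score>
  </ReportItem>
  <ReportItem port="443" svc_name="www" protocol="tcp" severity="2"
   pluginID="100002" pluginName="TLS 1.0 enabled (sample)">
   <risk_factor>Medium</risk_factor><cvss_base_score>5.0</cvss_base_score>
  </ReportItem>
  <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
   pluginID="100003" pluginName="OS identification (sample)">
   <risk_factor>None</risk_factor>
  </ReportItem>
 </ReportHost>
 <ReportHost name="10.0.0.9">
  <HostProperties><tag name="host-ip">10.0.0.9</tag></HostProperties>
  <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="3"
   pluginID="100004" pluginName="Outdated OpenSSH (sample)">
   <risk_factor>High</risk_factor><cvss_base_score>7.5</cvss_base_score>
  </ReportItem>
  <ReportItem port="443" svc_name="www" protocol="tcp" severity="2"
   pluginID="100002" pluginName="TLS 1.0 enabled (sample)">
   <risk_factor>Medium</risk_factor><cvss_base_score>5.0</cvss_base_score>
  </ReportItem>
 </ReportHost>
</Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Flatten every ReportItem into one dict per host/port/plugin."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            score = item.findtext("cvss_base_score")  # absent on info items
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "severity": int(item.get("severity")),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "cvss": float(score) if score else 0.0,
            })
    return findings


def host_summary(findings, min_severity=1):
    """Count findings per host by severity, dropping informational ones."""
    summary = defaultdict(lambda: defaultdict(int))
    for f in findings:
        if f["severity"] >= min_severity:
            summary[f["host"]][f["severity"]] += 1
    return {h: dict(c) for h, c in summary.items()}


def prioritise(findings, min_severity=3):
    """Remediation order: highest severity first, then CVSS base score."""
    ranked = [f for f in findings if f["severity"] >= min_severity]
    ranked.sort(key=lambda f: (f["severity"], f["cvss"]), reverse=True)
    return ranked


def plugin_exposure(findings):
    """(host count, plugin ID) pairs, most widespread first: fix once, close many."""
    hosts_per_plugin = defaultdict(set)
    for f in findings:
        if f["severity"] > 0:
            hosts_per_plugin[f["plugin_id"]].add(f["host"])
    return sorted(((len(h), p) for p, h in hosts_per_plugin.items()), reverse=True)


if __name__ == "__main__":
    fs = parse_nessus(SAMPLE_NESSUS)
    print(host_summary(fs))
    for f in prioritise(fs):
        print(f["severity"], f["cvss"], f["host"], f["port"], f["plugin_name"])
    print(plugin_exposure(fs))
```

Feeding the parsed findings into a database or dashboard is then a matter of iterating over the dicts; the same three views (per-host counts, ranked remediation list, most widespread plugin) are the ones most teams want on the front page of whatever they build on top of the scanner.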
From version 7, that API is going away. Nessus Pro is still great for consultants and still gives organisations a foot in the door of vulnerability management, but Tenable, like the rest of the vulnerability management market, want to focus on their cloud services.
So what next?
Their recommended replacement for anyone using the Nessus API is to move to the Tenable.io product: a robust cloud service with full management capabilities and an API, should you still wish to continue with any other management solution you may have. But a couple of points for consideration:
Is the API going to provide the information you need? I’ll leave that question open for someone with more time than me to answer.
Be prepared for a different price tag. Pricing is based on the number of assets in scope and falls into the same bracket as other solutions in this area, a far cry from the unlimited scans and IPs of a Nessus Pro licence.
If you are considering a new solution and want alternatives to Tenable.io, then solutions from Qualys or Rapid7 are definitely worth a look. For an open source alternative, try OpenVAS.
More to come on vulnerability management.