Nessus vs. OpenVAS

This topic contains 12 replies, has 8 voices, and was last updated by  Seen 7 years, 1 month ago.

  • Author
    Posts
  • #7967
     Seen 
    Participant

    So, I’ve been getting some paid pentesting jobs, and I need to decide between buying a Nessus license or using OpenVAS.  I’d prefer not to spend the extra money, but I don’t have any experience with OpenVAS.  Is it just as good as Nessus or should I suck it up and just buy the license?  I primarily do web pentesting, and use Nessus to find configuration issues and software vulnerabilities on a web server before I begin testing the actual site.

    Also there are a lot of OpenVAS tutorials out there.  If anyone has some favorites please post the links. 

    Thanks.

  • #50495
     m0wgli 
    Participant

    Although not offered directly on their website, if you contact Tenable it may be possible to obtain a trial of the professional feed.

    http://www.tenable.com/products/nessus-professionalfeed/nessus-evaluation

    You could then perform your own comparison with OpenVAS and decide if the cost is justified for you.

    I saw an article recently comparing Home/Community versions of the following scanners: Nessus, OpenVAS and Nexpose VS Metasploitable:

    http://hackertarget.com/nessus-openvas-nexpose-vs-metasploitable/

    Whilst not a particulary in depth study, it is interesting in highlighting how detection and categegorization differs between the products.

    The Nmap site also has a list of the Top 125 Network Security Tools, which can be drilled down further into just the Vuln Scanners and Web scanners:

    http://sectools.org/

  • #50496
     SephStorm 
    Participant

    You know that article is so useful. I’ve spent the past 30 mins or so looking at the vulnerabilities and researching ones I am not familiar with. I know this is really the point of metasploitable, but its still a great experience. I havent gotten to the nexpose and openVAS reports yet, but im looking forward to seeing the differences.

  • #50497
     Seen 
    Participant

    Yes, really excellent article m0wgli.  Just what I was looking for.  Thanks!

  • #50498
     BillV 
    Participant

    Why don’t you just pass the cost of the license on to your client(s)?

  • #50499
     Seen 
    Participant

    @BillV wrote:

    Why don’t you just pass the cost of the license on to your client(s)?

    I obviously would if I need to, but if OpenVAS is just as good, then I’d rather pass the cost of something else on to them.

  • #50500
     m0wgli 
    Participant

    Just in case you’re not aware. According to the Nessus license:

    “Q. Can I use Nessus at work?

    A. You must subscribe to the ProfessionalFeed to use Nessus outside of the home or personal use.”

    http://www.tenable.com/products/nessus/nessus-faq#anchor11.2

    Based on my own personal observations, I’ve not come across anyone recommending OpenVAS over Nessus (Professional). Everyone seems to use Nessus.

    I’d be interested to see which Vulnerabilty scanners are currently used by members here who are testing professionally.

  • #50501
     SephStorm 
    Participant

    True, but I would guess that many people use nessus because of its name recognition. How many people are taught about OpenVAS when they study for their CEH (I assume it would be mentioned in the GPEN). They work at one company that uses a product, and only use another when they have to. I recommended Nexpose to my company (well I informed them of its existence, and gave my opinion of it.), but they didnt change anything.

  • #50502
     dynamik 
    Participant

    My personal experience is that the paid vulnerability scanners typically provide more timely and accurate signatures. Unless OpenVAS has changed dramatically since I last used it, I think it would be negligent to use it professionally.

    Nessus seems to provide a good cost/benefit ratio. I’d probably use something else or add-on the security center if I was using it in-house, but for one-off assessments, I can do without a lot of extra features.

  • #50503
     tturner 
    Participant

    OpenVAS NVT 29,029
    Nessus plugins 51,236

    It’s not a complete apples and to apples comparison as its not a 1:1 mapping of plugins to vulnerabilities but you get the idea.

    If you are serious about doing VA work you really need Nessus Pro feed (or another commercial scanner) at a minimum. I’m of the mindset however that a really good pentester could make do with Nmap and if it’s a webapp test all you really need is Zap/Burp and a browser. Vuln scanners are a crutch. I still use them, but sometimes I find myself spending more time weeding out false positives and second guessing what I knew already.

  • #50504
     RoleReversal 
    Participant

    I can’t comment on OpenVAS too much, got it running in a lab environment but haven’t really used in anger.

    Placing technical issues to one side, if you’re providing a chargeable service some (rightly or wrongly, a debate for another day) will be more comfortable with a service backed up by a commercial organisation; and I have come across a handful of organisations that specifically disallow open source in their environment.

    Given the relative low cost of a single Nessus license (compared to other commercial offerings) I’d suggest this may be the way to go in a commercial setting. The cost of a license can quickly be offset by picking up business from clients that otherwise wouldn’t consider you.

  • #50505
     impelse 
    Participant

    I used both, and let me tell you that maintenance, use and update OpenVAS is time comsuming comparing with Nessus.

    Sometimes despend of you time.

  • #50506
     Seen 
    Participant

    @tturner wrote:

    Vuln scanners are a crutch. I still use them, but sometimes I find myself spending more time weeding out false positives and second guessing what I knew already.

    I don’t rely on vuln scanners too much, but I do like to use them to get a sense of the overall focus of security of a client.  If I run it and come up with 10 major issues, I know I might have to focus first on fixing simple things since it’s most likely the case that the admin hasn’t really viewed security as a priority.  Kind of like running an antivirus scan, if it comes up with 40 viruses, i know it’s going to be a pain to clean, but if it comes up with none that doesn’t necessarily mean things are ok.

You must be logged in to reply to this topic.

Copyright ©2019 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?