May 14 2008

Changes to the Nessus license

Published by at 7:27 am under Security Advisories

Last time Nessus changed their licensing model, there was a big uproar. Many people, including me, thought it was a huge error on their part and that it’d drive folks away from using Nessus. Luckily we were wrong; Nessus and Tenable are still around and still the most popular scanning solution available.

Tenable has come to the decision that it’s time to change their licensing model again. The Registered Feed will be going away; instead you’ll have the option of a HomeFeed or a Professional Feed. The HomeFeed will only be for use on personal networks, but it will carry the same vulnerability updates that the Professional Feed does. If you were using a Registered Feed to scan your own business network, that is no longer acceptable under the new licensing and you’ll have to upgrade to a Professional Feed, which is pretty reasonable at $1200 a year. For that price you also get the compliance checks, which include my favorite, PCI.

It’s a major change for Tenable to require anyone using Nessus in a corporate setting to pay for the feeds; you used to be able to use the Registered Feed for your own business and only had to pay for the Direct Feed if you used it for consulting. This is a continuation of Tenable’s desire to get paid for the incredible amount of work they put into Nessus, something I have a hard time faulting them for. There is an exemption in the licensing that will allow you to get a free license if you’re a charitable or educational organization. The exact requirements for this exemption haven’t been made public yet, but should be soon.

Nessus 2.0 is still open source. Nessus 3.0 was never open source, nor have the plugins been, though a lot of people have treated them as such through the Registered Feed. This change in the licensing may open a gap that will allow a new open source vulnerability scanner to come to the forefront. Given the breadth of Nessus deployments, I think this is unlikely in the near future, but it may happen slowly over the next few years. Most businesses are probably going to ignore Tenable’s new license until their Registered Feed expires on July 31st. The big question is whether they will continue using Nessus without updates, pay for the Professional Feed, switch to another product, or quit scanning altogether. Short term, I’m betting on scanning without updates, but long term is another question altogether: is $1200/year really all that much to pay compared to what any other scanning tool is going to cost you?

Tenable made a business decision that they need to collect revenue on their plugin feeds in order to continue providing the level of support they have always given. Some people are going to complain that Tenable is getting greedy; I’d counter that they just want to get paid for the work they’ve been supplying to the community for years. I guess that’s one of the things actually meeting the people doing the work will do to you.

10 Responses to “Changes to the Nessus license”

  1. MikeP on 15 May 2008 at 1:50 pm

    I’ve asked, and for reference, universities count as companies in the context of licensing (except when Nessus is used in a *classroom* setting for *educational* purposes). That is now in the FAQ, but I thought I’d mention it anyway, since a lot of EDU types run Nessus too.

    I don’t blame Tenable; $1200 a year is totally reasonable for most companies, and if it’s too much for independent pentesters, they should probably really consider charging more for their services.

  2. PatrickH on 15 May 2008 at 8:55 pm

    “I don’t blame Tenable; $1200 a year is totally reasonable for most companies, and if it’s too much for independent pentesters, they should probably really consider charging more for their services.”

    For most companies… in the US or EU. Here in Southeast Asia (Thailand), that is a huge amount of money. That is roughly the equivalent of 3 months’ salary for a full time engineer. Just to further put that into perspective, the $1200 USD sum equates to 1360 average meals here in Thailand vs only 240 in the US (using a very conservative figure of $5 USD per meal). Could the company consider charging more for the services? Absolutely. Considering is about all they could do, however, as the market would never support it.

  3. MikeP on 16 May 2008 at 3:02 pm

    I’m Canadian, not US/EU, but I take your point.

    Tenable’s an American company, so I can’t blame them for gearing themselves to the US market, although I sympathize with those left out in the cold. On the other hand, the economy in SE Asia isn’t really their problem; making money for their stakeholders is, and if they’re being undercut by others, then they need to move to plug the holes.

  4. Martin on 17 May 2008 at 6:19 am

    PatrickH, I understand your pain, but if $1200 is unattainable, what other tools can you use in Thailand? Are there open source alternatives to Nessus? I still think Tenable is making the right decision for their business, since the majority of their customer base is going to be here in the US and Canada, with a slightly smaller portion in the EU. Their goal isn’t to drive anyone out of business with the cost of software, and in comparison to just about anything else out there, Nessus is dirt cheap.

    Martin

  5. Shawn on 11 Jun 2008 at 7:10 am

    You are all missing the point. I have been using Nessus for a long time. They have made a company on the backs of open source, and now they want to start charging money?

    You know what they can do with that. I, for one, am going to stop using them and find other methods. Open source ways.

    This is ridiculous. Had you told anyone this day would come, they would not have gotten a foot in the door. This is a break of trust, and I doubt the open source community will stand for it.

    It flies in the face of everything we believe in.

  6. shadowbq on 11 Jun 2008 at 8:28 am

    OpenVAS is an alternative to Nessus Commercial Feeds

    OpenVAS is a Nessus 2 open source fork. It has its own NVT feed system to get updates.

    Please contribute.

    http://www.openvas.org/index.html

  7. AlexT on 11 Jun 2008 at 9:37 am

    “You are all missing the point. I have been using Nessus for a long time. They have made a company on the backs of open source, and now they want to start charging money?”

    “It flies in the face of everything we believe in.”

    Nessus 2.0 is still open source. Download it, run it, develop your own NVTs, etc. However, the belief that Tenable somehow owes you free access to the NVTs they pay to develop is ridiculous.

  8. bloomer543 on 04 Sep 2008 at 2:41 am

    As shadowbq said, there are some alternatives. You have OpenVAS, for example, to get a Nessus GPL. And you can download free feeds from some webpages, for example http://www.alienvault.com/free_feed_for_nessus.php with automatic updates. You have other download possibilities, although they are not automatic, such as http://www.secpod.org

  9. GFI LANGuard – Review : security blog on 07 Aug 2009 at 7:47 pm

    [...] Nessus is considered one of the best network scan tools but it’s more expensive than both. [...]

  10. A Security Expert on 28 Sep 2013 at 10:45 pm

    Are there things such as apprenticeships within the security field?
