May 14 2008

Microcast: Ron Gula on Nessus license changes

Published by Martin under Podcast, Security Advisories

Rich and I got a chance to talk to Ron Gula, CEO of Tenable Network Security, about the changes made today to the Nessus licensing model. This is a follow-up to the post I wrote this morning and explains the reasoning behind the changes straight from the man in charge.

Microcast: Ron Gula on the changes to the Nessus licensing model [15:43]

May 14 2008

Changes to the Nessus license

Published by Martin under Security Advisories

Last time Tenable changed the Nessus licensing model, there was a big uproar. Many people, including me, thought it was a huge error on their part and that it would drive folks away from using Nessus. Luckily we were wrong; Nessus and Tenable are still around and still the most popular scanning solution available.

Tenable has decided that it is time to change the licensing model again. The Registered Feed is going away; instead you will have the choice of a HomeFeed or a ProfessionalFeed. The HomeFeed is only for use on personal networks, but it carries the same vulnerability plugin updates as the ProfessionalFeed. If you were using a Registered Feed to scan your company's own network, that is no longer acceptable under the new licensing and you will have to upgrade to a ProfessionalFeed, which is pretty reasonable at $1200 a year. For that price you also get the compliance checks, which include my favorite, PCI.

It is a major change for Tenable to require anyone using Nessus in a corporate setting to pay for the feeds; you used to be able to use the Registered Feed for your own business and only had to pay for the Direct Feed if you used it for consulting. This is a continuation of Tenable's desire to get paid for the incredible amount of work they put into Nessus, something I have a hard time faulting them for. There is an exemption in the licensing that will allow charitable and educational organizations to get a free license. The exact requirements for this exemption have not been made public yet, but should be soon.

Nessus 2.0 is still open source. Nessus 3.0 was never open source, nor have the plugins been, though a lot of people have treated them as such through the Registered Feed. This change in the licensing may open a gap that allows a new open source vulnerability scanner to come to the forefront. Given the breadth of Nessus deployments, I think this is unlikely in the near future, but it may happen slowly over the next few years. Most businesses are probably going to ignore Tenable's new license until their Registered Feed expires on July 31st. Note that an expired feed does not stop the scanner from running; it stops the plugin updates, so checks for vulnerabilities disclosed after that date never arrive and the scan results quietly go stale. The big question is whether they will continue using Nessus without updates, pay for the ProfessionalFeed, switch to another product, or quit scanning altogether. Short term, I'm betting on scanning without updates, but long term is another question altogether; is $1200/year really all that much to pay compared to what any other scanning tool is going to cost you?

Tenable made a business decision that they need to collect revenue on their plugin feeds in order to continue providing the level of support they have always given. Some people are going to complain that Tenable is getting greedy; I'd counter that they just want to get paid for the work they have been supplying to the community for years. I guess that's one of the things actually meeting the people doing the work will do to you.
