Tuesday, December 12, 2017

Tenable is killing Nessus Professional - When a security company sabotages a good product

Sad day today for any user of 
Tenable Nessus Professional.

As is the case with many security companies who are working towards making their products cool, Tenable is pushing their customers to the Cloud.   A security tool in the cloud just doesn't fly with me.

Tenable just released Nessus version 7.0 and along with it has killed two basic features that are critical to many smaller businesses and especially consultants.

A security company, that produces a security product, is now releasing software that imposes a less secure state, and cripples the product used by thousands without communicating these changes ahead of the release.  SURPRISE !  

In fact, the features they are crippling, they are listing as FEATURES and IMPROVEMENTS!

So naturally I thought the wording simply was wrong and had to call Tenable to have them provide me with the amazement that no... the wording is right.  

These crippled items are FEATURES.

The first item sabotaged is the ability to create users.   You read that correctly.  USERS.

This applies to anyone paying the $2,190 a year for single scan engine (Nessus Professional).  You now have to share a password.  You can scan as many assets as you want, but the security person needs to share his/her password with the technical folks so they can work through the findings within the tool.

Normally within a business, you would create accounts for scanning, and perhaps accounts for simply reviewing the scan results (like when an auditor comes in to review results).  Or you would separate your assets by groups such as Linux servers, and Windows servers.  You would have different accounts set up for each asset group.

For a consultant, you would have a user account for each client.  

This makes sense since scan policies usually include authentication credentials for the operating systems being scanned.

In version 7.0, you can no longer create users.  Single user mode is the only way to go.

The product should therefor no longer be used by consultants since clients generally do not want their information mixed with others.

Within a business, a single scanner will now have a single user account, this means that if two technical people need to review the findings, they need to share the password !!!!   

We are in 2017, preaching to our user base to NEVER share passwords and this security product, a long time leader is now imposing insecure practices.

What else did they sabotage.  Well, it seems that they have crippled the API (restricted API).  So if you wrote yourself some tools using the API, you are screwed.

They made the API available, it contributed greatly to the popularity of the product, now go screw yourself, no more API.

As far as loyalty to customers, this is once again, a CLEAR demonstration of capitalism.  The exact attitude that hurts the over all security of our entire ecosystem.

I have been a long time defender and promoter of Tenable and their solutions.

I use their tools in conferences and training seminars.

I include their tools in the classes I teach in two Universities.

Today is the end of an era.  The era of reasonable priced commercial tools produced by companies who first wanted to offer a great security tool not just make a buck.

I predict that projects like OpenVAS are going to see a large increase in popularity and support.

I for one have to now integrate OpenVAS in my conferences and university classes and drop Tenable from my curriculum.

I also now have to ask myself what tool best offers the features I need as a consultant and what to recommend for smaller businesses.

Imposing cloud based solutions simply is not something I can get behind for a security tool.

And crippling products and calling it a feature isn't either.


Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies



  1. Hello i have read your this blog Tenable is killing Nessus Professional - When a security company sabotages a good product post which is really nice to read and interesting, keep doing well and keep updating with new post....Security Guards Companies

  2. Thanks for this article very helpful. thanks. Company formation

  3. Thanks for taking the time to discuss this, I feel strongly about it and love learning more on this topic. security companies


Are we even trying over at BRP

This will be a short blog entry.  Essentially, a general observation. If your enterprise was breached and screenshots of user account passwo...