Is it worth running nessus as well as OpenVAS?

Apparently OpenVAS originated as a fork of Nessus. It is very easy to install and use OpenVAS because it's, well, open. However, am I kidding myself if I just use that instead of Nessus? Should I be using both, or if I use Nessus then is OpenVAS surplus to requirements?

To break it down into non-subjective sub-questions:

* Is OpenVAS a superset or subset of Nessus?
* Is one updated more often than the other?
* Does one have a bigger vulnerability database than the other?
* ...or are there other qualitative differences that I may be missing?


I personally much prefer Nessus.

It has a better feel and management, not to mention the updates offered.
Furthermore, I believe the control of Nessus via updates and usage is more professional because of the proprietary model. It's just easier to use.

OpenVAS server is a forked development of Nessus 2.2. The fork happened because the major development (Nessus 3) changed to a proprietary license model and the development of Nessus 2.2.x is practically closed for third party contributors. OpenVAS continues as Free Software under the GNU General Public License with a transparent and open development style.

Although OpenVAS was forked, since then (2008) OpenVAS has changed into something new, with new features and functions not offered in Nessus.

For a simple desktop version assessment (1 user - small amounts of checking), I would go with Nessus.

However, because OpenVAS is an open source product, people are saying its scanning abilities are a little further along than Nessus. (I can't prove this, nor do I really believe it :P)

In a nutshell, choose:

* quicker updates -> good scanning = Nessus
* slower updates -> better scanning = OpenVAS

Hope this helps :D


It is a good idea to have the ability to use both: you can tune either Nessus or OpenVAS to run 'fast scans', and given that OpenVAS is free, this allows you to run numerous on-demand scans of any kind.

Nessus may be preferred/required by some compliance auditors you interact with in the future. Some of this may be rooted in logic, but because of the open-source nature of OpenVAS combined with the common difficulty that the general security-admin public has in installing/using/maintaining it, some auditors may view it negatively without any application of logic to their conclusion.

The two-role nature becomes more relevant considering that Nessus has a cloud offering now: so you truly have the classic "expensive, easy-to-use/maintain, commercial offering" versus the "free, harder-to-use/maintain, open-source version". Both definitely can be used together, and in a production environment this could translate into

  1. running various multiple, recurring free OpenVAS scans for free to tighten your system.
  2. selected and fewer Nessus paid scans that show to the world that your system has been properly tightened.
  3. between Nessus "proof-to-the-world" scans you can run OpenVAS scans on a recurring, scheduled basis to maintain confidence in the target system's current vulnerability landscape.