Is it worth running nessus as well as OpenVAS?
Apparently OpenVAS originated as a fork of Nessus. It is very easy to install and use OpenVAS because it's, well, open. However, am I kidding myself if I just use that instead of Nessus? Should I be using both, or if I use Nessus then is OpenVAS surplus to requirements?
To break it down into non-subjective sub-questions:

* Is OpenVAS a superset or subset of Nessus?
* Is one updated more often than the other?
* Does one have a bigger vulnerability database than the other?
* ...or are there other qualitative differences that I may be missing?
I personally much prefer Nessus.
It has a better feel and management, not to mention the updates offered.
Furthermore, the control of Nessus via updates and usage, I believe, is more professional because of the proprietary model. It's just easier to use.
OpenVAS server is a forked development of Nessus 2.2. The fork happened because the major development (Nessus 3) changed to a proprietary license model and the development of Nessus 2.2.x is practically closed for third party contributors. OpenVAS continues as Free Software under the GNU General Public License with a transparent and open development style.
Although OpenVAS was forked, since then (2008) OpenVAS has changed into something new, with new features and functions not offered in Nessus.
For a simple desktop version assessment (1 user, small amounts of checking) I would go with Nessus.
However, because OpenVAS is an open source product, people are saying its scanning abilities are a little further along than Nessus (I can't prove this, nor do I really believe it :P).
In a nutshell choose...
quicker updates -> good scanning = Nessus
slower updates -> better scanning = OpenVAS
Hope this helps :D
It is a good idea to have the ability to use both: you can tune either Nessus or OpenVAS to run 'fast scans', and given that OpenVAS is free, this allows you to run numerous on-demand scans of any kind.
Nessus may be preferred/required by some compliance auditors you interact with in the future. Some of this may be rooted in logic, but because of the open-source nature of OpenVAS combined with the common difficulty that the general security-admin public has in installing/using/maintaining it, some auditors may view it negatively without any application of logic to their conclusion.
The two-role nature becomes more relevant considering that Nessus has a cloud offering now: so you truly have the classic "expensive, easy-to-use/maintain, commercial offering" versus the "free, harder-to-use/maintain, open-source version". Both definitely can be used together, and in a production environment this could translate into
- running various multiple, recurring free OpenVAS scans for free to tighten your system.
- selected and fewer Nessus paid scans that show to the world that your system has been properly tightened.
- between Nessus "proof-to-the-world" scans you can run OpenVAS scans on a recurring, scheduled basis to maintain confidence in the target system's current vulnerability landscape.