OPENVAS VS. NESSUS

Open Source vs. Proprietary Vulnerability Scanners: OpenVAS vs. Nessus


Matthew May
University of South Carolina

Abstract
This paper explores the basic concepts surrounding modern cyber threats, and explains
the benefits of using free and Open Source software, particularly vulnerability scanners, in the
field of network security. After introducing the reader to modern threats and naming a few of
the most well-known Open Source contributions in recent years, the paper will pivot and
discuss the benefits of incorporating several Open Source and proprietary vulnerability
scanners into their corporate environment rather than one proprietary solution.

Throughout the course of my internship at SCANA I have been assisting with the
implementation of our new security operations center, and in doing so I have learned a great
deal about securing networks, how attackers map out their targets, and how many of them
actually bypass security features. While there are millions of pieces of malicious software online
today, it is no longer realistic to simply install antivirus software on every endpoint and assume
that your assets are secure. In this day and age, if an attacker wants to break into your
company's corporate network, they will, some way or another. A common term being used in
the industry today is one that was coined by Lockheed Martin, the advanced persistent threat.
Advanced persistent threats, or APTs, are exactly what most people would probably infer by
reading the name. They are threats planned by organizations that diligently gather intelligence
on their targets, meticulously plan which assets to attack, determine the most effective
methods to do so, and over an extended period of time work to crack into a system. Many
attackers realize that it is unnecessary and usually ineffective to try exploiting their way in from
the outside past the infinite layers of firewalls barricading them from the critical areas of a
network, so rather than wasting their time in doing so, attackers have begun targeting
corporate employees, and after compromising certain individuals, using them as stepping
stones to move throughout the network unnoticed. (Lockheed Martin)
For example, imagine that I have been given the task of breaking into a university's
network and stealing confidential student information. I wouldn't just start firing exploits at the
external firewalls, generating hundreds of logs, and basically announcing loud and clear that
someone is attempting to break in. I would target high level school employees and try to gain
access to one of their accounts to bypass the uppermost firewall layers. I may monitor their
LinkedIn or Facebook accounts to gather personal information about them and then
accidentally bump into them at a conference or a user group that they attend. I may then
strike up a conversation with them and gather as much intelligence as possible, while at the
same time gaining their trust. I may get them on the topic of their favorite movies or music and
then recommend a certain movie or album to them. I would say that I owned a CD that they
love and tell them that I'll burn them a copy and give it to them at a later date. When I burn the
CD it would have legitimate songs on it but I may engineer and include malicious software that
creates a backdoor into their computer when they save the songs. At this point they would be
thrilled that they just acquired their favorite singer's new album for free and would have no
clue that they just fell victim to a socially engineered attack. Within the next few days that
employee would most likely use their personal computer for work and when they save their
files to their flash drive I would piggyback malware onto the storage device. When they
returned to work the next morning they would plug their USB into their work computer and
unknowingly expose an internal part of their network to malware. The reason that many
antivirus programs are barely of any help in this situation is that as an advanced attacker, I
probably would have written custom code that no antivirus company has seen before, so their
databases wouldn't contain my software's MD5, the unique identifier for any piece of software.
While some companies are trying to produce AI endpoint protection software that learns on
the fly whether or not software is malicious, there are still flaws. It is no longer a question of
whether or not a system can be compromised; it is only realistic to try locating as many
vulnerabilities in your network as possible, and then to be prepared to respond when the
inevitable breach does happen via some vulnerability that was overlooked or caused by an
employee who ignored security policy.
Some of the most common tools that attackers use to map networks and locate
vulnerabilities are port scanners and vulnerability scanners. There are several viable
vulnerability scanners available and while one may technically be better than the others, there
are still vulnerabilities that a higher rated product may overlook that another less popular
scanner may detect. This is where some people begin arguing about proprietary software vs.
Open Source software. (Lyon)
For years, in most corporate environments, it was highly discouraged and frowned upon
to use Open Source software in a production environment. Nowadays the security professionals
responsible for securing digital assets for many companies are realizing the immense power
that can stem from such tools. The Open Source community has grown so large that they now
host massive Open Source software conferences and in recent years the community has put out
many useful tools well suited for enterprise use. Some of the most notable Open Source
contributions to the world of security are Kali Linux, a Linux distribution prepackaged to include
virtually every security tool that a pentester may need to exploit a network vulnerability, and
Security Onion, a Linux distribution which basically does for blue team what Kali does for red
team. Security Onion comes with several Open Source network monitoring tools like
Snort, Sguil, Bro, Elsa, Squert, and more. Of all the tools that security professionals use, some of
the finest are vulnerability scanners.
Several years ago the proprietary vulnerability scanner called Nessus was entirely free
and Open Source. In 2005 Nessus removed their Open Source code from the internet and three
years later in 2008 they began charging for their services. It now costs $2,190 per year, which
still beats many competing scanners. Nessus does offer a free version but it is extremely limited
and only licensed for use on home networks. (Lyon) Luckily, the Open Source community forked
the old Nessus repo and although development was slow for a few years, the community has
now invested a great deal of time writing plugins, tuning, and updating the old Nessus software.
The result of their hard work is OpenVAS, the world's most advanced Open Source vulnerability
scanner. (Lyon)
Tenable, the company who owns Nessus, boasts an impressive features page on their
website. Nessus customers are provided multiple assessment types (vulnerability scanning,
configuration auditing, compliance checks, malware detection, web application scanning,
sensitive data searches, and control system auditing), rich assessment capabilities (high speed
asset discovery and scanning, multiple network scanning, scan scheduling, selective host rescanning, automatic scan analysis, agent-based scanning, and multi-scanner support), ongoing
management (product updates, content updates, user management, resource management,
and customer support), core systems connection (password vault integration, patch
management auditing, mobile device security, and Nessus RESTful API), and reporting
(customized reports, multiple formats, targeted email notifications, report sharing, dashboards,
and scan validation). (Tenable)
OpenVAS has much more of an Open Source feel to it because with OpenVAS you get no
official support. If one is faced with an OpenVAS issue they must refer to forums and ask the
community questions to correct the issue(s). They have no features page on their website,
but from personal experience in using both products, and through knowledge gained by reading
through many forums, I can determine that support aside, both scanners are very similar and
capable of detecting the vast majority of vulnerabilities currently known to man. Some claim
that OpenVAS yields more false-positives than Nessus does, but false-positives are far better
than false-negatives.
Our organization currently uses Nessus to perform its vulnerability scans, and although
it is so highly rated and works wonderfully for detecting most vulnerabilities, nothing is perfect.
The fact of the matter is that although Nessus is a high end piece of proprietary software, in
recent years there have been countless Open Source programs that actually perform better
than their proprietary counterparts. I believe that most companies, including my own, would
benefit greatly by incorporating several vulnerability scanners into their security checks, rather
than relying on a single scanner for full coverage. Vulnerability scanners are constantly being
updated every day by entirely different teams of developers and if a brand new zero-day
vulnerability goes unnoticed by one organization for a few days, weeks, or even months,
another organization may have incorporated it into their scanner. For the same reason that
having someone proofread an essay is smart, it is never unwise to seek a second opinion when
it comes to network security.
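
The second-opinion argument above can be made concrete by correlating the results of two scanners. The following is an added example, not part of the original paper: it merges two constructed CSV exports keyed on host, port and CVE. The column names, addresses and CVE identifiers are placeholders assumed for illustration, not the real report formats of Nessus or OpenVAS.

```python
import csv
import io

# Constructed sample exports (not real scan output). Column names are
# simplified assumptions and the CVE identifiers are placeholders.
SCANNER_A_CSV = """Host,Port,CVE,Name
10.0.0.5,443,CVE-0000-0001,Example TLS finding
10.0.0.5,22,,Example SSH configuration finding
10.0.0.7,3389,CVE-0000-0005,Example remote desktop finding
10.0.0.9,445,CVE-0000-0002,Example file sharing finding
"""

SCANNER_B_CSV = """IP,Port,CVEs,NVT Name
10.0.0.5,443,"CVE-0000-0001, CVE-0000-0003",Example TLS issues
10.0.0.9,445,CVE-0000-0002,Example file sharing issue
10.0.0.9,80,CVE-0000-0004,Example web server issue
"""


def load_findings(text, host_col, port_col, cve_col):
    """Return (set of (host, port, cve) keys, number of rows without a CVE)."""
    keys, no_cve = set(), 0
    for row in csv.DictReader(io.StringIO(text)):
        cves = [c.strip().upper() for c in row[cve_col].split(",") if c.strip()]
        if not cves:
            no_cve += 1      # cannot be correlated across scanners by CVE
            continue
        for cve in cves:     # one row may list several CVEs
            keys.add((row[host_col].strip(), int(row[port_col]), cve))
    return keys, no_cve


def compare(a_keys, b_keys):
    """Split findings into confirmed-by-both and single-scanner sets."""
    return {
        "both": sorted(a_keys & b_keys),
        "only_a": sorted(a_keys - b_keys),
        "only_b": sorted(b_keys - a_keys),
    }


def run_example():
    a, a_skipped = load_findings(SCANNER_A_CSV, "Host", "Port", "CVE")
    b, b_skipped = load_findings(SCANNER_B_CSV, "IP", "Port", "CVEs")
    report = compare(a, b)
    report["uncorrelated_rows"] = a_skipped + b_skipped
    return report


if __name__ == "__main__":
    for section, items in run_example().items():
        print(section, items)
```

The `only_a` and `only_b` entries are the ones to triage first: each is either a false positive from the scanner that reported it or a false negative from the one that did not. Rows without a CVE are counted separately because they need manual matching.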

References
Gordon Lyon (2015). Top 125 Network Security Tools. Retrieved from sectools.org
Lockheed Martin (2015). Cyber Kill Chain. Retrieved from
http://www.lockheedmartin.com/us/what-we-do/information-technology/cybersecurity/cyber-kill-chain.html
Tenable (2015). Nessus Features. Retrieved from
http://www.tenable.com/products/nessus/features
OpenVAS (2015). About OpenVAS. Retrieved from
http://www.openvas.org/about.html
