Tenable vs Nessus, what is the difference?

Tenable v Nessus S4 Applications

2 Sentence Answer to the difference between Nessus and Tenable

Nessus is a product that scans for security vulnerabilities in your infrastructure.  

Tenable is the company that sells the Nessus product range, plus a number of other products that are built upon Nessus and help aggregate the Nessus output in ways more useful to businesses.

But life is more complex and interesting than that, so read on, or jump to “Where best to Start” to get the S4 Applications recommendations.

Tenable and Nessus – the Background

If you have got this far I am guessing that you are relatively new to the information security (InfoSec) market and looking to take some important first steps.  If so I would recommend out maturity assessment model for when you have finished.

As they say, security it all about layers, if a bad guy gets through one layer, you want another one right behind it, a deep defence approach.  

One of the most critical layers, is that of offensive security, i.e. looking and behaving as an attacker would; seeing what they see – spotting the potential weaknesses.

If the you want to assess your network, you’ll need to ensure that there are no known issues, referred to as vulnerabilities. 

Read more about the difference between Vulnerability Scanning v. Pen Testing in our blog.

Vulnerability management is an integral part of maintaining your organisation’s computer and network security. It entails scanning your IT infrastructure or software applications to locate and address known software vulnerabilities.

If you find vulnerabilities then you’ll want to get them fixed. Unfortunately this is a dynamic, ever changing situation. This is not a one time thing like installing a fire wall, it is an on-going process that you have to do all the time; Cyber Criminals don’t take Christmas, Eid, Diwali, Hanukkah or any other holiday off; in fact they often use them because they know you will be out of the office and slow to respond.

Nothing stands still

The problems facing you when fixing a vulnerability are compounded – because for any given piece of software, you may not make a change, but the situation changes around you.

Consider a piece of software:

  • Monday, your system is considered secure
  • Tuesday, a hacker finds a theoretical vulnerability in software used by your system
  • Wednesday, the hacker builds some code to exploit that vulnerability
  • Thursday, the vendor releases a fix
  • Friday, you apply the fix and you are back where you started, i.e. a system that is considered secure

The above events pan out many of times a day, across any given corporate network, in any particular order. This is why we get about 100 fixes from Microsoft every month. It is not just Microsoft Windows that you have to look out for; how about versions of Adobe Photoshop, WinZip, Notepad++ and so on.

s4 Applications Tenable v Nessus

We suggest a simplified 3 step process

  1. Proactively look for problems
  2. Prioritise them – work out which ones you really need to focus on
  3. Fix the bad ones

In this blog, we will be focusing on point 1 which is where Nessus and Tenable sit.  If you want more information on points 2 and 3 will be giving you more information in subsequent blogs on how to deal with them.

We also have a more detailed recommendation on best practice steps for Vulnerability management which you can read on our blog: 8 best practice steps for effective Vulnerability Lifecycle Management.

What is Nessus?

Nessus Pro is a Tenable scanning product, that scans your network and looks for around 120,000 known vulnerabilities.

The product is fantastic value at under $3,000, which allows you to scan as many items on your network as you wish.  Once the scan is complete you can run a report and see all of the different issues along with a simple to understand priority score (called the CVSS).

Note that you get a list of the issues as a report, but as I referred to previously, this is very much “process” orientated. The approach to reporting is very much “one off” – that means it does not show progress since the last scan and won’t help you manage machines being decommissioned for example. 

If you are looking to add more processes around the tool, then you’ll need to buy a Nessus upgraded product.

Other vendors will argue about this, but most people think that Nessus does the best detection job of all the tools available.  Because of this great detection, it is loved by pen-testers the world over.  Also because of this ability for detection, it is also loved by the bad guys the world over.

Request a demo with Tenable.

What is Tenable?

Tenable is a US based security company with revenues of around $500M per year. They focus on helping customers find vulnerabilities in their IT environments.

Their first and most famous product is Nessus, now called Nessus Professional or Nessus Pro for short (discussed above).  

They have a number of other technologies that build upon the great scanner to offer the sort of features that enterprises need. So all of the things listed above as missing from Nessus are in the enterprise tools, plus an awful lot more.

Tenable’s first and probably most famous enterprise tool was Security Center. This has recently been renamed to Tenable.SC.

More recently Tenable have released another product called Tenable.IO which has similar product features as the Tenable.SC, but is offered as a SaaS platform, whereas Tenable.SC is on-premise.

If you want more detail on these then have a read of our blog: Keeping up-to-date with the Tenable Product Portfolio.

A little history on Tenable and Nessus

The Nessus tool was originally an open source project and got as far as version 2. The company Tenable was then formed, the project was then made proprietary and Nessus version 3 was released by Tenable.

At this time the code was forked and OpenVAS was created as the open-source successor to Nessus.

OpenVAS is still being on-developed. It has recently become Greenbone Vulnerability Manager, but is still available in an Open source version if required.

Tenable took the Nessus tool and on-developed it adding the extra layers that the Enterprise customers are interested in. 

Whilst Tenable still sell the Nessus Pro software their main focus is the Enterprise market which is where there is a bigger sales opportunity, actively encouraging Nessus users to move to the enterprise tools. 

Every now and again they make modifications to the Nessus scanner to remove some feature or another to encourage adoption of the enterprise offering. The most recent changes were at the end of 2019 when they took away some of the APIs from Nessus and also made it single user.  If customers want these features then they will need to move to Tenable.SC or Tenable.IO.

Request a Tenable price quote. 

Where best to start?

So the Nessus scanner is probably the best scanning tool on the market when it comes to finding issues. So that’s it right? May as well go for Nessus???

Well possibly; it depends on what is right for your business needs.

Firstly, consider a server on your network, Nessus will probably find about 100 things wrong with it.  Nessus will also give you a severity rating from 0 to 10 to indicate where you should prioritise your patching resource.  

Remember it is the patching that makes you more secure, not getting a list of issues to deal with. Within that 100 issues will also be some items that you cannot patch for a variety of reasons, not least that the vendor has not released a patch, others will be hard work o fix and insignificant security risk.

So if another scanner didn’t find the 100 issues, only 90 of them, because it didn’t check for the lowest priority issues, would that be ok? 

Now let’s say that the other scanner also gave you a software inventory of the machine, prioritised the vulnerabilities for you based more on business risk, and provided a way to apply the patches all from one place.

The answer for some people is that they must have the best scanner, for others, having an integrated tool that allows them to patch faster is more important.

If you’re an SME looking for an all-in-one vulnerability management platform then Vicarius might be your best option for regulatory compliance and cyber protection. It has a full-stack of vulnerability assessment tools that actively identify risks, eliminate threats and provide actionable insights.

Vicarius continuously maps all the vulnerabilities found during analysis and identifies the biggest risks, prioritising threats, protecting vulnerable assets.

Request a Vicarius demo

Next steps on Tenable and Nessus or Vicarius

If you want the best scanner then have a look at our Tenable pages, if you want an integrated solution have a look at our Vicarius pages. Check out our Case Study page with examples on Tenable and Vicarius.

S4 Applications wants to help your business invest wisely to reduce risk exposure and protect business value. Contact us to guide you through our 6 step Maturation Model to get to grips with what your current maturity level is and prepare with you an effective plan to enhance your security maturity.

Book a free consultation.