Nessus has been a mainstay of vulnerability scanning since the Nessus Project was started by Renaud Deraison in 1998. The Nessus website claims that over 75,000 organizations worldwide use the program.
Nessus began as an open source product. In 2002, Deraison and Ron Gula, developer of the Dragon intrusion detection system, set up Tenable Network Security for the purpose of commercializing Nessus and building a suite of comparable products around it.
The result is that Nessus is now closed source, but still available at no cost. Additionally, a Windows version called NeWT (Nessus Windows Technology) is now available. We tested the current version of Nessus.
In its original configuration, Nessus is client-server based. The scan engine runs as a server on a Linux computer, and you communicate with it using Linux or Windows clients. The client can run on the server machine or elsewhere. NeWT makes a good portable scanner for consultants and engineers who need to manage vulnerabilities at multiple sites.
Because parts of Nessus are still open source, there is a huge community of developers writing scripts (called “plugins”) for new vulnerabilities as soon as they are discovered. The result is a library of nearly 10,000 plugins. You can get the plugins automatically seven days after they are introduced, or you can pay some $1,200 a year to get them immediately.
Nessus is simply a vulnerability scanner, but, because of its huge number of plugins, it is arguably the most capable scanner available.
And clearly, the price is right, even if you opt for the instant gratification that $1,200 per year buys you. There is no limit on the number of addresses you can scan, and the reporting, although very simple, is excellent for what it is.
One strength of the Nessus/Tenable marriage is that the firm has developed other products that work with Nessus to increase its power and reach. These include a centralized security management console and a log aggregator.
The Nessus documentation is first rate.