Advantages and Disadvantages of Nessus



Nessus is a popular vulnerability scanner that began as an open-source (GPL) project, which made it attractive to organizations that chose not to spend money on proprietary products. Note that the open-source points in the table below apply to the Nessus 2.x code base: Tenable closed the source with Nessus 3, and the GPL code base continued as the OpenVAS fork, so check which version you are evaluating before relying on the licensing rows. There are significant advantages to Nessus over many other products, but there are also some disadvantages.
Item: Single server performs scans and captures results to a database
  Advantage: High-performance capture of data with minimal results-reporting impact on the network.
  Disadvantage: Forces a centralized server architecture in which all scans take place from a single server.

Item: Open-source product
  Advantage: Low cost of ownership. Can be customized by an end user with the technical knowledge.
  Disadvantage: No support without an extra fee. Requires greater knowledge to install and operate the product.

Item: The user can compile the binary
  Advantage: Operates on multiple platforms (operating systems and CPU architectures).
  Disadvantage: Requires strong knowledge of the target systems and of building open-source software.

Item: An optimized version of Nessus is recommended for scanning Windows XP SP2 platforms, to avoid false negatives
  Disadvantage: Scalability problem: if your organization has a mix of architectures (e.g., Linux and Windows), two versions may come into use, or you may be better off standardizing on a Windows version.

Item: Professional feeds provide immediate updates
  Advantage: Receiving immediate updates for the latest vulnerabilities is obviously good.
  Disadvantage: You must pay for this, but the cost is likely the same as or cheaper than other products.

Item: Home feeds provide free vulnerability updates
  Advantage: This is a good way to get started evaluating the tool.
  Disadvantage: This is not licensed for commercial use.

Item: Plug-ins
  Advantage: These elements of Nessus allow for extensibility and customization, commonly beyond what other products offer.
  Disadvantage: The increased complexity requires considerable knowledge and experience to deploy.

Item: NASL[*]
  Advantage: This language allows the user to script and run specific vulnerability checks, providing a degree of control that most products do not.
  Disadvantage: Knowledge of NASL, and of how to run scripts from the command line, is necessary.

[*] Nessus Attack Scripting Language

Security Content Automation Protocol (SCAP)


Security Content Automation Protocol (SCAP, pronounced “ess-cap”) is an overarching suite of the aforementioned standards: CVE, CVSS, CPE, XCCDF, and OVAL, together with the Common Configuration Enumeration (CCE) for configuration settings. NIST maintains the SCAP specification (NIST SP 800-126), which defines how these component standards work together in an automated fashion, and hosts the content for them in the NVD.
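The following worked example, added to this page and not NIST or NVD code, shows the minimal version of that automation: a CPE name ties an installed product to a catalog entry, the entry carries a CVE identifier, and the CVSS base vector attached to it yields the priority score. It scores CVSS v2 vectors (the version SCAP 1.0 used) with the published v2 base equation, matches CPE 2.2 URIs with a simplified rule (an absent trailing component in the catalog pattern means "any"), and runs over a constructed inventory and catalog; the CVE-0000-* identifiers are placeholders, not real vulnerabilities. A real pipeline would read the NVD feeds and OVAL definitions rather than hand-built dictionaries, and XCCDF/OVAL evaluation is not covered here.

```python
"""Added example: tie CPE inventory to CVE catalog entries and rank by CVSS v2.
Not NIST/NVD code; sample data below is constructed."""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base-metric weights from the CVSS v2 guide.
_AV = {"L": 0.395, "A": 0.646, "N": 1.0}     # access vector
_AC = {"H": 0.35, "M": 0.61, "L": 0.71}      # access complexity
_AU = {"M": 0.45, "S": 0.56, "N": 0.704}     # authentication
_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}    # confidentiality/integrity/availability impact


def cvss2_base_score(vector):
    """CVSS v2 base score for a vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P'."""
    m = dict(part.split(":") for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]]))
    if impact == 0:
        return 0.0  # f(Impact) = 0 when there is no impact at all
    exploitability = 20 * _AV[m["AV"]] * _AC[m["AC"]] * _AU[m["Au"]]
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * 1.176
    # NVD rounds half up to one decimal; Python's round() uses banker's rounding.
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cpe_components(cpe):
    """Split a CPE 2.2 URI 'cpe:/part:vendor:product:version:update:edition:language'
    into seven lowercase components; absent trailing components become ''."""
    if not cpe.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % cpe)
    parts = cpe[len("cpe:/"):].lower().split(":")
    return parts + [""] * (7 - len(parts))


def cpe_matches(pattern, installed):
    """Simplified CPE matching (assumption of this example): every component the
    catalog pattern specifies must equal the installed product's component."""
    return all(p in ("", i) for p, i in zip(cpe_components(pattern), cpe_components(installed)))


def applicable_findings(inventory, catalog):
    """Return (cvss_score, cve_id, installed_cpe) for each catalog entry whose
    affected-CPE list matches an inventory item, highest score first."""
    findings = []
    for entry in catalog:
        for installed in inventory:
            if any(cpe_matches(p, installed) for p in entry["cpes"]):
                findings.append((cvss2_base_score(entry["vector"]), entry["id"], installed))
    return sorted(findings, key=lambda f: (-f[0], f[1]))


# Constructed sample data: a host's product inventory and a toy catalog.
SAMPLE_INVENTORY = [
    "cpe:/o:example:server_os:5.0:sp2",
    "cpe:/a:example:webserver:2.1",
    "cpe:/a:example:mailer:1.4",
]
SAMPLE_CATALOG = [  # placeholder CVE ids, not real vulnerabilities
    {"id": "CVE-0000-0001", "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
     "cpes": ["cpe:/a:example:webserver:2.0", "cpe:/a:example:webserver:2.1"]},
    {"id": "CVE-0000-0002", "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
     "cpes": ["cpe:/a:example:webserver"]},          # any version
    {"id": "CVE-0000-0003", "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
     "cpes": ["cpe:/o:example:server_os:5.0:sp1"]},  # SP1 only; host runs SP2
    {"id": "CVE-0000-0004", "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
     "cpes": ["cpe:/a:example:mailer:1.3"]},         # host runs 1.4
]

if __name__ == "__main__":
    for score, cve, cpe in applicable_findings(SAMPLE_INVENTORY, SAMPLE_CATALOG):
        print("%4.1f  %s  %s" % (score, cve, cpe))
```

Run as a script it lists the two entries that apply to the sample host, the 7.5 web-server flaw ahead of the 4.3 one; the SP1-only and mailer 1.3 entries are correctly excluded because their CPE patterns specify a version the host does not run.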
SCAP also has a product validation program to assist in evaluating products for compatibility with the various open standards. NIST provides detailed descriptions of the validation areas, abbreviated here to give you a sense of the possible areas of validation:
  • Federal Desktop Core Configuration (FDCC) scanner: A product with the ability to audit and assess a target system in order to determine its compliance with the FDCC requirements, which were the result of the U.S. government OMB Memo M-07-18. That memo states that the provider of information technology shall certify applications are fully functional and operate correctly as intended on systems using the FDCC.
  • Authenticated configuration scanner: A product with the ability to audit and assess a target system to determine its compliance with a defined set of configuration requirements using target system log-on privileges.
  • Authenticated vulnerability and patch scanner: A product with the ability to scan a target system to locate and identify the presence of known software flaws and evaluate the software patch status to determine compliance with a defined patch policy using target system log-on privileges.
  • Unauthenticated vulnerability scanner: A product with the ability to determine the presence of known software flaws by evaluating the target system over the network.
  • Intrusion detection and prevention systems: Products that monitor systems or networks for unauthorized or malicious activities. An IPS actively protects the target system or network against these activities.
  • Patch remediation: The ability to install patches on a target system in compliance with a defined patching policy.
  • Misconfiguration remediation: The ability to alter the configuration of a target system in order to bring it into compliance with a defined set of configuration recommendations.
  • Asset management: The ability to actively discover, audit, and assess asset characteristics, including installed and licensed products; location within the world, a network, or an enterprise; ownership; and other related information on IT assets such as workstations, servers, and routers.
  • Asset database: The ability to passively store and report on asset characteristics, including installed and licensed products; location within the world, a network, or an enterprise; ownership; and other related information on IT assets such as workstations, servers, and routers.
  • Vulnerability database: A product that contains a catalog of security-related software flaw issues labeled with CVEs where applicable. This data is made accessible to users through a search capability or data feed and contains descriptions of software flaws, references to additional information (e.g., links to patches or vulnerability advisories), and impact scores.
  • Misconfiguration database: A product that contains a catalog of security-related configuration issues labeled with Common Configuration Enumeration (CCE) identifiers where applicable.
  • Malware tool: The ability to identify and report on the presence of viruses, Trojan horses, spyware, or other malware on a target system.
When a product is assessed and validated, it is for one or more of these areas. The validation status of products is posted on NIST’s public Web site. Being validated does not assure the quality or reliability of the product, only that it meets the criteria set forth by the SCAP program.
