Re: Alternatives to Nessus

["SD List" <list () security-database com>]

Hi there,

Since we've started running Security-Database Tools Watch, we've tested
tons of tools, software, utilities and even wrote some reviews for
products.

What's the best alternative for nessus ?? is a complex question !! Since,
you cannot rely on "one" software to perform a pentest or security
assessment. Architectures become more complex and need auditors to use a
wide set of toolkit to assess different "objects"  (Object could be
Operating System, Application, Database, Policy etc etc).


IMHO, OpenVAS is "on its way" to be an alternative for Nessus since that
the old community (frustrated in the past by the nessus closed-source
affair) is showing up and starting to give a helping hand to develop
plugins and tools .. just a matter of time to catch up the nessus learning
curve !!

The added value that seduces me in OpenVAS is the integration of the open
standard OVAL. Now, you can really perform advanced "Local auditing" using
definition developed by the Mitre.org community and others.

When nessus will fail (or return less accurate results) to scan for
advanced Web vulnerabilities, OpenVAS will just rely on integrated tools
to do such task ..  You can see it as a Mastermind Framework for "open
source tools". Just take a look at the integrated tools to have an idea
http://www.openvas.org/integrated-tools.html


Now, both nessus and openvas will not cover all the pentest / audit
phases. As for myself, i use them in the final stage to get a complete
overview of my assessment. I'd prefer playing with "perl / python"
utilities (http://www.darkc0de.com/) to get more information about a
target

Regards

Nabil OUCHN
Security-Database.com

> * jond [21. Mar 2009]:
> > Has anyone found any good alternatives to Nessus?
> > I've played around with OpenVAS with their backtrack build, but either
> > it's not pulling all the plugins, or it's just not as accurate as
> > Nessus.
>
> Being one of the OpenVAS developers I might be a little biased, but I
> would consider OpenVAS to be mature enough (especially in the latest
> versions) to be good and Free alternative to Nessus.
>
> I'm sorry to hear that your experience was not completely positive and
> would like to help you with any trouble you might have had.
>
> Right now, OpenVAS is still missing a few plugins which could be carried
> over from Nessus due to licensing issue. The OpenVAS plugin developers
> are working on replacements, we hope to have them ready in the near
> future.
>
> Furthermore, there have been reports of missing results when performing
> concurrent checks on certain targets; it might help to "Concurrent
> Checks" to 1 in the OpenVAS client.
>
> I seem to recall that there were some issues with Backtrack environment,
> that might be another starting point.
>
> It would be very helpful for us to know more about the issues you are
> experiencing; you are welcome to join us in #openvas on irc.oftc.net or
> on the mailing lists listed on the OpenVAS website at
> http://www.openvas.org/. If you have discovered issues you consider to
> be bugs, feel free to report them on http://bugs.openvas.org/.
>
> Feel free to contact me if you have any questions or suggestions.
>
> Regards,
>
> Michael
>
> --
> Michael Wiegand | OpenPGP: D7D049EC | Intevation GmbH - www.intevation.de
> Neuer Graben 17, 49074 Osnabrück, Germany   |    AG Osnabrück, HR B 18998
> Geschäftsführer: Frank Koormann,  Bernhard Reiter,  Dr. Jan-Oliver Wagner



------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Tired of using other people's tools? Why not learn how to write your own exploits? InfoSec Institute's Advanced Ethical 
Hacking class teaches you how to write stack and heap buffer overflow exploits for Windows and Linux. Gain your 
Certified Expert Penetration Tester (CEPT) cert as well.

http://www.infosecinstitute.com/courses/advanced_ethical_hacking_training.html
------------------------------------------------------------------------