News Analysis

On 12 December 2005, Tenable Network Security announced the latest release of Nessus, a vulnerability scanner that has been available free, with source code, through a GNU General Public License (GPL). Tenable will offer Nessus 3 under a commercial license, still without charge, but without source code. Source code will still be available for previous versions and forked GPL versions, and Tenable currently plans to continue providing bug fixes in open-source Nessus.

This announcement continues the trend toward commercialization that began when Tenable started offering registered plug-in feeds and commercial licenses for the Nessus engine. Tenable says it has no plans to charge for Nessus 3, but Gartner believes the company will begin charging for Nessus, likely applying only nominal fees at first, by 2009 (0.8 probability).
The new licensing changes will have little immediate impact on most enterprises that are not using the Nessus source code. However, all enterprises using Nessus need to begin planning for the longer-term consequences of Nessus' commercialization, which will depend largely on how the enterprise obtains the software: through a service provider, bundled with a commercial product, or through any channel that delivers GPL software. Nessus is embedded in many vulnerability management products, so IT decision-makers must determine whether Nessus is required for any products they use and analyze their providers' relationships with Tenable.
- Directly from Tenable: Sign the new commercial license. (Registered users paying for a direct feed will now receive e-mail support at no additional cost.)
- Through a service provider with a formal relationship with Tenable: Make no immediate changes.
- Through a service provider without a formal relationship with Tenable: Begin evaluating alternatives, because of the possibility of increased delays in vulnerability checks and legal action by Tenable against service providers that violate its license.
- Embedded in a third-party product of any type: Enter into a direct relationship with Tenable or evaluate alternatives. Tenable has no formal original-equipment-manufacturer relationships today, so any products with embedded Nessus violate its license agreements. Gartner believes Tenable will eventually take action against the providers of such products.
- Through a third-party channel using the GPL: If you are using Nessus source code in any way, evaluate open-source vulnerability assessment alternatives (such as the six currently available GPL "forks" of previous Nessus versions, including the OpenVAS project).
Analytical Source: Paul Proctor, Gartner Research