It's time to get real about agentless NAC and Nessus
I have been reading a lot lately about companies that tout the benefits of agentless NAC and their unique (even patent-pending) approach to it. Let's be really clear here. If you are using Nessus for NAC scanning, you are using the wrong tool, at the wrong time, for the wrong job. On top of this, you may be subjecting yourself to significant liability for improper use of licensed software. If you don't believe me about the potential legal liabilities, ask Ron Gula, the CEO of Tenable Network Security.
What really gets me ranting, though, are companies that know full well their use of Nessus is most likely illegal. So what do they do? They hide the fact they are using Nessus under the covers and now make their customers potential co-conspirators in this improper use. They put out slick marketing and file patent filings that will probably be impossible to obtain final approval for. I am further amazed that supposedly legitimate journalists and test lab reviewers write about companies using this software with this improper use of Nessus and don't bother to do their homework and make sure they are not also encouraging their customers to potentially take on this liability.
I am really sick of the smoke-and-mirrors game being used to confuse customers about what they are getting and how it is getting done. If you are looking at either NAC solutions or vulnerability management, you should ask your potential vendors point blank: do they use Nessus, and if they do, how are they doing it legally? If you have any question on what to ask for, write me; I would be happy to help. I have spent a lot of time researching the licensing issues here. On another day, I will write about why Nessus is the wrong tool, at the wrong time, for the wrong job in NAC.
Author's note: In the interest of fair disclosure, let me mention that our VAM, vulnerability management product, does use Nessus. Not for NAC, obviously, though. In another article I will explain how we use Nessus legally.


