Nessus Turns 20!

Twenty years ago this week, I released the first public version of Nessus. Little did I know at the time the profound impact it would have both on the industry and on me personally.

Over this period of time, Nessus quite literally redefined the vulnerability management industry and profoundly influenced the security industry as a whole. Nessus is one of the most widely used security tools on the market today. I’m very proud to say that Nessus has helped 1.6 million enthusiasts become cybersecurity professionals – and I can’t even begin to tell you the number of people who have told me that Nessus launched their careers, and hearing that is always so personally gratifying.

There’s actually a little backstory to this adventure that I’m guessing only a handful know. On April 4, 1998, I sent an email to the bugtraq mailing list to let a little group of security geeks (and I use that term with respect) know about a project I had been working on during the previous 12 months – a Linux app with a graphical interface that would check networks for more than 50 vulnerabilities. Yes, you read that correctly – 50 vulns! I vividly remember thinking that I’d release the software, incorporate the little feedback I’d get and move on to something else.

Instead, the feedback I received was so encouraging that I ended up dropping out of college (my parents were NOT happy, but that’s a story for another day) and creating Tenable.

Why did Nessus become popular?

In hindsight, here’s why I believe Nessus became so popular:

1. It was a Linux application with a graphical user interface, which was very rare for security tools at the time. The webpage I set up had many screenshots, and the interface looked professional enough to generate curiosity. At the time, most security tools simply were a computer archive on a FTP server somewhere, with a README.txt file in it.
2. I announced it at the right place, at the right price, on the right platform, and at the right time. Nessus originally could not compete feature-to-feature with ISS (the 800-pound gorilla at the time). It was Linux-based and ISS had just dropped Linux support, which was what security professionals were using. The “industry” was very much anti-commercialism, and every security professional was reading bugtraq religiously.
3. I managed to create a direct relationship with the user community and worked days and nights to analyze bug reports and take feature requests into consideration.
4. Finally, I simply put lots and lots of work into it. For months, I’d work until 5 a.m., reverse-engineering some obscure undocumented protocols to make Nessus more powerful as a whole.

If you think about the four points above, you’ll recognize that they outline guiding principles for many successful products:

• First, identify an unmet need (in the early days of Nessus, that was the graphical interface) and then deliver against it.
• Second, understand the power of industry context – or put another way, no engineering in a vacuum.
• Third, know your user and the community you serve.
• Fourth, work harder than your competitors.

These principles are key. They ensure that our goal for Nessus today remains the same as it was at the beginning – offer a tool that gives its users an outsider’s view of the security of their network and guidance on how to improve it.

Nessus: What’s on the horizon?

In 2018, networks have never been so complex and security guidance has never been so sought-after. Nessus’ role within the security arsenal of any professional could not be more relevant in our era of BYOD, IoT, public cloud, etc. The team is hard at work to improve Nessus to reflect these changes and to tune Nessus to better adapt to modern IT environments:

• Before the end of the year, we’ll release a new engine that scales better, especially on the Windows platform.
• We’re also hard at work to dramatically reduce the installation time for Nessus. The “processing plugins” progress bar should soon be a thing of the past.
• The Tenable Research team is hard at work to refactor some of our critical libraries (such as the work that was done with SSH) to work in more environments and open up the way for more complex and reliable checks in the future.

These changes will make it easy to install Nessus in systems with fewer resources, such as low-end cloud instances. The reduced installation time will also make it easier to move the scanner from one system to another.

Thanks to the Nessus user community

Finally, the reason Nessus has been successful all these years is you, our user community. And we want to hear from you!

If you’re a Nessus user with a story to tell and you’re happy to share it on video, come visit me and the Tenable team at the RSA Conference in San Francisco from April 16 to 20 (booth #4301, Moscone North).

I’m looking forward to the future and to see how we all contribute to it.