Nessus Changes Their Licensing

June 30, 2008

I have been a strong supporter of Nessus for quite some time.  Tenable has built what is, in my opinion, one of the best scanning engines that I have had the chance to play with.  I have evangelized both Nessus and Security Center on multiple occasions, and I still affirm that Security Center is one of the best vulnerability management tools I have had the pleasure to work with.  However, recently Tenable has me questioning my continued loyalty.  Tenable is fundamentally changing the way that the Nessus feeds work in terms of licensing.

Currently there are two feeds, the “Registered Feed” and the “Direct Feed”.  The “Registered Feed” is free to everyone, with no restrictions on which plugins you can use or how you can use them (commercial, residential, etc.).  However, the Registered Feed is delayed 7 days.  This means that if Tenable releases a new plugin today to detect the new “scriptkiddie” vulnerability, Registered Feed users will see it a week from today.

The Direct Feed isn’t delayed at all, and it also has what Tenable calls Audits.  You give Nessus credentials to log in to the systems it is scanning, and then specify the audit you want to run.  Nessus will log in to the computer and check for things that you wouldn’t be able to see at the network level, such as old versions of Acrobat or whether Windows Update is set to run automatically.

As of July 31st, however, this is all going to change.  Tenable is dropping the Registered Feed and replacing it with a “Home Feed”.  The Home Feed will have no delay in plugins, but the licensing restricts it to non-commercial use ONLY.  The Direct Feed is simply being renamed to “Professional Feed”.

I understand that Tenable is out to make money and that they want to secure themselves in the market.  I also understand that a lot of people are happy enough with the Registered Feed that they never really saw a need for the Direct Feed.  However, I can see this only hurting Tenable in the long run in pursuit of a short-run gain.  I can see a lot of people either simply not updating the sensor anymore after July 31st, registering for the Home Feed just to get the updates, or even starting to look into other products like Qualys.

Even more disturbing is the whole bait-and-switch mentality that Tenable has been taking.  They closed the source of Nessus 3.x after all prior versions had been GPLed.  A lot of people cried out and said that by closing the source code behind Nessus, Tenable was locking themselves out of some markets and upsetting their user base as a whole.  For the most part the end result of the change was minimal, since the feeds were still there, so people could still run the application.

This time, however, they are locking the entire professional community out of the ability to freely test their product from a legal standpoint.  Suddenly, for a company that is simply looking for a one-off scan to see the viability of Nessus, or to run a quick-n-dirty scan against themselves to make sure everything is ok, it’ll cost $1200 for a one-year subscription to the Professional Feed.  Again, there is nothing stopping someone from simply lying and registering for the Home Feed; however, this is basically telling a potential customer that in order to use Nessus, they first need to break the license.  Is anyone else seeing the problems with this?
