Apparently OpenVAS originated as a fork of Nessus. It is very easy to install and use OpenVAS because it's, well, open. However, am I kidding myself if I just use that instead of Nessus? Should I be using both, or if I use Nessus then is OpenVAS surplus to requirements?
To break it down into non-subjective sub-questions:

* Is OpenVAS a superset or subset of Nessus?
* Is one updated more often than the other?
* Does one have a bigger vulnerability database than the other?
* ...or are there other qualitative differences that I may be missing?
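The superset/subset question is best settled empirically: scan the same hosts with both tools, export the reports, and correlate the findings by host, port and CVE. The script below is an added example and is not taken from the question, either scanner's project code, or any answer. It parses a Nessus `.nessus` (v2) export and an OpenVAS/GVM XML report using only the standard library, then reports which CVEs both scanners found and which only one of them reported. The XML documents embedded in it are constructed samples with placeholder plugin IDs and CVE numbers; their element names follow the commonly exported formats (`ReportHost`/`ReportItem` with `<cve>` children for Nessus; `<result>` with `<host>`, `<port>` and an `<nvt>` carrying either `<cve>` text or `<refs><ref type="cve">` for OpenVAS), but field layout differs between versions, so treat the parsers as a starting point to adjust against your own exports.

```python
"""Correlate CVE findings from a Nessus (.nessus v2) export and an OpenVAS/GVM
XML report to measure how much the two scanners overlap on the same targets.

Added example; the XML below is constructed sample data, not real scan output,
and the plugin IDs / CVE numbers in it are placeholders.
"""
import xml.etree.ElementTree as ET

# Constructed .nessus v2 sample. Real exports carry many more attributes;
# only host name, port/protocol and <cve> children are used here.
NESSUS_SAMPLE = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="lab">
    <ReportHost name="192.0.2.10">
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                  pluginID="100001" pluginName="placeholder SMB plugin">
        <cve>CVE-2000-1111</cve>
        <cve>CVE-2000-2222</cve>
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2"
                  pluginID="100002" pluginName="placeholder SSH plugin">
        <cve>CVE-2000-3333</cve>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="100003" pluginName="informational, no CVE"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Constructed OpenVAS/GVM sample. Newer GVM puts CVEs under <refs>, older
# OpenVAS used a comma-separated <cve> text (or the literal NOCVE); both
# shapes are shown so the parser handles either.
OPENVAS_SAMPLE = """<?xml version="1.0" ?>
<report>
  <results>
    <result id="r1">
      <host>192.0.2.10</host>
      <port>445/tcp</port>
      <nvt oid="1.3.6.1.4.1.25623.1.0.0">
        <name>placeholder SMB NVT</name>
        <refs><ref type="cve" id="CVE-2000-2222"/></refs>
      </nvt>
      <severity>9.3</severity>
    </result>
    <result id="r2">
      <host>192.0.2.10</host>
      <port>80/tcp</port>
      <nvt oid="1.3.6.1.4.1.25623.1.0.1">
        <name>placeholder HTTP NVT</name>
        <cve>CVE-2000-4444, NOCVE</cve>
      </nvt>
      <severity>7.2</severity>
    </result>
  </results>
</report>
"""


def nessus_findings(xml_text):
    """Return a set of (host, 'port/proto', cve) tuples from a .nessus v2 document."""
    found = set()
    root = ET.fromstring(xml_text)
    for host in root.iter("ReportHost"):
        name = host.get("name", "").strip()
        for item in host.iter("ReportItem"):
            port = f"{item.get('port')}/{item.get('protocol')}"
            # Informational plugins have no <cve> children and are skipped.
            for cve in item.findall("cve"):
                if cve.text and cve.text.strip():
                    found.add((name, port, cve.text.strip()))
    return found


def openvas_findings(xml_text):
    """Return a set of (host, 'port/proto', cve) tuples from an OpenVAS/GVM report."""
    found = set()
    root = ET.fromstring(xml_text)
    for result in root.iter("result"):
        # findtext returns only the text before child elements such as <asset>.
        host = (result.findtext("host") or "").strip()
        port = (result.findtext("port") or "").strip()
        nvt = result.find("nvt")
        if nvt is None:
            continue
        cves = set()
        for c in nvt.findall("cve"):  # older style: comma-separated text
            for token in (c.text or "").split(","):
                token = token.strip()
                if token.startswith("CVE-"):  # drops NOCVE and blanks
                    cves.add(token)
        for ref in nvt.iter("ref"):  # newer style: <refs><ref type="cve" id=.../>
            if ref.get("type") == "cve" and ref.get("id"):
                cves.add(ref.get("id").strip())
        for cve in cves:
            found.add((host, port, cve))
    return found


def compare(nessus_set, openvas_set):
    """Split findings into those both scanners reported and those unique to each."""
    return {
        "both": sorted(nessus_set & openvas_set),
        "nessus_only": sorted(nessus_set - openvas_set),
        "openvas_only": sorted(openvas_set - nessus_set),
    }


if __name__ == "__main__":
    report = compare(nessus_findings(NESSUS_SAMPLE), openvas_findings(OPENVAS_SAMPLE))
    for bucket, rows in report.items():
        print(f"{bucket}: {len(rows)}")
        for host, port, cve in rows:
            print(f"  {host:<15} {port:<9} {cve}")
```

Replace the two sample strings with the contents of real exports (for example `open("scan.nessus").read()`) to run it against your own data. A large `nessus_only` or `openvas_only` bucket on identical targets is the objective answer to the overlap question; remember that it reflects plugin coverage on that date, so rerun it after both tools have pulled updates before drawing conclusions about which database is larger. Scanner exports are normally trusted input, but if you ever parse reports from an untrusted source, swap `xml.etree` for `defusedxml` to rule out entity-expansion tricks.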
I personally much prefer Nessus.
It has a better feel and management, not to mention the updates offered.
Furthermore, the control of Nessus via updates and usage I believe is more professional because of the proprietary model. It's just easier to use.
Although OpenVAS was forked, since then (2008) OpenVAS has changed into something new with new features and functions not offered in Nessus.
For a simple desktop version assessment (1 user, small amounts of checking), I would go with Nessus.
However, because OpenVAS is an open source product, people are saying its scanning abilities are a little further along than Nessus. (I can't prove this, nor do I really believe it :P)
In a nutshell, choose...
quicker updates -> good scanning = Nessus
slower updates -> better scanning = OpenVAS
Hope this helps :D
It is a good idea to have the ability to use both: you can tune either Nessus or OpenVAS to run 'fast scans', and given that OpenVAS is free, this allows you to run numerous on-demand scans of any kind.
Nessus may be preferred/required by some compliance auditors you interact with in the future. Some of this may be rooted in logic, but because of the open-source nature of OpenVAS combined with the common difficulty that the general security-admin public has in installing/using/maintaining it, some auditors may view it negatively without any application of logic to their conclusion.
The two-role nature becomes more relevant considering that Nessus has a cloud offering now: so you truly have the classic "expensive, easy-to-use/maintain, commercial offering" versus the "free, harder-to-use/maintain, open-source version". Both definitely can be used together, and in a production environment this could translate into