Nessus or OpenVas
Hi dear pentesters,
I just wanted to hear from you what kind of experience you have with Openvas. The last few times I used both tools, and nessus was detecting more vulnerabilities than openvas (both tools with updated plugins of course). Can you confirm this? Is anybody using OpenVas at all??
Thanks for your comments............
more detected vulnerabilities does not mean less false positives. I would suggest you using such products as less as possible, and verify everything manually (every vulnerability with the possible exploit, not with a version check).
openvas works quite good since the 2.0 release. It's stable and powerfull through the possibilities to include hydra, nikto, nmap and so on. I think they have to spend more attention to their plugins. Nessus has much more plugins and they are finding more vulnerabilities with less false pos.
In my opinion openvas is on the right direction but has to spend a lot more work on their plugins.
Thanks for you answers so far guys.
I too think that the idea of openvas is great but still in too early stage.....
For compliance I suggest the use of Nessus. It is well known in the industry and anyone considering your report as part of an integrated check will be justified in using it as a fairly reliable state-of-play.
For updating, many sectors write add-in plugins which you can adapt for use in Nessus without changing the integrity.
For parallel checking one might use OpenVas as a second opinion.
Nessus is noisy. You might advise upstream the date and time of your scan to avoid allegation of attack.