As a vulnerability analyst by trade, I spend a lot of time using vulnerability scanners. Qualys and Tenable are the two market leaders in this space. I’ve used both in the field. Let’s take a look at Qualys vs Nessus so you can decide which of the two is right for you.
A vulnerability scanner is an essential part of an enterprise vulnerability management program. Having the right scanner is essential because a vulnerability management program lives or dies by having data that is accurate and actionable.
Qualys vs Nessus from a user’s perspective
I first used Nessus sometime around 2007 or 2008, to scan a DoD network I administered in advance of a DISA audit. If DISA found a missing patch, my job was in jeopardy. DISA didn’t find any missing patches. Nessus did a good job of helping me do mine.
Later in my career I moved into vulnerability management from patch management, a transition I recommend. I managed Qualys, Tenable Security Center, and Nexpose from Rapid7 in the field prior to going to work for Qualys in 2016. Yes, I worked for Qualys for almost two years.
Today I manage Qualys and Tenable solutions for other companies. I found I like managing these solutions better than I like selling them.
I hold certifications in Qualys, Nessus, and two other Tenable vulnerability management products.
In the right situation, any of these products is capable. I got used to hearing the names of competing products followed by the words, “great product.” Calling them “great” is posturing. All of them have some room for improvement. And not everyone uses them in the right situation.
Nessus isn’t an enterprise solution
Nessus is much cheaper than Qualys, but that’s because it’s not an enterprise vulnerability management solution. It’s intended for small teams to perform one-off scans. Tenable recently removed some enterprise functionality from Nessus because too many people were using it instead of Security Center or Tenable.io.
Tenable makes enterprise solutions based on Nessus technology, but it’s the costlier Tenable.io or Security Center you need for enterprise-grade scanning. If Nessus meets your needs, then Qualys is overkill. If Qualys looks about right, then Tenable.io or Security Center are the Tenable solutions you should compare it with.
Anything I can say about Nessus’ scanning capability applies to Tenable.io and Security Center.
Ease of use
Both Qualys and Tenable make vulnerability management more complicated than they need to, but of the two, Qualys is easier to learn. Tenable’s user interface just isn’t as intuitive. That said, if you’re going to run a vulnerability management program, you need to take the training from whoever you buy it from. Neither Qualys nor Tenable charges for training and certification, and you can take the training online at your own pace. Take a day to go through the training, take a few hours to review, then take the test. Both are 40 questions and the passing score is 70 percent. I’m certified in both solutions and I only encountered one or two trick questions on either test. That’s OK; you can miss 12.
When I encounter vulnerability management programs at large companies, the teams who invest 2-3 days in training have few problems. If you absolutely can’t afford two days, take the training and skip the test. The teams who try to wing it have no end to their problems, and they waste two days each week trying to keep things working. There’s stuff in the training that you just can’t put anywhere in the user interface.
I’ve heard people use the excuse that the training isn’t tailored to their particular environment, but trust me. After seeing nearly 50 corporate environments, they are more alike than they are different. You’ll come out of training knowing what questions you need to ask in order to tailor it to your environment. Nobody at Qualys or Tenable knows your DHCP ranges or where your firewalls are.
Whichever solution you choose, write down the things you don’t know. Look in the documentation to see what it has to say about those things. If they’re general questions not about vulnerability management, find out who in your company can help you find those answers.
On-premise versus cloud
Tenable Security Center and Nessus both reside on your network, running on hardware in your datacenter. Qualys and Tenable.io reside in the cloud, with only their scanners residing on your network.
This makes people nervous, but both solutions encrypt the data in transit and at rest. Qualys stores your data in a virtual private database and the key is based on your user account. All Qualys knows about your data is how much storage space you’re using and how many IP addresses you scanned.
I know less about what Tenable does behind the scenes, but since Tenable hired a number of former Qualys developers, its architecture and security measures undoubtedly are very similar.
My biggest gripe with Nessus was always consistency. With Qualys, it took me a few minutes to figure out how to do the fundamental task of scanning a server or group of servers. I constantly see people make the same mistakes I made, but we all learn pretty fast. And with Qualys, I only had to learn it once.
With Nessus, I had to take notes because without them, I kept making the same mistake every single time. And then when they changed the user interface from Flash to HTML 5, they moved enough stuff around that I had to re-learn it again. But the user interface at least has remained pretty consistent for the last couple of years since that switch.
Both tools bury some valuable functionality, but Qualys at least buries stuff to keep from moving something that’s been in one place for years. When I came back to using Qualys after not using it for a couple of years, it wasn’t a hard adjustment. Coming back to Nessus after a couple of years is a bit harder.
With Nessus, everything is a plugin. Every report, every security policy, every vulnerability signature. You can enable or disable virtually anything in one place. That’s both the best and worst thing about Nessus.
Qualys makes distinctions about those things. Vulnerability signatures are called QIDs, or Qualys IDentifiers. Reports are reports. Dashboards are dashboards. Policies are policies. You can import new ones from Qualys’ library if you wish. In some cases you can import and export them to XML or JSON files too.
If you want to disable a particular vulnerability check for whatever reason, you create a custom option profile to do it. There you can select or deselect particular QIDs. You can create a static list with specific QIDs enabled and disabled, or a dynamic list, where you specify criteria, and the list can adapt as new QIDs come out.
Active scanning versus passive
Both solutions will do active scanning, which is a scanner probing your system and, ideally, logging in and looking around. But Tenable offers passive scanning, which is placing a sensor on a span port or network tap so it can examine traffic. By analyzing protocols, it can find vulnerabilities in systems based on banners and other tell-tale signs in the traffic without ever touching your systems.
In environments with a lot of medical or SCADA equipment, passive scanning is invaluable. It allows you to find missing patches without scanning fragile systems. It’s less accurate, but it’s also completely non-invasive. If you need passive scanning, you need it pretty badly.
Qualys doesn’t do much for mobile devices. Tenable doesn’t do much either, but it does more than Qualys. It won’t scan mobile devices directly, but it will scan your mobile device manager and report back on what it finds. This varies, but if you have mobile devices running outdated operating systems, it will tell you. It probably won’t tell you about outdated apps. Tenable does enough to win RFPs but it’s not what I would call a robust solution. Then again, it’s not mobile phones that are hurting most companies. It’s Java and browser plugins. There are companies who have time to worry about whether someone is reading e-mail on a phone running Android 2.0, but there aren’t many of them.
Doing something in this space would add quite a bit of perceived value to Qualys. I think Qualys is looking at actual value and not perceived value. That’s commendable, but I know it’s also causing them to lose sales to Tenable.
The cloud is changing fast and both solutions have a ways to go here. Both solutions are pre-authorized to scan assets residing in Amazon Web Services. Qualys is also pre-authorized for Microsoft Azure and Google Cloud, so Qualys is a better solution for now if you have assets at Google or Microsoft. Tenable has better support for Docker containers and has been supporting Docker longer.
It’s likely that right now neither solution has everything you want. That could change sometime in 2018 though.
In terms of accuracy, Qualys vs Nessus is a tight race. Both give you fewer false positives and false negatives than the #3 vulnerability scanner, Nexpose from Rapid7. Nexpose looks at the registry, but doesn’t dig into the filesystem as deeply as Qualys or Nessus do. This makes Nexpose faster, but makes it a lot less accurate. This drives remediation teams crazy, but if the file containing a vulnerability didn’t update, the system is still vulnerable. False negatives are bad. The solution isn’t to ignore them, it’s to dig deep and fix them. Here’s how I used to do it.
Also, with either solution, you need authenticated scans for any degree of accuracy. Neither tool gives good results without authentication; they’ll have too many false negatives and false positives.
I have noticed one major difference between Qualys and Nessus. Nessus does a better job of finding missing updates to open-source software running on Windows. In a test environment I scanned, Nessus found vulnerable versions of LibreOffice and VLC that Qualys missed. Both solutions find these programs on Linux systems, but some people do run them on Windows.
Tenable’s solutions are cheaper than Qualys, even their enterprise-grade solutions. You will need twice as many scanners with Tenable as you will with Qualys, unless you have fewer than 3,000 machines on your network. That can eat up some of the cost savings in the form of more virtual infrastructure. I don’t know exactly how Tenable.io is priced, since I just manage it, and I’ve never sold it. My understanding from talking to other customers is that Tenable.io isn’t much cheaper.
That said, Tenable doesn’t charge extra for policy compliance. Qualys charges a lot for policy compliance. If you want to harden your systems to a standard like CIS or NIST or the DISA STIGs and scan your systems to see how well you’re doing, the appropriate solution from Tenable will be much less expensive.
That said, beware of the hidden cost when evaluating Qualys vs Nessus. With Qualys being a cloud-based SaaS solution, Qualys handles the maintenance and upgrades. With Nessus and with Security Center, you have to handle them.
The Patch Report
Both Qualys and Nessus have a secret weapon called the Patch Report. Use it.
Effective vulnerability management teams don’t give raw scan results to patching teams unless they ask for it. Patching teams generally don’t want 8,000 pages of raw scan results. They want to know what patches to deploy. Both Qualys and Nessus patch reports eliminate superseded patches from the list, giving the most concise list of action items possible.
Security teams that use patch reports, in my experience, have 50-75% fewer vulnerabilities in their networks than security teams that don’t.
Here’s another suggestion. Save your patch reports forever. When the time comes for annual reviews, compare the patch report from 12 months ago against the current one. The difference isn’t a perfect measure of what you’ve done over the course of a year, but it’s a good estimate that takes five minutes and comes from an objective third party. Security teams have to compete with project managers for priority. When you can give your patching team data like, “You applied no fewer than 20,000 patches and closed no fewer than 60,000 vulnerabilities in the corporate network in the past 12 months,” they become very interested in what else you have to say.
The Qualys patch report is nice because it has a nice summary at the beginning of how many patches you need and how many vulnerabilities the list will fix.
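The supersedence collapse, the summary counts and the year-over-year comparison described in this section, sketched as an added example (not code from Qualys, Tenable or this post). The CSV columns, host names, vulnerability IDs, patch names and supersedence map are all constructed, and the sketch assumes every superseding patch is cumulative, which real vendor patches do not always guarantee.

```python
import csv
import io
# Constructed sample scans. Assumed columns: host, vuln_id, patch that fixes it.
SCAN_LAST_YEAR = """host,vuln_id,patch
web01,VULN-1001,PATCH-2023-01
web01,VULN-1002,PATCH-2023-02
web01,VULN-1003,PATCH-2023-03
db01,VULN-1001,PATCH-2023-01
db01,VULN-2001,PATCH-DB-7
"""
SCAN_TODAY = """host,vuln_id,patch
web01,VULN-1003,PATCH-2023-03
db01,VULN-2001,PATCH-DB-7
db01,VULN-2002,PATCH-DB-8
"""
SUPERSEDED_BY = {  # constructed map: old patch -> patch that replaces it
    "PATCH-2023-01": "PATCH-2023-02",
    "PATCH-2023-02": "PATCH-2023-03",
    "PATCH-DB-7": "PATCH-DB-8",
}

def latest(patch, superseded_by=SUPERSEDED_BY):
    """Follow the supersedence chain to the newest patch, guarding against loops."""
    seen = set()
    while patch in superseded_by and patch not in seen:
        seen.add(patch)
        patch = superseded_by[patch]
    return patch

def patch_report(scan_csv):
    """Map (host, newest patch) -> set of findings it closes on that host."""
    report = {}
    for row in csv.DictReader(io.StringIO(scan_csv)):
        key = (row["host"], latest(row["patch"]))
        report.setdefault(key, set()).add(row["vuln_id"])
    return report

def summary(report):
    """(patch installs needed, findings those installs close)."""
    return len(report), sum(len(vulns) for vulns in report.values())

def closed_since(old_csv, new_csv):
    """(host, vuln_id) pairs present in the old scan but gone from the new one."""
    def findings(text):
        return {(r["host"], r["vuln_id"]) for r in csv.DictReader(io.StringIO(text))}
    return findings(old_csv) - findings(new_csv)

if __name__ == "__main__":
    print(summary(patch_report(SCAN_LAST_YEAR)), summary(patch_report(SCAN_TODAY)))
```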
I used to spend 2-3 days building get-well plans for infrastructure teams. These tools’ patch reports automate that process. That’s been my secret weapon for a while, but here are some other vulnerability management best practices that can help you, regardless of tool.
Qualys vs Nessus: In conclusion
If you just need to scan a few machines to make sure they’re up to date, buy Nessus. It’s the best, most cost-effective solution for ad hoc scans for small networks.
If you’re running a vulnerability management program for a large enterprise, it’s hard to go wrong with Qualys. It scales well, to the point where companies with millions of active IP addresses can use it. Often when you contact hardware makers to ask if it’s safe to scan their stuff with Qualys, they’ll tell you that’s what they use themselves.
Tenable has some large customers too, but they aren’t using Nessus.