Tenable introduced the free Nessus Essentials product, and also discussed the wisdom of building apps in Electron, along with fixes for Spectre and Meltdown.
Cybersecurity firm Tenable is making its vulnerability assessment tool Nessus more widely available with the free Nessus Essentials version, introduced earlier this month, which replaces the previous non-commercial-use Nessus Home version. Nessus Essentials permits users to scan up to 16 IPs on home or work networks, and Tenable touts it as having “more than 100,000 plugins, coverage for more than 45,000 CVE and over 100 new plugins released weekly within 24 hours of vulnerability disclosure.”
“Last year, we celebrated 20 years of Nessus, and as part of that, we talked to other professionals,” Nessus creator and Tenable CTO Renaud Deraison told TechRepublic. “Something which honestly I did not realize until we started to do that exercise was that a lot of people actually got started in security, or had their careers impacted, by the use of Nessus,” adding that the motivation for creating Nessus Essentials was a desire to “expand the notion of teaching the basics of security through a tool.”
Deraison also noted that Tenable has insight into which applications and tools are actually in use in the enterprise, and that this has prompted the company to form a dedicated task force of full-time researchers who study those applications and look for vulnerabilities in them.
“We found vulnerabilities in CCTV cameras. We found a flaw in Zoom conferencing software. Last week, we released something about Slack… we’re building a fairly good relationship with a lot of these vendors and we try to be a wake-up call on how to improve security practices,” Deraison said. “For some of them it works really well, for others it’s more like business as usual. But as a company, we’ve reached a size where we can actually influence them much more than we could five years ago.”
On the wisdom of building applications in Electron
Tenable’s discovery of a vulnerability in Slack echoes a similar vulnerability from 2018 in Electron’s handling of custom URIs. Electron—which is used in popular applications such as Skype, Signal, Wire, Discord, and GitHub’s text editor Atom—provides an easy-to-use cross-platform framework for developers, though it is often criticized for performance bloat and security issues, as Electron is functionally a purpose-built, stripped-down browser.
“If you look at… a typical web browser, a lot of work is done by Apple, Microsoft, and Google to really nail down everything which has to do with encryption, and credentials, and they warn you appropriately if a certificate is not recognized,” Deraison said. “We looked at using Electron for Nessus internally and… I am kind of afraid that we will miss something which the browser solved.”
Searching for a solution to patching Spectre, Meltdown, and other side-channel attacks
Perhaps the most intractable problem in information security is the existence of hardware-level vulnerabilities in CPUs, which require changes to how compilers work, as well as patches to CPU microcode that change the behavior of the processors themselves, in order to mitigate the potential damage. Not all mitigations are equal: some incur a sizable performance penalty, while the cost of others is marginal or workload-dependent.
“There is a certain lack of pragmatism from our industry, when it comes to some of these attacks. …In general these type of attacks tend to be not that easy to carry [out],” Deraison said. “If you look back at the security industry over the last 20 years, we’re very black or white, and it’s either safe or unsafe… We try to bring a healthy dose of pragmatism, to say ‘Yeah, on paper it is a big bomb. In practice, there’s no exploit for it. Or it’s only a proof of concept, but nobody really did something at scale with that flaw.’ So as an industry we need to be more about shades of gray than just black and white.”
For more, check out “Why MDS vulnerabilities present a threat as serious as Spectre and Meltdown” and “Survey: IT industry vets do not think today’s new IT professionals have adequate training” at TechRepublic.