Yesterday I described my experience registering with Tenable Network Security to access their Registered Feed. I said "security consultants using Nessus must pay an annual $1200 fee to access the Direct Feed. Free use of the Tenable plugins is only allowed on one's own network."
This first part was correct, but the second part was not. It turns out that Tenable approves use of the Registered Feed (with the seven-day plugin lag) if the consultant signs Tenable's commercial agreement. I downloaded, signed, and faxed the document to Tenable. I just received back a copy signed by Tenable. This means I can now use the Registered Feed plugins to scan networks I do not own.
If I want the most current plugins (without the seven-day lag), I should still sign up for a Direct Feed and pay $1,200 per year. My original interest in using Nessus involved quick assessments as part of incident response remediation activities. The Registered Feed is sufficient in my mind for that purpose. Should a client contract me to perform a thorough vulnerability assessment, I plan to pay Tenable the $1,200 needed to access their Direct Feed.
Thanks to Ron Gula, who read my earlier blog entry and offered clarification on the licensing issues.