Open Vulnerability Assessment System (or OpenVAS for short) is a full-featured, cross-functional, open-source web security scanner that started when Nessus stopped being open-source software and turned into a commercial security solution.
Once called GnessUs and launched as a spin-off of Nessus, it still uses numerous plugins written in Nessus Attack Scripting Language (NASL). Eventually, in 2006, OpenVAS would become the enterprise-level tool we know today.
Today, OpenVAS comes in two forms: as an open source module and as part of commercial software, both of which are maintained by Germany-based Greenbone Networks.
OpenVAS’s official site is so simplistic that it instantly redirects you to Greenbone’s site and their GitHub pages so you can learn a bit about OpenVAS and its history.
But to be fair, their GitHub page offers a lot of information – maybe even more than you’d like to read. Plus, there’s a blog and it seems pretty much alive.
Both the Greenbone and OpenVAS sites are available in English and German.
In addition to GitHub, you will find Greenbone on LinkedIn.
Subscriptions and prices
OpenVAS allows you to stay one step ahead of cybercriminals and you can do it without spending a dime – after all, it’s a free-to-use, open-source solution.
However, if you want something more than what this freeware has to offer, you can buy one of Greenbone’s paid products: Greenbone Enterprise Appliances or Greenbone Cloud Service. While both products are described in great detail, to get their price you will need to request a quote through the ticket form, which will ask you to provide details about yourself, your company and the security requirements.
You can also request a free 14-day trial to test Greenbone’s paid products for yourself.
While OpenVAS is made with Linux in mind, it can easily run on Windows if you create a Linux virtual machine on it, though this requires some technical skills.
Features and functionality
OpenVAS is a vulnerability scanner, meaning its mission is to proactively look for security vulnerabilities in your systems and software running on them, identify them, and predict how strong your cybersecurity measures will be in the event of an attack. It is one of the most critical tools in any cybersecurity toolbox.
Its core capabilities include unauthenticated and authenticated testing, support for a slew of high- and low-level Internet and industrial protocols, performance tuning, and an internal programming language for implementing various vulnerability tests.
OpenVAS comes with two feeds, Greenbone Community Feed (a free, open-source feed) and Greenbone Enterprise Feed (a commercial one).
While the open source feed is a bit short on features, it still has quite extensive coverage with home apps (e.g. those for Ubuntu, AVM Fritzbox, and MS Office).
It also comes with common and custom scan configurations, report formats, port lists, and critical vulnerability tests. However, because Greenbone has a creative and contributing community spread across the globe, the community feed currently contains over 100,000 vulnerability tests.
We must also take into account that all data is updated daily, but without any guarantee.
Interface and ease of use
Downloading and installing OpenVAS is quite complex and is sure to overwhelm non-tech-savvy users – which is why many will stop there and look for alternatives.
In short, installing OpenVAS means building it from source code, so if you are a Linux enthusiast who is familiar with doing that, you will have no problem. If not, you may need to consider other options.
Alternatively, you can use an OpenVAS virtual machine, which requires a virtual machine player – so consider using VirtualBox – it’s free, open-source, and available on all operating systems (OSes).
While the virtual machine option is much simpler than the source code, it’s still far from being beginner-friendly.
If all goes well, you’ll be taken to the OpenVAS user interface (UI), which looks quite outdated but isn’t counter-intuitive. It also includes a wizard that helps you set up both basic and advanced scans for target machines – so find the magic wand icon in the top left corner, click on it, select “Task Wizard” (or “Advanced Task Wizard” for advanced scans), enter the IP address you want to scan and click the “Start Scan” button.
Our scan completed surprisingly quickly, and even after we changed several scan policies, the time it took was perfectly reasonable.
OpenVAS isn’t exactly strong on customer support, so if you get stuck along the way (and yes, you probably will), you’ll have to settle for self-support options. Unfortunately, even if you’re willing to pay a pretty penny for premium support, there’s just no option to get it.
In the meantime, you are welcome to contact the Greenbone team via email or submit a support ticket if you have created an account with them. However, to get technical support, you should find out if someone on the Greenbone Community Forum is willing to lend you a hand out of the goodness of their heart.
In addition to the documentation page on the Greenbone site, you will also find an FAQ section, a glossary and a changelog.
Besides being a source of inspiration for OpenVAS, Nessus is also its most powerful competitor. In terms of performance, Nessus comes out ahead – it covers a wider range of vulnerabilities and offers a lower false positive rate. On the other hand, OpenVAS is more pocket-friendly and also offers a free module – so, if you have a tight budget to think about, give OpenVAS a try.
While Vulnerability Manager Plus beats OpenVAS when it comes to a beginner-friendly, easy-to-use, and modern-looking UI, OpenVAS is much more than a simple vulnerability scanner, so it wins in terms of complexity, customization, and scanning coverage.
If you’re looking for something more user-friendly and much simpler than OpenVAS, Probely will probably be the way to go. However, the free plan is as simple as they get.
OpenVAS is a powerful all-in-one vulnerability scanner that can perform large-scale assessments and a whole range of network vulnerability tests. Its main selling points are its colorful developer community, extensive scanning coverage, and the fact that it’s free open source software.
On the other hand, it is aimed at tech-savvy, DIY users.