At 02:18 PM 3/5/2003 +0100, Renaud Deraison wrote:

I think that the bottom line is that Nessus would have performed much
better with non-default configuration options, but one could argue that
not everyone is knowledgeable enough to tweak everything.

Forgive me for ignoring Renaud's "case closed" long enough to comment on one overlooked thing -


Whether the author of this article is a competent tech, quality writer, bedwetter, serial killer or the most brilliant person alive is irrelevant to a comparison article of this kind being any good. Just as in basic logic, these comparisons are usually bad because they start from flawed or indeterminate principles.

Presumably for marketing reasons, there's no intended audience announced or apparently intended for this article, leaving open the question of whether the person running this software should be a grade school student, chef, MCSE, computer science grad, nuclear engineer, manager - apparently the article will speak to all of them, meaning that perhaps the person running the tests will have some familiarity with the flaws being found, perhaps not. Maybe they understand altering the port scanner, maybe not.

Further, since it makes no statements about "we'll try these fresh out of the box with default settings" or "we'll go through the steps as outlined in included documentation but not consult external how-to information" (although these are somewhat implied if you read between the lines) versus "we're going to simulate setting these up for continued use within the network" (although -THAT- is somewhat implied by the complaint about the lack of auto-updating) it's not clear what minimum level of commitment is assumed or expected if the reader is going to implement these things themselves.

Clearly the extreme position of "you don't have to know anything" would yield an article that was about a paragraph long and which says "Toss some money at Qualys or someone like them who will run scans on demand and provide you with reports." The opposite extreme, in fairness, would likely appeal to few of their readers since anyone interested in and capable of setting up a completely comprehensive and regular scanning process will likely not be doing it based on a magazine article. Nor could you really document the steps required and impart all the necessary knowledge in a magazine-length document. You probably couldn't even do it in book length if you intended to survey all those possible scanner choices.

To make a horridly long story marginally less so, any complaints about this article past its failure to clearly define its starting point and objective are just rearrangements of deck chairs on a sinking ship. It's impossible to define the failures in design of something that doesn't know what it's supposed to be.


Don Whiteside, Managing Partner
Terminus Security LLC
703-421-9996
http://www.terminus-security.com