Wednesday, December 13, 2017

Is Tenable pulling an Equifax / Ashley Madison ?


One of the founders tried to appeal to the security crowd with a posting about how these new FEATURES are better for the end user, and in my opinion it is the biggest pile of crap since the last US election (slight exaggeration for effect, but still a pile of dung).

https://www.tenable.com/blog/a-clarification-about-nessus-professional

He started by explaining how he created the product for consultants and penetration testers, etc.

He then goes on to explain that supporting multiple users is complicated and, since the users cannot share reports, it wasn't worth the effort.

Hey genius, if we migrate our version 6 to 7, any users we have created get ported over, and according to Tenable support they will always be there; you just can't create NEW ones, and if you install from scratch you are limited to just one.

So who is full of shit here?  If the system can continue to support multiple users, then limiting the addition of NEW users is a marketing game, not a technical one.  Aside from the fact that limiting to a single user and forcing enterprise users to share passwords is absurdly nuts.

And this is how he explains it:  "We evaluated this feature and realized it adds confusion".  Really... confusion... each human has their own user account and this is confusing.

Second issue, the API.

It's complicated to have a secure API and maintaining it is also complicated.
And people used it too aggressively and it could impact the performance of the product.

So we left it there but killed the features that allow you to launch a scan.

WHAT !!!!

So if I use my MacBook too aggressively (like a baseball bat) Apple will start making laptops with no mouse pad.

And all the features still work if you buy the bigger solution and it talks to the scan engines just fine.


  • The reason you removed multi users is marketing.
  • The reason you are crippling the API is marketing.
  • You want people to buy your TENABLE.IO solution and your Cloud based solution.


For the love of all gods please do not try to shovel shit down the throats of the hardcore technical folks who have supported you from the start and made you what you are today.

It's disgusting, insulting and revolting.

Actually, it's disrespectful, but it sure as hell is "Doing Business the American way".

And while we are on that note, please remove from the NEW FEATURES & IMPROVEMENTS section both items which, for everyone who reads English, are NOT IMPROVEMENTS OR FEATURES.

I prefer being told the truth and not being filled with bull and then having someone add to it trying to tell us it is for our own good.   If I overload my Nessus scanner through the API, that's my problem, not yours.

And Renaud, as a founder, you have failed.  You've made a lot of money, and built an empire, but you have failed the "community" who supported you for the last 13 years since the fork of 2005.

So why the click bait title mentioning Equifax and Ashley Madison?  Simple: to some extent, they all treat their customers below what I deem acceptable, and the truth is we are not their customer, we become their product (think about that), and one thing is for sure, they all lie about their true motives.

Shareholders care about increasing recurring revenue and growing a large enterprise user base.  That's how you make your Wall Street value go up.

In this case we have not only a shareholder, but a founder making up numbers.

He states, and I quote: "Less than 2% of users use the remote scan API, and there are only a handful of scanners out there with multiple users."  These are numbers he has no way of knowing.  A "Handful"... every scanner I have ever worked with had multiple users.  Must be a Canadian thing.  So the bull sounds just like Equifax and Ashley Madison to me: just write up a press release and make stuff up.

Speaking of Canadians, and almost every other country: we have data residency laws, and the US has brilliant laws like the US Patriot Act.  What this means is that you can't push us to use a cloud-based solution unless it is hosted in our own country.  And Tenable doesn't offer cloud services in every country.  So we simply can't use your cloud products.  Not that I would want to.

Sad day in my mind.   And I'm an optimist !


_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies



www.eva-technologies.com


