Tenable in Trouble After Spamming Customers
Cybersecurity vendor Tenable is in trouble with its customers after removing features in its new product and deluging them with emails following an admin error.
The firm’s new Nessus Professional v7 scanning tool drops two features: an API which allowed users to run scans remotely and multi-user support.
Several customers took to Twitter to voice their frustration at the move. One, @redsnapper88, had the following:
“Pretty disappointed with Tenable's decision to drop API support from Nessus Pro. Can anyone suggest a decent alternative that doesn't break the bank?”
Another, @FreedomCoder, was even more forthright:
“It is sad how @TenableSecurity has been systematically killing Nessus Professional update after update. Instead of adding feature, removing them in order to push users to their less useful more expensive solutions. No API WTF !!!!!”
To add insult to injury, users were overwhelmed with email spam for a couple of hours on Tuesday after they were added to a new Nessus Professional group support forum.
Noted security expert Brian Honan had this to say on Twitter:
“Wow, @TenableSecurity not a nice move to sign me up without my permission to your Tenable Community and then hit my mailbox with emails I don't want. Then to have to sign in to opt-out not good. Four letters for you to become aware of #GDPR”
In firefighting mode, the firm’s co-founder and CTO, Renaud Deraison, apologized for the email snafu, claiming the firm had inadvertently turned on notifications for users for every post on the forum.
“This triggered a cascade of emails for a subset of Nessus Professional customers for approximately two hours yesterday,” he explained.
“We are currently implementing system changes to ensure no new notifications will be sent to group members unless you update your own notification preferences. Also, customers will only be added to Collaboration Groups upon their consent. As an extra precaution, we have temporarily disabled the community site as we update the settings.”
He also tried to explain the reasoning behind the new feature set in Nessus Professional v7, claiming that users who want to scan remotely can do so in Tenable.io.
“It was never intended for use in a purely automated fashion, using the API to run scans remotely and extract the data into another system. In fact, the first version of Nessus didn’t even have any form of command line support,” he said.
“As a result, we never built any safeguards in the API preventing a script from misusing it and overloading the scanner. Ultimately we decided to let go of this API after having seen some misuse of this functionality which stretched the capabilities of the scanner.”
Deraison added that multi-user support was dropped because “it adds confusion and falls short of expectations since users can’t share results.”
He maintained that only 2% of customers actually use the remote scan API and just a “handful” of scanners have multiple users.
“We believe using our engineering resources to make the scanner more efficient, flexible and scalable rather than focus on corner use cases is the right strategy to providing you with the best experience,” he added.
Source: Information Security Magazine