How I Used OpenVAS to Uplift Essential Eight Maturity For Free!

When it comes to the ASD Essential Eight (E8), one of the hardest parts isn’t implementing the controls; it’s proving you’re actually maturing. Auditors want evidence, not promises. The good news is that you don’t always need an expensive vulnerability management platform to get there.

I’ve previously used OpenVAS (Open Vulnerability Assessment System), a completely free, open‑source scanner, to help an organisation uplift its E8 maturity. It wasn’t perfect, and I learned a few lessons the hard way, but it worked. Here’s how.


The Problem We Needed to Solve

We were aiming to uplift maturity for:

  • Patch Applications
  • Patch Operating Systems

But we had a few constraints:

  • No budget for commercial vulnerability management tools
  • A requirement for audit‑ready evidence
  • A need to map everything directly to the Essential Eight maturity model

OpenVAS ended up being the perfect fit.


Why OpenVAS Worked

OpenVAS gave us exactly what we needed without the licensing cost:

  • Automated vulnerability scans across servers and network devices
  • Exportable reports that could be dropped straight into audit packs
  • Regular vulnerability test feed updates from Greenbone (the free Community Feed), so checks for newly published CVEs arrive without any licensing step. Be aware that the Community Feed is a subset of Greenbone’s commercial feed, so coverage of some enterprise products lags or is missing, and keep the feed sync running on a schedule of its own.

By scheduling recurring scans, we created a repeatable control. That matters because the maturity model itself asks for a vulnerability scanner with an up-to-date vulnerability database, run on a defined cadence, and because auditors assessing uplift from Maturity Level 0 to Level 1 or 2 look for proof that the control runs consistently, not once.


How OpenVAS Supports the Essential Eight

OpenVAS doesn’t patch systems or enforce allowlisting. What it does provide is visibility, and that visibility becomes evidence.

Essential Eight Strategy | How OpenVAS Helps                                                           | What You Still Need
Patch Applications       | Identifies outdated or vulnerable third-party apps and reports their CVEs   | Patch management workflows
Patch Operating Systems  | Highlights missing OS patches and insecure versions                         | WSUS, Intune, SCCM, or similar tools

OpenVAS is the flashlight — patching tools are the hands that fix what you find.


Building Audit‑Ready Evidence

Instead of saying “we patch monthly,” we could now prove it.

We provided:

  • Before/after scan reports
  • Trend data showing vulnerability reduction
  • Documented workflows linking scans to patching tickets

This shifted our audit submissions from storytelling to evidence‑driven, which dramatically improved credibility.
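To show what turning two scan exports into before/after and trend evidence looks like in practice, here is an added example of my own (it is not code from the original post or from Greenbone). It diffs two OpenVAS CSV result exports, reports what was fixed, what is new and what persists, and groups the outstanding findings per host in the form you would raise a patching ticket from. It assumes the “CSV Results” report export from the Greenbone Security Assistant, with at least the columns IP, Port, Port Protocol, CVSS, Severity, NVT Name, NVT OID and CVEs as I recall them; the parser reads columns by header name, so extra columns are ignored, but check the header of your own export. The two exports embedded in the script, including their OIDs and CVE identifiers, are constructed sample data.

```python
"""Diff two OpenVAS CSV result exports into before/after evidence.

Added example (not the original post's or Greenbone's code). Assumes the GSA
"CSV Results" export layout: one row per result, with at least the columns
IP, Port, Port Protocol, CVSS, Severity, NVT Name, NVT OID and CVEs. Columns
are matched by header name, so extra columns are ignored.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample exports (OIDs and CVE ids are placeholders): the scan
# before a patch cycle and the scan after it.
BEFORE_CSV = """IP,Hostname,Port,Port Protocol,CVSS,Severity,NVT Name,NVT OID,CVEs
10.0.0.5,app01,443,tcp,7.5,High,Apache HTTP Server End of Life Detection,1.3.6.1.4.1.25623.1.0.100000,CVE-2021-0001
10.0.0.5,app01,22,tcp,5.3,Medium,OpenSSH Information Disclosure,1.3.6.1.4.1.25623.1.0.100001,CVE-2020-0002
10.0.0.6,db01,3306,tcp,9.8,High,MySQL Remote Code Execution,1.3.6.1.4.1.25623.1.0.100002,"CVE-2022-0003, CVE-2022-0004"
10.0.0.6,db01,general,tcp,0.0,Log,OS Detection,1.3.6.1.4.1.25623.1.0.100003,
"""
AFTER_CSV = """IP,Hostname,Port,Port Protocol,CVSS,Severity,NVT Name,NVT OID,CVEs
10.0.0.5,app01,22,tcp,5.3,Medium,OpenSSH Information Disclosure,1.3.6.1.4.1.25623.1.0.100001,CVE-2020-0002
10.0.0.5,app01,443,tcp,5.0,Medium,SSL/TLS: Weak Cipher Suites,1.3.6.1.4.1.25623.1.0.100004,
10.0.0.6,db01,general,tcp,0.0,Log,OS Detection,1.3.6.1.4.1.25623.1.0.100003,
"""

# Rows below this score are informational ("Log" results carry 0.0) and would
# only inflate the counts, so they are left out of the evidence.
MIN_CVSS = 0.1


def load_results(csv_text):
    """Parse one export into {finding_key: finding}.

    A finding is keyed on (IP, Port, Port Protocol, NVT OID) so the same
    vulnerability on the same service matches across two scans even when the
    NVT name or score changes between feed updates.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            cvss = float(row.get("CVSS") or 0.0)
        except ValueError:
            cvss = 0.0
        if cvss < MIN_CVSS:
            continue
        key = (row["IP"], row["Port"], row["Port Protocol"], row["NVT OID"])
        cves = [c.strip() for c in (row.get("CVEs") or "").split(",") if c.strip()]
        findings[key] = {"host": row["IP"], "severity": row.get("Severity", ""),
                         "cvss": cvss, "name": row.get("NVT Name", ""), "cves": cves}
    return findings


def compare_scans(before, after):
    """Split the two key sets into fixed, newly seen and persisting findings."""
    return {"fixed": sorted(set(before) - set(after)),
            "new": sorted(set(after) - set(before)),
            "persisting": sorted(set(before) & set(after))}


def severity_counts(findings):
    return Counter(f["severity"] for f in findings.values())


def trend_line(label, findings):
    """One data point for the trend chart in the audit pack."""
    c = severity_counts(findings)
    return f"{label}: High={c['High']} Medium={c['Medium']} Low={c['Low']} total={len(findings)}"


def open_items_by_host(after):
    """Outstanding findings grouped by host, the unit a remediation ticket is raised for,
    highest score first so the ticket leads with what must be patched soonest."""
    by_host = defaultdict(list)
    for f in after.values():
        by_host[f["host"]].append(f)
    return {h: sorted(fs, key=lambda f: -f["cvss"]) for h, fs in by_host.items()}


def evidence_report(before_csv, after_csv):
    """Return (diff, text) where text is the before/after summary for the audit pack."""
    before, after = load_results(before_csv), load_results(after_csv)
    diff = compare_scans(before, after)
    lines = [trend_line("before", before), trend_line("after", after),
             f"fixed={len(diff['fixed'])} new={len(diff['new'])} persisting={len(diff['persisting'])}"]
    for key in diff["fixed"]:
        f = before[key]
        lines.append(f"FIXED {key[0]}:{key[1]}/{key[2]} {f['name']} ({', '.join(f['cves']) or 'no CVE'})")
    for host, fs in sorted(open_items_by_host(after).items()):
        lines.append(f"OPEN {host}: " + "; ".join(f"{f['name']} [{f['cvss']}]" for f in fs))
    return diff, "\n".join(lines)


if __name__ == "__main__":
    print(evidence_report(BEFORE_CSV, AFTER_CSV)[1])
```

Keying on IP, port, protocol and NVT OID rather than on the NVT name is deliberate: names and scores get edited as the feed is updated, and a finding that merely changed its label would otherwise show up as one “fixed” and one “new” item, which is exactly the kind of noise an auditor will pick apart.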


Lessons Learned (Including the Painful One)

One of my early scans took down a production server.

Yes — completely down.

The Full and Fast scan profile overloaded an application during peak usage. Even though the scan was approved, it was a wake‑up call.

Here’s what that incident taught me:

  • Run scans of high-demand systems after hours, never during peak usage
  • Set scan windows (e.g., 10pm–5am) with a duration on the schedule, so a scan that overruns is stopped by gvmd at the end of the window and can be resumed the next night instead of running into the business day
  • Communicate clearly with system owners before scanning

I also faced resistance from some teams:

  • Concerns about performance
  • “We don’t have time to patch anyway”

What changed their minds?

Evidence.

  • Before/after reports
  • Trend lines
  • Clear proof that vulnerabilities were shrinking

How to Schedule Scans Without Breaking Production

OpenVAS is powerful, but like any scanner, it consumes CPU, memory, and bandwidth. Running it at the wrong time can slow down critical systems.

Setting Up Scheduled Scans

  • Create a Scan Task in the Greenbone Security Assistant (GSA).
  • Attach a Schedule with a start time, recurrence, and duration. The duration is the safety net: when it expires gvmd stops the task, and a stopped task can be resumed in the next window.
  • Tune the scan profile and the task settings:
    • Keep safe checks enabled. The safe_checks scanner preference is on in the stock scan configs; turning it off allows tests that can crash services. It is not a guarantee, though: the outage above came from a stock profile under peak load, so scheduling and concurrency limits matter as much.
    • Limit concurrency on the task: lower “Maximum concurrently scanned hosts” and “Maximum concurrently executed NVTs per host”.
    • Break large networks into smaller targets, so each task is short and can be rescheduled on its own.
  • Assign your targets and let the schedule handle the rest.
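The same setup can be driven through the Greenbone Management Protocol (GMP) instead of the GSA dialogs, which is handy when you manage several scan windows or want the configuration in version control. The following is an added example of my own, not code from the original post or from Greenbone: it builds the GMP XML for a schedule, a target and a throttled task with the standard library and can send it to gvmd over its Unix socket. Everything site-specific is an assumption to be replaced: the socket path, the time zone, and the UUIDs of the scan config, scanner and port list, which GSA (or gvm-cli’s get_configs, get_scanners and get_port_lists) will show you for your own installation.

```python
"""Create a throttled, scheduled OpenVAS task through GMP.

Added example (not the original post's or Greenbone's code). Builds GMP XML
with the standard library and can send it to gvmd over its Unix socket. The
socket path, time zone and every UUID below are assumptions to replace with
the values from your own installation.
"""
import socket
import xml.etree.ElementTree as ET
from datetime import datetime

GVMD_SOCKET = "/run/gvmd/gvmd.sock"  # assumed location; check where your gvmd listens


def build_ical(first_day, start_hour, start_minute, duration_hours):
    """iCalendar VEVENT for a daily window; first_day is YYYYMMDD.

    DTSTART has no trailing 'Z', so gvmd reads it in the schedule's <timezone>.
    DURATION is the maximum run time: when it elapses gvmd stops the task, and
    a stopped task can be resumed, so an overrun spills into the next window
    rather than into the business day.
    """
    return "\n".join([
        "BEGIN:VCALENDAR", "VERSION:2.0", "PRODID:-//example//scan-window//EN",
        "BEGIN:VEVENT",
        f"DTSTART:{first_day}T{start_hour:02d}{start_minute:02d}00",
        f"DURATION:PT{duration_hours}H",
        "RRULE:FREQ=DAILY",
        "END:VEVENT", "END:VCALENDAR", "",
    ])


def build_create_schedule(name, ical, tz):
    el = ET.Element("create_schedule")
    ET.SubElement(el, "name").text = name
    ET.SubElement(el, "icalendar").text = ical
    ET.SubElement(el, "timezone").text = tz
    return ET.tostring(el, encoding="unicode")


def build_create_target(name, hosts, port_list_id):
    """One target per network segment keeps each task short and easy to reschedule."""
    el = ET.Element("create_target")
    ET.SubElement(el, "name").text = name
    ET.SubElement(el, "hosts").text = ", ".join(hosts)
    ET.SubElement(el, "port_list", id=port_list_id)
    return ET.tostring(el, encoding="unicode")


def build_create_task(name, config_id, target_id, scanner_id, schedule_id,
                      max_hosts=5, max_checks=2):
    """max_hosts / max_checks are the task's concurrency limits (GSA labels them
    'Maximum concurrently scanned hosts' and 'Maximum concurrently executed NVTs
    per host'); low values trade a longer scan for a lighter load on each host."""
    el = ET.Element("create_task")
    ET.SubElement(el, "name").text = name
    ET.SubElement(el, "config", id=config_id)
    ET.SubElement(el, "target", id=target_id)
    ET.SubElement(el, "scanner", id=scanner_id)
    ET.SubElement(el, "schedule", id=schedule_id)
    prefs = ET.SubElement(el, "preferences")
    for pname, value in (("max_hosts", max_hosts), ("max_checks", max_checks)):
        pref = ET.SubElement(prefs, "preference")
        ET.SubElement(pref, "scanner_name").text = pname
        ET.SubElement(pref, "value").text = str(value)
    return ET.tostring(el, encoding="unicode")


def response_id(response_xml):
    """Return the id from a create_*_response, or raise with gvmd's status text."""
    root = ET.fromstring(response_xml)
    status = root.get("status", "")
    if not status.startswith("2"):
        raise RuntimeError(f"{root.tag}: {status} {root.get('status_text', '')}")
    return root.get("id")


class GmpSocket:
    """Minimal GMP client: one XML command in, one XML response out."""

    def __init__(self, path=GVMD_SOCKET):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(path)

    def send(self, command_xml):
        self.sock.sendall(command_xml.encode())
        buf = b""
        while True:  # gvmd sends no terminator; read until the reply parses as one element
            chunk = self.sock.recv(65536)
            if not chunk:
                raise ConnectionError("gvmd closed the connection")
            buf += chunk
            try:
                ET.fromstring(buf)
                return buf.decode()
            except ET.ParseError:
                continue

    def authenticate(self, username, password):
        el = ET.Element("authenticate")
        creds = ET.SubElement(el, "credentials")
        ET.SubElement(creds, "username").text = username
        ET.SubElement(creds, "password").text = password
        response_id(self.send(ET.tostring(el, encoding="unicode")))  # raises on a bad login


def create_nightly_scan(gmp, hosts, config_id, scanner_id, port_list_id, tz="Australia/Sydney"):
    """Schedule a 22:00 to 05:00 daily task for the given hosts and return its id."""
    ical = build_ical(datetime.now().strftime("%Y%m%d"), 22, 0, 7)
    schedule_id = response_id(gmp.send(build_create_schedule("Nightly 22:00-05:00", ical, tz)))
    target_id = response_id(gmp.send(build_create_target("Prod segment", hosts, port_list_id)))
    return response_id(gmp.send(build_create_task(
        "Nightly patch-status scan", config_id, target_id, scanner_id, schedule_id)))
```

To use it on a scanner host, construct GmpSocket(), call authenticate() with a GMP user, then create_nightly_scan() with the hosts of one segment and the UUIDs of your scan config, scanner and port list; every response is checked through response_id(), so a wrong UUID or a rejected schedule fails loudly instead of silently creating a task that never runs.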

Working With Your Team

  • Agree on a scan window (overnight, weekends, maintenance periods).
  • Communicate early and often.
  • Pilot on non‑critical systems first.
  • Document everything in your ITSM/change calendar.

Remediation Workflow

Use your organisation’s ITSM tool to:

  • Raise tickets for system owners
  • Track remediation progress
  • Link scan results to patching activities

For some systems, you may need recurring patch cycles or regular check‑ins with owners.


Appendix: Installing OpenVAS

Recommended Operating Systems

  • Ubuntu Server (LTS) — best for production
  • Debian — lightweight and stable
  • Kali Linux — great for labs, not ideal for production

Install on Ubuntu/Debian

sudo apt update && sudo apt upgrade -y
sudo apt install openvas -y     # installs the scanner and, where the distribution packages them, gvmd and gsad
sudo gvm-setup                  # initialises the databases, runs the first feed sync and prints the generated admin password
sudo gvm-start                  # starts gvmd, gsad and the scanner services
sudo gvm-check-setup            # checks the installation and tells you how to fix anything it flags

Two caveats. First, gvm-setup, gvm-start and gvm-check-setup are helper scripts from Kali’s packaging; if they are not present after the apt install on your Ubuntu or Debian release, follow Greenbone’s documented install path for that distribution instead of hunting for them. Second, the first feed sync takes a long time, and results are not trustworthy until it has finished. Change the generated admin password straight away (gvmd’s --user and --new-password options do this) and keep it out of shell history.

Access the web UI at:
https://localhost:9392

With the Kali packaging gsad listens only on 127.0.0.1. Reach it through an SSH port forward from your workstation rather than rebinding it to a network interface.

Install on Kali Linux

The commands are the same; Kali’s gvm package is where the gvm-* helper scripts come from, which is why it is the path of least resistance for a lab:

sudo apt update && sudo apt upgrade -y
sudo apt install openvas -y
sudo gvm-setup
sudo gvm-start

Access the web UI at:
https://localhost:9392


Key Takeaways

  • Free tools can still deliver enterprise‑grade visibility
  • Evidence drives maturity, not assumptions
  • OpenVAS detects, patching tools fix
  • Repeatability is essential for E8 uplift
  • Mistakes are part of the journey (especially the server‑crashing kind)

Final Thought

If your organisation needs to demonstrate Essential Eight maturity uplift but doesn’t have the budget for commercial tools, OpenVAS is a practical, no‑cost way to generate audit‑ready evidence and build momentum.

Sometimes uplift isn’t about spending more, it’s about using what you already have, learning from the bumps, and turning those lessons into stronger, more resilient practices.

