Tenable.io Platform Release Notes - December 2020

Important Highlights from this Release

Tenable.io

  • Frictionless Assessment GA roll out started.

    • Includes new cloud connector user experience.

    • Released in the ap-sing-1, jp01, ap-syd-1, eu-fra-1, uk-lon-01, ca-01, and us-1a regions as of December 1, 2020.

  • New Tenable plugin for Splunk Mission Control.

  • Version 3.0 of the Tenable apps for ServiceNow.

    • Adds ServiceNow Paris support.

    • Moves from the custom CI matching/creation engine to ServiceNow IR. For more information, see Upgrade to 3.0.x Tenable Applications.

    • Adds ACR and AES to Tenable asset attributes when the customer has Lumin.

Tenable.io Web Application Scanning

  • WAS API Scanning is in Beta.

    • A new API template is available, allowing users to scan their RESTful API endpoints by providing a Swagger or OpenAPI specification file. The WAS scanner parses the specification and audits all the endpoints it describes.

    • As part of this feature, a new Path Parameter element is available for auditing and is enabled by default in API scan templates, allowing the scanner to test dynamic parameters inside endpoint paths for vulnerabilities.

  • WAS Landing Page with Export Functionality

    • The Tenable.io WAS landing page now provides export functionality, allowing each widget or the whole page to be exported to PDF, PNG, or JPEG format.

  • New HTTP Request Body in vulnerability details

    • The vulnerability HTTP Information section now includes a new REQUEST BODY element that presents the contents submitted in the HTTP request, when available. This information was already available, but it was located in the REQUEST HEADERS section, which made it harder for users to distinguish the two types of information.

  • Aborted Scans Export Functionality

    • It is now possible to export scans marked as aborted in all supported formats, allowing users to review the scan results collected before the scan was aborted.

  • Response Max Size Setting Updates

    • The default value of this setting has been increased from 500 KB (500,000 bytes) to 5 MB (5,000,000 bytes) to account for modern web applications that bundle their JavaScript into large files, which could have been truncated at the previous value. This setting is now also available in PCI WAS scan templates.

      Note: This setting cannot be set to a value lower than 500 KB (500,000 bytes).

  • WOFF Fonts Excluded from Scans

    • Web Open Font Format (WOFF) fonts have been added to the list of file extensions excluded by default from scan assessment, which reduces scan duration for sites that use this standard font format.

Tenable Lumin

  • Main Lumin Dashboard UI Refresh and exporting

    • The Lumin dashboard UI has been updated, providing users more information and allowing them to export the entire dashboard or any widget on the dashboard to PDF, PNG, or JPG.

      Note: The Business Context/Tag table is not yet exportable.

    • Asset Exposure Score Column in Asset Views

      • For Lumin users, each asset that has an Asset Exposure Score (AES) now includes this information.

      • The AES is displayed in the Asset View with the column labeled "Exposure".

      • The AES is also displayed on the Asset Details page under the section named "Asset Exposure Score".

      • Known and Predicted AES values are represented differently, both visibly and by label.

    • Mitigations

      • A breakdown of assets with and without a detected mitigation is now on the Lumin dashboard, allowing a user to quickly drill in and see which assets have a mitigation detected and which do not.

      • A list of all detected mitigations is available along with the assets covered and the current state of that mitigating control.

PCI

  • PCI Scan Submission Optimization

    • The PCI scan submission process has been optimized, allowing large scans of more than a thousand assets to be imported in minutes instead of hours. This lets customers create attestations for their scans quickly and speeds up the attestation process.

  • NVD JSON Feed Support

    • Tenable.io PCI now relies on the new NVD JSON feeds, which allow it to receive the latest vulnerability updates.