Get Started with WAS

Use the following getting started sequence to configure and manage your Tenable.io Web Application Scanning deployment.

  1. Prepare
  2. Install
  3. Configure Scans
  4. Refine

Prepare

Before you begin, learn about Tenable.io Web Application Scanning and establish a deployment plan and analysis workflow to guide your implementation and configurations.

To establish a deployment plan and analysis workflow:

  1. Review principles of the TCP/IP internet protocol suite. Tenable.io Web Application Scanning documentation assumes you have knowledge of basic networking concepts and principles.
  2. Review principles of web application management and security. Tenable.io Web Application Scanning documentation assumes you have knowledge of web application management concepts and principles.
  3. Get your Tenable.io Web Application Scanning access and license information and credentials from your Tenable representative.
  4. Develop a deployment plan based on the following:

    • Your organization's security policies — Determine whether the policies allow you to store scanning data in Tenable.io Web Application Scanning, or require that you store data on your premises.

    • How you manage and access the assets that host your web applications — Determine the following about your web application assets:
      • Which web applications you want to include in your scanning strategy.
      • Whether these web applications can be accessed via publicly available sites or only on internal sites (for example, behind a firewall, on a staging site, or deployed within a third-party cloud computing service).

  5. Review the Tenable.io and Tenable.io Web Application Scanning requirements and ensure your machine and system meet the requirements.

Install

Tenable.io Web Application Scanning is configured with region-specific cloud scanners. You do not need to install additional scanners if your web application analysis scope includes only publicly available assets.

If your web applications are not available publicly, your installation plan depends on where your web applications run, as well as your organization's data storage needs.

  • If you want to analyze web applications that are available only internally, you must obtain and install the Tenable Core + Tenable.io Web Application Scanning platform and application package.

    For more information, see the Tenable Downloads site and the Tenable Core + Web Application Scanning User Guide.

  • If you want to analyze web applications deployed within Microsoft Azure, you must provision a Tenable Core Web Application Scanner (BYOL) instance.

    For more information, see the Microsoft Azure Integration Guide.

Configure Scans

After you prepare your analysis workflow and determine which web application assets are in scope, you can configure and run scans on those assets.

Tenable recommends that you first run high-level overview scans to help you determine which settings you want to configure for your more in-depth scans.

Note: With a Tenable.io Web Application Scanning trial license, you can run up to five scans concurrently using your cloud scanners. You can run any number of scans concurrently using on-premises scanners.

To configure and run overview scans:

  1. Do one of the following:

    • To perform an overview scan that shows which web application targets Tenable.io Web Application Scanning scans by default, create a scan using the Overview scan template.
    • To perform an overview scan that checks whether your web application is compliant with common security industry standards, create a scan using the Config Audit scan template.

    Note: The Tenable-provided scan templates for overview scans do not require authentication. However, the plugin results from these scans can help you identify the types of credentials your web applications require for more in-depth scans.

  2. Review the scan results, along with your scanning strategy, and determine which configuration settings you want to adjust when you run your standard web application scans.

To configure and run standard scans:

  1. Create a scan using the template that best matches your assessment needs:
    • To perform a comprehensive vulnerability scan, select the Scan template.
    • To perform a scan that checks whether your web application correctly implements SSL/TLS public key encryption, select the SSL TLS template.
  2. (Optional) Configure your scan settings, including user permissions and plugin settings.

    Note: You can also configure your credentials options in standard scans. However, you need to add credentials only if your web application requires them for authentication.

  3. Launch the scan.
  4. Monitor the scan status.
  5. View and analyze your scan results.
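The create, launch, monitor and review steps above are performed in the Tenable.io interface; the same cycle can be driven from a script, which also makes it easy to respect the concurrency limit noted earlier (five concurrent cloud scans on a trial license). The following is an added example, not code from Tenable or from this guide. The endpoint paths (`/was/v2/configs`, `/was/v2/configs/{id}/scans`, `/was/v2/scans/{id}`, `/was/v2/scans/{id}/report`), the JSON field names (`config_id`, `scan_id`, `status`, `findings`) and the status strings are assumptions modelled on the Tenable.io WAS v2 REST API and should be checked against the API reference; the API keys, template ID and target URLs are placeholders. The transport is injectable, so the module runs offline against the constructed `FakeTransport`.

```python
"""Create -> launch -> monitor -> review cycle for Tenable.io WAS scans.
ASSUMPTIONS (editor-supplied, not from the guide): endpoint paths, JSON
field names and status strings are modelled on the Tenable.io WAS v2 API;
verify them against the API reference before use."""
import json
import time
import urllib.request
from collections import Counter
from typing import Callable, Dict, Optional

# Assumed terminal states; anything else means the scan is still in progress.
TERMINAL_STATES = {"completed", "aborted", "failed", "canceled"}
# From the guide: a trial license allows up to five concurrent cloud scans.
TRIAL_CLOUD_CONCURRENCY = 5
Transport = Callable[[str, str, Optional[dict]], dict]


class WasClient:
    def __init__(self, access_key: str, secret_key: str,
                 transport: Optional[Transport] = None,
                 base_url: str = "https://cloud.tenable.com"):
        self.base_url = base_url
        self.headers = {  # Tenable.io API-key header format
            "X-ApiKeys": f"accessKey={access_key}; secretKey={secret_key}",
            "Content-Type": "application/json", "Accept": "application/json"}
        self.transport = transport or self._http

    def _http(self, method: str, path: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data,
                                     headers=self.headers, method=method)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode() or "{}")

    def create_config(self, name: str, template_id: str, target: str) -> str:
        body = {"name": name, "template_id": template_id, "targets": [target]}
        return self.transport("POST", "/was/v2/configs", body)["config_id"]

    def launch(self, config_id: str) -> str:
        return self.transport("POST", f"/was/v2/configs/{config_id}/scans", None)["scan_id"]

    def status(self, scan_id: str) -> str:
        return self.transport("GET", f"/was/v2/scans/{scan_id}", None)["status"]

    def report(self, scan_id: str) -> dict:
        return self.transport("GET", f"/was/v2/scans/{scan_id}/report", None)


def run_batch(client: WasClient, config_ids: list, max_concurrent: int = TRIAL_CLOUD_CONCURRENCY,
              poll_interval: float = 0.0, max_polls: int = 1000) -> Dict[str, str]:
    """Launch every config with at most max_concurrent scans in flight and
    return {config_id: final_status}; raise if scans never reach a terminal state."""
    pending, in_flight, final = list(config_ids), {}, {}
    for _ in range(max_polls):
        while pending and len(in_flight) < max_concurrent:   # fill free slots
            cfg = pending.pop(0)
            in_flight[client.launch(cfg)] = cfg
        for scan_id in list(in_flight):                       # monitor status
            state = client.status(scan_id)
            if state in TERMINAL_STATES:
                final[in_flight.pop(scan_id)] = state
        if not pending and not in_flight:
            return final
        time.sleep(poll_interval)
    raise TimeoutError(f"unfinished scans: {sorted(in_flight.values())}")


def severity_summary(report: dict) -> Dict[str, int]:
    """Count findings by severity; assumes {"findings": [{"severity": ...}, ...]}."""
    return dict(Counter(f.get("severity", "unknown") for f in report.get("findings", [])))


class FakeTransport:
    """Offline stand-in (constructed data): each scan reports pending, running,
    then completed on successive polls; peak concurrent scans are recorded."""
    def __init__(self):
        self.polls: Dict[str, int] = {}
        self.active = self.peak_in_flight = self.configs = 0

    def __call__(self, method: str, path: str, body: Optional[dict]) -> dict:
        parts = path.strip("/").split("/")
        if path == "/was/v2/configs":
            self.configs += 1
            return {"config_id": f"cfg-{self.configs}"}
        if method == "POST" and parts[-1] == "scans":
            scan_id, self.active = f"scan-{parts[-2]}", self.active + 1
            self.polls[scan_id] = 0
            self.peak_in_flight = max(self.peak_in_flight, self.active)
            return {"scan_id": scan_id}
        if parts[-1] == "report":
            return {"findings": [{"plugin_id": 1, "severity": "high"},
                                 {"plugin_id": 2, "severity": "medium"},
                                 {"plugin_id": 3, "severity": "medium"}]}
        self.polls[parts[-1]] += 1
        if self.polls[parts[-1]] == 3:
            self.active -= 1
        return {"status": ("pending", "running", "completed")[min(self.polls[parts[-1]], 3) - 1]}


def demo() -> dict:
    """Run seven constructed configs through the cycle using the fake transport."""
    fake = FakeTransport()
    client = WasClient("ACCESS_KEY_PLACEHOLDER", "SECRET_KEY_PLACEHOLDER", transport=fake)
    configs = [client.create_config(f"overview-{i}", "TEMPLATE_ID_PLACEHOLDER",
                                    f"https://app{i}.example.com") for i in range(7)]
    results = run_batch(client, configs)
    summary = severity_summary(client.report(f"scan-{configs[0]}"))
    return {"results": results, "peak_in_flight": fake.peak_in_flight, "summary": summary}
```

With seven configs and the default limit of five, `run_batch` launches five scans, waits for them to reach a terminal state, then launches the remaining two, so `peak_in_flight` never exceeds the trial limit. Swapping `FakeTransport` for the built-in HTTP transport (by omitting the `transport` argument) sends the same calls to the real API, and because the launch and status paths are confined to `WasClient`, correcting an assumed endpoint or field name is a one-line change.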

Refine

Configure other features, if necessary, and refine your existing configurations.

To configure or refine your settings:

  1. Further adjust your current scan settings, including user permissions and plugin settings.
  2. If you want to add credentials to your scan, add the appropriate credential type.
  3. If you want to change basic scan settings, including the schedule, the scanner used, or user permissions, adjust the Basic Settings in WAS Scans in the scan configuration.
  4. If you want to widen or narrow the scope of URL targets your scan crawls, adjust the Scope Settings in WAS Scans in the scan configuration.
  5. If you want to increase or decrease your scan intensity, adjust the Assessment Settings in WAS Scans in the scan configuration.
  6. If you want to improve your scan performance, adjust the Advanced Settings in WAS Scans in the scan configuration.