Get Started with Tenable Web App Scanning

There are significant differences between scanning for vulnerabilities in web applications and scanning for traditional vulnerabilities with Tenable Nessus, Tenable Nessus Agents or Tenable Nessus Network Monitor. As a result, Tenable Web App Scanning requires a different approach to vulnerability assessment and management.

Tenable Web App Scanning Application Topology

Tenable Web App Scanning offers significant improvements over the legacy Tenable Nessus-based web application scanning policy:

  • The legacy scanning template for Tenable Nessus is incompatible with modern web application frameworks such as Javascript, HTML 5, AJAX, or single page applications (SPA), among others, which can potentially leave you with an incomplete understanding of your web application security posture.

  • Tenable Web App Scanning provides comprehensive vulnerability scanning for modern web applications. Its accurate vulnerability coverage minimizes false positives and false negatives to ensure that security teams understand the true security risks in their web applications. It offers safe external scanning so that production web applications do not experience disruptions or delays.

  • Tenable Web App Scanning uses region-specific cloud scanners. There is no need for more scanners if your web application analysis scope includes only publicly available assets. If your web applications are not public, your installation plan depends on where your web applications run and your organization's data storage needs.

Use the following sequence to configure and manage your Tenable Web App Scanning deployment:

  1. Prepare
  2. Install
  3. Configure Scans
  4. Configure Additional Settings
  5. Expand into Tenable One

Prepare

Before you begin, familiarize yourself with Tenable Web App Scanning basics to establish a deployment plan and an analysis workflow for your implementation and configurations:

For more information and guided product walk-throughs, visit our Tenable Product Education YouTube channel. These short, instructional videos explain how to make the best use of Tenable Web App Scanning, including the authentication and tuning procedures mentioned above to help you secure your vulnerable web applications.

Install

  1. Preparation for Deployment

    1. Confirm requisite access to the Tenable Vulnerability Management platform and Tenable Web App Scanning application. Create users with appropriate access to Tenable Web App Scanning for scanning and viewing of results. You can configure Role-Based Access Control (RBAC) to allow user access. You must have Administrative credentials for configuration.

    2. Determine whether you need a local scanner. You can deploy local or cloud-based scanners and connect them to Tenable Vulnerability Management. You can use these scanners on internet-facing web applications and development or pre-production environments (if suitable firewall rules apply).

      The Tenable Core + Tenable Web App Scanning scanner supports installation on VMware (.ova), Hyper-V (.zip), or a physical machine (.ISO). You can deploy it locally on-premises or within a cloud-based development environment to scan non-internet-facing web applications. For more information on VMware/vCenter, refer to the VMware integration documentation.

      You can download the local scanner here. Check that you have the following:

      • Outbound access to https://cloud.tenable.com via port 443 to communicate with Tenable Vulnerability Management.
      • Inbound access via HTTPS on port 8000 for browser access to the management interface.
  2. Identification and Planning

    1. Define the security objectives. Why are we scanning, what do we hope to achieve, and what does success look like?

    2. Determine scanning priorities. Identify which target web applications are within the scope of quick scanning and which require more detailed scanning.

    3. Ensure full coverage. Determine whether there are any other (possibly unidentified) web servers, services, or applications that you need to scan, and how to find them.

  3. Documentation

    1. Track everything. Produce and manage documentation that captures full details of the deployment requirements, deployed scanner resources (if applicable), web applications identified for scanning, and the tuning you applied to the scans with an accompanying rationale.
    2. Communicate your findings. Establish reporting requirements to identify: the recipients, the level of detail, and the frequency of the reports distribution. Developers may need PDFs, while ticketing systems require vulnerability details. Management often prefers a higher-level summary of overall exposure and risk reduction.

Configure Scans

After you prepare your analysis workflow and determine the scope of the web application assets, you can configure and run scans on those assets.

Tenable recommends that you first run high-level overview scans to help you determine the settings to configure for more in-depth scans.

  1. Do one of the following:

  2. Launch the scan.
  3. View and analyze your scan results:
    • Analyze the findings.

    • Use the sitemap crawled as an input to detailed scanning, tuning and optimization, reviewing for page timeouts, length of time to access a page, errors, or opportunities to remove repetitive content.

    • Review the “Scan notes” for any higher priority concerns, which may provide suggestions for scan improvement.

  4. Further tune your scans based on your business needs:
    1. Experiment with advanced settings. Perform scan tuning in a few locations based on the data gathered in the previous step. You can then update and deploy the scan for the targeted web applications. For more information, see

    For a demonstration on scan tuning in Tenable Web App Scanning, see the following video:

Note: With a Tenable Web App Scanning trial license, you can run up to five scans concurrently using your cloud scanners. You can run any number of scans concurrently using on-premises scanners.

Configure Additional Settings

Configure other features, if necessary, and refine your existing configurations:

  1. Add credentials to your scan:
  2. Consider further custom adjustments, such as scan settings, user permissions, and plugin settings.

    Tip: Each application is unique. Running scans and analyzing the results reveal techniques that help you run scans most efficiently and ensure coverage of all areas of the application. Depending on the size or complexity of the web application, the scan may finish allowing you to analyze the results for further optimization. Tenable highly recommends that you review the “scan notes” after a scan completes and the attachment to the sitemap plugin regularly.

Expand into Tenable One

Note: This requires a Tenable One license. For more information about trying Tenable One, see Tenable One.

Integrate Tenable Web App Scanning with Tenable One and leverage the following features:

  • In Lumin Exposure View, gain critical business context by getting business-aligned cyber exposure score for critical business services, processes and functions, and track delivery against SLAs. Track overall web application risk to understand the risk contribution of web applications to your overall cyber exposure score.

    • Review the Global exposure card to understand your holistic score. Click Per Exposure to understand what factors are driving your score, and by how much.

    • Review the Web Applications exposure card.

    • Configure the exposure view settings to set a customized Card Target and configure Remediation SLA and SLA Efficiency based on your company policy.

    • Create a custom exposure card based on business context (for example, Web App Owner, Asset Criticality, Application, Internal/External Web Servers, or Ecommerce/Supporting Asset).

  • In Tenable Inventory, enhance asset intelligence by accessing deeper asset insights, including related attack paths, tags, exposure cards, users, relationships, and more. Improve risk scoring by gaining a more complete view of asset exposure, with an asset exposure score that assesses total asset risk and asset criticality.

    • Review your Tenable Web App Scanning assets to understand the strategic nature of the interface. This should help set your expectations on what features to use within Tenable Inventory, and when.

    • Review the Tenable Queries that you can use, edit, and bookmark.

    • Familiarize yourself with the Global Search query builder and its objects and properties. Bookmark custom queries for later use.

      Tip: To get a quick view of what properties are available:
      • In the query builder, type has. A list of suggested asset properties appears.
      • Customize the list by adding a column. A list of available columns/properties appears.
    • Drill down into the asset details page to view asset properties and all associated context views.
    • (Optional) Create a tag that combines different asset classes.

  • In Attack Path Analysis, optimize risk prioritization by exposing risky attack paths that traverse the attack surface, including web apps, IT, OT, IoT, identities, ASM, and prevent material impact. Streamline mitigation by identifying choke points to disrupt attack paths with mitigation guidance, and gain deep expertise with AI insights.

    • View the Attack Path Analysis Dashboard for a high-level view of your vulnerable assets such as the number of attack paths leading to these critical assets, the number of open findings and their severity, a matrix to view paths with different source node exposure score and ACR target value combinations, and a list of trending attack paths.

      • Review the Top Attack Path Matrix and click the Top Attack Paths tile to view more information about the paths leading to your “Crown Jewels”, or assets with an ACR of 7 or above.

      You can adjust these if needed to ensure you’re viewing the most critical attack path data and findings.

    • On the Findings page, view all attack techniques that exist in one or more attack paths that lead to one or more critical assets by pairing your data with advanced graph analytics and the MITRE ATT&CK® Framework to create Findings, which allow you to understand and act on the unknowns that enable and amplify threat impact on your assets and information.

    • On the Discover page, generate attack path queries to view your assets as part of potential attack paths:

      Then, you can view and interact with the Attack Path Query and Asset Query data via the query result list and the interactive graph.