Web Application Scanning (WAS)

Vulnerability Priority Rating

In Tenable One, the concept of Vulnerability Priority Rating (VPR) extends to web application scanning. Where a web application detection is associated with a CVE, VPR scores already exist at the CVE level. For detections not associated with CVEs, such as OWASP Top 10 vulnerabilities, Tenable uses the Common Weakness Enumeration (CWE) as a surrogate to measure the threat for a given detection, and uses the CVSS vector for the detection to determine the potential impact.

Asset Criticality Rating

As with VPR, the concept of Asset Criticality Rating (ACR) extends to web applications. The algorithm is a function of three primary components:

  • Exposure: Represents the extent to which the web application is exposed to external internet factors (e.g., "Crawler hidden, public internet facing web application")

  • Type: Represents the character of the web application (e.g., "Moderately complex web application supporting legacy HTTP protocol access, using paid digital certificates with valid SSL certs")

  • Capabilities: Represents the web application’s abilities, hinting at purpose (e.g., "Web application supports user logins, significant API usage, and handles PCI data")

These features and components are combined in a rules engine to produce the ACR for the web application being measured.

Asset Exposure Score Computation

Each licensed asset belonging to the WAS Exposure class is given a score from 0 to 1000. Tenable One computes this value by weighting the VPR values of the asset's active weaknesses together with its ACR.

Enhancements

The weakness severity weights have been adjusted for the WAS exposure class vulnerability density calculation. The weights for low and medium plugins have been reduced. As in the VM exposure class, the result of these changes is that Tenable One highlights assets that have high or critical vulnerabilities to a greater degree than before.
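The two sections above describe the inputs (VPR of active weaknesses, ACR, per-severity weights) without giving the formula, and the Enhancements section states only the effect of reducing the low and medium weights. The following is an added, illustrative model written for this page; it is not Tenable's algorithm and none of its weights, bands or scaling are Tenable's published values. It assumes VPR severity bands of low (< 4.0), medium (4.0 to 6.9), high (7.0 to 8.9) and critical (9.0 and above), a saturating 0 to 1000 scale, and ACR on a 1 to 10 scale, purely to show how lowering the low/medium weights shifts prioritization toward assets carrying high or critical weaknesses.

```python
import math
from dataclasses import dataclass, field

# Hypothetical severity weights (constructed for illustration, not Tenable's values).
# "OLD" gives low/medium findings substantial weight; "NEW" reduces them so that
# high/critical findings dominate the density term, mirroring the enhancement described above.
OLD_WEIGHTS = {"low": 0.4, "medium": 0.7, "high": 0.9, "critical": 1.0}
NEW_WEIGHTS = {"low": 0.1, "medium": 0.4, "high": 0.9, "critical": 1.0}


@dataclass
class Weakness:
    plugin: str   # constructed plugin label, e.g. "xss-reflected"
    vpr: float    # Vulnerability Priority Rating, 0.1 to 10.0


@dataclass
class WebApp:
    name: str
    acr: int                              # Asset Criticality Rating, assumed 1 to 10
    weaknesses: list = field(default_factory=list)


def vpr_band(vpr: float) -> str:
    """Map a VPR value to a severity band (band thresholds are an assumption here)."""
    if vpr >= 9.0:
        return "critical"
    if vpr >= 7.0:
        return "high"
    if vpr >= 4.0:
        return "medium"
    return "low"


def weighted_density(weaknesses: list, weights: dict) -> float:
    """Severity-weighted vulnerability density: sum of (weight x VPR/10) over active weaknesses."""
    return sum(weights[vpr_band(w.vpr)] * (w.vpr / 10.0) for w in weaknesses)


def illustrative_exposure_score(app: WebApp, weights: dict, k: float = 0.25) -> int:
    """Illustrative 0..1000 score: density saturates via 1 - exp(-k*density), scaled by ACR/10.

    This is a constructed model of "weight VPR of active weaknesses together with ACR";
    it is not Tenable One's computation.
    """
    if not app.weaknesses:
        return 0
    saturation = 1.0 - math.exp(-k * weighted_density(app.weaknesses, weights))
    return int(round(1000 * saturation * (app.acr / 10.0)))


def rank_apps(apps: list, weights: dict) -> list:
    """Return app names ordered from highest to lowest illustrative exposure score."""
    return [a.name for a in sorted(apps, key=lambda a: illustrative_exposure_score(a, weights), reverse=True)]


# Constructed sample inventory.
# portal: high criticality, many low/medium findings, nothing high or critical.
# api:    moderate criticality, only two critical findings.
PORTAL = WebApp("portal", acr=8,
                weaknesses=[Weakness(f"info-leak-{i}", 3.5) for i in range(6)]
                + [Weakness(f"weak-cookie-{i}", 5.5) for i in range(4)])
API = WebApp("api", acr=6,
             weaknesses=[Weakness("sqli-blind", 9.5), Weakness("auth-bypass", 9.8)])


if __name__ == "__main__":
    for label, weights in (("old weights", OLD_WEIGHTS), ("new weights", NEW_WEIGHTS)):
        scores = {a.name: illustrative_exposure_score(a, weights) for a in (PORTAL, API)}
        print(f"{label}: {scores} -> priority order {rank_apps([PORTAL, API], weights)}")
```

With the old weights the portal, which carries only low and medium findings but has a high ACR, outranks the API; with the reduced low/medium weights the API's two critical weaknesses put it first. Both assets still score on the 0 to 1000 scale, and an asset with no active weaknesses scores 0.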