Web Applications (Tenable Web App Scanning)

Vulnerability Priority Rating

In Tenable One, the concept of Vulnerability Priority Rating (VPR) extends to web application scanning. Where a web application detection is associated with a CVE, VPR scores already exist at the CVE level. For detections not associated with CVEs, such as OWASP Top 10 vulnerabilities, Tenable uses the Common Weakness Enumeration (CWE) as a surrogate to measure the threat for a given detection, and uses the CVSS vector for the detection to determine the potential impact.
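The two decisions described above, whether the threat signal comes from the CVE or from a CWE surrogate, and how much potential impact the detection's CVSS vector implies, can be made explicit in code. The block below is an added example, not Tenable code: it picks the threat basis for a detection and derives the CVSS v3.1 impact sub-score (the standard formula from the CVSS v3.1 specification) from the vector string. The sample detections are constructed for the example.

```python
"""Added example: threat basis and CVSS v3.1 impact for a web-app detection."""
import re

# CVSS v3.1 weights for the Confidentiality / Integrity / Availability metrics.
CIA_WEIGHTS = {"H": 0.56, "L": 0.22, "N": 0.0}
REQUIRED_METRICS = {"AV", "AC", "PR", "UI", "S", "C", "I", "A"}


def parse_cvss_v3_vector(vector: str) -> dict:
    """Split a CVSS v3.0/v3.1 vector string into a metric -> value mapping."""
    match = re.fullmatch(r"CVSS:3\.[01]/(.+)", vector.strip())
    if not match:
        raise ValueError(f"not a CVSS v3.x vector: {vector!r}")
    metrics = {}
    for part in match.group(1).split("/"):
        key, sep, value = part.partition(":")
        if not sep or not key or not value:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    missing = REQUIRED_METRICS - metrics.keys()
    if missing:
        raise ValueError(f"vector lacks base metrics {sorted(missing)}")
    for metric in ("C", "I", "A"):
        if metrics[metric] not in CIA_WEIGHTS:
            raise ValueError(f"bad {metric} value {metrics[metric]!r}")
    return metrics


def impact_subscore(vector: str) -> float:
    """CVSS v3.1 impact sub-score; this is the 'potential impact' side of the rating."""
    m = parse_cvss_v3_vector(vector)
    iss = 1.0 - (1.0 - CIA_WEIGHTS[m["C"]]) * (1.0 - CIA_WEIGHTS[m["I"]]) * (1.0 - CIA_WEIGHTS[m["A"]])
    if m["S"] == "U":          # scope unchanged
        impact = 6.42 * iss
    else:                      # scope changed
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    return max(impact, 0.0)


def threat_basis(detection: dict) -> tuple:
    """Choose where the threat component comes from: the CVE if one is linked,
    otherwise the CWE acts as a surrogate (as the page describes)."""
    if detection.get("cve"):
        return ("cve", detection["cve"])
    if detection.get("cwe"):
        return ("cwe", detection["cwe"])
    raise ValueError("detection carries neither a CVE nor a CWE")


# Constructed sample detections (values are illustrative, not real findings).
SAMPLE_DETECTIONS = [
    {"name": "SQL injection in login form", "cwe": "CWE-89",
     "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
    {"name": "Reflected XSS in search", "cwe": "CWE-79",
     "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},
    {"name": "Outdated component", "cve": "CVE-0000-00000",  # placeholder id
     "cwe": "CWE-1104", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},
]


def summarize(detections=SAMPLE_DETECTIONS) -> list:
    """Return (name, threat basis, impact sub-score) for each detection."""
    return [(d["name"], threat_basis(d), round(impact_subscore(d["vector"]), 3))
            for d in detections]


if __name__ == "__main__":
    for row in summarize():
        print(row)
```

The CWE-only detections resolve to the CWE surrogate, while the one carrying a CVE resolves to the CVE, and the impact column is the piece of the CVSS vector that feeds the potential-impact side of the rating.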

Asset Criticality Rating

As with VPR, the concept of Asset Criticality Rating (ACR) extends to web applications. The algorithm is a function of three primary components:

  • Exposure: Represents the extent to which the web application is exposed to external internet factors (e.g., "Crawler hidden, public internet facing web application")

  • Type: Represents the character of the web application (e.g., "Moderately complex web application supporting legacy HTTP protocol access, using paid digital certificates with valid SSL certs")

  • Capabilities: Represents the web application’s abilities, hinting at purpose (e.g., "Web application supports user logins, significant API usage, and handles PCI data")

Tenable combines these features and components in a rules engine to produce the ACR for the web application.
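To make the "rules engine over three components" idea concrete, here is an added example, not Tenable's implementation: a small engine that tags a web application with exposure, type and capability facts of the kind listed above, fires weighted rules against those tags, applies a floor rule, and clamps to a 1 to 10 rating. Every rule, weight and floor is invented for the illustration; the value of the pattern is that each rating comes with the list of rules that produced it.

```python
"""Added example: an illustrative rules engine for a web-app criticality rating.
All rules, weights and floors are hypothetical, not Tenable's ACR algorithm."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    requires: frozenset   # every tag must be present on the app for the rule to fire
    weight: int           # hypothetical contribution to the rating


@dataclass(frozen=True)
class WebApp:
    name: str
    exposure: frozenset      # e.g. {"internet-facing"} or {"internal-only"}
    app_type: frozenset      # e.g. {"legacy-http", "valid-tls-cert"}
    capabilities: frozenset  # e.g. {"user-login", "api-heavy", "pci-data"}

    @property
    def tags(self) -> frozenset:
        return self.exposure | self.app_type | self.capabilities


ACR_MIN, ACR_MAX = 1, 10

# Hypothetical rules, one family per component the page lists.
RULES = (
    Rule("exposure: reachable from the public internet", frozenset({"internet-facing"}), 3),
    Rule("type: still answers plaintext HTTP", frozenset({"legacy-http"}), 1),
    Rule("capability: authenticates users", frozenset({"user-login"}), 2),
    Rule("capability: significant API surface", frozenset({"api-heavy"}), 1),
    Rule("capability: handles PCI data", frozenset({"pci-data"}), 3),
)

# Hypothetical floor: an internet-facing app that handles card data is never rated below 9.
FLOORS = (
    (frozenset({"internet-facing", "pci-data"}), 9),
)


def rate(app: WebApp) -> tuple:
    """Return (rating, explanation) where explanation lists the rules that fired."""
    score = ACR_MIN
    fired = []
    for rule in RULES:
        if rule.requires <= app.tags:
            score += rule.weight
            fired.append(rule.name)
    for requires, floor in FLOORS:
        if requires <= app.tags and score < floor:
            fired.append(f"floor of {floor} applied")
            score = floor
    return max(ACR_MIN, min(ACR_MAX, score)), fired


# Constructed sample applications (illustrative, not real assets).
PAYMENT_PORTAL = WebApp("payment portal", frozenset({"internet-facing"}),
                        frozenset({"legacy-http", "valid-tls-cert"}),
                        frozenset({"user-login", "api-heavy", "pci-data"}))
INTRANET_WIKI = WebApp("intranet wiki", frozenset({"internal-only"}),
                       frozenset({"valid-tls-cert"}), frozenset())
CARD_FORM = WebApp("bare card form", frozenset({"internet-facing"}),
                   frozenset({"valid-tls-cert"}), frozenset({"pci-data"}))


if __name__ == "__main__":
    for app in (PAYMENT_PORTAL, INTRANET_WIKI, CARD_FORM):
        rating, why = rate(app)
        print(f"{app.name}: {rating}")
        for reason in why:
            print(f"  - {reason}")
```

The additive score for the payment portal exceeds the scale and is clamped to 10, the intranet wiki fires no rule and stays at the minimum, and the bare card form shows the floor rule lifting a middling additive score to 9.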