Get Started with Tenable Web App Scanning

There are significant differences between scanning for vulnerabilities in web applications and scanning for traditional vulnerabilities with Tenable Nessus, Tenable Nessus Agents or Tenable Nessus Network Monitor. As a result, Tenable Web App Scanning (Tenable Web App Scanning) requires a different approach to vulnerability assessment and management.

Tenable Web App Scanning Application Topology

Tenable Web App Scanning offers significant improvements over the legacy Tenable Nessus-based web application scanning policy:

  • The legacy scanning template for Tenable Nessus is incompatible with modern web application frameworks such as Javascript, HTML 5, AJAX, or single page applications (SPA), among others, which can potentially leave you with an incomplete understanding of your web application security posture.

  • Tenable Web App Scanning provides comprehensive vulnerability scanning for modern web applications. Its accurate vulnerability coverage minimizes false positives and false negatives to ensure that security teams understand the true security risks in their web applications. It offers safe external scanning so that production web applications do not experience disruptions or delays.

  • Tenable Web App Scanning uses region-specific cloud scanners. There is no need for more scanners if your web application analysis scope includes only publicly available assets. If your web applications are not public, your installation plan depends on where your web applications run and your organization's data storage needs.

Use the following sequence to configure and manage your Tenable Web App Scanning deployment:

  1. Prepare
  2. Install
  3. Configure Scans
  4. Configure Additional Settings


Before you begin, familiarize yourself with Tenable Web App Scanning basics to establish a deployment plan and an analysis workflow for your implementation and configurations:

For more information and guided product walk-throughs, visit our Tenable Product Education YouTube channel. These short, instructional videos explain how to make the best use of Tenable Web App Scanning, including the authentication and tuning procedures mentioned above to help you secure your vulnerable web applications.


  1. Preparation for Deployment

    1. Confirm requisite access to the Tenable Vulnerability Management platform and Tenable Web App Scanning application. Create users with appropriate access to Tenable Web App Scanning for scanning and viewing of results. You can configure Role-Based Access Control (RBAC) to allow user access. You must have Administrative credentials for configuration.

    2. Determine whether you need a local scanner. You can deploy local or cloud-based scanners and connect them to Tenable Vulnerability Management. You can use these scanners on internet-facing web applications and development or pre-production environments (if suitable firewall rules apply).

      The Tenable Core + Tenable Web App Scanning scanner supports installation on VMware (.ova), Hyper-V (.zip), or a physical machine (.ISO). You can deploy it locally on-premises or within a cloud-based development environment to scan non-internet-facing web applications.

      You can download the local scanner here. Check that you have the following:

      • Outbound access to via port 443 to communicate with Tenable Vulnerability Management.
      • Inbound access via HTTPS on port 8000 for browser access to the management interface.
  2. Identification and Planning

    1. Define the security objectives. Why are we scanning, what do we hope to achieve, and what does success look like?

    2. Determine scanning priorities. Identify which target web applications are within the scope of quick scanning and which require more detailed scanning.

    3. Ensure full coverage. Determine whether there are any other (possibly unidentified) web servers, services, or applications that you need to scan, and how to find them.

  3. Documentation

    1. Track everything. Produce and manage documentation that captures full details of the deployment requirements, deployed scanner resources (if applicable), web applications identified for scanning, and the tuning you applied to the scans with an accompanying rationale.
    2. Communicate your findings. Establish reporting requirements to identify: the recipients, the level of detail, and the frequency of the reports distribution. Developers may need PDFs, while ticketing systems require vulnerability details. Management often prefers a higher-level summary of overall exposure and risk reduction.

Configure Scans

After you prepare your analysis workflow and determine the scope of the web application assets, you can configure and run scans on those assets.

Tenable recommends that you first run high-level overview scans to help you determine the settings to configure for more in-depth scans.

  1. Do one of the following:

  2. Launch the scan.
  3. View and analyze your scan results:
    • Analyze the findings.

    • Use the sitemap crawled as an input to detailed scanning, tuning and optimization, reviewing for page timeouts, length of time to access a page, errors, or opportunities to remove repetitive content.

    • Review the “Scan notes” for any higher priority concerns, which may provide suggestions for scan improvement.

  4. Further tune your scans based on your business needs:
    1. Experiment with advanced settings. Perform scan tuning in a few locations based on the data gathered in the previous step. You can then update and deploy the scan for the targeted web applications. For more information, see

    For a demonstration on scan tuning in Tenable Web App Scanning, see the following video:

Note: With a Tenable Web App Scanning trial license, you can run up to five scans concurrently using your cloud scanners. You can run any number of scans concurrently using on-premises scanners.

Configure Additional Settings

Configure other features, if necessary, and refine your existing configurations:

  1. Add credentials to your scan:
  2. Download the Tenable Web App Scanning Google Chrome Extension to configure Selenium credentials automatically.
  3. Consider further custom adjustments, such as scan settings, user permissions, and plugin settings.

    Tip: Each application is unique. Running scans and analyzing the results reveal techniques that help you run scans most efficiently and ensure coverage of all areas of the application. Depending on the size or complexity of the web application, the scan may finish allowing you to analyze the results for further optimization. Tenable highly recommends that you review the “scan notes” after a scan completes and the attachment to the sitemap plugin regularly.