Tenable Web App Scanning

Tenable Web App Scanning offers significant improvements over the existing Web Application Tests policy template provided by the Tenable Nessus scanner. That template is incompatible with modern web applications that rely on JavaScript and are built on HTML5, which leaves you with an incomplete understanding of your web application security posture.

Tenable Web App Scanning provides comprehensive vulnerability scanning for modern web applications, including those built with HTML5 and AJAX frameworks. Its accurate vulnerability coverage minimizes false positives and false negatives, so that security teams understand the true security risks in their web applications, and its safe external scanning ensures that production web applications are not disrupted or delayed.

Tenable One Exposure Management Platform

Tenable One is an Exposure Management Platform to help organizations gain visibility across the modern attack surface, focus efforts to prevent likely attacks and accurately communicate cyber risk to support optimal business performance.

The platform combines the broadest vulnerability coverage spanning IT assets, cloud resources, containers, web apps, and identity systems, builds on the speed and breadth of vulnerability coverage from Tenable Research and adds comprehensive analytics to prioritize actions and communicate cyber risk. Tenable One allows organizations to:

  • Gain comprehensive visibility across the modern attack surface
  • Anticipate threats and prioritize efforts to prevent attacks
  • Communicate cyber risk to make better decisions

For more information, see Tenable Products and Tenable License.

Get Started with Tenable Web App Scanning

There are significant differences between scanning for vulnerabilities in web applications and scanning for traditional vulnerabilities with Tenable Nessus, Tenable Nessus Agents or Tenable Nessus Network Monitor. As a result, Tenable Web App Scanning requires a different approach to vulnerability assessment and management.

Web App Scanning

Tenable Web App Scanning offers significant improvements over the legacy Tenable Nessus-based web application scanning policy:

  • The legacy scanning template for Tenable Nessus is incompatible with modern web application technologies such as JavaScript, HTML5, AJAX and single-page applications (SPAs), among others. A crawler that cannot execute client-side code never sees the links, forms and API calls those applications create at run time, which can leave you with an incomplete understanding of your web application security posture.
  • Tenable Web App Scanning provides comprehensive vulnerability scanning for modern web applications. Its accurate vulnerability coverage minimizes false positives and false negatives to ensure that security teams understand the true security risks in their web applications. It offers safe external scanning so that production web applications do not experience disruptions or delays.
  • Tenable Web App Scanning uses region-specific cloud scanners. No additional scanners are needed if your web application analysis scope includes only publicly reachable assets. If your web applications are not public, your installation plan depends on where your web applications run and on your organization’s data storage requirements.
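As an added illustration of the first point above (example code written for this page, not Tenable's crawler or any Tenable API): a constructed single-page application whose links and API endpoints exist only after client-side JavaScript runs. A crawler that only parses the served HTML discovers none of them; a heuristic that harvests path-like string literals from the script recovers the routes, which is a useful way to seed a scan but no substitute for executing the application's JavaScript. The sample page, route names and endpoint paths are invented.

```python
"""Constructed illustration (not Tenable code) of why a crawler that does not
execute JavaScript under-reports the attack surface of a single-page app."""
import re
from html.parser import HTMLParser

# Constructed sample response for GET / on a typical SPA. The server sends an
# empty mount point plus a script; every link, route and API call is created
# at run time in the browser.
SPA_HTML = """<!doctype html>
<html><head><title>Demo bank</title></head>
<body>
<div id="app"></div>
<script>
  const routes = {"/": home, "/transfer": transfer, "/admin": admin};
  function home() {
    document.getElementById("app").innerHTML =
      '<a href="/transfer">Transfer</a><a href="/admin">Admin</a>';
  }
  function transfer() {
    fetch("/api/v1/transfer", {method: "POST",
          body: JSON.stringify({to: 1, amount: 5})});
  }
  function admin() { fetch("/api/v1/users?role=admin"); }
  home();
</script>
</body></html>
"""


class StaticLinkCollector(HTMLParser):
    """Records <a href> and <form action> values from the HTML as served,
    which is all a crawler without a JavaScript engine can see. Script
    bodies are raw text to html.parser, so the markup inside the JS string
    literal above is (correctly) not parsed as tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self.forms.append(a.get("action", ""))


def static_crawl(html):
    """What a non-JavaScript crawler discovers on this page."""
    p = StaticLinkCollector()
    p.feed(html)
    p.close()
    return {"links": p.links, "forms": p.forms}


# Path-like string literals inside <script> blocks. A cheap way to seed a
# scan with hidden routes and API endpoints; it does not replace a crawler
# that actually executes the application's JavaScript.
SCRIPT_BODY = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
PATH_LITERAL = re.compile(r"""["'](/[A-Za-z0-9_./?=&%-]*)["']""")


def script_paths(html):
    """Paths referenced only from JavaScript, sorted and de-duplicated."""
    found = set()
    for body in SCRIPT_BODY.findall(html):
        found.update(PATH_LITERAL.findall(body))
    return sorted(found)


def missed_by_static_crawl(html):
    """Endpoints a JavaScript-unaware crawler would never request."""
    seen = set(static_crawl(html)["links"])
    return [p for p in script_paths(html) if p not in seen]


if __name__ == "__main__":
    print("static crawl   :", static_crawl(SPA_HTML))
    print("in JS only     :", script_paths(SPA_HTML))
    print("missed coverage:", missed_by_static_crawl(SPA_HTML))
```

Running the block shows an empty static crawl result and five paths, including the transfer and admin API endpoints, that only appear in the script. In a real application the routes are usually in a separate minified bundle rather than inline, so the same heuristic would need to fetch and scan each script source referenced by the page.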

For more information, see Security License.

Prepare

Before you begin, familiarize yourself with Tenable Web App Scanning basics to establish a deployment plan and an analysis workflow for your implementation and configurations:

Types of Tenable Web App Scanning Programs

There are several viable ways to operate a web application scanning program based on dynamic application security testing (DAST) technology. Most programs use a combination of these approaches to meet the different needs of each site. The following list describes the scan templates that Tenable supports:

  • Scan: The complete set of available checks, which includes the checks from all other pre-built templates except the API scan template.
  • Overview: A simplified version of the “Scan” template that omits several active tests to lower its impact on the target and speed up the scan.
  • PCI: A special template used as part of the attestation offering that Tenable provides for the Payment Card Industry (PCI) security standard. Only submissions for attestation consume PCI licenses; otherwise, this template is a simplified version of the “Scan” template.
  • SSL/TLS: A health check scan focused on the current state of the web server’s encryption settings and certificate (for example, the time remaining before the certificate expires).
  • Config Audit: A compliance audit that detects externally visible web server settings that external audit providers commonly review to evaluate the health of a security program.
