Getting started with Tenable Web App Scanning (2023)

There are several viable ways to operate a web application scanning program based on Dynamic Application Security Testing (DAST) technology. Most programs use some combination of each approach to meet the different needs of each site. The following list givesSustainablesupported scan templates:

• Scan:The complete set of checks available that includes all other pre-built templates except API analysis.

• General description:A simplified version of the "Scan" template without multiple active tests to reduce their impact and speed up the scan.
• PCI:A special template used as part of the attestation offer thatSustainablesets the payment card industry (PCI) security standard. Only submissions to attestation consume PCI licenses; otherwise, this template is a simplified version of the "Scan" template.

• SSL/TLS:A health check analysis focused on the current state of the web server's encryption configuration and the state of the certificate (for example, the time remaining on the certificate).

• Configuration Audit:A compliance audit that detects externally visible web server configuration that external audit providers typically review to assess the health of a security program.

• API scanning:A special template that requires further configuration to describe the application programming interface (API) so that the scanner can successfully detect relevant vulnerabilities.

Typically uses the "SSL_TLS" or "Config Audit" scan templates to run a quick test, often just a few minutes, on a more regular basis than deep scans to give you an overview of level checks superficial, like any certificate. encryption type and type issues with a given site or commonly exposed configuration parameters that are not best practices.

• Untuned Detailed Scans:With no tuning or refinement required, this approach uses the "Scan" template to optimize detection of most vulnerabilities and simulates drive-by style attacks that sites commonly experience. These scans are quickly implemented and return valuable incremental visibility into the scan target while using basic validation to avoid obvious scan errors. However, this approach can lead to timeouts (such as the default of eight hours inTenable Vulnerability Management), or missing more complex sections of a site that require authentication or tuning for successful scans. These drawbacks are common with sites that have forums, blogs, a high volume of products, multiple languages, or a large number of pages.

• Authenticated Detailed Scans:While similar to non-tuned drill-through, this approach uses authentication. You can do this on the scan settings page or in the Tenable Chrome extension. In addition to the benefits of a non-optimized scan, authenticated scans log in as a user to test for potential issues.Sustainablerecommends that you never log in as an administrator user, especially in production (see the "Key considerations" section). Authentication requires that you create and maintain the test user account and update any unique site settings.

• Tight detailed scans:In addition to authentication, you can use other methods to optimize scans for speed or complexity (see “Key Considerations”). These refinements involve an initial time investment before implementation and may require semi-regular adjustments depending on the frequency of site updates.

Most programs start with a few scans based on the "SSL_TLS" or "Config Audit" templates to familiarize vulnerability managers with how to set up scans and review the results. They then move on to running an untuned scan using theTenable Web Application Analyticsscan template.

Timeouts are common when you first build your program. The default scan completion timeout inTenable Vulnerability Managementit is eight hours, and extending this may not "complete" the scan; this can only be achieved by tuning for higher speed.

It is feasible to run a program based on untuned scans while accepting the timeout. Because many web application vulnerabilities span multiple pages containing the same vulnerability, a scan is likely to automatically detect a significant proportion of vulnerabilities within hours.SustainableThe monitoring itself can confirm this. Tuned scans generally improve scan efficiency and accuracy only to a small degree and cost more time to refine scan settings.

Most mature organizations adjust scans at their most critical sites, which takes 10-20 minutes of effort per site and improves with operator experience. An organization's level of knowledge and resource availability can determine the percentage of sites that undergo detailed tuning. It's rare to see every site tuned in, especially in organizations with many websites. This is partly due to the dynamic nature of websites; they are often expanded or changed significantly every few years, and this requires a review of the scan configuration to accommodate the pace of test site development.

• Focus on the process first:start with theTenable Web Application Analytics"Scan" templates (a full set of checks) or an "Summary" scan (fewer checks but less impact). Familiarize yourself with the scanner output and work with your teams to incorporate the findings into your workflows. Develop your mitigation and resolution programs.

• Drill down into critical areas:Once you've established some of the basic procedures and identified the right owners within your organization for scanner output, start investing time in more advanced scans to gain better visibility into your most important sites.

• To take action:The scans return a significant amount of data to drive organizational action. Consider the potential consumers of the data. Developers want details to identify necessary fixes and improve over time. Management must know which sites bring the greatest risk to the business and therefore allocate resources. Security leadership needs general category information such as OWASP vulnerability categories so that all sites are focused on a specific vulnerability classification.

Use:Tenable Professional Services offers a highly recommendedquick start programfor new users ofTenable Web Application Analyticsexploration to help establish the mechanics of developing a new program. In addition, the ProServe team runs atallerEstablish internal processes and initial goals for developing a broader vulnerability management program. These services help organizations gain a solid foundation and understanding of effective cybersecurity programs and become familiar with the product. Contact your Tenable sales representative at

1. Identify where the location of the web application is:

   • public websites

     You can scan external websites fromTenable Vulnerability Managementusing internetTenable Web Application Analyticsor a local scanner.

   • private websites

     You can scan internal or intranet web applications fromTenable Vulnerability Managementusing a localTenable Web Application AnalyticsScanner.

2. Make sure the scanner has a network path to the destination:

   If the scanner cannot reach the web application, or cannot deliver input and retrieve results, the scan fails. Network restrictions, such as latency, can affect network scanning or controls (for example, host-based firewalls, network firewalls, network segregation, etc.). Always include internal web application scanners in your "allowed" list.

3. Scanner location can affect latency or server response times

   If there are too many timeouts during a scan, the session ends. Choose a scanner located as close to the targets as possible. Review the sitemap plugin attachments to check for long page load times or wait times. This can occur with too many concurrent tests on a slower server, a scanner that is not close enough to the web application (such as scanning Australia from a US scanner), or site settings that can result in longer load times. prolonged. Changing the location of the scanner can help prevent advanced settings resets that slow down the scanner. Counterintuitively, slow down thescan speed settingYou can speed up results on a slow responding site by reducing the query rate and adding less variability to returned queries.

4. The scanner acts as a user:

   The scanner can follow links, press buttons, and simulate a user's actions based on what they can access. There may be unwanted interaction on the site as a result of your site discovery phase. For example, if a user can send an email, the scanner can fill out forms and hit the "send email" button potentially more than once. The scanner has no context for any specific button action, unless you teach it or exclude the entire page or page element to prevent you from inadvertently pressing a button. (For more information, see our documentation onscope setting.) Note that excluding page elements to prevent such actions reduces scanning accuracy, so consider plans to scan sites like this in pre-production on a regular schedule.

5. The scanner acts like many users:

   With its default settings, the scanner can work as if multiple users were browsing the website at the same time. On servers with good capacity, the impact of this activity is typically minimal. However, if the status of the server is unknown, you can tune the speed of the scan, at least for the first test, to alert you to any potential site impacts due to concurrent sessions. For more details on setting up such a test, seeadvanced settings.

6. Customize the tuning for each site; It takes effort, but it's optional.

   Custom tuning generally applies to most websites because every web application is different. There are unique frameworks, sitemaps, third-party libraries, components, and custom code that work together. Your investment in optimized scans depends on resource availability, site criticality, and business impact.

7. When setting authentication, never run aTenable Web Application Analyticsscan as admin of the website in production, only in test or pre-production environments.

   Running a web application scan with administrator credentials could create or delete users, or perform other unwanted administrative functions.

8. By adjusting the speed, a rudimentary understanding of your sites can help speed up DAST scans.

   1. Review the sitemap plugin and the associated attachment.

   2. Adjust your settings: Increase "Network Timeout" or decrease "Maximum Concurrent Requests" and "Requests Per Second" if you experience significant page timeouts or discover average page response times greater than five seconds in the sitemap attachment.

   3. Consider speeding up your scan setup if you get sub-second responses and only minimal web server impact.

   4. Deduplicate site content: The scanner does not test the text, image, and video content of the site, only input fields and interactions. If you have redundant pages, such as a site that uses multiple languages ​​but has the same underlying code, you only need to test one language version of the site.

   5. Add more binary exclusions:Tenable Web Application Analyticsit doesn't "test" text, images or videos and decides which file extensions to exclude. Hescan scopeThe section provides a default set that you can tailor for a specific site.

   6. Prioritize critical URLs – Identify critical parts of the application, such as forms that may return sensitive data. Add those URLs to the scope of your tests, either via "include" in thescan scopesection or through a manual trace script. You can also consider whether these sites require pre-production testing.

9. When adjusting the complexity, use session recordings to train the scanner.

   You can do this using theSustainableChrome extension or Selenium IDE, and adding inside thescope sectionof a scan setup. With this process, you can perform a manual crawl to ensure that the scanner can test a very complex location within a site. For example, a site may require a specific series of button presses and a specific set of correct input values ​​to reach a page that is not otherwise available. You can record the steps to allow the scanner to play them back.

10. Determine if there is a web application firewall (WAF), web proxy, or load balancer between the scanner and the target:

    Some network devices may interfere with the scan or completely invalidate the results. You may think that it is enough to receive only the "remote" view of the results filtered by the firewall; however, WAF's built-in protections may only prevent one or two methods of executing the fault. Getting a complete picture of the true state of the site is imperative to making risk-based decisions. Configure your WAF to support bypass functionality to allow specific IPs or a combination of IPs and agent header strings to test and authorize inbound scanning. A list of Tenable scanner IP ranges is available here.

11. Some sites may require specific browser identities:

    Check if the application supports the default user agent (set to "WAS/%v" by default). If not, you may need a specific or commonly available header from a standard browser, such as Mozilla/5.0. Some server-side protections or a web application firewall may require a specific set of results. In this case, you can copy the user agent string from a known browser that can access the site successfully.

12. Target critical sites more carefully from the start:

    Is the target site production oriented or critical in some other way? What is the business impact if the web app scanner causes a service outage? Always perform the first scan of a site in a controlled manner, either with available personnel or within a pre-production environment. Once you understand the nature of the site, full automation can begin.