Getting started with Tenable Web App Scanning (2023)

Tenable Vulnerability Management:

Agent Nesus:

There are significant differences between vulnerability scanning in web applications and traditional vulnerability scanning withsustainable nessus,Tenable Nessus AgentsoMonitor de red Tenable Nessus. As a result,Tenable Web Application Analytics(Tenable Web Application Analytics) requires a different approach to vulnerability assessment and management.

Tenable Web Application AnalyticsApplication topology

Tenable Web Application Analyticsoffers significant improvements over legacysustainable nessusweb application analysis policy based on:

  • The legacy scan template forsustainable nessusis incompatible with modern web application frameworks such as Javascript, HTML 5, AJAX, Single Page Applications (SPAs), etc., which can leave you with an incomplete understanding of your application's security posture Web.

  • Tenable Web Application Analyticsprovides a comprehensive vulnerability scan for modern web applications. Its accurate vulnerability coverage minimizes false positives and false negatives to ensure that security teams understand the true security risks in their web applications. It offers secure external scanning so that production web applications do not experience interruptions or delays.

  • Tenable Web Application Analyticsuses region-specific cloud scanners. There is no need for more scanners if the scope of your web application scan includes only publicly available assets. If your web applications are not public, your installation plan depends on where your web applications run and your organization's data storage needs.

Use the following sequence to set up and manage yourTenable Web Application Analyticsdeployment:

  1. Prepare
  2. install
  3. configure scans
  4. Configure additional settings


Before you begin, familiarize yourself withTenable Web Application Analyticsbasics to establish a deployment plan and analysis workflow for your deployment and configurations:

Types of Tenable Web Application Analytics Programs

There are several viable ways to operate a web application scanning program based on Dynamic Application Security Testing (DAST) technology. Most programs use some combination of each approach to meet the different needs of each site. The following list givesSustainablesupported scan templates:

  • Scan:The complete set of checks available that includes all other pre-built templates except API analysis.

  • General description:A simplified version of the "Scan" template without multiple active tests to reduce their impact and speed up the scan.
  • PCI:A special template used as part of the attestation offer thatSustainablesets the payment card industry (PCI) security standard. Only submissions to attestation consume PCI licenses; otherwise, this template is a simplified version of the "Scan" template.
  • SSL/TLS:A health check analysis focused on the current state of the web server's encryption configuration and the state of the certificate (for example, the time remaining on the certificate).

  • Configuration Audit:A compliance audit that detects externally visible web server configuration that external audit providers typically review to assess the health of a security program.

  • API scanning:A special template that requires further configuration to describe the application programming interface (API) so that the scanner can successfully detect relevant vulnerabilities.

Quick checks at surface level

Typically uses the "SSL_TLS" or "Config Audit" scan templates to run a quick test, often just a few minutes, on a more regular basis than deep scans to give you an overview of level checks superficial, like any certificate. encryption type and type issues with a given site or commonly exposed configuration parameters that are not best practices.

  • Untuned Detailed Scans:With no tuning or refinement required, this approach uses the "Scan" template to optimize detection of most vulnerabilities and simulates drive-by style attacks that sites commonly experience. These scans are quickly implemented and return valuable incremental visibility into the scan target while using basic validation to avoid obvious scan errors. However, this approach can lead to timeouts (such as the default of eight hours inTenable Vulnerability Management), or missing more complex sections of a site that require authentication or tuning for successful scans. These drawbacks are common with sites that have forums, blogs, a high volume of products, multiple languages, or a large number of pages.

  • Authenticated Detailed Scans:While similar to non-tuned drill-through, this approach uses authentication. You can do this on the scan settings page or in the Tenable Chrome extension. In addition to the benefits of a non-optimized scan, authenticated scans log in as a user to test for potential issues.Sustainablerecommends that you never log in as an administrator user, especially in production (see the "Key considerations" section). Authentication requires that you create and maintain the test user account and update any unique site settings.

  • Tight detailed scans:In addition to authentication, you can use other methods to optimize scans for speed or complexity (see “Key Considerations”). These refinements involve an initial time investment before implementation and may require semi-regular adjustments depending on the frequency of site updates.

pre-production scan

To limit scanner impact on a production site and maintain 100 percent uptime, you may consider integrating scans using theTenable Vulnerability ManagementAPI to trigger a scan based on a weekly or monthly build, or pre-production location on a regular schedule. This protects the most exposed production site which may differ from internal constructions. This scanning approach works to varying degrees with most mature organizations and is often dependent on site criticality and resource availability.

API scanning

Organizations are increasingly adopting APIs to power web applications, B2B transactions, mobile applications, and automation scenarios. You can assess these potential exposures by using the API scan template withinTenable Web Application Analyticsto provide critical visibility into more cyber risks. In general, the high risk and exposure are drivers for mature programs or organizations to scan APIs more frequently. Ultimately, as the security program develops, many organizations proactively identify all vulnerable locations to ensure complete coverage. This type of scanning may require more input from development staff and rely on an OpenAPI file to provide the endpoint definitions for the scanner to communicate with the API itself.

Deciding which Tenable web application scanner to use

Most programs start with a few scans based on the "SSL_TLS" or "Config Audit" templates to familiarize vulnerability managers with how to set up scans and review the results. They then move on to running an untuned scan using theTenable Web Application Analyticsscan template.

Timeouts are common when you first build your program. The default scan completion timeout inTenable Vulnerability Managementit is eight hours, and extending this may not "complete" the scan; this can only be achieved by tuning for higher speed.

It is feasible to run a program based on untuned scans while accepting the timeout. Because many web application vulnerabilities span multiple pages containing the same vulnerability, a scan is likely to automatically detect a significant proportion of vulnerabilities within hours.SustainableThe monitoring itself can confirm this. Tuned scans generally improve scan efficiency and accuracy only to a small degree and cost more time to refine scan settings.

Most mature organizations adjust scans at their most critical sites, which takes 10-20 minutes of effort per site and improves with operator experience. An organization's level of knowledge and resource availability can determine the percentage of sites that undergo detailed tuning. It's rare to see every site tuned in, especially in organizations with many websites. This is partly due to the dynamic nature of websites; they are often expanded or changed significantly every few years, and this requires a review of the scan configuration to accommodate the pace of test site development.

  • Focus on the process first:start with theTenable Web Application Analytics"Scan" templates (a full set of checks) or an "Summary" scan (fewer checks but less impact). Familiarize yourself with the scanner output and work with your teams to incorporate the findings into your workflows. Develop your mitigation and resolution programs.

  • Drill down into critical areas:Once you've established some of the basic procedures and identified the right owners within your organization for scanner output, start investing time in more advanced scans to gain better visibility into your most important sites.

  • To take action:The scans return a significant amount of data to drive organizational action. Consider the potential consumers of the data. Developers want details to identify necessary fixes and improve over time. Management must know which sites bring the greatest risk to the business and therefore allocate resources. Security leadership needs general category information such as OWASP vulnerability categories so that all sites are focused on a specific vulnerability classification.

Use:Tenable Professional Services offers a highly recommendedquick start programfor new users ofTenable Web Application Analyticsexploration to help establish the mechanics of developing a new program. In addition, the ProServe team runs atallerEstablish internal processes and initial goals for developing a broader vulnerability management program. These services help organizations gain a solid foundation and understanding of effective cybersecurity programs and become familiar with the product. Contact your Tenable sales representative at

Key considerations to optimize your scan results

  1. Identify where the location of the web application is:

    • public websites

      You can scan external websites fromTenable Vulnerability Managementusing internetTenable Web Application Analyticsor a local scanner.

    • private websites

      You can scan internal or intranet web applications fromTenable Vulnerability Managementusing a localTenable Web Application AnalyticsScanner.
  2. Make sure the scanner has a network path to the destination:

    If the scanner cannot reach the web application, or cannot deliver input and retrieve results, the scan fails. Network restrictions, such as latency, can affect network scanning or controls (for example, host-based firewalls, network firewalls, network segregation, etc.). Always include internal web application scanners in your "allowed" list.

  3. Scanner location can affect latency or server response times

    If there are too many timeouts during a scan, the session ends. Choose a scanner located as close to the targets as possible. Review the sitemap plugin attachments to check for long page load times or wait times. This can occur with too many concurrent tests on a slower server, a scanner that is not close enough to the web application (such as scanning Australia from a US scanner), or site settings that can result in longer load times. prolonged. Changing the location of the scanner can help prevent advanced settings resets that slow down the scanner. Counterintuitively, slow down thescan speed settingYou can speed up results on a slow responding site by reducing the query rate and adding less variability to returned queries.

  4. The scanner acts as a user:

    The scanner can follow links, press buttons, and simulate a user's actions based on what they can access. There may be unwanted interaction on the site as a result of your site discovery phase. For example, if a user can send an email, the scanner can fill out forms and hit the "send email" button potentially more than once. The scanner has no context for any specific button action, unless you teach it or exclude the entire page or page element to prevent you from inadvertently pressing a button. (For more information, see our documentation onscope setting.) Note that excluding page elements to prevent such actions reduces scanning accuracy, so consider plans to scan sites like this in pre-production on a regular schedule.

  5. The scanner acts like many users:

    With its default settings, the scanner can work as if multiple users were browsing the website at the same time. On servers with good capacity, the impact of this activity is typically minimal. However, if the status of the server is unknown, you can tune the speed of the scan, at least for the first test, to alert you to any potential site impacts due to concurrent sessions. For more details on setting up such a test, seeadvanced settings.

  6. Customize the tuning for each site; It takes effort, but it's optional.

    Custom tuning generally applies to most websites because every web application is different. There are unique frameworks, sitemaps, third-party libraries, components, and custom code that work together. Your investment in optimized scans depends on resource availability, site criticality, and business impact.

  7. When setting authentication, never run aTenable Web Application Analyticsscan as admin of the website in production, only in test or pre-production environments.

    Running a web application scan with administrator credentials could create or delete users, or perform other unwanted administrative functions.

  8. By adjusting the speed, a rudimentary understanding of your sites can help speed up DAST scans.

    1. Review the sitemap plugin and the associated attachment.
    2. Adjust your settings: Increase "Network Timeout" or decrease "Maximum Concurrent Requests" and "Requests Per Second" if you experience significant page timeouts or discover average page response times greater than five seconds in the sitemap attachment.

    3. Consider speeding up your scan setup if you get sub-second responses and only minimal web server impact.

    4. Deduplicate site content: The scanner does not test the text, image, and video content of the site, only input fields and interactions. If you have redundant pages, such as a site that uses multiple languages ​​but has the same underlying code, you only need to test one language version of the site.

    5. Add more binary exclusions:Tenable Web Application Analyticsit doesn't "test" text, images or videos and decides which file extensions to exclude. Hescan scopeThe section provides a default set that you can tailor for a specific site.

    6. Prioritize critical URLs – Identify critical parts of the application, such as forms that may return sensitive data. Add those URLs to the scope of your tests, either via "include" in thescan scopesection or through a manual trace script. You can also consider whether these sites require pre-production testing.

  9. When adjusting the complexity, use session recordings to train the scanner.

    You can do this using theSustainableChrome extension or Selenium IDE, and adding inside thescope sectionof a scan setup. With this process, you can perform a manual crawl to ensure that the scanner can test a very complex location within a site. For example, a site may require a specific series of button presses and a specific set of correct input values ​​to reach a page that is not otherwise available. You can record the steps to allow the scanner to play them back.

  10. Determine if there is a web application firewall (WAF), web proxy, or load balancer between the scanner and the target:

    Some network devices may interfere with the scan or completely invalidate the results. You may think that it is enough to receive only the "remote" view of the results filtered by the firewall; however, WAF's built-in protections may only prevent one or two methods of executing the fault. Getting a complete picture of the true state of the site is imperative to making risk-based decisions. Configure your WAF to support bypass functionality to allow specific IPs or a combination of IPs and agent header strings to test and authorize inbound scanning. A list of Tenable scanner IP ranges is available here.

  11. Some sites may require specific browser identities:

    Check if the application supports the default user agent (set to "WAS/%v" by default). If not, you may need a specific or commonly available header from a standard browser, such as Mozilla/5.0. Some server-side protections or a web application firewall may require a specific set of results. In this case, you can copy the user agent string from a known browser that can access the site successfully.

  12. Target critical sites more carefully from the start:

    Is the target site production oriented or critical in some other way? What is the business impact if the web app scanner causes a service outage? Always perform the first scan of a site in a controlled manner, either with available personnel or within a pre-production environment. Once you understand the nature of the site, full automation can begin.

For more information and guided product tours, visit ourTenable Product Education YouTube Channel. These short how-to videos explain how to make the best use ofTenable Web Application Analytics, including the authentication and tuning procedures mentioned above to help you protect your vulnerable web applications.


  1. Preparation for deployment

    1. Confirm the required access to theTenable Vulnerability Managementplatform andTenable Web Application Analyticsapplication.Create users with proper access toTenable Web Application Analyticsto scan and view the results. You can configure role-based access control (RBAC) to allow user access. You must have administrative credentials for configuration.

    2. Determine if you need a local scanner.You can deploy on-premises or cloud-based scanners and connect them toTenable Vulnerability Management. You can use these scanners in Internet-facing web applications and development or staging environments (if proper firewall rules are applied).

      HeTenable Core Scan + Tenable Web AppThe scanner supports installation on VMware (.ova), Hyper-V (.zip), or a physical machine (.ISO). You can deploy it locally on-premises or within a cloud-based development environment to scan non-Internet facing web applications.

      You can download local scannerhere. Check that you have the following:

      • Outbound access to through port 443 to communicate withTenable Vulnerability Management.
      • Inbound access via HTTPS on port 8000 for browser access to the admin interface.
  2. Identification and Planning

    1. Define security objectives.Why are we scanning, what do we hope to achieve, and what does success look like?

    2. Determine exploration priorities.Identify which target web applications are within the scope of the quick scan and which require further analysis.

    3. Ensure complete coverage.Determine if there are any other (possibly unidentified) web servers, services, or applications that you need to scan and how to find them.

  3. documentation

    1. Track everything.Produce and manage documentation that captures full details of the implementation requirements, the scanner resources deployed (if applicable), the web applications identified for the scan, and the setting you applied to the scans with accompanying justification.
    2. Communicate your findings. Establish reporting requirements to identify: recipients, level of detail, and frequency of distribution of reports. Developers may need PDF files, while ticketing systems require vulnerability details. Management often prefers a high-level summary of overall exposure and risk reduction.

configure scans

After you prepare your scan workflow and scope your web application assets, you can configure and run scans on those assets.

Sustainablerecommends that you first run high-level overview scans to help you determine the settings for configuring deeper scans.

  1. Do one of the following:

    • To configure and run general scans:

      1. Do one of the following:

        • To perform general analysis to determine which web application is being targetedTenable Web Application Analyticsscans by default, create a scan using theGeneral description scan template.
        • To perform a general scan to determine if your web application complies with common security industry standards, create a scan using theconfiguration audit scan template.

        Use: HeSustainable-Scan templates provided for general scans do not require authentication. However, the plugin's results from these scans can help you identify the types of credentials your web applications require for further analysis.

      2. Review the scan results, along with your scan strategy, and determine which configuration settings you want to adjust when running your standard web application scans.
    • To set up and run standard scans:

      1. Create a scan using the template that best meets your assessment needs:
        • To perform a full vulnerability scan, select theScantemplate.
        • To perform an analysis to determine if your web application correctly implements SSL/TLS public key encryption, select theSSL TLStemplate.
      2. (Optional) Configure your scan settings, including user permissions, andplugsettings.

        Use: You can also set yourcredentialsoptions in standard scans. However, you should add credentials only if your web application requires them for authentication.

      3. Monitor the status of the scan.
  2. Start the scan.
  3. View and analyze the results of your scan:
    • Analyze the findings.

    • Use the crawled sitemap as input for detailed analysis, tuning and optimization, review of page timeouts, page access time, errors, or opportunities to remove repetitive content.

    • Review the "Scan Notes" for any higher priority concerns, which may provide suggestions to improve the scan.

  4. Further tailor your scans to your business needs:
    1. Experiment with the advanced settings.Perform scan adjustment in some locations based on the data collected in the previous step. You can then update and deploy the analytics to the target web applications. For more information, see

      • scope setting
      • Evaluation Settings
      • advanced settings

    For a demonstration on scan tuningTenable Web Application Analytics, see the following video:

Use: With aTenable Web Application Analyticstrial license, you can run up to five scans simultaneously using your cloud scanners. You can run any number of scans simultaneously using local scanners.

Configure additional settings

Configure other features, if necessary, and refine your existing configurations:

  1. Addcredentialsto your scan:
    • If the scan must authenticate to the web application using methods required by your server's HTTP protocol,add HTTP server based authentication.
    • If the scan must authenticate to the web application using methods required by the web application,add web application authentication.
  2. download theTenable Web Application AnalyticsGoogle Chrome Extensionaset selenium credentials automatically.
  3. Consider more custom settings, such asscan settings, user permissions andplugsettings.

    Advice:Each application is unique. Running scans and analyzing the results reveal techniques that help you run scans more efficiently and ensure coverage of all areas of the application. Depending on the size or complexity of the web application, the scan may be completed and you can analyze the results for further optimization. Tenable strongly recommends that you review the "scan notes" after a scan is complete and the attachment to the sitemap plugin regularly.

Copyright ©2023Tenable, Inc. All rights reserved. Tenable, Nessus, Lumin, Assure, and the Tenable logo are registered trademarks of Tenable, Inc. or its affiliates. All other products or services are trademarks of their respective owners.


Top Articles
Latest Posts
Article information

Author: Rev. Porsche Oberbrunner

Last Updated: 04/24/2023

Views: 6167

Rating: 4.2 / 5 (53 voted)

Reviews: 84% of readers found this page helpful

Author information

Name: Rev. Porsche Oberbrunner

Birthday: 1994-06-25

Address: Suite 153 582 Lubowitz Walks, Port Alfredoborough, IN 72879-2838

Phone: +128413562823324

Job: IT Strategist

Hobby: Video gaming, Basketball, Web surfing, Book restoration, Jogging, Shooting, Fishing

Introduction: My name is Rev. Porsche Oberbrunner, I am a zany, graceful, talented, witty, determined, shiny, enchanting person who loves writing and wants to share my knowledge and understanding with you.