White paper
Get Started with Tenable Web App Scanning: Your Guide to DAST Implementation
Key takeaways
- Tenable Web App Scanning uses DAST to find previously undiscovered vulnerabilities and other risks in modern web application frameworks like SPA and those built using JavaScript.
- Effective DAST is not fully "push-button"; you must tune for the website or code you’re testing. In general, vulnerability management teams have limited understanding of the code that makes up each web application.
- A complex web application vulnerability can take up to 130 days to fully address, making mitigation and prioritization critical.
We know that scanning for vulnerabilities in web applications is significantly different from scanning for traditional vulnerabilities with Nessus, Nessus Agents, or Nessus Network Monitor. The legacy scanning template for Nessus is incompatible with modern web application technologies and frameworks such as JavaScript, HTML 5, AJAX, or single page applications (SPA), among others, potentially leaving your organization with an incomplete understanding of your web application security posture. Tenable Web App Scanning, part of the Tenable One Exposure Management Platform, goes beyond what’s possible in Nessus to enable comprehensive vulnerability scanning for modern web applications. Its accurate vulnerability coverage minimizes false positives and false negatives, ensuring that your security teams understand the true security risks in your web applications. It offers safe external scanning that ensures production web applications are not disrupted or delayed.
Nessus vs. Tenable Web App Scanning: Why dynamic testing finds unknown vulnerabilities
The core difference between traditional vulnerability scanning with Nessus and Tenable Web App Scanning lies in what each is designed to find. Nessus looks for known vulnerabilities (e.g., Common Vulnerabilities and Exposures (CVEs)). Tenable Web App Scanning (WAS) uses dynamic application security testing (DAST) to find unknown vulnerabilities. It tests your web applications against the OWASP Top 10 Web Application Security Risks and for risks in other third-party web components, exercising the application dynamically as the code runs. It typically finds previously undiscovered vulnerabilities by using techniques similar to those that attackers may use against your website. The OWASP Top 10 Web Application Security Risks is the benchmark report that outlines the most critical security risks for web applications. The vulnerabilities and other findings in this OWASP Top 10 list should be considered the most commonly abused web app security flaws, and therefore be prioritized for remediation.
The complexity of DAST: Authentication and tuning
DAST means evaluating the code as it is executing, potentially with varying inputs. There are unique structures, sitemaps, third-party libraries, components, and custom code that tie everything together. For these reasons, effective web app security can never be fully push-button; it requires tuning for factors such as authentication, speed, and complexity in the website or code you are testing.
Optimizing your scan results: 5 quick tips
Here are five tips for optimizing your Tenable Web App Scanning results:
- Identify where the web application is located (public or private).
- Ensure the scanner has a route, network-wise, to the target.
- Choose a scanner that is located as close as possible to the target to avoid issues of latency or server response times.
- Remember: the scanner will act as a user (or multiple users), following links and pushing buttons based on what it can gain access to.
- Map out whether there is a web application firewall (WAF), web proxy, or load balancer between the scanner and the target.
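The five tips above amount to a pre-flight check on scanner placement. As an added example (not Tenable code), the following Python script performs those checks for one target: it classifies each resolved address as public, private or loopback (tip 1), confirms a TCP route exists and measures connect latency (tips 2 and 3), and inspects response headers for signs of a WAF, proxy, CDN or load balancer in the path (tip 5). The header list is an assumed heuristic, not a Tenable detection signature.

```python
import ipaddress
import socket
import time
from urllib import error, request
from urllib.parse import urlparse

# Response headers that commonly betray a WAF, CDN, reverse proxy or load balancer
# in the path. Heuristic list picked for this example, not a Tenable signature.
INTERMEDIARY_HEADERS = {
    "via": "proxy", "x-cache": "cache/CDN", "x-served-by": "cache/CDN", "cf-ray": "WAF/CDN",
    "x-amz-cf-id": "CDN", "x-azure-ref": "CDN/front door", "x-sucuri-id": "WAF",
}

def address_scope(ip_text):
    """Tip 1: classify a resolved address as public, private or loopback."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_loopback:
        return "loopback"
    return "private" if ip.is_private or ip.is_link_local else "public"

def tcp_latency_ms(host, port, timeout=3.0):
    """Tips 2 and 3: prove a route exists and time the TCP connect; None if unreachable."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return round((time.monotonic() - start) * 1000, 1)
    except OSError:
        return None

def detect_intermediaries(headers):
    """Tip 5: list known intermediary headers present (case-insensitive)."""
    present = {k.lower() for k in headers}
    return sorted((n, k) for n, k in INTERMEDIARY_HEADERS.items() if n in present)

def probe_headers(url, timeout=5.0):
    """Fetch response headers for tip 5; an HTTP error response still has headers."""
    try:
        with request.urlopen(request.Request(url, method="HEAD"), timeout=timeout) as r:
            return dict(r.headers)
    except error.HTTPError as err:
        return dict(err.headers)
    except OSError:  # URLError, timeouts and DNS failures are all OSError subclasses
        return {}

def preflight(url):
    """Run every check for one target URL and return a summary dict."""
    parsed = urlparse(url)
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(parsed.hostname, port)})
    return {"target": parsed.hostname, "scopes": sorted({address_scope(a) for a in addrs}),
            "latency_ms": tcp_latency_ms(parsed.hostname, port),
            "intermediaries": detect_intermediaries(probe_headers(url))}
```

A "private" scope with a None latency usually means the internet-based scanner has no route and an on-premises scanner is required; any non-empty intermediaries list should be recorded before tuning, since a WAF or proxy changes what the scanner sees.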
Overcoming developer resistance and prioritizing risk
Your organization’s web app developers are likely to feel personally invested in their work and may not welcome DAST findings. Further complicating matters, web app vulnerability findings are often complex, and fixing them could require any combination of patches, configuration changes and code updates. It is not unusual for an organization to take up to 130 days to fully address a complex web app scanner finding, such as an SQL injection.
To address these challenges, you must bring in the product owners and other sponsors to support your developers. Help the developers understand the importance of a web app scanning program in the overall business security requirements. Help developers prioritize which web-related vulnerabilities are critical to address first.
Tenable Web App Scanning architectural overview and key scan types
Tenable Web App Scanning is available as an on-premises or SaaS-based solution. For deployment, you can use the internet-based web application vulnerability scanner or an on-premises scanner, depending on whether you are scanning public or private websites.
Tenable Web App Scanning provides several pre-built templates to meet the unique needs of each site. These include:
- Scan: The complete set of available checks; all other pre-built templates are a subset of this template, other than the API scan.
- Overview: A simplified version of the "Scan" template with several of the active tests removed to lower its impact and speed up the scan.
- SSL/TLS: A health check scan focused on the current state of the web server encryption settings and certificate state.
- API scan: A special template requiring additional configuration to describe the application programming interface (API) for assessing potential exposures. This includes some of the same tests as the “Scan” template but adds others unique to API endpoints.
Implementation methodology for Tenable Web App Scanning
Deployment methodology for Tenable Web App Scanning starts with confirming access to the Tenable Vulnerability Management platform and the Tenable Web App Scanning application. If you are new to the process, Tenable Professional Services offers a highly recommended quick-start program to help establish the mechanics of developing a new program.
Frequently asked questions
Explore how to effectively tune your DAST scans, manage authentication risks, and collaborate with developers to bridge the gap between security findings and remediation.
How is Tenable Web App Scanning (WAS) different from a traditional Nessus scan?
Traditional Nessus scans look for known vulnerabilities (CVEs), focusing on hosts and OS-level flaws. Tenable Web App Scanning uses DAST to find unknown vulnerabilities, testing web applications as the code executes, which is necessary for modern web languages and frameworks like JavaScript, HTML 5, and single page applications (SPA). Tenable Web App Scanning, for example, may find a SQL injection flaw, which can arise from database misconfiguration or from unconstrained input fields. Fixing a Nessus vulnerability typically requires a patch; fixing a web application flaw could include any combination of patches, configuration changes, and code updates.
What is the biggest risk when tuning a DAST scan for authentication?
When tuning Tenable Web App Scanning for authentication, a critical risk is running the scan using administrator credentials in production. This action could result in undesired administrative functions, such as creating or deleting users. Therefore, you should only run administrator-level scans in test or pre-production environments.
Why is tuning necessary for Tenable Web App Scanning?
Dynamic testing means evaluating the code as it is executing, potentially with varying inputs. Tenable Web App Scanning is not a fully push-button solution because web application architecture is bespoke, involving unique structures, sitemaps, and custom code. You must tune for the website or code you’re testing. Tuning — which may involve using session recordings to train the scanner — is required to accelerate scans, improve accuracy, and ensure coverage of all complex locations within a site.
How will my organization’s developers respond to Tenable Web App Scanning findings?
Hosts scanned with Nessus tend to be “cattle,” while web applications tend to be “pets.” The vulnerabilities that Nessus finds don’t usually have champions, but with web applications, developers have been known to comb through a 100-page DAST report for the one and only false negative, cry foul, and push to throw out the whole report as invalid or wrong. Make sure you bring in the product owners and other sponsors to support the developers, and help them understand the importance of a web application scanning program to your organization’s overall business risk management requirements. Help your organization's developers prioritize which web-related vulnerabilities are critical to address first.