Tenable Web App Scanning

Tenable Web App Scanning (WAS), formerly Tenable Web Application Scanning, is a cloud-based application security tool that provides automated dynamic application security testing (DAST) to proactively identify and address vulnerabilities in web applications. You can bring site and security data from Tenable WAS into Brinqa to enhance your vulnerability management capabilities, construct a unified view of your attack surface, and strengthen your cybersecurity posture.

This document details the information you must provide for the connector to authenticate with Tenable WAS and how to obtain that information from Tenable. See create a data integration for step-by-step instructions on setting up the integration.

Required connection settings

When setting up a data integration, select Tenable Web App Scanning from the Connector dropdown. If you cannot find the connector in the dropdown, make sure that you have installed it first. You must provide the following information to authenticate Tenable WAS with Brinqa:

  • API URL: The Tenable API URL. The default URL is https://cloud.tenable.com.

  • Access key and Secret key: The access key and secret key associated with the Tenable account, which must have permissions to log in to the API server and return data.

Generate Tenable access key and secret key

For the Tenable WAS connector to use the Tenable WAS API, you must provide the access key and secret key from Tenable. The Tenable WAS connector uses the same access key and secret key as the Tenable Vulnerability Management connector for authentication. If you are using both the Tenable Vulnerability Management and the Tenable WAS connector and you generate new API keys for the Tenable Vulnerability Management integration, you must update your Tenable WAS integration with the same keys.

In order for the Tenable WAS connector to successfully retrieve data from the Tenable WAS API, the access key and secret key must be tied to a Basic user role with Can View permissions. For additional information, see Tenable documentation on permissions.

Tenable does not allow retrieving the access key and secret key for an existing user, so you must generate new keys instead. To generate a new access key and secret key for your own Tenable account, follow these steps:

  1. Log in to your Tenable account.

  2. Click the Menu button on the upper-left corner of the page. A navigation pane appears.

  3. Click Settings, and then click My Account.

  4. Click the User Account button on the upper-right corner of the page, and then click the API Keys tab.

  5. Click Generate. The Generate API Keys window appears.

  6. Review the warning on the page and click Generate.

    Your new Tenable access key and secret key display. Copy the access key and secret key to a safe and secure location.

To generate a new access key and secret key for another user as an administrator, follow these steps:

  1. Log in to your Tenable account as an administrator.

  2. Click the Menu button on the upper-left corner of the page. A navigation pane appears.

  3. Click Settings, and then click Access Control.

  4. Click the name of the user for which you want to generate an access key and secret key. The Edit User page appears.

  5. In the API Keys section, click Generate API Keys.

  6. Review the warning on the page and click Replace & Generate.

    The new Tenable access key and secret key display. Copy the access key and secret key to a safe and secure location.

Note: If you do not have permissions to create Tenable access and secret keys, contact your Tenable administrator. For additional information, see Tenable documentation on API keys.

Additional settings

The Tenable WAS connector contains additional options for specific configuration:

  • Page size: The maximum number of records to get per API request. The default setting is 1000. It is not recommended to go over 1000.

  • Parallel requests: The maximum number of parallel API requests. The default setting is 8.

  • Maximum retries: The maximum number of times that the integration attempts to connect to the Tenable WAS API before giving up and reporting a failure. The default setting is 10.

Types of data to retrieve

The Tenable WAS connector can retrieve the following types of data from the Tenable WAS API:

Table 1: Data retrieved from Tenable WAS

| Connector Object | Required | Maps to Data Model |
| --- | --- | --- |
| Dynamic Code Finding | Yes | Dynamic Code Finding |
| Dynamic Code Finding Definition | Yes | Dynamic Code Finding Definition |
| Site | Yes | Site |

Info: For detailed steps on how to view the data retrieved from Tenable WAS in the Brinqa Platform, see How to view your data.

Attribute mappings

Expand the sections below to view the mappings between the source and the Brinqa data model attributes.

Dynamic Code Finding

Table 2: Dynamic Code Finding attribute mappings

| Source Field Name | Maps to Attribute |
| --- | --- |
| asset.uuid | targets |
| finding_id | uid, name |
| first_found | firstFound |
| last_found | lastFound |
| output | results |
| plugin.id | type |
| scan.uuid | Local variable |
| state | status, sourceStatus, statusCategory |
| url | url |

Dynamic Code Finding Definition

Table 3: Dynamic Code Finding Definition attribute mappings

| Source Field Name | Maps to Attribute |
| --- | --- |
| cpe | affected |
| cves | cveIds, cveRecords |
| cvss_base_score | Use CVSS calculator |
| cvss3_base_score | Use CVSS calculator |
| cvss_vector | Use CVSS calculator |
| cvss3_vector | Use CVSS calculator |
| cwe | weaknesses |
| description | description |
| exploit_available | exploits |
| family | categories |
| name | name |
| owasp | tags |
| patch_published | patchAvailable, Local variable |
| plugin_id | uid |
| plugin_modified | sourceLastModified |
| plugin_published | publishedDate |
| policy | Local variable |
| risk_factor | severity, sourceSeverity, severityScore |
| see_also | references |
| solution | recommendation |
| synopsis | summary |
| vuln_published | Local variable |
| wasc | tags |

Site

Table 4: Site attribute mappings

| Source Field Name | Maps to Attribute |
| --- | --- |
| asset.agent_names | Local variable |
| asset.agent_uuid | Local variable |
| asset.aws_availability_zone | Local variable |
| asset.aws_ec2_instance_ami_id | Local variable |
| asset.aws_ec2_instance_group_name | Local variable |
| asset.aws_ec2_instance_id | Local variable |
| asset.aws_ec2_instance_state_name | Local variable |
| asset.aws_ec2_instance_type | Local variable |
| asset.aws_ec2_name | name, Local variable |
| asset.aws_ec2_product_code | Local variable |
| asset.aws_owner_id | Local variable |
| asset.aws_region | Local variable |
| asset.aws_subnet_id | Local variable |
| asset.aws_vpc_id | Local variable |
| asset.azure_resource_id | Local variable |
| asset.azure_vm_id | Local variable |
| asset.created_at | sourceCreatedDate |
| asset.deleted_at | Local variable |
| asset.deleted_by | Local variable |
| asset.first_scan_time | Local variable |
| asset.first_seen | firstSeen |
| asset.fqdns | dnsNames, privateDnsName, publicDnsName |
| asset.gcp_instance_id | Local variable |
| asset.gcp_project_id | Local variable |
| asset.gcp_zone | Local variable |
| asset.has_agent | Local variable |
| asset.hostnames | hostname, hostnames |
| asset.id | uid |
| asset.ipv4s | privateIpAddresses, publicIpAddress, publicIpAddresses |
| asset.ipv6s | ipAddresses |
| asset.last_authenticated_scan_date | Local variable |
| asset.last_licensed_scan_date | Local variable |
| asset.last_scan_id | Local variable |
| asset.last_scan_time | lastScanned |
| asset.last_schedule_id | Local variable |
| asset.last_seen | lastSeen |
| asset.mac_addresses | macAddresses |
| asset.mcafee_epo_agent_guid | Local variable |
| asset.mcafee_epo_guid | Local variable |
| asset.network_id | Local variable |
| asset.operating_systems | operatingSystem, Local variable |
| asset.servicenow_sysid | Local variable |
| asset.sources | Local variable |
| asset.tags | tags |
| asset.terminated_at | status, Local variable |
| asset.terminated_by | Local variable |
| asset.updated_at | sourceLastModified |
| categories | categories |
| description | description |
| instanceId | instanceId |
| lastScan.name | Local variable |

Info: Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.

Use CVSS calculator indicates that the CVSS (Common Vulnerability Scoring System) vectors and scores aren't directly mapped to a specific attribute on the UDM. Instead, a specialized library calculates the CVSS scores from the provided CVSS vector strings.

Operation options

The Tenable WAS connector supports the following operation options:

Table 5: Operation options

| Connector Object | Option | All Possible Values | Description | Example |
| --- | --- | --- | --- | --- |
| Dynamic Code Finding, Site | chunk_size | Any number ranging from 100 to 10000 | Specifies the number of records that are exported in a batch. Tenable recommends not exceeding 5000. | Key: chunk_size Value: 100. This key and value combination only retrieves 100 records at a time. Once 100 records are exported, the next group of 100 records exports. |
| Dynamic Code Finding, Site | include_unlicensed | true, false | Filters data by whether or not to include unlicensed sites. | Key: include_unlicensed Value: true. This key and value combination retrieves data from both licensed and unlicensed sites. |
| Dynamic Code Finding, Site | sources | AWS, NESSUS_AGENT, PVS, NESSUS_SCAN, or WAS | A comma-separated list of sources that filter data by whether or not they are discovered by the specified source. | Key: sources Value: NESSUS_SCAN, AWS. This key and value combination only retrieves data from AWS or discovered in a Nessus scan. |

APIs

The Tenable WAS connector uses the Tenable WAS API v2. Specifically, it uses the following endpoints:

Table 6: Tenable WAS API Endpoints

| Connector Object | API Endpoint |
| --- | --- |
| Dynamic Code Finding | /was/v1/export/vulns |
| Dynamic Code Finding | /was/v1/export/vulns/{exportUuid}/cancel |
| Dynamic Code Finding | /was/v1/export/vulns/{exportUuid}/chunks/{chunkId} |
| Dynamic Code Finding | /was/v1/export/vulns/{exportUuid}/status |
| Dynamic Code Finding Definition | /was/v2/plugins |
| Dynamic Code Finding Definition | /was/v2/plugins/{plugin_id} |
| Site | /assets/export |
| Site | /assets/export/{exportUuid}/cancel |
| Site | /assets/export/{exportUuid}/chunks/{chunkId} |
| Site | /assets/export/{exportUuid}/status |
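
The Site export endpoints above follow a start, poll, fetch-chunks pattern with a cancel call for exports that never finish. The code below is an added example, not Brinqa's connector code: `send` and `fake_tenable` are hypothetical, and the response field names (`export_uuid`, `status`, `chunks_available`) and status values are assumptions about the Tenable export API that do not appear on this page.

```python
import time

def export_sites(send, chunk_size=1000, max_polls=10, delay=2.0):
    """Start an asset export, poll its status, then collect every chunk.
    send(method, path, body) is a hypothetical transport that attaches the
    API keys and returns parsed JSON."""
    if not 100 <= chunk_size <= 10000:
        raise ValueError("chunk_size must be between 100 and 10000")
    uuid = send("POST", "/assets/export", {"chunk_size": chunk_size})["export_uuid"]
    for _ in range(max_polls):
        status = send("GET", f"/assets/export/{uuid}/status", None)
        if status["status"] == "FINISHED":
            break
        if status["status"] in ("ERROR", "CANCELLED"):
            raise RuntimeError(f"export {uuid} ended as {status['status']}")
        time.sleep(delay)
    else:
        # Cancel rather than leave an abandoned export running on the tenant.
        send("POST", f"/assets/export/{uuid}/cancel", None)
        raise TimeoutError(f"export {uuid} not finished after {max_polls} polls")
    records = []
    for chunk_id in status["chunks_available"]:
        records.extend(send("GET", f"/assets/export/{uuid}/chunks/{chunk_id}", None))
    return records

def fake_tenable(polls_until_done):
    """Constructed offline stand-in for the API; returns (send, call log)."""
    calls = []
    def send(method, path, body):
        calls.append((method, path))
        if path == "/assets/export":
            return {"export_uuid": "example-uuid"}
        if path.endswith("/status"):
            done = sum(p.endswith("/status") for _, p in calls) >= polls_until_done
            return {"status": "FINISHED" if done else "PROCESSING",
                    "chunks_available": [1, 2] if done else []}
        if path.endswith("/cancel"):
            return {}
        # Any other path is a chunk download: return one constructed record.
        return [{"id": "site-" + path.rsplit("/", 1)[1]}]
    return send, calls

if __name__ == "__main__":
    send, calls = fake_tenable(polls_until_done=3)
    print(export_sites(send, chunk_size=100, delay=0), len(calls))
```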

Changelog

The Tenable WAS connector has undergone the following changes:

Note: This connector is part of a bundled release with other connectors from the same vendor. If a version shows "No change", it means that the connector version was updated for consistency as part of the bundle, but no functional changes were made to this specific connector. You can update to or skip this version without affecting your existing configuration.

Table 7: Tenable WAS Changelog

| Version | Description | Date Published |
| --- | --- | --- |
| 3.1.38 | No change. | February 3rd, 2026 |
| 3.1.37 | No change. | January 22nd, 2026 |
| 3.1.36 | Updated to use the Tenable WAS Exports API for data retrieval, improving data synchronization reliability and performance. | January 2nd, 2026 |
| 3.1.35 | No change. | August 26th, 2025 |
| 3.1.34 | No change. | August 11th, 2025 |
| 3.1.33 | No change. | July 10th, 2025 |
| 3.1.32 | Fixed an issue where the Dynamic Code Finding Definition object sync was failing. | July 1st, 2025 |
| 3.1.31 | The Tenable Web Application Scanning connector has been renamed to "Tenable Web App Scanning" to reflect Tenable's product name changes. This change only affects the connector label and does not impact functionality. You can update without making any changes to your existing configurations. | June 10th, 2025 |
| 3.1.16 | Addressed precision issues by changing the data type for CVSS scores from Float to Double. | January 18th, 2024 |
| 3.1.15 | Changed the SOURCE_SEVERITY attribute type on the Vulnerability object to a string. Added the SOURCE_SEVERITY_SCORE attribute to the Vulnerability Definition object. | December 17th, 2023 |
| 3.1.12 | Added a new additional setting to help manage API throttling and optimize API call handling: Maximum retries. | September 12th, 2023 |
| 3.1.2 | Added a check for null or empty dates. | June 29th, 2023 |
| 3.0.16 | Initial Integration+ release. | June 11th, 2023 |