Tenable Web Application Scanning
Tenable Web Application Scanning (WAS), formerly Tenable.io Web Application Scanning, is a cloud-based application security tool that provides automated dynamic application security testing (DAST) to proactively identify and address vulnerabilities in web applications. You can bring site and security data from Tenable WAS into Brinqa to enhance your vulnerability management capabilities, therefore construct a unified view of your attack surface and strengthen your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Tenable WAS and how to obtain that information from Tenable. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Tenable.io Web App Scanning from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Tenable WAS with Brinqa:
-
API URL: The Tenable.io API URL. The default URL is
https://cloud.tenable.com. -
Access key and Secret key: The access key and secret key associated with the Tenable.io account, which must have permissions to log in to the API server and return data.
Generate Tenable.io access key and secret key
For the Tenable WAS connector to use the Tenable WAS API, you must provide the access key and secret key from Tenable.io. The Tenable WAS connector uses the same access key and secret key as the Tenable.io connector for authentication. If you are using both the Tenable.io and the Tenable WAS connector and you generate new API keys for the Tenable.io integration, you must update your Tenable WAS integration with the same keys.
In order for the Tenable WAS connector to successfully retrieve data from the Tenable WAS API, the access key and secret key must be tied to a Basic user role with Can View permissions. For additional information, see Tenable.io documentation on permissions.
Tenable does not allow retrieving the access key and secret key for an existing user, therefore, you must generate new keys instead. To generate a new access key and secret key for your own Tenable.io account, follow these steps:
-
Log in to your Tenable.io account.
-
Click the Menu button on the upper-left corner of the page. A navigation pane appears.
-
Click Settings, and then click My Account.
-
Click the User Account button on the upper-right corner of the page, and then click the API Keys tab.
-
Click Generate. The Generate API Keys window appears.
-
Review the warning on the page and click Generate.
Your new Tenable.io access key and secret key display. Copy the access key and secret key to a safe and secure location.
To generate a new access key and secret key for another user as an administrator, follow these steps:
-
Log in to your Tenable.io account as an administrator.
-
Click the Menu button on the upper-left corner of the page. A navigation pane appears.
-
Click Settings, and then click Access Control.
-
Click the name of the user for which you want to generate an access key and secret key. The Edit User page appears.
-
In the API Keys section, click Generate API Keys.
-
Review the warning on the page and click Replace & Generate.
The new Tenable.io access key and secret key display. Copy the access key and secret key to a safe and secure location.
If you do not have permissions to create Tenable.io access and secret keys, contact your Tenable.io administrator. For additional information, see Tenable.io documentation on API keys.
Additional settings
The Tenable WAS connector contains additional options for specific configuration:
-
Page size: The maximum number of records to get per API request. The default setting is 1000. It is not recommended to go over 1000.
-
Parallel requests: The maximum number of parallel API requests. The default setting is 8.
-
Maximum retries: The maximum number of times that the integration attempts to connect to the Tenable WAS API before giving up and reporting a failure. The default setting is 10.
Types of data to retrieve
The Tenable WAS connector can retrieve the following types of data from the Tenable WAS API:
Table 1: Data retrieved from Tenable WAS
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Site | Yes | Site |
| Vulnerability | Yes | Dynamic Code Finding |
| Vulnerability Definition | Yes | Dynamic Code Finding Definition |
The Tenable WAS connector does not currently support operation options for the types of data it retrieves.
For detailed steps on how to view the data retrieved from Tenable WAS in the Brinqa Platform, see How to view your data.
Attribute mappings
Click the tabs below to view the mappings between the source and the Brinqa data model attributes.
- Site
- Vulnerability
- Vulnerability Definition
Table 2: Site attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| input_name | Local variable |
| input_type | Local variable |
| is_page | Local variable |
| payload | Local variable |
| plugin_id | type |
| proof | Local variable |
| scan_id | Local variable |
| selector | Local variable |
| selector_url | Local variable |
| signature | Local variable |
| uri | uid, name |
Table 3: Vulnerability attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| created_at | firstFound |
| input_name | Local variable |
| input_type | Local variable |
| is_page | Local variable |
| output | results |
| payload | Local variable |
| plugin_id | type |
| proof | Local variable |
| request | request |
| response | response |
| scan_id | Local variable |
| selector | Local variable |
| selector_url | Local variable |
| signature | Local variable |
| uri | targets |
| vuln_id | uid |
Table 4: Vulnerability Definition attribute mappings
| Source Field Name | Maps to Attribute |
|---|---|
| cpe | affected |
| cves | cveIds, cveRecords |
| cwe | cweIds, weaknesses |
| cvss_base_score | Use CVSS calculator |
| cvss_base_score | Use CVSS calculator |
| cvss3_vector | Use CVSS calculator |
| cvss_vector | Use CVSS calculator |
| description | description |
| exploit_available | exploits |
| family | categories |
| name | name |
| owasp | tags |
| patch_published | patchAvailable, Local variable |
| plugin_id | uid |
| plugin_modified | sourceLastModified |
| plugin_published | publishedDate |
| policy | Local variable |
| risk_factor | severity, severityScore |
| see_also | references, Local variable |
| solution | recommendation |
| synopsis | summary |
| vuln_published | Local variable |
| wasc | tags |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Use CVSS calculator indicates that the CVSS (Common Vulnerability Scoring System) vectors and scores aren't directly mapped to a specific attribute on the UDM. Instead, a specialized library calculates the CVSS scores from the provided CVSS vector strings.
APIs
The Tenable WAS connector uses the Tenable WAS API v2. Specifically, it uses the following endpoints:
Table 5: Tenable WAS API v2 endpoints used by the connector
| Connector Object | API Endpoint |
|---|---|
| Vulnerability | POST https://cloud.tenable.com/was/v2/vulnerabilities/search |
| Vulnerability Definition | GET https://cloud.tenable.com/was/v2/plugins |
GET https://cloud.tenable.com/was/v2/plugins/{plugin_id} |
Changelog
The Tenable WAS connector has undergone the following changes:
3.1.16
- Addressed precision issues by changing the data type for CVSS scores from Float to Double.
3.1.15
- Changed the SOURCE_SEVERITY attribute to a String type.
- Added a SOURCE_SEVERITY_SCORE attribute in the Vulnerability Definition object.
3.1.12
- Added a new setting to configure maximum retries.
3.1.2
- Added a check for null or empty dates.
3.0.16
- Initial Integration+ release.