by Cody Dumont
August 14, 2023
Web applications often have the ability to interface with system functions and critical databases to add or modify data. By design, web applications need to enable customers and users access to this data. This capability means that attackers are often able to leverage the same forms or other data entry methods to exploit flaws in web frameworks or other related software to bypass access controls. Web applications exist on remote servers or in cloud environments, and data is transmitted over public networks, presenting a very real and present attack path in the organization’s global attack vector. Web application security is a critical aspect to ensure the confidentiality, integrity, and availability of web applications. This report provides a combined view of data collected using the Tenable Web App Scanner and Tenable Vulnerability Management using Nessus.
Organizations need to know what web services are operating in the environment to ensure these web services are analyzed for current known vulnerabilities and attacks. Tenable Security Center along with Tenable Web App Scanning provides a thorough view of risks related to web services. Leveraging both scan methods enables the security operations team and application developers to see risk and threat vectors from application frameworks and vulnerabilities on the host servers themselves.
Security and compliance frameworks, such as the Open Web Application Security Project (OWASP) Top 10, provides risk managers insight into methods used by adversaries to exploit common flaws and misconfigurations. Tenable Web App Scanner attributes vulnerabilities using the Cross Reference field to link to all published OWASP versions. Upon completion of the web application scan, the vulnerabilities detected and linked to OWASP 2021 provide an industry best practice approach to mitigating vulnerabilities.
The report and its components are available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The report can be easily located in the Tenable Security Center Feed under the category Threat Detection & Vulnerability Assessments. The requirements for this report are:
- Tenable Security Center 6.2.0
- Tenable Nessus 10.5.4
- Tenable Web Application Scanner
Security leaders need to SEE everything, PREDICT what matters most and ACT to address cyber risk and effectively align cybersecurity initiatives with business objectives. Tenable Security Center discovers and analyzes assets continuously to provide an accurate and unified view of an organization's security posture.
Chapters
Executive Summary: The chapter provides a high-level view of web related vulnerabilities collected by Tenable Web App Scanner and Tenable Nessus. Through trending and comparative charts, security managers are able to view current and past health of web applications and the associated server assets.
SSL Related Vulnerabilities: This chapter provides the development team with information related to SSL, TLS and other encryption related vulnerabilities. The trending charts and tables enables risk migration teams to identify the affected assets and begin the remediation process.
Most Critical OWASP 2021 Vulnerabilities: This chapter combines the OWASP 2021 categories along with CVSSv3 categories to identify the top vulnerably that needs to be mitigated first. A series of tables and charts provide the vulnerability details and affected URL assets.
Web Application Vulnerabilities by Collection Method: This chapter provides a summarized list of all web application vulnerabilities from both Nessus and Tenable Web App Scanner. A series of tables and trend charts helps security operations teams and risk managers to track progress and focus efforts as needed.