Tag Archives: Tenable.io

PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Management products

On May 21, I spoke at the PHDays 9 conference. I talked about new methods of Vulnerability Prioritization in the products of Vulnerability Management vendors.

PHDays9 new ways of prioritizing vulnerabilities

During my 15 minutes time slot I defined the problems that this new technology has to solve, showed why these problems could NOT be solved using existing frameworks (CVSS), described what we currently have on the market and, as usual, criticized VM vendors and theirs solutions a little bit. ?

Continue reading

Tenable IO WAS Chrome Extension

In the comments of the previous post about Tenable IO WAS Fergus Cooney mentioned a new Google Chrome extension for Tenable IO WAS, that should help in configuring scan Authentication setting. You can install it in Chrome Web Store.

Tenable IO WAS Chrome App

The idea is great. Authentication process in modern web applications is actually too complicated for Web Application Scanners. It is almost impossible to determine automatically which elements of the web interface should be clicked and where to enter the login and password. So it’s great that we can help scanner to do this with the Selenium script. And if Selenium IDE is somehow integrated into the scanner, it is even better. With Tenable.io Web Application Scanning Chrome extension you simply perform the authentication procedure in Chrome once manually, and the recorded script will be sent to Tenable IO WAS.

However, the actual implementation of this extension, IMHO, could be better.

Continue reading

First look at Tenable.io Web Application Scanner (WAS)

When Tenable firstly announced Web Application Security scanner as a part of their new Tenable.io platform, it was quite intriguing. Certainly, they already had some WAS functionality before in Nessus. For example, path traversal check was pretty good. But this functionality was quite fragmental and barely manageable. How Tenable now write in their docs: “Nessus is incompatible with modern web applications that rely on Javascript and are built on HTML5”.

First look at Tenable.io Web Application Scanner (WAS)

That’s why Nessus couldn’t be called fully functioning Web Application Scanning solution. However, Tenable.io WAS is a completely new story. The full description is available on official site. Here I will make a very fast review and give some comments.

Continue reading

My short review of “The Forrester Wave: Vulnerability Risk Management, Q1 2018”

Last week, March 14, Forrester presented new report about Vulnerability Risk Management (VRM) market. You can purchase it on official site for $2495 USD or get a free reprint on Rapid7 site. Thanks, Rapid7! I’ve read it and what to share my impressions.

Forrester VRM report2018

I was most surprised by the leaders of the “wave”. Ok, Rapid7 and Qualys, but BeyondTrust and NopSec? That’s unusual. As well as seeing Tenable out of the leaders. 🙂

The second thing is the set of products. We can see there traditional Vulnerability Management/Scanners vendors, vendors that make offline analysis of configuration files and vendors who analyse imported raw vulnerability scan data. I’m other words, it’s barely comparable products and vendors.

Continue reading

Tenable University: Nessus Certificate of Proficiency

Yesterday I finished “Nessus Certificate of Proficiency” learning plan at Tenable University and passed the final test. Here I would like to share my impressions.

Nessus Certificate test completed

First of all, few words about my motivation. I use Nessus literally every day at work. So, it was fun to check my knowledge. I already wrote about Tenable education portal in “Study Vulnerability Assessment in Tenable University for free” post. It’s free. It’s available for everyone on demand. However, Tenable customers get access to way more content.

At this moment there are four learning plan available for Tenable customers: for Nessus, Tenable.io, SecurityCenter and SecurityCenter Continuous View. Each learning plan consist of short video lessons grouped in courses and the final test.

Continue reading

Nessus Manager disappeared and Tenable.io On-Prem was announced

If you open Tenable Products page right now you will not see Nessus Manager there anymore.  Nessus Manager page “The Power of Nessus for Teams” was also deleted.

Tenable products

However, it is still mentioned in the product comparison. Agent-Based Scanning in SecurityCenter and SecurityCenter Continuous View “* Requires Tenable.io Vulnerability Management or Nessus Manager for agent management.”

Continue reading

New Nessus 7 Professional and the end of cost-effective Vulnerability Management (as we knew it)

It’s an epic and really sad news. 🙁

Nessus 7 release

When people asked me about the cost-effective solution for Vulnerability Management I usually answered: “Nessus Professional with some additional automation through Nessus API”.

With just a couple of Nessus Professional scanning nodes it was possible to scan all the infrastructure and network perimeter (see “Vulnerability Management for Network Perimeter“). Price for each node was fixed and reasonable. And you could make your any reports from the raw scan data, as you like it.

Nessus Pro was still were best choice even when Tenable:

  • Cut off master/slave functionality in Nessus and created “Nessus Manager”.
  • Changed API completely during the update from 5 to 6 version.
  • Gradually increased the price from $1,5k to $2,7k per scanning node per year.

But unfortunately it’s not anymore. End of an era.

And what is even more sad is that Tenable does not mention disabling the API and multi-user function in the main Nessus 7 marketing, as it never was, as if it’s not very important. Just look at “Announcing Nessus Professional v7” – not a word  about “API” or users. Only in additional link:

get more information Nessus7

Only there, in the text (not a video) there is an information about removed features.

The nice little things like “Easily transferable license” and “Emailed scan reports and custom report name / logo” do not make it any better.

So, what next?

Continue reading