
April 12, 2021 Timothy Chiu, VP of Marketing
Enhancing Tenable.io Web Application Scanner Results

With the movement to increase security testing during development, also known as “Shift Left”, Dynamic Application Security Testing (DAST) is one of the tools organizations use to improve their detection rate for vulnerabilities in custom web applications and application workloads. The goal of DAST is to reduce the number of vulnerabilities that reach production. Tenable.io’s Web Application Scanner (WAS) is one of the leading DAST tools available today; it black-box tests your web applications by sending attack payloads and inferring vulnerabilities from the responses the application sends back.

K2 is a Tenable.io Technology Partner

Tenable.io is one of K2’s technology partners, and K2’s vulnerability detection can enhance the results of a Tenable.io WAS test. K2’s Security Platform is a complementary addition to Tenable.io WAS that offers three significant benefits over a standalone Tenable.io WAS scan.

Benefits of K2 with Tenable.io WAS

  • Detect vulnerabilities missed by Tenable.io WAS
  • For every vulnerability detected (by K2 or by Tenable.io WAS), provide additional telemetry that lets developers remediate quickly, including proof of exploitability
  • Help identify possible false positives in the Tenable.io WAS results

No Change to the Tenable.io WAS Testing Environment

With K2 there is no change to the existing Tenable.io WAS test or environment. K2’s agent runs on the application server under test and uses standard application instrumentation, like that used for Application Performance Monitoring (APM). By running on the application server and instrumenting the running code, K2 gets visibility into the running application that Tenable.io WAS, which sees only the application’s responses, lacks.

How K2 Improves Application Security

K2’s solution sits on the same server as the application under test and has visibility into the execution of the code as it runs in memory. Tenable.io WAS tests from the edge and sees only what the application sends back; by residing on the server, K2 sees what happens inside the application while those requests are processed.

With this additional visibility, K2 can see vulnerabilities being triggered in code even when the responses returned to Tenable.io WAS do not indicate a vulnerability. In our testing with customers we typically find additional significant vulnerabilities that would have reached production had K2 not been part of the testing environment.

For vulnerabilities that Tenable.io WAS does discover, K2 adds significant telemetry to the details Tenable.io reports, including the exact location of the vulnerability down to the filename and line of code where it resides. K2 also provides proof of exploitability and a stack trace to help the developer remediate quickly.

K2 can also help identify false positives generated by a Tenable.io WAS scan. Because K2 resides on the application server and has that additional visibility, its agent can see that no vulnerable code path was triggered even though Tenable.io inferred a vulnerability from the response. Results matching this scenario are more likely to be false positives and can be triaged as such, reducing the time developers spend researching them.
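As an added illustration (not code from K2 or Tenable, and not a description of how the K2 agent is implemented), the following Python script stages the three scenarios above against a toy application: a black-box “scanner” that judges only from response bodies, and an in-process “agent” that hooks the SQL sink and records the file, line and call stack of the application code that let the probe reach it. The endpoints, handlers, scanner signatures and sample database are all constructed for the example.

```python
"""Toy DAST + runtime-agent correlation (constructed example, not K2 or Tenable code).
A black-box scanner only sees response bodies; an in-process agent hooks the SQL sink
and records where the probe actually reached it.  All names here are hypothetical."""
import sqlite3
import traceback
from dataclasses import dataclass

PROBE = "' OR '1'='1"  # constructed SQL-injection probe of the kind a DAST scanner sends


@dataclass
class SinkEvent:
    """Recorded by the agent when the probe reaches a SQL sink as code, not as a parameter."""
    endpoint: str
    sink: str
    file: str
    line: int
    function: str
    stack: list


class Agent:
    """Stand-in for an APM-style runtime agent with a single hook on the SQL sink."""
    def __init__(self):
        self.events = []
        self.current_endpoint = None  # set per request so each event maps back to the scan

    def cursor(self, conn):
        agent = self

        class InstrumentedCursor(sqlite3.Cursor):
            def execute(self, sql, params=()):
                # Probe text inside the SQL string (not in params) means the input
                # became code at the sink, whatever the HTTP response later says.
                if PROBE in sql:
                    frames = traceback.extract_stack()[:-1]  # drop this hook's own frame
                    caller = frames[-1]                       # application code issuing the query
                    agent.events.append(SinkEvent(
                        agent.current_endpoint, "sqlite3.Cursor.execute",
                        caller.filename, caller.lineno, caller.name,
                        [f"{f.name}:{f.lineno}" for f in frames[-3:]]))
                return super().execute(sql, params)

        return conn.cursor(factory=InstrumentedCursor)


# Three constructed request handlers; each returns the body the scanner would see.
def search(cur, term):
    # Vulnerable and visible: the injected condition changes the row count in the body.
    rows = cur.execute("SELECT name FROM items WHERE name = '" + term + "'").fetchall()
    return f"{len(rows)} results"

def exists(cur, term):
    # Same bug, but the body is constant, so a response-only scanner learns nothing.
    cur.execute("SELECT 1 FROM items WHERE name = '" + term + "'").fetchall()
    return "ok"

def guarded(cur, term):
    # Safe: quotes are rejected before any query runs, but the wording mimics a DB error.
    if "'" in term:
        return "SQL error: unsupported characters in input"
    rows = cur.execute("SELECT name FROM items WHERE name = ?", (term,)).fetchall()
    return f"{len(rows)} results"

HANDLERS = {"/search": search, "/exists": exists, "/guarded": guarded}
SQL_ERROR_SIGNS = ("SQL error", "SQL syntax", "OperationalError")  # crude scanner signatures


def dast_scan(app, endpoints):
    """Black-box pass: a benign baseline, then the probe; judged from bodies alone."""
    findings = set()
    for ep in endpoints:
        baseline = app(ep, "apple")
        probed = app(ep, PROBE)
        if any(s in probed for s in SQL_ERROR_SIGNS) or probed != baseline:
            findings.add(ep)
    return findings


def triage(dast_findings, agent_events):
    """Correlate the two views: confirmed, missed by DAST, suspected false positive."""
    seen = {e.endpoint for e in agent_events}
    return {
        "confirmed": sorted(dast_findings & seen),
        "missed_by_dast": sorted(seen - dast_findings),
        "suspected_false_positive": sorted(dast_findings - seen),
    }


def run_demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?)", [("apple",), ("pear",), ("plum",)])
    agent = Agent()
    cur = agent.cursor(conn)

    def app(endpoint, term):  # the "server": routes a request and tags it for the agent
        agent.current_endpoint = endpoint
        return HANDLERS[endpoint](cur, term)

    findings = dast_scan(app, list(HANDLERS))
    return triage(findings, agent.events), agent.events


if __name__ == "__main__":
    print(run_demo()[0])
```

Running run_demo() yields one confirmed finding (/search), one the scanner missed because the response never changed (/exists), and one the scanner flagged on a misleading error string that never reached a query (/guarded), which is the false-positive case; each agent event carries the handler name, file, line and the last few stack frames. The agent’s “no sink reached” verdict is evidence, not proof: it only covers the sinks it hooks, so treat the DAST-only bucket as a lower-priority triage queue rather than an automatic dismissal.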

Improve how you test your applications: include K2 Cyber Security in your Tenable.io Web Application Scanning and get results your developers can act on.

Find out more about K2 today by requesting a demo, or get your free trial.
