PRODUCT COMPARISON: Tenable.io WAS vs Nessus WAS

Last updated 9/4/2018

Use the following tables to help you understand key differences between Tenable.io Web Application Scanning and the legacy Nessus Web Application Scanning product. Table 1 provides a high-level summary comparison, and Table 2 provides specific comparison details.

| Features | Tenable.io WAS | Legacy Nessus WAS |
|---|---|---|
| VM & WAS Unified Visibility | ✓ | - |
| Safe Scanning | ✓ | - |
| Advanced Authentication | ✓ | ✖︎ |
| Manual Crawling | ✓ | ✖︎ |
| OWASP Top 10 Project Support | ✓ | ✖︎ |
| Known Vulnerability Detection | - | ✓ |
| Unknown Vulnerability Detection | ✓ | - |
| Modern Framework Support | ✓ | ✖︎ |
| High Detection Accuracy | ✓ | - |

Table 1: Summary of capabilities between Tenable.io WAS and legacy Nessus WAS

| Features | Tenable.io WAS | Legacy Nessus WAS |
|---|---|---|
| VM & WAS Unified Visibility | Web application assets are integrated in the same Tenable.io dashboard as other assets automatically for unified visibility. | Web application assets can be integrated into SecurityCenter by creating additional filters to customize the dashboard. No asset integration is available in Tenable.io. |
| Safe Scanning | Users can create a list of blocked URLs to exclude from scans and define customized scan performance thresholds to avoid application disruption. | Users can define customized scan performance thresholds to avoid application disruption. |
| Advanced Authentication | Supports a broad range of authentication options such as forms, cookies, NTLM and Selenium scripts to address most web application requirements. Automatically detects when authentication is required and validates when authentication has been successfully configured. | Supports only login forms and cookie-based authentication. The product is unable to automatically detect or validate successful authentication. |
| Manual Crawling | Records manual crawling of web applications using Selenium to assess and validate user-defined workflows. This is an important capability for assessing Single Page Applications. | Manual crawling is not available. |
| OWASP Top 10 Project Support | The product is purpose-built for the OWASP Top 10 and provides out-of-the-box vulnerability assessment and reporting aligned to OWASP risk categories. | OWASP Top 10 is not supported out-of-the-box. Users can create custom dashboards to manually align specific vulnerabilities to OWASP risk categories. |
| Known Vulnerability Detection | Detects known or specified vulnerabilities related to Content Management Systems (WordPress, Joomla! and Drupal). New CVE plugins supporting web application servers, language engines, web frameworks and JavaScript libraries will be available in 3Q 2018. | Supports a leading range of known or specified vulnerabilities based on CVE plugins. |
| Unknown Vulnerability Detection | Detects unknown or unspecified vulnerabilities in support of OWASP Top 10 without the need for specific CVE plugins. | Provides detection of generic cross-site scripting and injection vulnerabilities in support of OWASP Top 10. |
| Modern Framework Support | Supports web applications built with modern web frameworks such as HTML5, JavaScript, AJAX and Single Page Applications, as well as traditional web frameworks. | Modern web framework support is not available. |
| High Detection Accuracy | Leading vulnerability detection accuracy with minimal false positives and negatives across all web applications. | Strong vulnerability detection accuracy across web applications built using traditional frameworks. |

Table 2: Details of capabilities between Tenable.io WAS and legacy Nessus WAS

For More Information: Please visit tenable.com
Contact Us: Please email us at sales@tenable.com or visit tenable.com/contact

COPYRIGHT 2018 TENABLE, INC. ALL RIGHTS RESERVED. TENABLE NETWORK SECURITY, NESSUS, SECURITYCENTER, SECURITYCENTER CONTINUOUS VIEW AND LOG CORRELATION ENGINE ARE REGISTERED TRADEMARKS OF TENABLE, INC. TENABLE, TENABLE.IO, ASSURE, AND THE CYBER EXPOSURE COMPANY ARE TRADEMARKS OF TENABLE, INC. ALL OTHER PRODUCTS OR SERVICES ARE TRADEMARKS OF THEIR RESPECTIVE OWNERS.