Tenable.io Vulnerability Management
Strengths: Solid implementation of a venerable vulnerability assessment tool, this one adds several dimensions of vulnerability management.
Weaknesses: We found the documentation, extensive as it is, lacking in some key concepts that would help deployment teams move faster in getting the product up and running.
Verdict: Well worth your time. This is a company with solid experience in the technology – and it shows.
Tenable.io Vulnerability Management is the latest iteration of commercial products built off of Nessus. Nessus is probably the most used and certainly the most recognised vulnerability assessment tool. There probably is not a security professional worth the name who has not used the free version of Nessus over the years. It is a strong - though somewhat limited - tool and gets used by lots of consultants.
That said, this latest iteration is excellent. However, we did run into a couple of glitches and they point to what we view as deficiencies in documentation, among other, very minor faults.
Tenable.io is a cloud-based vulnerability management platform featuring cloud, container security and web application vulnerability scanning, scoring, remediation and reporting.
Using a Tenable.io 60-day trial, we created an account and logged into the portal. The Cloud User Interface is clean and well-equipped with all of the navigation tools needed for linking scanners and agents into the Tenable cloud, as well as a "Help" button for access to supporting information.
Linking a default regional scanner and two virtual machine agents to the Tenable cloud went smoothly, although we struggled a bit with running a scan and received an error indicating "Scan forbidden - Rejected attempt to scan (IP Address), as it violates user-defined rules."
After attempting to resolve this error, re-running the scan and receiving the same error, we then emailed Tenable for additional assistance. A Tenable product specialist promptly emailed back that a "Scan forbidden" error can occur when attempting to use an external scanner for an agent scan within the Tenable.io platform. To scan using an agent, that agent must be part of an "Agent Group." Once the agent is part of a group, a "Basic Agent Scan" can be created using the group name. The email resolution response that we received from Tenable also included a visual click-by-click navigation video providing a quick and easy guide for changes needed. After applying the changes, we launched a new agent scan, which ran successfully, and completed with no errors found.
We searched the documentation for this solution and found none. It seems that users are supposed to know that you cannot scan a private address space from the internet. Of course we knew that. What we didn't know was how to configure the tool to use the internal agents for the scan. This was complicated by the fact that the internal agents had no trouble communicating with the mothership. So, we hit a wall until support showed us how to turn the agents into what we can think of as "mini-scanners."
There are a variety of dashboard and report templates available. Any of these can be added by clicking the "+New Dashboard" or "+New Reports" button. When a report is selected, Tenable.io provides a description of content, which can be useful when looking for specific vulnerability data requirements. Also available is an option to encrypt the report PDF, for added security.
Tenable.io supports Mac, Linux and Windows, with more than 86,000 plugins (checks), covering tens of thousands of unique CVE IDs and Bugtraq IDs for firewalls, operating systems, databases, web applications, virtual and cloud environments. The website is excellent with just about any link you might need, as well as access to the customer portal and support. Standard support is at no additional cost and there are fee-based premium support offerings, some very pricey.
(Judy Traub contributed to this review.)