Try Tenable.io Vulnerability Management
Run your first scan in under 60 seconds.
What is Tenable.io™?
Tenable.io is the first cloud-based vulnerability management platform built for today’s modern IT assets, like cloud, containers and web applications.
Tenable.io brings clarity to your security and compliance posture. Built on the leading Nessus® technology from Tenable, Tenable.io delivers a fresh, asset-based approach that accurately tracks your resources, while accommodating dynamic assets like cloud and containers. To maximize visibility and insight, Tenable.io effectively prioritizes your vulnerabilities while seamlessly integrating into your environment.
Tenable.io offers applications that address specific security needs, including Tenable.io Vulnerability Management, Tenable.io Web Application Scanning and Tenable.io Container Security. Tenable.io applications can be licensed individually; there are no prerequisites or co-purchase requirements.
How can I learn more about Tenable.io?
How can I evaluate Tenable.io applications?
Please register for a free evaluation of Tenable.io by visiting http://www.tenable.com/how-to-buy
How can I buy Tenable.io applications?
Can I license Tenable.io applications individually?
Yes. Tenable.io applications can all be licensed individually. For example, Tenable.io Container Security and Tenable.io Web Application Scanning can be licensed on their own, without Tenable.io Vulnerability Management.
How is Tenable.io Vulnerability Management priced and licensed?
Tenable.io Vulnerability Management is licensed by annual subscription and priced by asset, rather than by IP address. This enables customers to embrace new technologies like cloud without fear of double-counting.
For more information on pricing and licensing, please see the section below.
How is an asset defined?
An asset is an entity that can be analyzed. Examples include desktops, laptops, servers, storage devices, network devices, phones, tablets, virtual machines, cloud instances and containers.
For more information on pricing and licensing, please see the section below.
How are other Tenable.io applications priced and licensed?
Both Tenable.io Container Security and Web Application Scanning are licensed by annual subscription and priced by asset quantity. Tenable.io Container Security is priced by total storage volume of unique container image layers assessed by the product, and Tenable.io Web Application Scanning is priced by total number of fully qualified domain names (FQDN) assessed by the product.
For more information on pricing and licensing, please see the section below.
Does Tenable offer a service level agreement (SLA) for Tenable.io?
Yes, Tenable provides the vulnerability management industry’s first uptime guarantee through a robust service level agreement (SLA) for Tenable.io. Service credits are offered if the SLA is not met, just like leading cloud vendors such as Amazon Web Services.
Where can I find documentation on Tenable.io?
Technical documentation for all Tenable products, including Tenable.io, can be found at https://docs.tenable.com/
What IPs does Tenable use for scanning from the cloud?
Does the release of Tenable.io impact SecurityCenter / SecurityCenter CV?
No. There is no impact on SecurityCenter / SecurityCenter CV or our customers who use these products. While Tenable.io is the evolution of our cloud-based vulnerability management solution, we have a strong ongoing commitment to SecurityCenter.
Can I use both SecurityCenter and Tenable.io?
Yes. You can use both solutions, and we expect many SecurityCenter / SecurityCenter CV customers will be interested in using Tenable.io Web Application Scanning, Tenable.io PCI/ASV, and/or Tenable.io Container Security alongside SecurityCenter.
Can I migrate from SecurityCenter / SecurityCenter CV to Tenable.io?
Yes. For customers who are interested, there are a range of options to smoothly migrate from SecurityCenter to Tenable.io, with full support from Tenable or your certified partner. For more information, please contact your Tenable Certified Partner or Tenable representative.
What is Tenable.io Web Application Scanning?
Tenable.io Web Application Scanning provides comprehensive vulnerability scanning for modern web applications. Its accurate vulnerability coverage minimizes false positives and negatives, ensuring security teams understand the true security risks in their web applications.
The product offers safe external scanning that ensures production web applications, even those built using HTML5 and AJAX frameworks, are not disrupted or delayed. When issues are identified, security teams can view an intuitive dashboard that presents the information needed to assess and manage vulnerabilities.
Where can I learn more about or evaluate Tenable.io Web Application Scanning?
For more information about Tenable.io Web Application Scanning, please visit the Tenable.io product page. Please register for a free evaluation by visiting tenable.com/try-was or contact your Tenable certified partner or Tenable representative for more information.
Does the product scan source code or perform static analysis?
No. Tenable.io Web Application Scanning is a dynamic application security testing (DAST) solution that tests a web application “from the outside” when the application is running in a test or production environment.
What is Tenable.io Container Security?
As the only container security offering integrated into a vulnerability management platform, Tenable.io™ Container Security continuously monitors container images for vulnerabilities, malware and enterprise policy compliance. By bringing security into the container build process up front, organizations can gain visibility into the hidden security risks present in containers and remediate them before they reach production, without slowing innovation cycles.
Based on FlawCheck technology, Tenable.io Container Security stores container images and scans them as they are built. It provides vulnerability and malware detection, along with continuous monitoring of container images. By integrating with the continuous integration and continuous deployment (CI/CD) systems that build container images, Tenable.io Container Security ensures every container reaching production is secure and compliant with enterprise policy.
Where can I learn more about or evaluate Tenable.io Container Security?
Elastic Asset Licensing Questions
Elastic Asset Licensing, built into Tenable.io Vulnerability Management (VM), is an innovation that aligns vulnerability management licensing with today’s elastic IT environments. Elastic Asset Licensing avoids double counting assets that have multiple and/or changing IP addresses. Additionally, it automatically reclaims licenses from assets that have not been recently scanned, including retired assets and assets that may have been inadvertently scanned.
What is Tenable.io VM Elastic Asset Licensing?
Elastic Asset Licensing partners Tenable with customers to cost-effectively secure customer networks. It includes the following features:
- Assets, not IPs: Tenable.io Vulnerability Management analyzes multiple asset attributes, not just IP addresses, to identify an asset. A proprietary algorithm matches newly discovered assets with already discovered assets to eliminate double-counting and ensure more accurate vulnerability reporting.
- Balanced, not high-water licensing: Tenable.io Vulnerability Management allocates licenses only to assets that have been seen in the previous 90 days. It automatically reclaims licenses for assets that have been decommissioned, scanned inadvertently or are active infrequently. Tenable.io Vulnerability Management retains the vulnerability and configuration data from those assets so there is no downside to automated license reclamation.
- True-up, not lock-out: Tenable.io Vulnerability Management enables customers to monitor and adjust license consumption and then true up when necessary. It does not automatically lock out functionality if the license is temporarily exceeded.
What are the benefits of Elastic Asset Licensing?
The primary benefits are:
- Customers purchase the right amount of licenses, based on asset quantities, not inflated IP counts.
- Customers avoid time-consuming and often inaccurate projects needed to reclaim licenses from decommissioned and/or inadvertently scanned assets.
- Vulnerability management metrics are not corrupted by double and triple counting vulnerabilities for assets that have multiple IP addresses.
Can Tenable.io VM customers scan more assets than licensed?
Yes, on a temporary basis, customers can exceed the licensed number of assets. Of course, customers need to true-up when license counts continue to be exceeded.
How can Tenable.io Vulnerability Management customers determine license status?
The Tenable.io Vulnerability Management user interface displays both the licensed number of assets and the actual license usage.
What is an asset?
An asset is an entity that can be analyzed. Examples include desktops, laptops, servers, storage devices, network devices, phones, tablets, VMs, hypervisors and containers.
How does Tenable.io VM identify an asset?
When Tenable.io Vulnerability Management first discovers an asset, it gathers multiple identification attributes, which may include a BIOS UUID, the system’s MAC Address, NetBIOS name, FQDN, and/or other attributes that can be used to reliably identify an asset. Additionally, authenticated scanning and Nessus agents assign a Tenable UUID to the device. When Tenable.io Vulnerability Management subsequently scans an asset, it compares it to previously discovered assets. If the newly discovered asset does not match a previously discovered asset, the asset is added to the Tenable.io Vulnerability Management asset inventory.
How are assets different than IPs?
IPs are typically a property of an asset, and many assets have multiple IPs assigned (such as DHCP devices, systems with both wired and wireless interfaces, etc.).
Why are asset counts likely to be lower than IP counts?
Frequently, assets have multiple network interface cards, enabling them to be accessed by multiple networks. As examples, a web server may have simultaneously been on a production network and an administrative network, or a laptop will often have both a wired and wireless network interface. Additionally, laptops often get new IPs as they move from one location to another. If they are scanned with one IP and then another, they will be counted twice.
How can prospects estimate their asset count?
Tenable.io VM supports unlimited discovery scans using both active and passive sensors. Customers can use these scans to comprehensively inventory all of their assets and determine the appropriate license size.
How do you avoid counting the same asset multiple times?
Tenable.io supports a variety of methodologies to avoid double- or triple- counting the same asset for calculating the appropriate licensing size. With traditional assets, Tenable.io VM uses proprietary algorithm that matches newly discovered assets with already discovered assets to eliminate duplicates and ensure more accurate vulnerability reporting. With Docker containers, Tenable.io Container Security identifies Docker layers used multiple times across your container registries and removes them in the licensing calculation. In other words, when a Docker layer is used in multiple tags, in multiple images or in multiple registries, that layer is only counted once toward the cost of a product license.
Data Security and Privacy Questions
Customer data security and privacy is the top priority of Tenable. Thousands of customers, including financial service providers, healthcare providers, retailers, educational institutions and government agencies trust Tenable with their vulnerability data in our cloud platform.
Data security and privacy include not allowing customers to access any data other than their own and ensuring that any non-customer, hacker, bad actor or unauthorized Tenable representative cannot access, disclose, copy or otherwise violate the privacy and protection of the customers' data stored in the Tenable.io service.
Tenable also focuses on the availability and reliability of the Tenable.io service because poor security controls can create problems that, while not a risk to customers’ data, can affect the service availability. Tenable implements and enforces measures to make Tenable.io highly available, guarded against attacks or simple faults and outages, and always usable for our customers.
Tenable.io uses state-of-the-art container technology to create and segregate customer environments. All customer accounts, vulnerability data and user settings are contained within a container uniquely allocated to each specific customer. Data contained within one container cannot leak or otherwise be intermingled with another container, thus ensuring the privacy, security and independence of each customer environment.
What customer data does Tenable.io manage?
Ultimately, the customer data Tenable.io manages has a single purpose: to deliver an exceptional experience as customers manage assets and vulnerabilities to secure their environments. To that end, Tenable.io manages three categories of customer data:
- Asset and vulnerability data
- Environmental performance data
- Customer usage data
What customer asset and vulnerability data does Tenable.io manage?
Tenable.io inventories assets on customers’ networks and manages asset attributes that may include IP address, MAC address, NetBIOS name, operating system and version, active ports and more.
Tenable.io collects detailed current and historical vulnerability and configuration data, which may include criticality, exploitability and remediation status and network activity. Additionally, if customers enhance Tenable.io data with integrations to third-party products, such as asset management systems and patch management systems, Tenable.io may manage data from those products.
Does Tenable analyze or use customer data?
Currently, Tenable does not analyze customer data in any way. However in the future, Tenable may anonymize and analyze customer data for the purpose of determining trends in the industry, trends in vulnerability growth and mitigation, and trends in security events. For example, correlating the presence of a vulnerability with its exploitation would have enormous benefits to Tenable customers. Additional benefits include advanced analytics and improved correlation of customer data with industry and security events and trends. Collecting and analyzing such data also would allow customers to baseline themselves against others in the industry or overall. Tenable will provide a method for customers to opt out if desired.
What Tenable.io health and status data is collected?
To maintain Tenable.io performance and availability and deliver the best possible user experience, Tenable.io collects customer-specific application status and health information. This includes how often the scanner communicates to the platform, the number of scanned assets and versions of software deployed, as well as other general telemetry to identify and address potential issues as soon as possible.
Can customers opt out of health and status data collection?
Tenable uses health and status data to detect and address potential issues in a timely manner, thereby maintaining SLA commitments. Therefore, customers cannot opt out of this data collection.
What Tenable.io usage data is collected?
To evaluate and improve customer experience, Tenable collects anonymized user usage data. This data includes page access, clicks and other user activity which give the user a voice into streamlining and improving the user experience.
Can users opt out of usage data collection?
Yes. A customer can request that their container no longer be part of the collection process.
Where is Tenable.io customer data located?
Tenable.io is currently hosted on Amazon Web Services. The AWS cloud allows Tenable.io to quickly scale, meeting even the largest customer’s needs while maintaining a secure foundation.
Where is customer data located?
Tenable uses data centers and services from Amazon Web Services (AWS) to provide and deliver Tenable.io to customers. By default, Tenable will choose to create a customer container in the region that is most appropriate to ensure the best possible experience for that customer. Current locations are:
- US / N. Virginia, N. California
- EU / Germany
- APAC / Singapore
By exception, if prior to deployment, a customer requests a specific AWS region, Tenable will activate the customer in that region.
As all customer data is stored in secure, regional AWS services, the certifications for EU data protection that AWS maintains apply to the Tenable Cloud. More information is available https://aws.amazon.com/compliance/eu-data-protection/.
Will Tenable.io support additional countries in the future? If so, what is the timeframe?
Yes. However, the timeframe of additional locations is not yet determined.
Can data be stored in AWS regions other than the original region?
There are situations where data could be stored in regions other than the initial AWS region.
- Tenable.io customers can run external scans using the public, shared scanning pools available in a number of AWS regions. Choosing a scanner close to the target will generally result in faster scans. Note that when a customer uses a cloud scanner in a different locality than the one hosting their account, scan data will temporarily exist outside the account’s hosting locality, but it is not stored. For example, if a customer with an account hosted in EU / Germany scans with a scanner in US / N. Virginia, the scan data will temporarily pass through the USA before being stored in Frankfurt. If data locality is an issue, customers should only do external scans with cloud scanners in their region. This is easily selectable on a per-scan basis.
- If a customer is using Tenable SecurityCenter®, their scan data is not stored in the cloud, even if they are using Tenable.io to scan part of their entire infrastructure.
- Nessus Agent scan data is stored in Tenable.io when customers run scans from Tenable.io. If customers are running agent scans with Nessus Manager, that data will not be stored in Tenable.io, regardless of where the agents are deployed.
- Currently, scans submitted to Tenable for PCI ASV validation are stored in the USA.
Can a customer force data to remain in a specific location/country, even in a failover situation?
This is not supported. Ensuring the platform is available for all our customer will take precedence over an individual customer's concern.
How is customer data protected within Tenable.io?
Tenable applies multiple security measures to deliver Tenable.io data security and privacy.
What physical security is provided?
Tenable uses data centers and services from Amazon Web Services (AWS) to provide and deliver Tenable.io services to customers. AWS is responsible for policies and controls for physical and environmental security of its datacenters and offers documentation on its practices via its website at https://aws.amazon.com/compliance/.
AWS maintains many certifications, including ISO 9001 and 27001, CSP Level 3, and SOC 3. Its current certifications are available on its website at https://aws.amazon.com/compliance/published-certifications/.
Tenable.io is available in the AWS GovCloud region, which has additional US federal government certifications. For the Department of Defense, the US-East and US-West regions have a DoD Level 2 PA, and for GovCloud, AWS has a Level 2 and Level 4 DoD PA. More information is available at https://aws.amazon.com/compliance/dod/.
How does Tenable perform secure development?
Tenable follows a number of practices to ensure security of Tenable.io application software.
Testing is done by three separate groups within Tenable:
- Security testing is done by the development team;
- The Tenable IT Security team performs vulnerability testing on Tenable.io both before and after deployment (post-deployment tests are unscheduled with no advance warning to other teams); and
- Tenable provides additional security review of source code and changes prior to deployment.
All software deployment is automated and performed only via the build system, which is authenticated via corporate LDAP credentials or by Ansible, which is authenticated using SSH private keys. All deployments are logged and tracked, and notification of deployment action (planned or unplanned) is automatically sent to the Tenable development team.
All changes to the source code are tracked and linked to the release where that change gets installed. This tracking ensures that there is a complete history of every change, who made it, when it was made, and finally, when the change was deployed into production.
Each deployment is approved by at least two Tenable team members. All changes and deployments are broadcast to all team members. Software is first deployed to test environments, and then deployed in a "rolling fashion" to production instances over a window of time.
What customer application security is available?
- Ensuring access to Tenable.io in a secure and authorized manner is a high priority for our development and operations teams. Tenable.io provides a number of mechanisms to keep customer data secure and control access. We protect against brute force attacks by locking accounts out after five (5) failed login attempts.
- To protect from data interceptions all communication to the platform is encrypted via SSL (TLS-1.2). Further, older insecure SSL negotiations are rejected to ensure the highest level of protection.
- To protect access to the platform customers can configure two-factor authentication through services provided by Twillo.
- Customers can integrate Tenable.io with their SAML deployment. Tenable.io supports both IdP and SP initiated requests. Lastly, users can reset their password directly inside of the application using their email address.
- Customers often build customer connections to Tenable.io using our documented APIs or SDKs. Access can be granted and controlled by the creation of specific APIs "keys.” Using different keys for different integrations is supported without having to share user credentials.
How is customer data protected?
Tenable applies multiple security measures to deliver Tenable.io data security and privacy.
How is data at rest encrypted?
Tenable believes that the protection customer data is our number one goal. We have implemented numerous protections to ensure customer data is properly isolated and encrypted.
- At rest all customer data collected are encrypted using AES-256 encryption.
- All customer data in motion is encrypted using TLS v1.2 with a 4096-bit key. This includes browser, API and intra-application communication.
- All customer data is marked with a "container ID", which corresponds to a single customer subscription. This container ID assures that access to a customer’s data is limited to only that customer.
Can customers upload their own keys?
Key management is not customer configurable. Tenable manages the keys and key rotation.
Has Tenable achieved any privacy or security certifications?
Tenable has completed the Cloud Security Alliance (CSA) STAR self-assessment. Tenable responses to the Consensus Assessment Initiative Questionnaire (CAIQ) answer a set of over 140 security related questions a Tenable.io prospect, customer or partner may require. CSA STAR is the industry’s most powerful program for security assurance in the cloud. STAR (Security Trust & Assurance Registry) encompasses key principles of transparency, rigorous auditing, and harmonization of standards, including indications of best practices and validation of security posture of cloud offerings.
How is Personally Identifiable Information (PII) protected?
The Tenable.io platform makes every effort not to collect PII data types in a format that would require additional certifications or security measures. This includes credit card numbers, Social Security numbers and other custom checks. Where Tenable plug-ins capture character strings that may contain sensitive or personal information, the platform will automatically obfuscate at least 50% of the characters to protect data that may be sensitive.
Is customer data separated?
Each customer’s data is marked with a "container ID,” which corresponds to a specific customer subscription. This container ID assures that access to a customer’s data is limited to only that customer.
What security controls protect Tenable.io?
- Daily vulnerability scans are performed by Tenable.
- Firewalls and network segmentation control access.
- Automated tools and processes monitor the Tenable.io platform for uptime, performance and to detect anomalous behavior.
- Logs are monitored with automation 24/7/365 and Tenable staff are available 24/7/365 to respond to events.
How are Tenable.io sensors secured?
The sensors that connect to the platform play a major role in a customer’s security, collecting vulnerability and asset information. Protecting this data and ensuring the communication paths are secure is a core function of the Tenable.io. Tenable.io supports several sensors today: Nessus vulnerability scanners, Passive scanners and Nessus Agents.
These sensors connect to the Tenable.io platform after cryptographically authenticating and linking to Tenable.io. Once linked, Tenable.io manages all updates (plugins, code, etc.) to ensure the sensors are always up to date.
Traffic from the sensors to the platform is always initiated by the sensor and is outbound-only over port 443. Traffic is encrypted via SSL communication using TLS 1.2 with a 4096-bit key. This removes the need for firewall changes and allows the customer to control the connections via firewall rules.
- Scanner-to-platform authentication
- The platform generates a random key of 256 bit length for each scanner connected to the container and passes that key to scanner during the linking process
- Scanners uses this key to authenticate back to the controller when requesting jobs, plugin updates and updates to the scanner binary
- Scanner-to-platform job communication
- Scanners contact the platform every 30 seconds
- If there is a job, the platform generates a random key of 128-bits
- The scanner requests the policy from the platform
- The controller uses the key to encrypt the policy, which includes the credentials to be used during the scan
How is Tenable.io availability managed?
The Tenable.io services strive to provide a 99.95% or better uptime, and have delivered 100% uptime on the majority of services. Tenable has published an SLA which describes our commitment to ensure the platform is available to all users and how we credit customers in the event of unplanned downtime.
"Up" status is determined simply by public availability tests hosted by a third party that regularly test the availability of all the services. The uptime for the services (both current and historical) is available at http://uptime.tenable.com/ This link also provides also daily, monthly, quarterly and yearly uptime percentages.
Tenable.io makes extensive use the the AWS platform and other leading technologies to ensure that our customers experience the best possible service and overall quality. Below is a partial list of the solutions deployed the benefits to customers:
- ElasticSearch Clusters - Elasticsearch clusters are highly available and can recover from the loss of master nodes, lb nodes and at least 1 data node, without impacting service availability.
- Elastic Block Stores - used to take daily snapshots and store eight (8) copies
- Kafka ecosystem - Kafka and Zookeeper both replicate data across the cluster to provide fault tolerance given catastrophic failure of any node.
- Postgres Instances - manage the back end microservice framework to keep 30 days of snapshots
Where is data replicated?
Tenable Cloud services are replicated both within and across AWS regions. Should both instances in a region fail (or the region suffers an outage in general), the regional-failover layer (usually using dynamic DNS) will instead direct traffic to the other three regions. Failover is closest-path to the traffic origin.
What disaster recovery capabilities are in place?
Disasters are events that result in the unrecoverable loss of data or equipment in one or more regions.
Tenable.io disaster recovery procedures have several levels and are designed to react to situations that may occur from anywhere between once in five years to once in 50 years. Depending on the scope of the disaster, the recovery procedures vary in time from 60 minutes to 24 hours.
Who can access customer data?
Customers control who has access to their data, including assigning roles and permissions to their personnel and temporarily granting access from Tenable support staff.
How are user roles and permissions managed?
Tenable.io customer administrators can assign user roles (basic, standard, administrator and disabled) to manage access to scans, policies, scanners, agents and asset lists.
Can Tenable staff access customer data?
Yes. With customer permission, tier three members of Tenable’s global support staff can impersonate user accounts, which allows them to perform operations in Tenable.io as another user without needing to obtain that user's password. Tenable support staff, or the customer, can make the request to activate the feature. Tenable support staff requires the customer to “approve” the impersonation via a note in an active support case. Permission must be granted for every issue logged with support. Tenable will not operate on a blanket “OK” to impersonate at any time. User impersonation may result in data leaving the primary location.
All Tenable.io operations staff are required to pass a third-party background check. In addition, all senior team members have at least five years of experience at SaaS-based security software companies and many carry security certifications such as being a CISSP.
Tenable has a defined hiring and termination process. All employees are required to sign non-disclosure agreements as a part of their hiring, and all accounts and access keys are immediately revoked upon termination.
Who can use the impersonate function?
Only Tenable tier three support staff members are allowed to use the impersonate function.
Is impersonation activity logged?
Does the data leave the country when Tenable is troubleshooting a technical issue?
Tenable is making every effort to ensure that customer data is protected and we ensure that their policies are being followed by working with customers to ensure the data remains in the region required. However, there are instances where customers could email a report to Tenable or otherwise break their own policy emailing outside of their region.
Will Tenable support staff have access to a customer’s internal network?
No. All traffic is initiated by the scanner and is outbound only. The scanners are installed behind the customer's firewall and can control the access of the scanners via their firewall.
How long is customer data retained within Tenable.io?
Data retention periods are designed to meet various customer and regulatory requirements.
How long is active scan data retained?
The ability to measure progress over time is a core function of the Tenable.io platform. Tenable.io will automatically store customer data for 15 months to allow them to report over a 1 year period of time.
If customers need longer than 15 months of storage, Tenable.io provides several methods to download customer data and customers can store it as they wish.
If a customer discontinues the Tenable.io service, how long is data retained?
Should a customer's account expire or terminate, Tenable will retain the data, as it was at the time of expiration, for no more than 180 days. After that time, this data may be deleted and cannot be recovered.
How long is PCI-related data retained?
Data which is involved in a PCI compliance validation process is not deleted until at least three years after the date of the PCI attestation, as required by PCI regulations. Tenable retains this data for this time period, even if the customer chooses to delete their scans or account, or terminates their Tenable.io service.
How long is Tenable.io usage data retained?
In order to ensure the best possible experience, we are collecting this information as long as a customer container remains active. Once a customer discontinues the service, the data will be retained for no more than 180 days.
Does Tenable.io have Common Criteria certification?
Common Criteria certification is generally not applied to a SaaS solution, as the frequency of updates does not lend itself to a certification process that takes 6-9 months to complete.
What is PCI ASV?
PCI ASV refers to requirement 11.2.2 of the Payment Card Industry (PCI) Data Security Standard (DSS) Requirements and Security Assessment Procedures that requires quarterly external vulnerability scans, which must be performed (or attested to) by an Approved Scanning Vendor (ASV). An ASV is an organization with a set of services and tools (“ASV Scanning Solution”) to validate adherence to the external scanning requirement of PCI DSS Requirement 11.2.2.
What systems are in scope for ASV Scanning?
The PCI DSS requires vulnerability scanning of all externally accessible (internet-facing) system components owned or utilized by the scan customer that are part of the cardholder data environment, as well as any externally facing system component that provides a path to the cardholder data environment.
What is the ASV process?
The main phases of ASV scanning consist of:
- Scoping: performed by the customer to include all internet-facing system components that are part of the cardholder data environment.
- Scanning: using the Tenable.io VM PCI Quarterly External Scan template
- Reporting/remediation: results from interim reports are remediated.
- Dispute Resolution: Customer and ASV work together to document and resolve disputed scan results.
- Rescan (as needed): until a passing scan that resolves disputes and exceptions is generated.
- Final Reporting: submitted and delivered in a secure fashion.
How frequently are ASV scans required?
ASV Vulnerability scans are required at least quarterly and after any significant change in the network, such as new system component installations, changes in network topology, firewall-rule modifications, or product upgrades.
How is an Approved Scanning Vendor (ASV) different from a Qualified Security Assessor (QSA)?
An ASV specifically performs only the external vulnerability scans described in PCI DSS 11.2. A QSA refers to an assessor company that has been qualified and trained by PCI Security Standards Council (SSC) to perform general PCI DSS on-site assessments.
Tenable.IO PCI ASV Solution Capabilities
Is Tenable a certified PCI ASV?
Yes. Tenable is qualified as an Approved Scanning Vendor (ASV) to validate external vulnerability scans of internet facing environments (used to store, process, or transmit cardholder data) of merchants and service providers. The ASV qualification process consists of three parts: the first involves the qualification of Tenable Network Security as a vendor. The second relates to the qualification of Tenable employees responsible for the remote PCI Scanning Services. The third consists of the security testing of the Tenable remote scanning solution (Tenable.io Vulnerability Management and Tenable.io PCI ASV).
As an Approved Scanning Vendor (ASV), does Tenable actually perform the scans?
How is the new product different than the existing product?
New or improved capabilities include:
- A single UI for users to scan/manage/submit/complete the ASV attestation process.
- Ability for more than one person to file disputes and submit for ASV certification.
- Ability to apply the same disputes/exceptions to multiple IPs. (Ability to create disputes based on plugins instead of by asset)
- Ability to mark an IP as out-of-scope
- Ability to annotate compensating controls
Does Tenable.io PCI ASV comply with EU data sovereignty requirements?
Vulnerability data is not EU DPD 95/46/EC data, so any data residency requirements would be customer, not regulatory driven. EU state governmental organizations could have their own data residency requirements, but those would have to be assessed on a case-by-case basis and probably not an issue for PCI-ASV scans.
Tenable.io ASV Pricing/Licensing/Ordering
Does Tenable.io VM include any PCI ASV licenses?
Yes, Tenable.io VM includes a PCI ASV license for a single, unique PCI asset. Some organizations have taken great pains to limit the assets in scope for PCI, often by outsourcing payment processing functions. Because these customers are arguably "not in the PCI business", Tenable has simplified their purchasing and licensing. A customer can change their asset every 90 days.
How is Tenable.io PCI ASV licensed?
For customers having more than a single, unique PCI asset, the Tenable.io PCI ASV solution is licensed as an add-on to Tenable.io Vulnerability Management subscriptions.
Why isn’t Tenable.io PCI ASV licensed according to the number of a customer’s internet-facing PCI assets?
The number of internet-facing hosts that are within or provide a path to an entity’s cardholder data environment (CDE) can change frequently, thereby creating licensing complexity. Tenable elected to use a simpler licensing approach.
How many attestations may a customer submit per quarter?
Customers can submit an unlimited number of quarterly attestations.
Are Trial/Evaluation customers eligible to evaluate Tenable.io PCI ASV?
Yes. evaluation customer can use the PCI Quarterly External Scan template to scan assets, review results, and created disputes. However, they cannot submit scan reports for attestation.
How will existing Tenable.io VM customers transition to the new capability?
The new capability will be activated automatically on July 24, 2017 so customers will be able to use it for their next PCI ASV scan. Existing customers will not need to license the new PCI ASV capability for a minimum of one year.
How will SecurityCenter customers that have licensed the current PCI ASV capability transition to the new capability?
SecurityCenter® customers that have already licensed External/PCI Scanning will start using Tenable.io PCI ASV after it becomes available. At renewal, those customers can simply renew using their existing SKUs. However, it may be to their advantage to license Tenable.io PCI ASV instead.