on 01-17-2022 03:37 AM
The current state of NVD integration on ServiceNow
At the time of writing, Common Weakness Enumeration (CWE) integration is an on-demand scheduled integration. The integration imports CWEs and creates associated vulnerability knowledge base articles describing flaws, faults, bugs, or other errors in software or hardware implementation, or in architecture. They are typically used as a source of reference; however, if running the ServiceNow Application Vulnerability Response with Veracode integration, the CWE IDs are more prominent even in the Third-Party libraries, thus taking a more active role in determining risks, prioritisation, and escalations.
Another feature that can identify software flaws or vulnerabilities is the Exposure Assessment (EA) application. This application has a dependency on the IT Asset Management (ITAM) Software Asset Management (SAM) application and comes in two flavours: SAM Foundation and SAM Pro, with the latter needing a separate subscription from the Vulnerability Response subscription.
The idea of the EA application is to allow users to be more proactive in determining their potential exposures to vulnerable software whilst waiting for Third-Party vendors to publish the vulnerability, as seen with Zero-Day attacks. Using this feature requires the Publisher and Product information of the suspected vulnerable software for matching against the Software Discovery Models. Once the matching is complete, Exposure Discover Model records are created. You can then create Vulnerable Items (VITs) for existing or new vulnerabilities.
With the National Vulnerability Database (NVD) integration, ServiceNow revamped and released a new version: Vulnerability Response Integration with NVD v1.0, as a store app in the Orlando release. They addressed the irritation with the previous integration that required periodic updates to the NVD data feed in line with NVD releases.
Since the NVD v1.0 release, another upside I have generally observed for Common Vulnerabilities and Exposures (CVE) imported to ServiceNow is an increase in its use. This is due to an increased appetite for integrating multiple threat & vulnerability tools that use CVEs and not a proprietary augmented CVE, as discussed in Part 1 of this article, and to the increasing adoption of the ServiceNow platform across various security disciplines, like Pen Testers, whose reference point most often starts with these security standards. So, the ‘reference only’ tag line is slowly but surely dissipating for these imported vulnerability standards.
Turning to the Common Platform Enumeration (CPE): the NVD integration that ServiceNow released in February 2021 introduced the CPE integration. CPE is a standardised method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets.
CPEs can be used for interoperability between tools, for software and hardware inventory, and for better vulnerability management when the results from one product are to be tracked in a different product. For example, identifying the presence of Product-ABC could trigger a vulnerability management tool to check the system for known vulnerabilities in the software and also trigger a configuration management tool to verify that the software is configured securely per the organisation’s policies.
Similarly, another use case in network-based discovery is when CPEs are used to enumerate software running on a host. Running either authenticated or unauthenticated scans will result in CPE information, albeit partial CPE details with unauthenticated scans. Thus, CPEs can be leveraged for asset tagging, discovery & reporting.
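As an added illustration (not ServiceNow code and not from the original article), the JavaScript below parses CPE 2.3 formatted strings and matches them to inventory rows by vendor and product, including the partial CPE case mentioned above. The inventory layout, the function names and the Example Corp / Product ABC values are assumptions constructed for the example, and the matching is a simplification of the CPE Name Matching specification.

```javascript
// Added example: all names and sample data are constructed for illustration.
const CPE_FIELDS = ['part', 'vendor', 'product', 'version', 'update', 'edition',
  'language', 'sw_edition', 'target_sw', 'target_hw', 'other'];

// Split on ':' but keep an escaped '\:' inside its component.
function splitCpe(s) {
  const out = [];
  let cur = '';
  for (let i = 0; i < s.length; i++) {
    if (s[i] === '\\' && i + 1 < s.length) { cur += s[i] + s[i + 1]; i++; }
    else if (s[i] === ':') { out.push(cur); cur = ''; }
    else cur += s[i];
  }
  out.push(cur);
  return out;
}

// Parse "cpe:2.3:part:vendor:product:version:...": 2 prefix parts + 11 attributes.
function parseCpe23(s) {
  const parts = splitCpe(s);
  if (parts.length !== 13 || parts[0] !== 'cpe' || parts[1] !== '2.3') {
    throw new Error('not a CPE 2.3 formatted string: ' + s);
  }
  const cpe = {};
  CPE_FIELDS.forEach((f, i) => { cpe[f] = parts[i + 2].toLowerCase(); });
  return cpe;
}

// Remove CPE escaping ('\:' becomes ':') before comparing values.
const unescapeCpe = (s) => s.replace(/\\(.)/g, '$1');
// Bring inventory names to the CPE convention: lower case, whitespace as '_'.
const norm = (s) => s.trim().toLowerCase().replace(/\s+/g, '_');

// Simplified matching: vendor and product must be equal; '*' (ANY) as the CPE
// version, as a partial CPE would carry, matches every installed version.
function matchInventory(cpeString, inventory) {
  const cpe = parseCpe23(cpeString);
  return inventory.filter((item) =>
    norm(item.publisher) === unescapeCpe(cpe.vendor) &&
    norm(item.product) === unescapeCpe(cpe.product) &&
    (cpe.version === '*' || unescapeCpe(cpe.version) === norm(item.version)));
}

// Constructed inventory rows (publisher/product as a discovery tool might record them).
const INVENTORY = [
  { host: 'web01', publisher: 'Example Corp', product: 'Product ABC', version: '2.1.0' },
  { host: 'web02', publisher: 'Example Corp', product: 'Product ABC', version: '3.0.0' },
  { host: 'db01', publisher: 'Other Vendor', product: 'Product ABC', version: '2.1.0' },
];
```

A fully specified CPE selects only the host running that version, while a CPE with `*` as its version selects every host with the product installed, which is why partial CPEs from unauthenticated scans tend to over-match.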
So, where are the CPEs stored in ServiceNow? They are stored on the Vulnerable Software (sn_vul_software) table, which is visible as a related list on the NVD Vulnerability Entry (sn_vul_nvd_entry) table as shown below.
In the concluding part of this article, I will share some tips on how to surface these vulnerability standards so that they are proactively included in the day-to-day vulnerability analysis workflow, whilst also sharing my thoughts on CCEs and benefits.