
Abi Adesanya
Tera Contributor

Improving Usage of CWE, CVE & CPE 

One common theme in improving the usage of these vulnerability standards across the ServiceNow (SN) platform is handling the challenges of visibility and accessibility. Unfortunately, it’s common for security professionals to still struggle with navigating the platform and understanding the table structures, mainly because of the lack of adequate bespoke training programs for customers’ configured processes on the SN platform.

In addition to providing training for the security teams, technical approaches can be implemented. Making these vulnerability standards more visible reduces the number of clicks, therefore providing a better user experience. 

One way is to use the SN System Relationships [sys_relationship] feature to create a custom relationship that is displayed as a related list. For example, a Common Vulnerabilities and Exposures (CVE) related list could be created on the Vulnerable Items (VIT) table, giving the Vulnerability Analyst or Remediation teams more straightforward access to the CVEs to help coordinate their efforts in prioritising and addressing vulnerabilities.

Below is an example of building a custom relationship by defining the queries that create the relationship represented as a related list on the target table.


A good grasp of the underlying table structures, relationships and workflow is required to create efficient queries. Disclaimer: the System Relationships feature can be a lifesaver when used correctly; it can also significantly impact performance, especially when running inefficient queries.

In this example, we are leveraging the out-of-the-box relationship of CVEs to the Third-Party Vulnerabilities Entries table, shown as a related list. The configuration described above can be replicated for any of the imported vulnerability standards on any table in SN, as long as you fully understand the table structures and relationships.
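The shape of a relationship "Query with" script for the VIT-to-CVE related list described above, as an added example (not the author's code from the screenshots). The link-table and field names are hypothetical placeholders, the `vulnerability` reference on the VIT is an assumption to verify in your instance, and the small `GlideRecord` stand-in with constructed rows exists only so the script runs off-platform.

```javascript
// Placeholder names (assumptions): replace with the many-to-many table and
// fields that link Third-Party entries to CVEs in your instance.
var M2M_TABLE = 'm2m_third_party_cve';   // hypothetical
var M2M_TP_FIELD = 'third_party_entry';  // hypothetical
var M2M_CVE_FIELD = 'cve';               // hypothetical

// Constructed rows and a minimal GlideRecord stand-in so this runs off-platform.
var SAMPLE = {};
SAMPLE[M2M_TABLE] = [
  { third_party_entry: 'tp1', cve: 'cve_a' },
  { third_party_entry: 'tp1', cve: 'cve_b' },
  { third_party_entry: 'tp2', cve: 'cve_c' }
];
function GlideRecord(table) {
  this.rows = SAMPLE[table] || []; this.filters = []; this.pos = -1;
}
GlideRecord.prototype.addQuery = function (field, op, value) {
  if (arguments.length === 2) { value = op; op = '='; }
  this.filters.push({ field: field, op: op, value: value });
};
GlideRecord.prototype.query = function () {
  var f = this.filters;
  this.rows = this.rows.filter(function (r) {
    return f.every(function (q) { return r[q.field] === q.value; });
  });
};
GlideRecord.prototype.next = function () { return ++this.pos < this.rows.length; };
GlideRecord.prototype.getValue = function (field) { return this.rows[this.pos][field]; };

// "Query with" script body: `current` is the CVE query being built,
// `parent` is the Vulnerable Item the related list is shown on.
function refineQuery(current, parent) {
  var cveIds = [];
  var m2m = new GlideRecord(M2M_TABLE);
  // One filtered lookup on the link table, not one query per CVE row.
  m2m.addQuery(M2M_TP_FIELD, parent.getValue('vulnerability'));
  m2m.query();
  while (m2m.next()) {
    cveIds.push(m2m.getValue(M2M_CVE_FIELD));
  }
  current.addQuery('sys_id', 'IN', cveIds.join(','));
}
```

On the platform, only the body of `refineQuery` goes into the relationship record, with the VIT table as the "Applies to" table and the CVE table as the "Queries from" table.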

Third-Party Vulnerability record with associated CVEs


VIT record showing the associated CVEs based on the Third-Party Vulnerability


Another advantage of using the System Relationships feature is that it doesn’t consume tables from the allocated custom table quota.

Similarly, the same results can be achieved with the Database (DB) views feature. Its advantage over the System Relationships feature is the ability to run reports. Adoption tends to increase with accessibility, so it’s worth considering not just visibility but reporting and search functionality as well. DB views don’t count towards the allocated custom table quota, but sadly they can share similar performance drawbacks when not optimised and have other limitations to consider before implementing.

 CCE Forward-looking 

Common Configuration Enumeration (CCE) is a unique identifier describing security-related software-based configuration issues. I came across CCEs while working on Centre for Internet Security (CIS) Benchmarks, a documented industry best practice for securely configuring IT systems, software, and networks. It was a compliance use case for automated and system configuration. The task was to investigate importing CCEs to assist different teams in the configuration management lifecycle in coordinating their actions better. 

Typically, when deploying new systems, these teams would have to work on spreadsheets and internal documents often not accessible to other teams, not to mention using their own internal naming conventions. Using CCEs, teams can find information across their domain on configuration issues, fostering cross-boundary coordination of action for the different teams within security configuration management.

It seems like one to watch to see whether ServiceNow could include a CCE integration in a future release. Currently, there are a couple of ServiceNow applications that could align to a CCE workflow: for example, the Integrated Risk Management (IRM) application, since there already is a Cybersecurity Controls Accelerator that enables users to adopt the Centre for Internet Security (CIS) Controls quickly; or ServiceNow could look into enhancing the Configuration Compliance application to ingest CCEs from Third-Party Security Configuration Assessment (SCA) tools.

 

Comments
Juan Miguel
Tera Expert

Thanks for the article. Maybe the images are very small. 

Tae Kyung Lee
Tera Expert

Thank you so much for very helpful articles!

Naresh_bhojwani
Giga Explorer

The images are very small

Could you please share the code which is in the images

Please provide larger size images

Last update: 01-23-2022 08:58 AM