How does Application Vulnerabilities Response handle unmatched Application CIs

MdZakeerH
Tera Contributor

Hi Community,

 

We are currently exploring Application Vulnerability Response (AVR) in ServiceNow, and I have come across a scenario where I need your help to understand it.

 

When a vulnerability scanner (Veracode) identifies a new application vulnerability in ServiceNow, but the corresponding application Configuration Item (CI) is not present in the CMDB, how is this situation handled?

 

For example, similar to host vulnerabilities in VR, when no matching CI is found it automatically creates an unclassed CI. Does ServiceNow automatically create a new application CI for an application vulnerability? If yes, will it be an unclassified application CI?

 

Any insight or guidance on this would be greatly appreciated.

Thanks & Regards,

Zakeer

 

1 ACCEPTED SOLUTION

william_tran
ServiceNow Employee

Hey Zakeer,

So conceptually, the way AVR handles 'Unmatched' applications is exactly the same as host Vulnerability Response, but there are some nuances depending on which flavor of lookup you are using for AVR. We have two flavors of lookups:

  • CI-based lookup
  • Product model-based lookup

 

If you are using the CI-based lookup, it gets handled similarly to host VR, where AVR will create what we call a 'Scanned Application' record. This would be similar to host VR's 'Unclassed Hardware' record.

 

If you are utilizing the Product Model lookup feature of AVR, it gets handled a bit differently.

 

I recommend you check out this community post by @andy_ojha: https://www.servicenow.com/community/secops-articles/unpacking-common-questions-on-application-vulne...

 

It should help answer a ton of your questions.

 

I hope this helps!

 

William
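As an added illustration (not part of William's reply and not ServiceNow's own code), the stand-alone JavaScript below models the CI-based lookup behaviour described in the answer: each scanner finding is matched against application CIs by name, and a finding with no match is attached to a placeholder record that stands in for AVR's 'Scanned Application' (the analogue of host VR's 'Unclassed Hardware'). The table and field names, the name-normalisation rule, and the sample CMDB and scanner data are all constructed for this model and are not the platform's API; the product-model lookup flavour is not modelled because the reply does not describe it.

```javascript
// Stand-alone model of the CI-based lookup with a 'Scanned Application'
// fallback. Not ServiceNow code: no GlideRecord or platform API is used,
// and every table/field name here is invented for the model.

// Constructed sample CMDB: application CIs (stand-in for cmdb_ci_appl).
const cmdbApplicationCIs = [
  { sys_id: "ci-001", name: "Payments API", class: "cmdb_ci_appl" },
  { sys_id: "ci-002", name: "Customer Portal", class: "cmdb_ci_appl" },
];

// Placeholder records for scanner results that match no CI; the model's
// stand-in for AVR's 'Scanned Application' record.
const scannedApplications = [];

// Vulnerable items created from findings; each points at a real CI or a
// Scanned Application placeholder.
const applicationVulnerableItems = [];

// Normalise the scanner-reported name so "payments-api" and "Payments API"
// resolve to the same CI / placeholder (assumed rule, not the product's).
function normaliseName(name) {
  return name.trim().toLowerCase().replace(/[\s_-]+/g, " ");
}

// CI-based lookup: return the matching application CI, or null if none.
function lookupApplicationCI(appName) {
  const key = normaliseName(appName);
  return cmdbApplicationCIs.find((ci) => normaliseName(ci.name) === key) || null;
}

// Find or create the placeholder for an unmatched application. Creating it
// once per normalised name (not once per finding) keeps all findings for the
// same unknown app grouped under a single record.
function findOrCreateScannedApplication(appName) {
  const key = normaliseName(appName);
  let rec = scannedApplications.find((s) => s.key === key);
  if (!rec) {
    rec = { sys_id: `scanned-${scannedApplications.length + 1}`, key, name: appName.trim() };
    scannedApplications.push(rec);
  }
  return rec;
}

// Ingest one finding (constructed shape: application name + flaw id) and
// return the vulnerable item bound to a CI or to a placeholder.
function ingestFinding(finding) {
  const ci = lookupApplicationCI(finding.application);
  const target = ci
    ? { table: "cmdb_ci_appl", sys_id: ci.sys_id }
    : { table: "scanned_application", sys_id: findOrCreateScannedApplication(finding.application).sys_id };
  const avit = { flaw_id: finding.flaw_id, application: finding.application, ...target };
  applicationVulnerableItems.push(avit);
  return avit;
}

// Constructed sample import: two findings match CIs, two name the same
// unknown application in different spellings.
const sampleFindings = [
  { application: "payments-api", flaw_id: "F-1001" },
  { application: "Customer Portal", flaw_id: "F-1002" },
  { application: "Legacy Billing", flaw_id: "F-1003" },
  { application: "legacy-billing", flaw_id: "F-1004" },
];

function runImport(findings) {
  return findings.map(ingestFinding);
}

// runImport(sampleFindings): F-1001 -> ci-001, F-1002 -> ci-002,
// F-1003 and F-1004 -> the single placeholder "scanned-1".
```

The point the model makes concrete is the one a practitioner checks after a Veracode import: findings for an application missing from the CMDB do not get lost, they land on a placeholder record, so the 'Scanned Application' list is where to look for CMDB gaps to reconcile.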
