Is it possible to import pentest data into Infrastructure VR module, instead of AVR?

ankita dutta1
1 ACCEPTED SOLUTION

Community Alums

Hi @ankita dutta1 ,

The pentest result becomes a Vulnerable Item and then follows the VR lifecycle. Except... Normally a VR scanner is the final judge on whether or not something was truly resolved. Manually generating pentest results does not have the same mechanism.

So the answer is yes and no; it depends on your organization.

 


3 REPLIES

Ok. Thanks for the response. How about the data model requirements? Don't pentests always need to be mapped to an application? Is this possible in the normal/host VR module, without customization?

Sandeep. Forcing pentest results to fall under AVR is not in alignment with what penetration testing encompasses (the term pentest should not be only associated with application pentests). For example, a penetration test could find SMB v1 enabled on a server; this should be mapped as a VIT and tied to the CMDB CI record of the server. Manually creating/ingesting pentest findings into ServiceNow should allow the customer to determine/dictate which of the apps (VR, AVR etc.) the finding should fall under and reference corresponding CI datasets where/when applicable.