Pen test Vulnerabilities Integrated into ServiceNow for Vulnerability Management and Reporting

Richbrowne
Kilo Contributor

Hi,

Is there an approach to integrating a third party's Penetration Testing vulnerabilities into ServiceNow to provide vulnerabilities management and reporting please?

The Penetration Test results are not from an automated vulnerability scanning system; they are from a third-party Penetration testing consultancy that has performed exploitative tests to assess systems' security status.

1 ACCEPTED SOLUTION

These are complex questions, so this answer is: it depends.

"Did the solution that your team provided enable the full management of the imported Penetration Testing vulnerabilities in ServiceNow?"

- How does your organization define "full management"?

One thing that comes to mind: the pentest result becomes a Vulnerable Item and then follows the VR lifecycle. Except... normally a VR scanner is the final judge on whether or not something was truly resolved. Manually generated pentest results do not have the same mechanism. This part will need to be worked out.

"Did the solution provide the ability to provide full in-depth reports on vulnerability statistics from within ServiceNow?"

- How does your organization define "full in-depth reports"? Does your organization have Performance Analytics? As the data matures does your organization have the skill set to enhance the reporting?


Chris McDevitt
ServiceNow Employee

Hi,
I was on a team of people who just implemented this for a Customer. We designed a standard format that the findings would be in (we settled on JSON as the data container). The customer's Pentesting teams (internal and external) will provide their results in this standard JSON format.
We then created a Record Producer that parses the data (Attachment to the Record Producer form) and creates the Vulnerabilities leveraging the VR framework.

We also added NIST and PCI to the Third-Party Libraries (you will need to decide on a standard format that will be identified in the Pentest finding).


It would be nice if the Pentest community would come up with a standard... if you come across one, I would love to hear about it!
Hope this helps.


Hi Chris,

Thank you for your response.

How long did this solution take from design to implementation please and was this a bespoke module developed for the client? I assume this is not possible with an existing ServiceNow module?

Thank you for your help.

Kind regards,

Richard.

Hi,

It took us about +/-80 hours to do this. 

No, we used the Vulnerability Response module. 

Here is the key: The Pentest owner needs to agree that Pentest findings need to fit into the VR framework and NOT try and make the VR Framework fit Pentest.

🙂 

New components:

Record Producer

Custom fields (on VR)

UI Policies 

ACL's

Custom script include

Third-Party Integration Record

CI Lookup Rules

Transform Scripts

Record Producer (Attachment with JSON) -> Transform Map (CI Lookup Rules + Match one or create Third-Party) -> Create VI. From there, Assignment Rules, Risk, and Grouping rules run.

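As an added example (not code from Chris's team or from ServiceNow), here is a plain JavaScript model of the flow described above: parse the JSON attachment, run a CI lookup, match or create a third-party library entry, then create a Vulnerable Item, and it also shows what a re-import of the same report does. The findings format, the field names and the in-memory tables are assumptions; in a real instance these would be GlideRecord queries and a transform map.

```javascript
// Added example, not the thread's or ServiceNow's code. Arrays stand in for
// the real tables; the finding format and field names are assumptions.
const cmdbCi = [ // constructed sample CIs
  { sys_id: 'ci001', name: 'web-01', ip_address: '10.0.0.5' },
  { sys_id: 'ci002', name: 'db-01', ip_address: '10.0.0.9' },
];
const thirdPartyEntries = []; // pentest findings as third-party library entries
const vulnerableItems = [];   // one Vulnerable Item per (finding, host)
const REQUIRED = ['source', 'finding_id', 'title', 'severity', 'host'];
const SEVERITY = { critical: 1, high: 2, medium: 3, low: 4, info: 5 };
// CI Lookup Rule: hostname first, then IP. null = unmatched, kept for manual
// reconciliation rather than silently dropped.
function lookupCi(host) {
  const h = String(host).toLowerCase();
  return cmdbCi.find(c => c.name === h) || cmdbCi.find(c => c.ip_address === h) || null;
}

// "Match one or create": one library entry per (source, finding_id), so
// re-importing the same report never duplicates it.
function matchOrCreateThirdParty(f) {
  let e = thirdPartyEntries.find(x => x.source === f.source && x.id === f.finding_id);
  if (!e) {
    e = { sys_id: `tp${thirdPartyEntries.length + 1}`, source: f.source, id: f.finding_id, title: f.title };
    thirdPartyEntries.push(e);
  }
  return e;
}
// Transform step behind the Record Producer. No scanner re-confirms a fix, so a
// re-import only re-opens a VI; closing stays a deliberate, evidenced action.
function importFindings(jsonText) {
  const doc = JSON.parse(jsonText);
  if (!Array.isArray(doc.findings)) throw new Error('report has no findings[]');
  const summary = { created: 0, updated: 0, rejected: 0, unmatched_ci: 0 };
  for (const f of doc.findings) {
    if (!f || REQUIRED.some(k => !f[k]) || !Object.prototype.hasOwnProperty.call(SEVERITY, f.severity)) {
      summary.rejected++; continue; // malformed finding: count it, do not import
    }
    const ci = lookupCi(f.host);
    if (!ci) summary.unmatched_ci++;
    const tp = matchOrCreateThirdParty(f);
    const vi = vulnerableItems.find(v => v.third_party === tp.sys_id && v.host === f.host);
    if (vi) { vi.state = 'open'; vi.last_found = doc.report_date; summary.updated++; continue; }
    vulnerableItems.push({ sys_id: `vi${vulnerableItems.length + 1}`, third_party: tp.sys_id,
      cmdb_ci: ci ? ci.sys_id : null, host: f.host, severity: SEVERITY[f.severity],
      state: 'open', first_found: doc.report_date, last_found: doc.report_date });
    summary.created++;
  }
  return summary;
}
```

The returned summary is what the Record Producer would show back to the submitter, so rejected findings and unmatched CIs are visible rather than silently lost.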

Hi Chris,

Thank you again for the reply, much appreciated.

With regard to the circa 80 hour timeframe to provide this service, was that 80 man-hours, or was that how long it took a team working in parallel please?

In addition, were the resource(s) that provided the solution skilled ServiceNow developers/engineers?

Thanks again.

Kind regards.