‎03-10-2021 02:26 AM
Hi,
Is there an approach to integrating a third party's Penetration Testing vulnerabilities into ServiceNow to provide vulnerability management and reporting, please?
The Penetration Test results are not from an automated vulnerability scanning system; they are from a third-party Penetration Testing consultancy that has performed exploitative tests to assess systems' security status.

‎03-12-2021 12:18 PM
These are complex questions, so the answer is: it depends.
"Did the solution that your team provided enable the full management of the imported Penetration Testing vulnerabilities in ServiceNow?"
- How does your organization define "full management"?
One thing that comes to mind: the pentest result became a Vulnerable Item and then followed the VR lifecycle. Except... normally a VR scanner is the final judge on whether or not something was truly resolved. Manually generating pentest results does not have the same mechanism. This part will need to be worked out.
"Did the solution provide the ability to provide full in-depth reports on vulnerability statistics from within ServiceNow?"
- How does your organization define "full in-depth reports"? Does your organization have Performance Analytics? As the data matures does your organization have the skill set to enhance the reporting?

‎03-11-2021 04:56 AM
There were three of us working in parallel.
Skilled? Well... the more I learn about ServiceNow, the more I realize there is a lot more to learn.
🙂
I would say you will need someone who has worked building customization integration into the Vulnerability Framework before. The rest of the team needs to have good ServiceNow development skills.
As I mentioned before, all this depends on your design fitting into Vulnerability Response and not the other way around. This is a critical point to figuring out how long things will take to do.
‎03-12-2021 02:52 AM
Thank you Chris, very helpful.
‎03-12-2021 05:26 AM
Apologies Chris, a few more queries...
- Did the solution that your team provided enable the full management of the imported Penetration Testing vulnerabilities in ServiceNow?
- Did the solution provide the ability to provide full in-depth reports on vulnerability statistics from within ServiceNow?
Thank you for your help.

‎08-09-2022 01:21 PM
Hi,
I have an update for this.... I took everything I built, and I have extended it to now be brought in via an Import Set through the Import Set API.
https://docs.servicenow.com/bundle/tokyo-application-development/page/integrate/inbound-rest/concept/c_ImportSetAPI.html
Baby steps... I tell all my customers, "let's take baby steps first."
First, they were doing a low volume of Pentest into VR using the Record Producer. Once the process was successful... guess what? The customer wanted more...
We shifted left in their process, and now the Pentest teams push their findings into SN VR via the Import Set API.
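
The push described in the last post, sketched as an added example (not code from this thread or from ServiceNow): one manual pentest finding is validated, given a stable key, and wrapped in an Import Set API `POST /api/now/import/{stagingTableName}` request that is built but not sent. The staging table name, every `u_*` column, the instance host, the bearer-token authentication and the sample finding are assumptions; the key is meant to be the coalesce field of the transform map, and the retest status stands in for the scanner verdict that manual findings lack.

```python
import hashlib
import json
import urllib.request

# Assumed names: the staging table and every u_* column are hypothetical and
# must match the import set table and transform map built on your instance.
STAGING_TABLE = "u_pentest_finding_import"
SEVERITIES = {"critical", "high", "medium", "low", "info"}


def finding_key(report_id: str, asset: str, title: str) -> str:
    """Stable key so a re-sent or retested finding coalesces onto one record."""
    raw = "|".join(p.strip().lower() for p in (report_id, asset, title))
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()[:32]


def to_staging_row(finding: dict) -> dict:
    """Validate one pentest finding and map it to staging-table columns."""
    missing = [k for k in ("report_id", "asset", "title", "severity") if not finding.get(k)]
    if missing:
        raise ValueError(f"finding is missing fields: {missing}")
    severity = finding["severity"].strip().lower()
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity: {finding['severity']!r}")
    return {
        "u_finding_key": finding_key(finding["report_id"], finding["asset"], finding["title"]),
        "u_asset": finding["asset"].strip(),
        "u_title": finding["title"].strip(),
        "u_severity": severity,
        # No scanner will confirm closure, so the tester's retest verdict is carried explicitly.
        "u_retest_status": finding.get("retest_status", "not_retested"),
    }


def build_import_request(instance: str, finding: dict, token: str) -> urllib.request.Request:
    """Build (but do not send) the Import Set API POST for one finding."""
    url = f"https://{instance}/api/now/import/{STAGING_TABLE}"
    body = json.dumps(to_staging_row(finding)).encode("utf-8")
    headers = {"Content-Type": "application/json", "Accept": "application/json",
               "Authorization": f"Bearer {token}"}  # assumed OAuth bearer token
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


# Constructed sample finding, not taken from any real report.
SAMPLE = {"report_id": "PT-2022-001", "asset": "app01.example.internal",
          "title": "Default credentials on admin console", "severity": "High"}

if __name__ == "__main__":
    req = build_import_request("example.service-now.com", SAMPLE, token="PLACEHOLDER")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

Passing the returned request to `urllib.request.urlopen` would perform the actual push; a retest is sent as the same finding with `retest_status` set, so it lands on the existing record instead of creating a duplicate.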