Penetration testing on a single Application.

daiva
Tera Guru

Hello Everyone,

I'm new to penetration testing in ServiceNow.
I've gone through several blogs, documents and knowledge articles, but I'd like to know how it works in practice.
I have a single application, "ABC Insur". It doesn't have any CI items; it is a standalone application (software).
Can I use a penetration test on it?
A CI item consists of several items; instead, can I use only one item, ABC Insur, and test on it?
Any information is appreciated.

Thanks,
Daiva

3 ACCEPTED SOLUTIONS

Abhinav37
ServiceNow Employee

Hi, 

Yes, the OOB Penetration Test Assessment Request lets you create penetration testing assessment requests on a single application as long as the application has a record on the "sn_vul_app_release" table. So any end user (typically app owners) can raise these requests using the OOB record producer on Service Portal - Service Catalog, to be assessed by the pen testing team (Ethical Hacker assignment group).

The Penetration Testing Assessment Request record producer, showing the Application reference field that references the sn_vul_app_release table.

Abhinav37_0-1717120501311.png

Below is the typical workflow (as of the Vancouver release) in Application Vulnerability Response for penetration testing assessment requests. Typically the app owner and pen testing teams are involved in the process, and any issues found during the pen tests are recorded as manual Application Vulnerable Items (AVITs).

Abhinav37_1-1717120607739.png

If this post is helpful, please mark it as helpful and accept it as the solution.

Cheers!

AB!


Hi @daiva - thanks for clarifying.

1. This workflow is available in 'Application Vulnerability Response', which requires a Professional or Enterprise Vulnerability Response license: https://docs.servicenow.com/bundle/washingtondc-security-management/page/product/vulnerability-app-v...

2. See the workflow diagram that @Abhinav37 posted earlier in this thread.

3. Further instructions on configuring the workflow can be found here: https://docs.servicenow.com/bundle/washingtondc-security-management/page/product/vulnerability-app-v...

I hope that helps.


Sorry @daiva, I don't know how you would do black-box testing.


15 REPLIES

Hi @daiva - I apologize in advance if I'm about to tell you something you already know, but just putting it out there in case it's helpful ...

In ServiceNow there are three types of vulnerability response:

  • standard/infrastructure VR
  • Application VR
  • Cloud VR

The type of pen testing you're referring to is covered by Application VR and has a specific workflow, due in part to the point you make about the lack of relationship to the CMDB/CIs.

If you haven't already, check out this section in the docs, which includes a chart of the App VR pen testing workflow, so it may be helpful:

https://docs.servicenow.com/bundle/washingtondc-security-management/page/product/vulnerability-app-v...


Hi @Simon Hendery 

Thanks for the insight.
I've gone through the article you provided. I'm clear that we can request a penetration test through the "HI Portal", which is called white-box penetration testing.
We have a limitation in ServiceNow for this testing of once a year, and the remaining requests will be paid tests.

So I would like to do black-box penetration testing, where we need to use vulnerability scans in our ServiceNow to achieve it; correct me if I'm wrong.
If we cannot do black-box testing through ServiceNow, should I use Metasploit to do that, or can I achieve that through ServiceNow?
If yes, please provide me further instructions to achieve that, such as an article, a Now Learning course or any other insights; that will be helpful.

Thanks,
Daiva

Hi @daiva,

I think there's been a bit of confusion in this thread because it's covered two different topics:

1. How to use ServiceNow's Vulnerability Management solution to set up a workflow across your organization to enable penetration testing of business applications.

2. How to effectively pen-test your organization's ServiceNow instance as part of your security posture.

From what I understand, it's the second topic you're asking about?

If so, that's something I don't know much about, sorry. I suggest, if you don't get any useful feedback here on the Community, you contact your ServiceNow account rep or submit a case through Now Support.

That will be the best way to ensure you get accurate information about the instance pen testing services available under your organization's specific contract with ServiceNow.

I hope that helps!

Hello @Simon Hendery 

Apologies for not providing a clear question.
I'm asking about the first question:
1) How to use ServiceNow's Vulnerability Management solution to set up a workflow across your organization to enable penetration testing of business applications.
Thanks for the feedback you provided.
Please give me some insights if you know about it.

Thanks,
Daiva
