Penetration testing on a single Application.

daiva · ‎05-29-2024

Hello Everyone,

I'm New to Penetration Testing in ServiceNow.
I've gone through several Blogs, documents and Knowledge article but i like to know, how it works in practical.
I have a Single Application "ABC Insur" it doesn't have any CI items it is a Standalone Application(Software).
Can i use Penetration Test on it?
Like CI Item consists of several Items instead i use only one Item ABC Insur and Test on it?
Any information appreciated.

Thanks,
Daiva

Abhinav37 · ‎05-30-2024

Hi,

Yes the OOB Penetration Test Assessment Request lets you create penetration testing assessment requests on a single application as long as the application has a record on the "sn_vul_app_release" table. So any end user (typically app owners) can raise these requests using the OOB record producer on Service Portal -Service Catalog to be assessed by the Pen testing team (Ethical Hacker assignment group)..

The Penetration Testing Assessment Request Record Producer that shows the Application reference field that references the sn_vul_app_release table.

Below is the typical workflow (As of Vancouver release) in application vulnerability response for penetration testing assessment requests. Typically the App owner and Pen testing teams are involved in the process and any issues found during the pent ests are recorded as manual Application Vulnerable Items (AVITs).

If this post is helpful please mark it as helpful and accept as solution

Cheers!

AB!

View solution in original post

Simon Hendery · ‎06-10-2024

Hi @daiva - thanks for clarifying.

1. This workflow is available in 'Application Vulnerability Response' which requires a Professional or Enterprise Vulnerability Response lisense: https://docs.servicenow.com/bundle/washingtondc-security-management/page/product/vulnerability-app-v...

2. See the workflow diagram that @Abhinav37 posted earlier in this thread.

3. Further instructions on configuring the workflow can be found here: https://docs.servicenow.com/bundle/washingtondc-security-management/page/product/vulnerability-app-v...

I hope that helps.

View solution in original post

Simon Hendery · ‎06-10-2024

Sorry @daiva, I don't know how you would do black-box testing.

View solution in original post

Abhinav37 · ‎05-30-2024

Hi,

Yes the OOB Penetration Test Assessment Request lets you create penetration testing assessment requests on a single application as long as the application has a record on the "sn_vul_app_release" table. So any end user (typically app owners) can raise these requests using the OOB record producer on Service Portal -Service Catalog to be assessed by the Pen testing team (Ethical Hacker assignment group)..

The Penetration Testing Assessment Request Record Producer that shows the Application reference field that references the sn_vul_app_release table.

Below is the typical workflow (As of Vancouver release) in application vulnerability response for penetration testing assessment requests. Typically the App owner and Pen testing teams are involved in the process and any issues found during the pent ests are recorded as manual Application Vulnerable Items (AVITs).

If this post is helpful please mark it as helpful and accept as solution

Cheers!

AB!

Sravani36 · ‎09-24-2024

Hi @Abhinav37 this record producer can be seen on installation of any plugin?

Thank you

Abhinav37 · ‎10-24-2024

@Sravani36

This record producer will be available when you install the Vulnerability Response plugin.

daiva · ‎06-06-2024

Hi @Abhinav37

My Applications does not have any Kind of CI Items/CMDB.
This was a software application. So can i test it?
If yes, How can i do that? Need to build the CI Items and Relationships where i don't have any elements relationship.
Because to request for Penetration Testing it is referring to this "cmdb_ci" table.
So what can i do in this case.

Thanks,
Daiva