Penetration testing
13 hours ago
Hello,
I am looking for more information about the Penetration Testing module. Are there any past webinars or trainings that I can take?
Outside of the few docs on it, I am not finding much information/demos, or collateral we can use. Does Application Vulnerability Response have to be set up first in order for Penetration Testing to be usable? Can you create pen test assessment requests that are not specifically testing an app, per se?
If anyone has contact information for anyone within the ServiceNow community who specializes in this module, please let me know!
4 hours ago - last edited 4 hours ago
Hey @Danny Costas
Best place to start is the VR Implementation course available in ServiceNow University. It includes a (short) section on pen testing.
3 hours ago
Hey there - it's a valid observation, and an area we will work towards creating more content for on the SecOps Community.
For the Application VR > Penetration Testing solution, there are some other resources that you will find handy in the interim, beyond Docs:
- Best Practices (Formerly, NowCreate)
  - Vulnerability Process Process Guide > Page 57 covers the Pentest experience in AVR
- ServiceNow University
  - VR Implementation > Has a section specific to the Pentest experience in AVR
- You can also check out the self-paced course and the eBook that also has content around Pentest
In terms of the AVR setup and AVR Pentest Workflow:
- The AVR Pentest workflow does not quite have the same setup steps as an AVR scanner integration (e.g. DAST, SAST, etc.) in terms of CI Lookup Rules, etc.
- As we think about creating AVITs to track Pentest findings - we still may need some of the configs in place like Risk Score Calculators, Remediation Target Rules, etc. to handle the AVITs created from the Pentest Assessment workflow
