Exception management in Container Vulnerability Response

  • Release version: Xanadu
  • Updated August 1, 2024
  • 3 minutes to read

    When your organization can't comply with a published vulnerability management or security policy, standard, or guideline, you can request an exception. Exception management entails requesting, reviewing, approving, or rejecting exceptions to a container vulnerable item (CVIT) or remediation task (RT) that cannot be remediated according to the policy.

    Some CVITs have no available patch, fix, or workaround. Approving an exception is also a risk acceptance: you acknowledge and agree to the consequences of leaving the vulnerability unremediated for the deferral period.

    Life cycle of an exception

    Definition of an exception
    An exception is a request to defer the remediation of a CVIT or RT for a specified period. For example, as a remediation owner, you can request an exception if a patch is not available for a machine.
    Requesting an exception
    As the remediation owner, you can ask for an exception for a CVIT or RT using the exception management process. After the exception approver approves this request, the CVIT or RT moves to the Deferred state.
    Approving an exception request
    CVITs or RTs that can't be remediated immediately are reviewed by vulnerability analysts, assessed for risk, and approved for deferral until they can be remediated. Approving an exception request can be a two-level workflow. If only a first-level approver is configured, the exception can be requested and approved. However, if there is no first-level approver, an exception can't be requested at all. See Add an exception approver for more information.
    Note:

    Starting from Vulnerability Response v15.0, if you are deploying the VR application for the first time, the flow designer for exception management is enabled by default. If you are already using the workflow, you can update to the flow designer. In both cases, you cannot change it back to workflow. To configure approval rules for exception management and false positive, see Configure approval rules for Exception Management.

    Once an exception request for a CVIT or RT is approved, you can perform the following actions:
    • Reopen
    • Delete
    • Update the Assignment to or Assignment groups fields
    Tracking an exception request
    After raising the exception, you can track its status by using the State Change Approvals tab of the CVIT or RT. If an action is taken on an RT, you can't track the status of the individual CVITs in that RT.
    Expiry of an exception request
    When an exception request for a particular CVIT or RT expires, the impacted CVIT or RT reverts to its Open state.

    If a single CVIT, or all the CVITs in an RT, pass in the next scan, the State field of those CVITs and, where applicable, of the RT changes to Closed with the substate Fixed.

    Configure approval rules

    View and configure approval rules by navigating to All > Container Vulnerability Response > Administration > Approval rules. Request an exception for CVITs that cannot be remediated immediately by identifying the impacted vulnerabilities, configuration items (CIs), or CVITs. You can also automate the deferral process: when the system identifies CVITs that match an exception rule, it defers them based on that rule.
    The following approval rules are shipped by default:
    • Approval for Exception Requests: A default configuration with two approval levels is provided in the base system. Whenever an exception request is raised on a vulnerable item, the approval request is sent to the users or groups present in level 1. Once the level 1 approvers approve it, it is sent to the level 2 approvers.
      Note:
      You can change the default levels and edit as required. Starting from Container Vulnerability Response v2.0.6, you can use the system properties provided in the base system for exception approvals via workflow in the System Properties [sys_properties] table. So, when an exception or false positive request is raised via workflow, it’s sent for approval to the group IDs defined in the system property. Navigate to All > System Properties and select sn_vul_container.container_exception_approver_L1, sn_vul_container.container_exception_approver_L2, or sn_vul_container.container_false_positive_approver_group to change the property value.
    • Approval for Exception Rules: No default configuration is shipped for this rule, but it uses two approval levels.
    • Approval for False Positives: One default configuration with a single approval level is shipped.
    Note:
    Starting from v2.5 of Container Vulnerability Response, you can configure the time frames for approving false positives and exceptions, along with email notifications for both the approver and requester after a set number of days. When a request is raised, the container vulnerable item changes to In-Review status and a state change record is created. If the approver doesn't respond within the configured time frame, the container vulnerable item or remediation task reverts to Open status. The previous state is stored in the backup_state field. For more information, see Configure approval rules for Exception Management.
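    The following plain-JavaScript model is an added illustration of the lifecycle and approval rules described above; it is not ServiceNow's code and uses none of the application's APIs, flows, or tables. It walks a CVIT from the exception request through the In-Review state (with the previous state saved in backup_state), the level 1 and level 2 approvals, the Deferred state, the approval time-out and expiry reversions to Open, and the Closed/Fixed result of a passing scan. The two property names are taken from this page; ExceptionWorkflow, its options object, the day-number clock, and the placeholder group IDs are assumptions made for the example.

```javascript
// Added illustration, not ServiceNow code: a model of the exception lifecycle
// described on this page. No GlideRecord, Flow Designer or CVR tables are used.
// ExceptionWorkflow, the options object and the day-number clock are assumptions.

const APPROVER_L1 = "sn_vul_container.container_exception_approver_L1"; // from the page
const APPROVER_L2 = "sn_vul_container.container_exception_approver_L2"; // from the page

// Constructed stand-in for the System Properties table; the group IDs are placeholders.
const sysProperties = {
  [APPROVER_L1]: "L1-GROUP-PLACEHOLDER",
  [APPROVER_L2]: "L2-GROUP-PLACEHOLDER",
};

class ExceptionWorkflow {
  // item: { id, state, substate, backup_state } standing in for a CVIT or RT record.
  // approvalLevels: 1 or 2. timeoutDays: days an approver has before the request lapses.
  constructor(item, { approvalLevels = 2, timeoutDays = 7, properties = sysProperties } = {}) {
    this.item = item;
    this.approvalLevels = approvalLevels;
    this.timeoutDays = timeoutDays;
    this.properties = properties;
    this.request = null; // the current state-change record, if any
  }

  // Remediation owner asks to defer the item for durationDays; today is a day number.
  requestException(durationDays, today) {
    if (!this.properties[APPROVER_L1]) {
      throw new Error("an exception cannot be requested without a level-1 approver");
    }
    if (this.request && this.request.status === "In-Review") {
      throw new Error("an exception request is already in review");
    }
    this.item.backup_state = this.item.state; // previous state kept for reversion
    this.item.state = "In-Review";
    this.request = { status: "In-Review", level: 1, raisedOn: today, durationDays, approvals: [] };
    return this.item.state;
  }

  // An approver group acts on the request at its current level.
  approve(approverGroup, today) {
    if (!this.request || this.request.status !== "In-Review") {
      throw new Error("nothing is awaiting approval");
    }
    const expected = this.request.level === 1 ? this.properties[APPROVER_L1] : this.properties[APPROVER_L2];
    if (approverGroup !== expected) {
      throw new Error(`level ${this.request.level} approval must come from ${expected}`);
    }
    this.request.approvals.push({ level: this.request.level, group: approverGroup, on: today });
    if (this.request.level < this.approvalLevels) {
      this.request.level += 1; // forwarded to the next approver level
      return this.item.state;   // still In-Review
    }
    this.request.status = "Approved";
    this.request.expiresOn = today + this.request.durationDays;
    this.item.state = "Deferred";
    return this.item.state;
  }

  // Daily housekeeping: an approval time-out or an expired exception reverts the item to Open.
  tick(today) {
    if (this.request && this.request.status === "In-Review" && today - this.request.raisedOn > this.timeoutDays) {
      this.request.status = "Timed out";
      this.item.state = "Open";
    } else if (this.request && this.request.status === "Approved" && today >= this.request.expiresOn) {
      this.request.status = "Expired";
      this.item.state = "Open";
    }
    return this.item.state;
  }

  // Result of the next scan: an item that passes closes with substate Fixed.
  recordScan(passed) {
    if (passed) {
      this.item.state = "Closed";
      this.item.substate = "Fixed";
    }
    return this.item.state;
  }
}

// Walk one constructed CVIT through the whole lifecycle and return the states observed.
function runLifecycle() {
  const cvit = { id: "CVIT-EXAMPLE-1", state: "Open", substate: null, backup_state: null };
  const wf = new ExceptionWorkflow(cvit, { approvalLevels: 2, timeoutDays: 7 });
  const seen = [];
  seen.push(wf.requestException(30, 0));                 // In-Review, backup_state = Open
  seen.push(wf.approve(sysProperties[APPROVER_L1], 1));  // In-Review, forwarded to level 2
  seen.push(wf.approve(sysProperties[APPROVER_L2], 2));  // Deferred, expires on day 32
  seen.push(wf.tick(31));                                // still Deferred
  seen.push(wf.tick(32));                                // Open again: the exception expired
  seen.push(wf.recordScan(true));                        // Closed with substate Fixed
  return { seen, item: cvit };
}
```

    Running runLifecycle() yields the state sequence In-Review, In-Review, Deferred, Deferred, Open, Closed; constructing a workflow with an empty properties object makes requestException throw, which mirrors the rule that no exception can be requested without a first-level approver.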