Configure Application Vulnerability Response

  • Release version: Xanadu
  • Updated August 1, 2024
  • 3 minutes to read
Complete the following setup steps before you start the configuration, so that your configuration is complete.

    Before you begin

Setup tasks and their descriptions:
    Verify that the Vulnerability Response application is installed and activated.

    To verify that it’s activated, navigate to Subscription Management > Subscriptions in your instance. The list displays the subscriptions that your organization has purchased.

    If the application isn’t installed and activated, see Install Vulnerability Response.

Verify that Performance Analytics for Vulnerability Response is installed and activated so that you can view Application Vulnerability Response reports.

    To verify that it’s activated, navigate to Subscription Management > Subscriptions in your instance. The list displays the subscriptions that your organization has purchased.

    If the application isn’t installed and activated, see Install and configure the Performance Analytics for Vulnerability Response [PA] application.

    Verify that the Veracode Vulnerability Integration is installed, activated, and configured. (Do not run the integrations at this point.)

    To verify that it’s activated, navigate to Subscription Management > Subscriptions in your instance. The list displays the subscriptions that your organization has purchased.

    If the application isn’t installed and activated, see Install the ServiceNow Vulnerability Response Integration with Veracode.

    Verify that the CWE 2000 integration is running in Vulnerability Response. To verify the integration, see Verify that the scheduled job for updating NVD records is running.
    [Optional] Verify that the NVD integration is running in Vulnerability Response. To verify, see Verify that the scheduled job for updating CWE records is running.
    Verify that you have the required ServiceNow roles for your instance. The following roles are required for installation, configuration, and verification of expected results:
• A user with the admin role installs the application and, if this has not already been done, assigns users to the following user groups: App-Sec Manager, Security Champion, and Developer. For information on group roles, see Application Vulnerability Response user groups and roles.
    • The App-Sec Manager group oversees configuration and verifies expected results.
      Note:
      Application Vulnerability Response configuration isn’t available from the Setup Assistant feature in Vulnerability Response.
    Role required: App-Sec Manager user group

    Procedure

    1. Navigate to Security Operations > CMDB > Lookup Rules.
      See Create a CI lookup rule to create or modify CI Lookup Rules for your environment.
    2. Navigate to Application Vulnerability Response > Administration.
    3. Select Assignment Rules.
      See Create or edit Application Vulnerability Response assignment rules to create or modify application assignment rules for your environment.
    4. Select Vulnerability Calculators.
      See Calculate risk in Application Vulnerability Response automatically to create or modify application vulnerability calculators for your environment.
    5. Select Remediation Target Rules.
      See Create or edit application remediation target rules to create or modify application remediation targets for your environment.
    6. Select Normalized Severity Maps.
      See Map the severity of an application vulnerable item automatically to create or modify severity maps for your environment.
    7. Navigate to either Veracode Vulnerability Integration > Integrations or Fortify Vulnerability Integration > Integrations.
    8. Open the Veracode Application List Integration or the Fortify On Demand Application List Integration.
    9. If it has not already run, select Execute Now.
      Note:
      The other Veracode or Fortify integrations are inactive by default.
    10. After the Veracode or Fortify on Demand Application List Integration has completed its run, navigate to Application Vulnerability Response > Administration > Applications.
    11. For each application, enter a value for Support Group (used by assignment rules) and for Department (used in reporting).
      To update multiple entries, see Edit multiple records in a list using the list editor to complete the task in bulk.
      Note:
      To see the auto-updated Business Unit, refresh the page. For information on Scanned Application form fields, see Scanned application fields.
    12. Return to the Integrations list, and activate the other Veracode or Fortify integrations.
      See Activate Application Vulnerability Response Integrations to set your delta data integration imports.

      The Veracode and Fortify integrations are chained and will run consecutively when activated.

13. Optional: Navigate to Application Vulnerability Response > Administration > Assignment Rules.
  1. If you chose Configuration Item: Support group for the User group field when you created or edited your assignment rules earlier, the Support Group values you entered in the Scanned Applications list view are now available to select. Edit your assignment rules to use them.
  2. Select Update.
  3. From the Vulnerability Assignment Rules list view, select Apply Changes to reapply the assignment rules to your application vulnerable items (AVIs).
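A check for step 11, added here as an example that is not part of the ServiceNow documentation: it reads scanned applications through the instance's Table REST API and lists those whose Support Group or Department is still empty, so that assignment rules and reports are not applied against blanks. The table name, the column names and the instance URL are assumptions to confirm in your instance's dictionary; the sample records are constructed.

```python
# Added example (not ServiceNow's code). Table and column names are
# assumptions: confirm them in your instance's dictionary before use.
import base64
import json
import urllib.request
TABLE = "sn_vul_app_scanned_application"          # assumed table name
REQUIRED_FIELDS = ("support_group", "department")  # assumed column names


def fetch_applications(instance, user, password, limit=1000):
    """Read scanned applications via the Table API (/api/now/table/<table>)."""
    # display_value=all returns each field as {"display_value", "value"}, so
    # reference fields (Support Group) and plain strings are handled alike.
    fields = ",".join(("sys_id", "name") + REQUIRED_FIELDS)
    url = (f"https://{instance}/api/now/table/{TABLE}?sysparm_fields={fields}"
           f"&sysparm_limit={limit}&sysparm_display_value=all")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}",
                                               "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["result"]


def _text(field):
    """Normalise a Table API field (dict or plain string) to trimmed text."""
    if isinstance(field, dict):
        return str(field.get("display_value") or field.get("value") or "").strip()
    return str(field or "").strip()


def incomplete_applications(records):
    """Return applications with any required field empty, and which fields."""
    findings = []
    for rec in records:
        missing = [f for f in REQUIRED_FIELDS if not _text(rec.get(f))]
        if missing:
            findings.append({"sys_id": _text(rec.get("sys_id")),
                             "name": _text(rec.get("name")), "missing": missing})
    return findings


# Constructed sample in the display_value=all shape (not real records).
SAMPLE = [
    {"sys_id": "a1", "name": "payments-api", "department": "Finance",
     "support_group": {"display_value": "AppSec L2", "value": "g1"}},
    {"sys_id": "a2", "name": "hr-portal", "department": "",
     "support_group": {"display_value": "", "value": ""}},
    {"sys_id": "a3", "name": "mobile-app", "department": " ", "support_group": "Mobile Team"},
]

if __name__ == "__main__":  # replace SAMPLE with fetch_applications(...) for a live audit
    for f in incomplete_applications(SAMPLE):
        print(f"{f['name']} ({f['sys_id']}): missing {', '.join(f['missing'])}")
```

A read-only account with access to the table is enough for the audit; run it again after the bulk edit in the list editor to confirm nothing was missed.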

    Result

    Your Application Vulnerability Response configuration is now complete.

    What to do next

    Navigate to Application Vulnerability Response > Overview and see Application Vulnerability Management [PA] dashboard for information on your overall security posture.