Managing state mapping for deferrals and false positives in Application Vulnerability Response

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Managing State Mapping for Deferrals and False Positives in Application Vulnerability Response

    This document outlines how ServiceNow customers can manage the state mapping for application vulnerability items (AVIs) imported from Veracode and Fortify Vulnerability Integrations. It introduces options for handling exceptions and false positives effectively within ServiceNow workflows starting from version 20.0 of Vulnerability Response.

    Show full answer Show less

    Key Features

    • Manage Exceptions: Enables customers to triage imported AVIs with the ServiceNow Exception Management workflow.
    • Manage False Positives: Allows for the triaging of AVIs marked as false positives through a structured workflow.
    • Configuration Options: Two checkboxes on integration configuration pages allow customers to choose whether to manage exceptions and false positives or preserve the original source states.

    Key Outcomes

    By configuring these options, ServiceNow customers can ensure that imported states are appropriately mapped to internal states, improving the accuracy of vulnerability management:

    • When exceptions are managed, AVIs are triaged in the Open state, allowing for better oversight.
    • False positives can be triaged similarly, enabling users to clearly identify and manage these records.
    • Deactivating the checkboxes preserves the original source states, avoiding unnecessary triaging for records already in a definitive state.

    You can manage how the Source states on application vulnerable items (AVIs) imported by the Veracode Vulnerability Integration and Fortify Vulnerability Integration are mapped in your instance after import.

    Starting with v20.0 of Vulnerability Response, you have more options for triaging your imported AVIs with ServiceNow workflows.

    When you Configure the Fortify Vulnerability Integration or the Configure the Veracode Vulnerability Integration, the integration configuration pages provide you with two options to help you manage exceptions and false positives in your instance.
    • Manage exceptions in ServiceNow
    • Manage false positives in ServiceNow
    Role required: App-Sec Manager.

    Use case for Exception management

    AVIs are imported from these integrations with Source states. Upon import, these state are mapped to Target and Target reason states in your instance, because in some cases there are no exact matches between the source states of your scanner and the states used by your instance.

    For example, source states such as Will Not Fix, Remediation Deferred, Risk Accepted, and Risk Mitigated from the Fortify Vulnerability Integration are mapped to the Deferred state with a substate of Risk Accepted or Mitigating Control in Place in your instance.

    You have the following options on the configuration pages for these integrations:

    Option Check box selected Description
    Manage exceptions in ServiceNow Y (by default)

    If you leave this option selected, you must request exceptions from AVI records.

    Imported AVIs marked for the Deferred state are triaged with the ServiceNow Exception Management workflow.

    AVIs with Source states that normally are mapped to a Deferred state are mapped to the Target triage state in the Open state.
    N

    If you deactivate the check box, you preserve the Source states imported from your scanner.

    These AVIs are mapped to the Target state as Deferred, and to a Target reason state in your instance. They are not triaged by the exception workflow, because they are not mapped to the Target triage state and Target triage reason states.

    The Request Exception UI action is not available on the AVI record, because the record already in the Deferred Target state.

    Use case for False positive

    For false positives from the Veracode Vulnerability Integration as an aexample, source states such as False Positive or Potential False Positive are mapped to the Closed Target state with a substate of False Positive.

    Option Check box selected Description
    Manage false positives in ServiceNow Y (by default)

    If you leave this option selected, you must request a False Positive from AVI records.

    Imported AVIs marked for the False Positive or Potential False Positive states are triaged with the ServiceNow Exception Management workflow.

    AVIs with Source states that normally are mapped to a Closed Target state are mapped to a Target triage state in Open.

    The False Positive UI action is available on the AVI record.
    N

    If you deactivate the check box, you preserve the Source states imported from your scanner.

    These AVIs are mapped to the Target state as Closed and a Target reason state in False Positive in your instance. They are not triaged by the false positive workflow.

    The False Positive UI action is not available on the AVI record, because the record is already in the Closed Target state.