Automate remediation target tracking in Application Vulnerability Response
Application Remediation Target Rules define the expected timeframe for remediating application vulnerable items (AVIs), and therefore the vulnerability on each item. For example, if an application vulnerable item has a critical risk rating, the vulnerability on that item must be fixed within 15 days. Each rule specifies:
- The remediation target.
- The reminder target.
App-Sec Managers can see the remediation target date in the AVI form and list views. Dates are not updated for AVIs in the Deferred, Resolved, or Closed state. In the list view, AVIs are color-coded according to their status relative to the target date:
- AVIs that have not reached their reminder date are shown in green.
- AVIs approaching the remediation target date are shown in orange.
- AVIs past the remediation target date are shown in red.
Default rules
Three default rules are provided. They are inactive until an App-Sec Manager activates them.
- Critical Risk Rating Rule: applies to AVIs with a 1-Critical risk rating; remediation target of 15 days, with a reminder 7 days before the target date.
- Medium-High Risk Rating rule: applies to AVIs with either a 2-High or 3-Medium risk rating; remediation target of 30 days, with a reminder 7 days before the target date.
- Less Critical Risk Rating rule: applies to AVIs with a 4-Low risk rating; remediation target of 45 days, with a reminder 7 days before the target date.
Remediation target rules can be deactivated or deleted
When a rule is deactivated, the current remediation target dates for the AVIs it was applied to are cleared. If an AVI satisfies any other active rule, that rule is applied; otherwise the AVI has no rule or target date, and its status is No Target.
When a rule is deleted, the Remediation target date and related fields on closed AVIs are preserved. The Remediation target date and related fields on non-closed AVIs are cleared, and any remaining rules that apply are reapplied.
Remediation rule scenario
When multiple remediation target rules apply to the same AVI, the most restrictive rule, that is, the one yielding the earliest remediation target date, is applied. For example, if an AVI meets the condition for two application remediation target rules:
- Application remediation target rule 1: Last opened on 03/07/2018; remediation target is 15 days since it was last opened; calculated remediation target date is 03/16/2018 10:00:00.
- Application remediation target rule 2: Last opened on 03/10/2018; remediation target is 10 days since it was last opened; calculated remediation target date is 03/11/2018 10:00:00.
Rule 2 is applied because its calculated remediation target date is earlier.
Starting from V17.1, remediation targets are calculated from the Target from date field. Its default value remains the Last opened date.
About the Evaluate remediation targets scheduled job
Evaluate remediation targets runs once daily at 4:00:00. It evaluates AVIs that:
- Are not in a Closed, Deferred, or Resolved state.
- Have no remediation target date.
- Have a remediation target date that is later than the date calculated from the application remediation target rule.
Evaluate remediation targets adds a remediation target date if one does not exist; if the rule yields an earlier date than the one in the record, it updates the existing target date. Finally, it updates the Remediation target date and Remediation status fields in the AVI form. For inactive rules, Evaluate remediation targets clears the remediation fields on the AVI.
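The rule matching, most-restrictive selection, status colouring and daily evaluation pass described above, as an added illustration in plain JavaScript; it is a standalone model written for this page, not ServiceNow's own implementation, and uses no platform tables or APIs. The rule and AVI objects, the field names such as riskRating and targetFrom, and the function names are assumptions.

```javascript
// Standalone model of the remediation target rule logic described on this page.
// Not ServiceNow's implementation; rule and AVI objects are constructed sample data.
const DAY_MS = 24 * 60 * 60 * 1000;
const SKIPPED_STATES = new Set(['Closed', 'Deferred', 'Resolved']);

// The three default rules from the page, activated here for the demonstration.
const DEFAULT_RULES = [
  { name: 'Critical Risk Rating Rule', ratings: ['1-Critical'], targetDays: 15, reminderDays: 7, active: true },
  { name: 'Medium-High Risk Rating rule', ratings: ['2-High', '3-Medium'], targetDays: 30, reminderDays: 7, active: true },
  { name: 'Less Critical Risk Rating rule', ratings: ['4-Low'], targetDays: 45, reminderDays: 7, active: true },
];

function addDays(date, days) { return new Date(date.getTime() + days * DAY_MS); }

// Most restrictive active rule wins: the one yielding the earliest target date.
// Targets count from the "Target from" date, which defaults to Last opened (V17.1).
function resolveTarget(avi, rules) {
  const targetFrom = avi.targetFrom || avi.lastOpened;
  let best = null;
  for (const rule of rules) {
    if (!rule.active || !rule.ratings.includes(avi.riskRating)) continue;
    const targetDate = addDays(targetFrom, rule.targetDays);
    if (!best || targetDate < best.targetDate) {
      best = { rule: rule.name, targetDate, reminderDate: addDays(targetDate, -rule.reminderDays) };
    }
  }
  return best;
}

// List-view colour: green before the reminder date, orange until the target, red after.
function remediationStatus(target, now) {
  if (!target) return 'No Target';
  if (now >= target.targetDate) return 'red';
  if (now >= target.reminderDate) return 'orange';
  return 'green';
}

// One daily pass of the job. Closed/Deferred/Resolved AVIs are left untouched; a target
// set by a rule that is no longer active is cleared; otherwise the earlier date is kept.
function evaluateRemediationTargets(avis, rules, now) {
  return avis.map((avi) => {
    if (SKIPPED_STATES.has(avi.state)) return { ...avi };
    const stillActive = avi.target && rules.some((r) => r.active && r.name === avi.target.rule);
    const existing = stillActive ? avi.target : null;
    const computed = resolveTarget(avi, rules);
    const target = existing && (!computed || existing.targetDate <= computed.targetDate) ? existing : computed;
    return { ...avi, target, status: remediationStatus(target, now) };
  });
}
```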
Reapplying remediation target rules
If the Evaluate remediation targets scheduled job is running, you cannot initiate a reapply process. However, if a reapply process is already running when the scheduled job is triggered, the two run in parallel.
The reapply processes in Vulnerability Response and Application Vulnerability Response are independent and can run in parallel.