Exploring Application Vulnerability Response
Application vulnerabilities are vulnerabilities in your custom software applications, which are scanned throughout the application's development life cycle.
Overview of Application Vulnerability Response and available versions
Application Vulnerability Response (AVR) is the part of the Vulnerability Response application that processes application vulnerabilities.
| Release version | Release Notes |
|---|---|
| Vulnerability Response v23.0, v22.0, v21.0, v20.0, v19.0, v18.2 | Application Vulnerability Response release notes. For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes. |
How it works
Vulnerability data is imported from internal and external sources, such as the Common Weakness Enumeration (CWE) or third-party integrations. After data is imported, it is compared to application data in your Configuration Management Database (CMDB) and processed in the Application Vulnerability Response application. If a match exists between imported application vulnerability data and data in your CMDB, an application vulnerable item (AVIT) is created.
- Integrate with supported third-party scanners to import vulnerability data.
- Compare the imported data with application data in your CMDB to determine whether an application vulnerability is present in an application.
- Prioritize, remediate, and manage application vulnerable items (AVITs). Each application vulnerability represents a vulnerability entry in the CWE or in third-party libraries.
- Starting with version 18.0 of Vulnerability Response, you can monitor and remediate AVITs in the Vulnerability Manager Workspace and IT Remediation Workspace respectively. For more information, see Vulnerability Manager Workspace and IT Remediation Workspace.
- Correlate Application Vulnerability Response data using calculators and libraries to help you perform the following tasks:
  - Create application vulnerable items automatically using CI Lookup Rules. During import, third-party vulnerabilities are associated with a CWE to create an AVIT.
  - Create assignment rules to automate application vulnerable item assignments.
  - Use calculator groups to determine business impact: specify varying conditions using filters, apply simple calculations, or use a script.
  - Create remediation target rules that define the expected time frame for remediating application vulnerable items so you can monitor upcoming remediation activities.
  - Relate a single third-party vulnerability to multiple CWE entries and identify the primary CWE for a vulnerability to help you determine risk. For more information on the Primary CWE, see Application Vulnerability fields.
  - Use CWE records downloaded from the CWE database or imported from third-party integrations as reference material when deciding whether a vulnerability must be escalated. Each CWE record also includes an associated knowledge article that describes the weakness.
Use Application Vulnerability Response to follow the flow of information, from integration through investigation, and then on to resolution.
Types of imported vulnerability data
- Dynamic Application Security Testing (DAST)
- DAST scans find vulnerabilities by sending input to your running applications and monitoring their responses, an approach that imitates an outside attack. During dynamic scanning, a running service (URL) is scanned for vulnerabilities, so results include the URL location of each discovered vulnerability.
- Static Application Security Testing (SAST)
- SAST scans review the source code of applications at rest and help you find vulnerabilities in the way the code is written. Because the scan runs on non-compiled source code, it exists independently of any application service. Results include the file and line number location of each discovered vulnerability.
- Interactive Application Security Testing (IAST)
- IAST scans detect software vulnerabilities by interacting with the program while it is running. Human observation, automated tests, and sensors are used in combination to interact with the application to locate vulnerabilities.
- Software Composition Analysis (SCA)
- Starting with v19.0 of Vulnerability Response, you can ingest Software Composition Analysis (SCA) vulnerabilities. SCA vulnerability data helps you identify weaknesses in the open source software used in your applications.
- Penetration testing
- You configure penetration test assessment requests in Application Vulnerability Response to help you understand where your application weaknesses are and what you can do to fix them.
- Software Bill of Materials
- Upload Software Bill of Materials (SBOM) data to identify vulnerabilities in your open source components. See Exploring Software Bill of Materials for more information.
Use cases
- DAST scan results
  - Relate each vulnerability from the scan results to a cmdb_ci child class.
  - Relate DAST scan results to an existing application when a record exists in the CMDB from Discovery or a third-party integration.
  - Relate DAST scan results to a newly inserted scanned application when the application has not previously been identified or stored in the CMDB.
  - Store DAST scan results in the CMDB when you manage your applications in a product other than ServiceNow®.
  - Store DAST scan results in a CMDB that you have previously customized for another purpose.
- SAST scan results
  - Create an application for a source code repository manually.
  - Relate each vulnerability from the scan results to a cmdb_ci child class.
  - Create a CI for a source code repository manually.
  - Store SAST scan results that have no related Application Service.
Third-party integrations
The third-party integrations supported by Application Vulnerability Response are available as separate applications in the ServiceNow Store. See Integrating Application Vulnerability Response with other applications for more information.
Key features
- A shared API imports DAST, SAST, IAST, and SCA data and manual pen testing results. See Penetration testing.
- A separate API is used to import SBOM data. For more information, see Exploring Software Bill of Materials and Veracode Vulnerability Integration.
- CI lookup rules
- Automatically search application data for matches in the Configuration Management Database (CMDB).
- Assignment rules
- Automatically assign application vulnerabilities based on user groups, user group fields, and scripts.
- Risk Calculators
- Automatically prioritize and rate the impact of AVITs using calculators, based on any criteria you define with condition filters.
- Severity mapping
- Automatically calculate initial values for fields on application vulnerable items. Vulnerability entries have both source severity and normalized severity (based on severity mapping). Severity is tied to the Common Weakness Enumeration (CWE).
- Remediation target rules
- Define the expected time frame for remediating an application vulnerable item.
- Reporting
- Quickly gain insight into your security posture, remediation trends and top 10 Applications or Business Units with the most critical AVITs.
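The following is an added illustrative example, not ServiceNow code and not an API of the Vulnerability Response application. It models in plain JavaScript the pipeline described under How it works and the features listed above: imported DAST and SAST findings are matched to scanned application records by release Name and ID (the CI lookup step), the scanner's source severity is normalized through a severity mapping, an assignment group is chosen from the matched application's support group, and a remediation target date is derived from the normalized severity. The table contents, field names, severity scales, and remediation day counts are all constructed for the example.

```javascript
// Added illustrative model, not ServiceNow code. Table and field names are constructed.

// Constructed stand-in for the Scanned Applications [sn_vul_app_scanned_application] table:
// each application release is identified by Name and ID and carries a support group.
const SCANNED_APPLICATIONS = [
  { sysId: "app-001", name: "payments-api", releaseId: "REL-2024.3", supportGroup: "Payments Dev" },
  { sysId: "app-002", name: "customer-portal", releaseId: "REL-7.1", supportGroup: "Portal Dev" },
];

// Constructed severity mapping: each scanner's own scale -> normalized severity
// (1 = Critical ... 5 = Low). This is the source-vs-normalized distinction in the text.
const SEVERITY_MAP = {
  dast_scanner: { P1: 1, P2: 2, P3: 3, P4: 4, P5: 5 },
  sast_scanner: { Critical: 1, High: 2, Medium: 3, Low: 4, Info: 5 },
};

// Constructed remediation target rule: days allowed per normalized severity.
const REMEDIATION_DAYS = { 1: 7, 2: 30, 3: 90, 4: 180, 5: 365 };

// CI lookup rule: match the finding's release Name and ID to a scanned application.
function lookupScannedApplication(finding, apps = SCANNED_APPLICATIONS) {
  return apps.find(a => a.name === finding.appName && a.releaseId === finding.releaseId) || null;
}

// Severity mapping: unmapped source values return null so they can be reviewed, not guessed.
function normalizeSeverity(source, sourceSeverity) {
  const map = SEVERITY_MAP[source];
  if (!map || !(sourceSeverity in map)) return null;
  return map[sourceSeverity];
}

// Assignment rule: route the AVIT to the matched application's support group.
function assignGroup(app) {
  return app.supportGroup;
}

// Build one AVIT from one finding, or report why no AVIT can be created.
function createAvit(finding, importedOn, apps = SCANNED_APPLICATIONS) {
  const app = lookupScannedApplication(finding, apps);
  if (!app) return { error: "no CMDB match", finding };
  const normalized = normalizeSeverity(finding.source, finding.sourceSeverity);
  const days = normalized !== null ? REMEDIATION_DAYS[normalized] : null;
  const target = days !== null ? new Date(importedOn.getTime() + days * 86400000) : null;
  // Location depends on scan type: DAST reports a URL, SAST reports file and line.
  const location = finding.type === "DAST"
    ? { url: finding.url }
    : { file: finding.file, line: finding.line };
  return {
    scannedApplication: app.sysId,
    cwe: finding.cwe,
    type: finding.type,
    sourceSeverity: finding.sourceSeverity,
    normalizedSeverity: normalized,
    assignmentGroup: assignGroup(app),
    remediationTarget: target ? target.toISOString().slice(0, 10) : null,
    location,
    state: "Open",
  };
}

// Constructed sample import: one DAST finding, one SAST finding, one finding with no CMDB match.
const SAMPLE_FINDINGS = [
  { source: "dast_scanner", type: "DAST", appName: "payments-api", releaseId: "REL-2024.3",
    cwe: "CWE-89", sourceSeverity: "P1", url: "https://payments.example/api/v1/refund?id=" },
  { source: "sast_scanner", type: "SAST", appName: "customer-portal", releaseId: "REL-7.1",
    cwe: "CWE-79", sourceSeverity: "Medium", file: "src/views/profile.js", line: 142 },
  { source: "sast_scanner", type: "SAST", appName: "legacy-batch", releaseId: "REL-1.0",
    cwe: "CWE-22", sourceSeverity: "High", file: "jobs/export.py", line: 9 },
];

// Run the import: matched findings become AVITs, the rest are kept for manual triage.
function importFindings(findings = SAMPLE_FINDINGS, importedOn = new Date("2024-06-01T00:00:00Z")) {
  const avits = [], unmatched = [];
  for (const f of findings) {
    const r = createAvit(f, importedOn);
    (r.error ? unmatched : avits).push(r);
  }
  return { avits, unmatched };
}

console.log(JSON.stringify(importFindings(), null, 2));
```

The unmatched bucket matters in practice: a finding with no CMDB match silently dropped is a gap in coverage, which is why the model returns it rather than discarding it, and why an unmapped scanner severity yields null instead of a guessed default.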
The common point for both types of scans (DAST and SAST) is the application release. An application release, identified by a Name string, is the tie-in point that groups scanned vulnerability results on the scanner side, so AVR knows which application release the results belong to when scan results are imported through the integration.
A Configuration Item [cmdb_ci] child table, Scanned Applications [sn_vul_app_scanned_application], was created in the Vulnerability Response application and scope. This table stores the application release abstraction and provides service graphing through its CMDB relationships. Scanned applications can be viewed from the module. The list view for Scanned Applications includes the Department and Support Group fields added during setup.
Application Vulnerable Items (AVITs)
For application vulnerabilities, AVR relates a vulnerability to an application to create the application vulnerable item (AVIT) record. Because of the multiple definitions of what constitutes an application in the CMDB, Application Vulnerability Response limits applications to scanned applications. Scanned applications are the applications scanned in your environment identified by AVR as Name and ID. AVITs are based on the latest scan summary until confirmed Fixed by the scanner. If an AVIT is no longer found, it remains tied to the scan summary where it was last seen.
Application vulnerable items can be viewed from the module.
If an application is removed from the CMDB, any associated AVITs are closed.
For information on AVIT form fields, see Application Vulnerable Item fields.
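The following is an added illustrative example of the AVIT lifecycle rules stated above; it is not ServiceNow code. In plain JavaScript it applies a sequence of scan summaries to a set of AVITs: a finding seen again is refreshed to the latest scan summary, a finding that disappears without the scanner confirming a fix stays open and remains tied to the summary where it was last seen, only the scanner's own Fixed confirmation moves an AVIT to Fixed, and removing an application from the CMDB closes its remaining AVITs. Scan summary contents, state names, and field names are constructed for the example.

```javascript
// Added illustrative model of AVIT lifecycle handling, not ServiceNow code.
// Field names, state names and scan contents are constructed.

// Key that identifies "the same" finding across scans of one scanned application.
function findingKey(f) {
  return [f.cwe, f.type, f.url || "", f.file || "", f.line || ""].join("|");
}

// Apply one scan summary (one scanner run for one scanned application) to the AVIT set.
// summary.fixed lists keys the scanner itself reports as fixed.
function applyScanSummary(avits, summary) {
  for (const f of summary.findings) {
    const key = findingKey(f);
    const existing = avits.find(a => a.key === key && a.scannedApplication === summary.scannedApplication);
    if (existing) {
      existing.lastSeenSummary = summary.id;      // AVIT follows the latest scan summary
      existing.sourceSeverity = f.sourceSeverity;  // details come from the latest scan
    } else {
      avits.push({
        key, scannedApplication: summary.scannedApplication, cwe: f.cwe, type: f.type,
        sourceSeverity: f.sourceSeverity, firstSeenSummary: summary.id,
        lastSeenSummary: summary.id, state: "Open",
      });
    }
  }
  for (const a of avits) {
    if (a.scannedApplication !== summary.scannedApplication || a.state !== "Open") continue;
    if (summary.fixed && summary.fixed.includes(a.key)) {
      a.state = "Fixed";              // only the scanner's confirmation moves it to Fixed
      a.fixedInSummary = summary.id;
    }
    // Not seen and not confirmed fixed: stays Open, still tied to lastSeenSummary.
  }
  return avits;
}

// CMDB removal: an application that no longer exists closes all of its open AVITs.
function closeAvitsForRemovedApplication(avits, scannedApplication) {
  for (const a of avits) {
    if (a.scannedApplication === scannedApplication && a.state === "Open") {
      a.state = "Closed";
      a.closeReason = "application removed from CMDB";
    }
  }
  return avits;
}

// Constructed sequence: three scans of app-001, one scan of app-002, then removal of app-002.
const SCAN_1 = { id: "scan-1", scannedApplication: "app-001", findings: [
  { cwe: "CWE-89", type: "DAST", url: "/api/v1/refund", sourceSeverity: "P1" },
  { cwe: "CWE-79", type: "DAST", url: "/search", sourceSeverity: "P3" },
]};
// Second scan: CWE-89 still present, CWE-79 not reported but not confirmed fixed either.
const SCAN_2 = { id: "scan-2", scannedApplication: "app-001", findings: [
  { cwe: "CWE-89", type: "DAST", url: "/api/v1/refund", sourceSeverity: "P2" },
], fixed: [] };
// Third scan: scanner confirms CWE-89 as fixed.
const SCAN_3 = { id: "scan-3", scannedApplication: "app-001", findings: [],
  fixed: [findingKey({ cwe: "CWE-89", type: "DAST", url: "/api/v1/refund" })] };
const SCAN_OTHER = { id: "scan-9", scannedApplication: "app-002", findings: [
  { cwe: "CWE-22", type: "SAST", file: "jobs/export.py", line: 9, sourceSeverity: "High" },
]};

function runLifecycle() {
  let avits = [];
  for (const s of [SCAN_1, SCAN_OTHER, SCAN_2, SCAN_3]) avits = applyScanSummary(avits, s);
  avits = closeAvitsForRemovedApplication(avits, "app-002");
  return avits;
}

console.log(JSON.stringify(runLifecycle(), null, 2));
```

The point worth checking in any real deployment is the second scan: a finding that merely stops appearing is not the same as a finding the scanner confirms as fixed, so the model leaves CWE-79 open and tied to scan-1 rather than closing it on absence.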
User groups and roles in Application Vulnerability Response
Often a team works together to create, manage, and oversee the management of application vulnerabilities. There are strategic roles, as well as operational roles, among the team members. In most organizations, you may participate in more than one role and often share roles with others. Application Vulnerability Response uses three user groups containing granular roles: App-Sec Manager, Application Security Champion, and Developer. See Application Vulnerability Response user groups and roles for more information on these groups and roles.
Application Vulnerability Response states
Application Vulnerability Response offers a state model for the status of your application vulnerable items (AVITs) and helps you to determine when and how to remediate your AVITs.
An application vulnerable item has several possible states, see Application Vulnerable Item (AVI) states for more information.
Vulnerability Response applications and CSDM tables
The Vulnerability Response, Application Vulnerability Response, third-party vulnerability integrations and Software Bill of Materials applications manage (contribute data to) CSDM tables. These applications also use data from CSDM tables that other applications generate. Several ServiceNow products, therefore, benefit from and add value to these Security Operations applications. See Vulnerability Response applications and CSDM tables for more information.