Vancouver |
- Veracode and Fortify Vulnerability Integrations
- Two options enable you to manage how the Source states on application vulnerable items (AVIs) are mapped in your instance after import from the Veracode and Fortify integrations. The following options
are found on the configuration pages for these integrations and are activated by default:
- Manage exceptions in ServiceNow triages application vulnerable items (AVI) with the ServiceNow Exception management workflow. AVIs transition to Open, and you request
exceptions from AVI records. Deactivate the option if you want to preserve the Source states on AVIs imported from Fortify and Veracode.
- Manage false positives in ServiceNow triages false positives with the ServiceNow False positive workflow. AVIs transition to Open, and you request false positives from AVI
records. Deactivate this option if you want to preserve the Source states on AVIs imported from Fortify and Veracode.
- Remediation task rules in Application Vulnerability Response
- Starting with v20.0, use remediation task rules to help you define how application vulnerable items (AVIs) are automatically grouped and assigned.
- Gather AVIs based on their vulnerabilities with the default Vulnerability rule that is included in the base system. Use this rule as a template to help you create your own rules.
- Create filters with the condition builder so that application vulnerable items are matched automatically to existing remediation tasks (AVULs). If a match is not found, a new task is created.
- Enable group-by conditions so that not all the AVIs that share data are assigned to the same remediation task.
- Exception Management in Application Vulnerability Response
- Starting with v20, manage application vulnerable items that you can't remediate immediately with enhancements to exception rules.
- Create exception rules to automatically defer existing and new application vulnerable items (AVI)s for a specific period.
- Submit a request for an extension to an exception rule if you find that records created by the rule's Deferred until date are not resolved.
- Defer remediation with the Awaiting Implementation state for AVIs. Let your team know that your research and work on a task is complete but a fix isn't available.
- Enhancements to penetration testing assessment requests
- Starting with v19.0, create penetration test assessment requests directly from the list of existing requests. New fields on the request form help you to more accurately scope your test requirements for sprints:
- You can enter the application size and the type of tests that you want. These details help you to determine the scope and effort required for the tests.
- The Vendor/Joint Venture Information and Business Impact tabs permit you to enter more detailed information about the third-party vendors, potential financial damage, and
non-compliance.
- Viewing the dashboards in Vulnerability Manager Workspace
Starting with version 19.0 of Application Vulnerability Response, the Application Vulnerability Management and My Application Vulnerabilities dashboards are available in the Next Experience UI from Vulnerability Manager Workspace. - Request an extension for a deferred container vulnerable item
- Starting with version v19.0.4 of Application Vulnerability Response, you can request an extension for a deferred container vulnerable item before the due date.
- Extension of deferred extension rule
- Starting with version v19.0.4 of Application Vulnerability Response, you can request an extension for a deferred exception rule before the due date.
- Extension of deferred remediation task
- Starting with version v19.0.4 of Application Vulnerability Response, you can request an extension for a deferred remediation task before the due date.
- Accessing only application vulnerable items assigned to you and your group with the exception approver role
- For the exception approver role, sn_vul.app_exception_approver, the granular role, sn_vul.app_read_all, has been removed so that you can access the application vulnerable items and remediation tasks assigned to you and your
group only.
- Adding work notes for a deferred application vulnerable item
Starting from 20.0 of Vulnerability Response, you can add relevant information in the Work Notes field for a deferred application vulnerable item also. - Quick start tests for Vulnerability Response
After upgrades and deployments of new applications or integrations, run quick start tests to verify that Vulnerability Response works as expected. If you customized Vulnerability Response, copy the quick start tests and configure them for your customizations. |
Washington DC |
- Closed application vulnerable items in the SBOM Workspace reopen automatically
- A Closed application vulnerable item (AVIT) for a component with an associated vulnerability is reopened automatically and visible in the SBOM Workspace if the following conditions are met:
- The Reopen AVITs if detected (sn_sbom_resp.reopen_avits_if_detected) system property is activated. This system property is activated by default.
- The AVIT with the associated vulnerability is detected again by a third-party integration's vulnerability scans or the component with the vulnerability is part of a subsequent SBOM upload.
- The substate of the Closed AVIT is not one of the following: Mitigation Control in Place, Not Affected, or False
Positive. AVITs with these substates are not reopened by the system property.
Deactivate the system property only if you do not want Closed AVITs to reopen automatically.
- Updating application vulnerable items in bulk in the Vulnerability Manager Workspace
- Perform the following tasks on one or more application vulnerable items (AVITs) simultaneously using the bulk edit feature in the Vulnerability Manager Workspace:
- View list of vulnerable items in the Vulnerability Manager Workspace
- View the list of active vulnerable items in the Vulnerability Manager Workspace using the active records count next to the View by drop-down in the Host vulnerabilities tab on the Home page.
- Open active AVITs list in classic UI from the Vulnerability Manager Workspace
- Navigate to the Classic UI's active AVITs list using the View Classic link in the Application Vulnerabilities tab on the home page of the Vulnerability Manager Workspace.
- Refresh a remediation task in the Vulnerability Manager and IT Remediation Workspaces
- Refresh a remediation task (AVUL#) in the Vulnerability Manager and IT Remediation Workspaces to inspected if there are any additional records that belong to a remediation task.
- Enhancements to the Software Bill of Materials applications
- Upload SBOM files for the CycloneDX and SPDX standards starting with version 3.0 of SBOM Core and 3.2 of SBOM Response.
- XML and JSON formats are supported for CycloneDX up to and including version 1.4.
- JSON format is supported for SPDX up to and including version 2.3.
Performance enhancements in the SBOM Workspace for the BOM Entities and Components pages. You might experience faster load times for the Home and Components modules in the SBOM Workspace.
- GitHub Application Vulnerability Integration version 1.1
- Import application information from your GitHub repositories with the GitHub Repos Integration. Imported data is stored in the Discovered Applications [sn_vul_app_release] table. The GitHub CodeScan and Dependabot integrations require current application data that is imported by the GitHub Repos Integration.
Enhancements to the (OAuth) authentication credentials on the GitHub Configuration page.
- Enhancements to the Veracode Vulnerability Integration version 4.2
- Select Get More Details on Veracode application vulnerable items (AVITs) on the Application Vulnerable Item [sn_vul_app_vulnerable_item] table or from the list views in the Vulnerability Response Workspaces to view the following data imported from Veracode:
- HTTP Source request and Source response details for Dynamic Application Security Testing (DAST) scans are displayed on the HTTP Request/Response related list.
- Solution recommendations from Veracode are displayed on the Findings related list.
- HTTP Source request, Source response, and recommendations are displayed on the Details tab In the Vulnerability Response workspaces.
- The Description column is supported on the Application Vulnerable Item [sn_vul_app_vulnerable_item] table.
- Enhancements to Application Vulnerability Response AVIT Vulnerability Integrations
- View details such as total processing times, average times for pre- and post-integration run processes, and reports on the integration run records for the Fortify version 2.3, Invicti version 1.1, and Veracode version 4.2 Application Vulnerable Item (AVIT) Integrations.
- Create auto-close rules for stale AVITs
- Automate the closure of stale AVITs via Auto-close rules based on your required filter conditions.
- Analyzing the vulnerability landscape in the Vulnerability Manager Workspace
- Get the overall summary of the active application vulnerabilities through visual representation of risk ratings, remediation progress, assignment groups workloads, and records in remediation tasks on the Home
page of the Vulnerability Manager Workspace.
- Acquiring the summary of a set of application vulnerabilities using filters
- Get the summary of a set of active application vulnerabilities by filtering those vulnerabilities on the Home page of the Vulnerability Manager Workspace.
- Define Vulnerability Response email notifications
- When links are clicked in an email notification, records open in Vulnerability Manager Workspace or IT Remediation Workspace based on the user's role.
- Invicti Vulnerability Integration
- Import Interactive Application Security Testing (IAST) and Dynamic Application Security Testing (DAST) data with the Invicti Vulnerability Integration. This data enables you to determine the impact and priority of flaws in your custom software applications. Use the following Invicti integrations to enrich your
vulnerability data:
- Invicti Application List Application - Import applications that are scanned by Invicti.
- Invicti Scan List Integration - Import data about the date and time a scan was run.
- Invicti Application Vulnerable Item Integration - Import Invicti vulnerable item data.
- Import Software Bill of Materials (SBOM) files with Veracode
- Upload SBOM files in CycloneDx JSON format with a dedicated Veracode API. Identify the components you are using in your software projects and information about their releases, versions, and associated vulnerabilities. The integration generates SBOMs in
CycloneDx JSON format and uploads them into your instance for parsing. The Software Bill of Materials applications are required. For more information, see Exploring Software Bill of Materials.
- Software Bill of Materials
- The following enhancements were made to supported applications for the Software Bill of Materials (SBOM) product:
- Added PURL validation for the OSV.dev integration. Invalid PURLs are ignored during file processing.
- If available, OSV.dev fixed version information is displayed on a related list on the AVIT record.
- SBOM application vulnerable items (AVITs) show component information in enhanced SBOM workspace views.
- Disabled Remediation Task rules for SBOM AVITs in the SBOM Workspace. You can edit rules for SBOM AVITs in the Vulnerability Manager Workspace in Vulnerability Response.
- Expanded SBOM Workspace access enables you to view the SBOM inventory with the SBOM Core application.
- Reapplying CI Lookup rules in Application Vulnerability Response
- Reapply your configuration item (CI) lookup rules to update existing CIs for scanned applications and product models.
- Create remediation tasks manually
- Create remediation tasks (AVULs) manually for application vulnerable items (AVITs) from remediation task records on the Group Configuration tab.
- Notifications on false positive and exception requests
- Receive notifications and reminders on false positive and exception requests change approval records by setting approval expiry and reminder dates on the approval rules.
- Quick start tests for Application Vulnerability Response
-
After upgrades and deployments of new applications or integrations, run quick start tests to verify that Application Vulnerability Response works as expected. If you customized Application Vulnerability Response, copy the quick start tests and configure them for your customizations.
|
Xanadu |
- Customize the calculation of Age and Age closed parameters of a application vulnerable item
- Starting with v24.0.6 of Vulnerability Response, the Age and Age Closed durations of am Application Vulnerable item can be configured to be calculated from the date in the Created, Opened, or First Found fields.
- Open the search results in the Vulnerability Manager Workspace or IT Remediation Workspace rather than the Classic UI
- Starting with v24.0.6 of Vulnerability Response, automatically open your search results in the Vulnerability Manager Workspace or IT Remediation Workspace rather than the Classic UI, by adjusting the application scope in the unified navigation bar to Vulnerability Manager Workspace or IT Remediation Workspace respectively. These application scopes are available to you based on your assigned role.
- Vulnerability Manager Workspace access to the sn_vul.app_read_all role
- Starting with v24.0.6 of Vulnerability Response, as a user with the sn_vul.app_read_all role, you can view the application vulnerable items in the Vulnerability Manager Workspace.
- IT Remediation Workspace access to the sn_vul.app_read_assigned role
- Starting with v24.0.6 of Vulnerability Response, as a user with the sn_vul.app_read_assigned role, you can view the application vulnerable items assigned to you and your assignment groups in the IT Remediation Workspace and remediate them.
- Navigate to the List page in the Vulnerability Manager Workspace or IT Remediation Workspace by selecting the links from the All menu
- Starting with v24.0.6 of Vulnerability Response, when you enable the 'sn_vul_cmn_ws.navigate_to_workspace' system property, selecting predefined filter links in the Application Vulnerability Response module from the 'All' menu will automatically
open these links in the List page in the Vulnerability Manager Workspace or IT Remediation Workspace based on your role.
- Hide the record count on the lists in the Vulnerability Manager Workspace and IT Remediation Workspace
- Starting with v24.0.6 of Vulnerability Response, you can hide the record count on the lists in the List page in the Vulnerability Manager Workspace and IT Remediation Workspace, by adding the table names to the glide.ui.list.seismic.omit.count system property.
- Enable automatic refresh for the Home page dashboard in the Vulnerability Manager Workspace
- Starting with v24.0.6 of Vulnerability Response, when creating and editing filters in the Application Vulnerabilities tab on the Home page of the Vulnerability Manager Workspace, you can configure the widgets to refresh automatically. Otherwise, you can manually refresh the widgets by selecting the Refresh button on the Application Vulnerabilities
tab.
- Re-evaluating remediation properties for all records in the Vulnerability Manager Workspace
- Starting with v24.0.6 of Vulnerability Response, you can evaluate the remediation properties for all the Application Vulnerable Items from the Application Vulnerable Items list by selecting the All items in the
Record selection field of the Re-evaluate remediation properties modal in the Vulnerability Manager Workspace.
- New Properties module
- Starting with v24.0.6 of Application Vulnerability Response, a new Properties module has been added to the navigation menu under the Administration section. This module enables direct modification
of the values, offering a user-friendly method to manage and update system properties directly from the interface.
- View, classify, and assign software license information you upload with your SBOM files
- Use the License administration module in the SBOM Workspace to help you determine your over-all license compliance and risk exposure to the open-source and vendor-supplied software components you use in your application development.
- View all the licenses that are used in your organization in the License administration module.
- Classify existing licenses as: "Permitted", "Restricted", "Banned", or "Unclassified", and create new licenses.
- For unassigned or missing licenses, you can manually assign licenses to components used by your applications.
- Closed application vulnerable items in the SBOM Workspace reopen automatically
- A Closed application vulnerable item (AVIT) for a component with an associated vulnerability is reopened automatically and visible in the SBOM Workspace if the following conditions are met:
- The Reopen AVITs if detected (sn_sbom_resp.reopen_avits_if_detected) system property is activated. This system property is activated by default.
- The AVIT with the associated vulnerability is detected again by a third-party integration's vulnerability scans or the component with the vulnerability is part of a subsequent SBOM upload.
- The substate of the Closed AVIT is not one of the following: Mitigation Control in Place, Not Affected, or False Positive. AVITs
with these substates are not reopened by the system property.
Deactivate the system property only if you do not want Closed AVITs to reopen automatically.
- Reevaluate the remediation properties for application vulnerable items in the Vulnerability Manager Workspace
- Select the application vulnerable items conditionally for reevaluating the following remediation properties in the Vulnerability Manager Workspace:
- Assignments
- Remediation tasks
- Remediation target date
- Exceptions (Vulnerability Response v24.0.6)
- Risk score
- Software Bill of Materials enhancements for CycloneDX SBOM files
- The following enhancements were made to support SBOM files in CycloneDX format:
Import additional information in CycloneDX SBOM files with the (sn_sbom_core.collect_properties) property. This property is deactivated by default. Activate the property to import information that is generally not supported. Any
information imported from these properties is uploaded to the SBOM Component Property [sn_sbom_comp_property] table for the following:
- Uploaded SBOM files
- Metadata
- Individual vulnerabilities
- Components
View imported component data for declared and concluded licenses for SBOM files in versions 1.4 and later of CycloneDX in two new license fields: SBOM parsing support is enhanced for the following CycloneDX versions and component types:
- Version 1.5: Platform, Data, Device driver, Machine Learning model
- Version 1.6: Cryptographic
- Enhancements to SBOM Response for PaCE
- The Policy as Code Engine (PaCE) application is available for SBOM Response.
- Determine if components are stale or abandoned with the Run PaCE policies for SBOM Response scheduled job. The scheduled job is deactivated by default.
- View components that are identified as stale or abandoned as Non-compliant in the PaCE interface that is available in the SBOM Workspace.
- Upload SBOM files to the ServiceNow AI Platform® from your GitHub repositories
- Determine if SBOM files generated in your CI/CD (continuous integration and continuous delivery/deployment) pipelines have been successfully queued in your ServiceNow AI Platform instance.
- Protect your environments from potentially harmful components during software development cycles with GitHub Actions that you initiate from your GitHub environment.
- Obtain any required GitHub Actions for SBOM upload in the GitHub Marketplace.
- Enhancements to Bill of Materials records for the Veracode Vulnerability Integration
- Veracode is mapped to the Source field for records in the Bill of Materials [sn_sbom_doc] table for the Veracode
SBOM files that you upload.
- Remediation Task Rules for Container Vulnerability Response
- Define and group container vulnerable items automatically based on the remediation task rules.
- GitHub Secrets Scanning
- Ingest secrets detected in your organization’s code along with the application security testing results, enabling ease of accessibility for developers to mitigate these results.
- Enhanced processing performance of scheduled job
- The Rollup application vulnerable item values to vulnerability and group scheduled job is enhanced to create background jobs with multithreading capabilities. This upgrade involves segmenting the job
into several smaller child jobs, which are executed either in parallel or concurrently. This modification enables processing of multiple records simultaneously, thus significantly speeding up the overall task.
- Quick Start Tests for Application Vulnerability Response
-
After upgrades and deployments of new applications or integrations, run quick start tests to verify that Application Vulnerability Response works as expected. If you customized Application Vulnerability Response, copy the quick start tests and configure them for your customizations.
- Set the Veracode integration to update SCA findings
- You can select the scan that takes precedence for the final updates for SCA findings data imported from Veracode. On the Veracode configuration page, ‘Default’ is the set value until you change it. You must select the
Include SCA findings check box and choose one from the list:
- Agent – the agent scan results make the final updates to SCA finding
- Upload – the upload scan results make the final updates to SCA finding
- Default – the last scan processed, either the agent or upload scan, makes the final updates to SCA findings
Note: If you do not select the Include SCA findings check box on the configuration page, the scan you selected from the list is not used, and the last scan that is processed makes the final updates.
- Add and delete support for applications in Veracode imported from the ServiceNow AI Platform
- Set the value for the [sn-vul-veracode.app-mark-unseen-apps-inactive] system property to ‘true’ to prevent errors if the Platform requests applications already deleted by Veracode. If this property is set to ‘true’
(activated), the successful import of the Application List Integration marks any unseen applications in the Platform as ‘inactive’.
- Application Penetration testing enhancements
- New workspace that permits you to use the penetration testing workflow in the Next Experience UI. Alignment of penetration testing for mobile application security with the recognized standards of the Mobile Application
Security Verification Standard (MASVS) via a questionnaire in the penetration testing workflow.
|
Yokohama |
- Enhancements to Application Vulnerability Response
- The Unassign workflow is supported for application vulnerable items (AVITs) and remediation tasks (AVULs).
- Streamline application vulnerability assignments with the Unassign UI action from the more actions menu on an AVIT.
- Reassign incorrectly assigned AVITs, clarify ownership for reassessment, and maintain accurate triage records in workspace views.
- You have the option to send unassign requests for approval prior to clearing the Assigned to and Assignment group fields on records.
- SBOM document upload via Github Action
- Upload valid Software Bill of Material (SBOM) documents to ServiceNow platform with the help of GitHub Action.
- Create application remediation tasks manually in the Vulnerability Manager Workspace
- With the sn_vul.app_sec_manager role, you can create application remediation tasks manually by selecting some or all the records in the Application vulnerable items’ lists in the Vulnerability Manager Workspace. These records are grouped into one or more remediation tasks according to the grouping criteria selected while creating application remediation tasks.
- Create application remediation tasks manually in the IT Remediation Workspace
- With the sn_vul.app_security_champion role, you can create application remediation tasks manually by selecting desired records in the Application vulnerable items’ lists in the IT Remediation Workspace. These records are grouped into one or more remediation tasks according to the grouping criteria selected while creating application remediation tasks.
- Manual Ingestion of vulnerabilities for application vulnerability response
- Import AVITs from external sources via a standardised template (e.g., CSV, Excel) and manage Penetration test findings lifecycle. Now, you can ingest vulnerability data, including details such as affected application,
vulnerability description, severity, remediation recommendations, including other necessary details. This enhancement allows you to simplifies the process of consolidating vulnerability data from diverse sources into a
centralised Penetration test workspace.
- Penetration Test Workspace
-
Monitor your penetration test requests and findings as well as your team's overall progress in the Penetration Test Workspace. Prioritize tests that need your attention, track findings, and view assignments with the
following data visualizations on the dashboard:
- Important items.
- Penetration test requests that are critical and by state.
- Reported findings.
- Overall remediation progress based on assignment.
- Enhancements to Penetration Test Assessment Requests
- Along with Full Penetration, Focused, and Re-test, the following assessment types are included for Penetration Test Assessment Requests forms in the Penetration Test Workspace:
- Emergency Release - Supports emergency releases that are required for rapid software updates to address critical issues like security vulnerabilities.
- Bug Bounty Program - Rewards ethical hackers to find and report security vulnerabilities.
- Release Approvals - Ensure that all necessary checks are completed before deploying new software.
- One-off reviews - Assess specific projects outside regular development and release cycles to evaluate performance and implement improvements.
- Executive Interest - Report on senior management's engagement and support for critical projects within the organization.
Enhancements to the Release Approval and Release Notes fields help you ensure quality and security for your pen test findings. The following states have been added to the Release approval field:
- Not Applicable (Default).
- Approved.
- Denied.
You can add details to justify your release approvals in the Release notes field.
- Associate CWEs for manual AVIT creation from Penetration Test Assessment Requests
- On the Penetration test findings tab on Penetration Test Assessment Requests, you have the option to associate Common Weakness Enumerations (CWE)s or Common Vulnerabilities and Exposures (CVE)s in the
Vulnerability field for manually created AVITs.
- Create change requests in Application Vulnerability Response
- Users with the sn_vul.app_sec_manager and sn_vul.app_sec_champion roles as well as users with the sn_vul.app_developer role who have the ITIL role can create change requests from remediation tasks in the Application Vulnerability Response application. Create change requests to expedite your investigation for application vulnerabilities (AVIT)s that require manual intervention.
- Create change requests with prepopulated information for scanned applications that are classified as configuration items (CI)s.
- The change request workflow in Application Vulnerability Response is similar to the workflow supported in Vulnerability Response. For more information about the Vulnerability Response change request workflow, see Change management for Vulnerability Response.
Note: Change requests are supported for Application Vulnerability Response only if the discovered application is associated with a configuration item (CI). You must set Product model to False in the Use
Product Model [sn_vul.use_product_model] system property to associate a discovered application with a CI.
- Enhancements to the Software Bill of Materials Workspace
-
- You can delete multiple BOM entity records and their related components with bulk edit from the Software Bill of Materials
SBOM SBOM Workspace.
- Any Application Vulnerable Items (AVIT)s that are associated with deleted BOM entities automatically transition to Closed.
- View risk score details of a vulnerable items in the Work notes section
- Starting with v25.0.3 of Application Vulnerability Response, the system property sn_sec_cmn.risk_score_changes_add_worknotes is inactive by default. If you enable it, only then you can see all the changes related to the
risk score of an application vulnerable item in the Work notes section. Additionally, the work notes are updated only if there’s a change in the risk score.
|