Application Vulnerability Response release notes

  • Release version: Zurich
  • Updated July 31, 2025

    The ServiceNow® Application Vulnerability Response application brings security and IT together to enable you to remediate your most critical vulnerabilities more quickly and efficiently. Application Vulnerability Response was enhanced and updated in the Zurich release.

    Application Vulnerability Response highlights for the Zurich release

    • If you are currently using Application Vulnerability Response and you want to upgrade to Unified Security Exposure Management (USEM), see Unified Security Exposure Management release notes for more information about USEM and the Unified Security Exposure Management migration.
    • Monitor your penetration test requests and findings, as well as your team's overall progress in the Penetration Test Workspace.
    • Reevaluate the risk score, assignments, remediation target date, exceptions, and remediation task for a specific set of application vulnerable items in the Vulnerability Manager Workspace.
    • Integrate with supported third-party scanners to import vulnerability data.
    • Compare application vulnerability-related data and determine if application vulnerabilities are found in an application.
    • Prioritize, remediate, and manage application vulnerable items (AVITs). Each application vulnerability represents a vulnerability entry in the Common Weakness Enumeration (CWE) or in third-party libraries.
    • With the sn_vul.app_sec_manager role, create application remediation tasks manually in the Vulnerability Manager Workspace.

    See Application Vulnerability Response for more information.

    Important:
    Application Vulnerability Response is available in the ServiceNow Store. For details, see the "Activation information" section of these release notes.

    Important information for upgrading Application Vulnerability Response to Zurich

    • If you are currently using Application Vulnerability Response and you do not intend to upgrade to Unified Security Exposure Management (USEM), install a version below v30.x of Application Vulnerability Response; the same applies to upgrades of the supported third-party integration applications.
    • For information about the new features of Vulnerability Response, see the Vulnerability Response release notes.
    • For more information about the released versions of the Application Vulnerability Response application as well as the third-party and ServiceNow applications that are compatible with the Zurich release, see the Vulnerability Response Compatibility Matrix and Release Schema Changes [KB0856498] article in the Now Support Knowledge Base.

    New in the Zurich release

    Enhanced Compensatory controls

    When new vulnerable items are ingested and associated with a remediation task that already has an approved compensating control, the reduced risk rating is now automatically inherited by those new vulnerable items.

    Improved vulnerability assessment workflows

    • CI filtering for vulnerability assessments: You can now filter which configuration items are included in a vulnerability assessment using a condition builder.
    • Business Application population on AVITs: AVITs created from SBOM assessment results now include Business Application information, helping you understand application impact and prioritize remediation.
    • Priority roll‑down from vulnerability assessments: Updates to the priority of a vulnerability assessment now automatically roll down to associated VITs and AVITs, ensuring consistent prioritization based on the highest severity.

    Remediation task rule execution mode

    You can now choose how remediation task rules are evaluated during ingestion. The new Match First execution mode evaluates rules sequentially and applies only the first matching rule, assigning each finding to exactly one remediation task. The default Match All mode continues to evaluate all applicable rules.
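    As an added illustration (not ServiceNow's own code), the following JavaScript models how the two execution modes differ for a finding that matches more than one rule; the rule and finding fields, task names, and sample findings are constructed assumptions, and the platform's real condition evaluation is not shown.

```javascript
// Added example, not ServiceNow code: models how remediation task rules group
// findings under the two execution modes. Rule and finding fields are assumptions.
const rules = [
  // Rules are evaluated in this order; only Match First stops at the first hit.
  { name: "Critical SQL injection", taskName: "RT-critical-sqli",
    condition: (f) => f.severity === "critical" && f.cwe === "CWE-89" },
  { name: "All critical findings", taskName: "RT-critical",
    condition: (f) => f.severity === "critical" },
  { name: "Any SQL injection", taskName: "RT-injection",
    condition: (f) => f.cwe === "CWE-89" },
];

// Constructed sample findings from one ingestion run.
const findings = [
  { id: "F1", severity: "critical", cwe: "CWE-89" },  // matches all three rules
  { id: "F2", severity: "critical", cwe: "CWE-79" },  // matches rule 2 only
  { id: "F3", severity: "low", cwe: "CWE-89" },       // matches rule 3 only
  { id: "F4", severity: "low", cwe: "CWE-200" },      // matches no rule
];

// mode is "match_first" or "match_all"; returns task -> finding ids plus unmatched ids.
function assignFindings(rules, findings, mode) {
  if (mode !== "match_first" && mode !== "match_all") {
    throw new Error("unknown execution mode: " + mode);
  }
  const tasks = {};
  const unmatched = [];
  for (const f of findings) {
    let matched = false;
    for (const rule of rules) {
      if (!rule.condition(f)) continue;
      matched = true;
      if (!tasks[rule.taskName]) tasks[rule.taskName] = [];
      tasks[rule.taskName].push(f.id);
      if (mode === "match_first") break; // exactly one task per finding
    }
    if (!matched) unmatched.push(f.id);
  }
  return { tasks, unmatched };
}

// Under Match All, F1 lands in three tasks; under Match First, only in RT-critical-sqli.
console.log(JSON.stringify(assignFindings(rules, findings, "match_first")));
console.log(JSON.stringify(assignFindings(rules, findings, "match_all")));
```

    Under Match First the rule order decides ownership: if the broad "All critical findings" rule were listed first, it would capture F1 before the more specific rule ran, so order specific rules ahead of general ones.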
    GitHub Application Vulnerability Integration – Generic secrets support

    The GitHub Secret Scanning Integration now imports generic secrets in addition to standard secrets from your GitHub repositories. A new Manage generic secrets in ServiceNow configuration option lets you control whether generic secrets are ingested. Imported secrets are mapped to Application Vulnerable Items (AVIs) with the scan type Secret, while generic secrets are mapped with the scan type Generic Secret.

    Enhancements to Application Vulnerability Response

    The Unassign workflow is supported for application vulnerable items (AVITs) and remediation tasks (AVULs).
    • Streamline application vulnerability assignments with the Unassign UI action from the more actions menu on an AVIT.
    • Reassign incorrectly assigned AVITs, clarify ownership for reassessment, and maintain accurate triage records in workspace views.
    • You have the option to send unassign requests for approval prior to clearing the Assigned to and Assignment group fields on records.

    SBOM document upload via GitHub Action

    Upload valid Software Bill of Materials (SBOM) documents to the ServiceNow platform using a GitHub Action.

    Create application remediation tasks manually in the Vulnerability Manager Workspace

    With the sn_vul.app_sec_manager role, you can create application remediation tasks manually by selecting some or all of the records in the Application vulnerable items lists in the Vulnerability Manager Workspace. These records are grouped into one or more remediation tasks according to the grouping criteria you select when creating the tasks.

    Create application remediation tasks manually in the IT Remediation Workspace

    With the sn_vul.app_security_champion role, you can create application remediation tasks manually by selecting the desired records in the Application vulnerable items lists in the IT Remediation Workspace. These records are grouped into one or more remediation tasks according to the grouping criteria you select when creating the tasks.

    Tenable Web Application Scanning Vulnerability Response Integration

    The Tenable.was integration now supports on‑demand execution of both application and vulnerability imports, allowing you to quickly ingest web applications, findings, and scan metadata into ServiceNow. Imported data automatically populates Discovered Applications, Vulnerability Entries, Scan Summaries, and AVITs, with full visibility through integration run tracking.

    Manual Ingestion of Vulnerabilities for Application Vulnerability Integration

    Import AVITs from external sources via a standardised template (for example, CSV or Excel) and manage the penetration test findings lifecycle. You can now ingest vulnerability data that includes the affected application, vulnerability description, severity, remediation recommendations, and other necessary details. This enhancement simplifies consolidating vulnerability data from diverse sources into a centralised Penetration Test Workspace.
    Penetration Test Workspace

    Monitor your penetration test requests and findings as well as your team's overall progress in the Penetration Test Workspace. Prioritize tests that need your attention, track findings, and view assignments with the following data visualizations on the dashboard:

    • Important items.
    • Penetration test requests that are critical and by state.
    • Reported findings.
    • Overall remediation progress based on assignment.

    Enhancements to Penetration Test Assessment Requests

    Along with Full Penetration, Focused, and Re-test, the following assessment types are included for Penetration Test Assessment Requests forms in the Penetration Test Workspace:

    • Emergency Release - Supports emergency releases that are required for rapid software updates to address critical issues like security vulnerabilities.
    • Bug Bounty Program - Rewards ethical hackers to find and report security vulnerabilities.
    • Release Approvals - Ensure that all necessary checks are completed before deploying new software.
    • One-off reviews - Assess specific projects outside regular development and release cycles to evaluate performance and implement improvements.
    • Executive Interest - Report on senior management's engagement and support for critical projects within the organization.

    Enhancements to the Release Approval and Release Notes fields help you ensure quality and security for your pen test findings.

    The following states have been added to the Release approval field:
    • Not Applicable (Default).
    • Approved.
    • Denied.

    You can add details to justify your release approvals in the Release notes field.

    Associate CWEs for manual AVIT creation from Penetration Test Assessment Requests

    On the Penetration test findings tab on Penetration Test Assessment Requests, you have the option to associate Common Weakness Enumerations (CWEs) or Common Vulnerabilities and Exposures (CVEs) in the Vulnerability field for manually created AVITs.

    Create change requests in Application Vulnerability Response

    Users with the sn_vul.app_sec_manager and sn_vul.app_sec_champion roles, as well as users with the sn_vul.app_developer role who also have the ITIL role, can create change requests from remediation tasks in the Application Vulnerability Response application. Create change requests to expedite your investigation of application vulnerable items (AVITs) that require manual intervention.
    • Create change requests with prepopulated information for scanned applications that are classified as configuration items (CIs).
    • The change request workflow in Application Vulnerability Response is similar to the workflow supported in Vulnerability Response. For more information about the Vulnerability Response change request workflow, see Change management for Vulnerability Response.

    Note:
    Change requests are supported for Application Vulnerability Response only if the discovered application is associated with a configuration item (CI). You must set Product model to False in the Use Product Model [sn_vul.use_product_model] system property to associate a discovered application with a CI.

    Enhancements to the Software Bill of Materials Workspace

    • You can delete multiple BOM entity records and their related components with bulk edit from the Software Bill of Materials (SBOM) Workspace.
    • Any Application Vulnerable Items (AVITs) that are associated with deleted BOM entities automatically transition to Closed.

    View risk score details of a vulnerable item in the Work notes section

    Starting with v25.0.3 of Application Vulnerability Response, the system property sn_sec_cmn.risk_score_changes_add_worknotes is inactive by default. Only if you enable it can you see all the changes related to the risk score of an application vulnerable item in the Work notes section. Additionally, the work notes are updated only if there is a change in the risk score.

    UI changes

    Coral theme

    Coral is now the default theme for new portal, web, and mobile experiences with Next Experience or Core UI enabled. This theme provides a fresh look and feel, featuring brand-neutral illustrations to enhance your user experience. A dark theme option is available for web and mobile experiences.

    Changed in this release

    Configure maximum rows in related lists

    To improve readability and performance, you can now limit the number of rows shown in related lists on forms by setting the system property sn_vul_cmn.related_list.set_max_row.

    Improved state management for remediation tasks and vulnerable items

    State management logic for roll down of state from remediation tasks (RTs) to findings and roll up of state from findings to RTs has been refined across all modules. Updates improve accuracy by handling mixed item states (a combination of Deferred and Closed), supporting closure of tasks in sub-states like In-Review, and reopening tasks based on the Assigned To field. The update also improves handling of False Positive state transitions by treating scanner results as the source of truth. These enhancements reduce manual effort, clarify task ownership, and streamline remediation workflows.

    Activation information

    Install Vulnerability Response and third-party integrations by requesting them from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.