Managing state mapping for deferrals and false positives in Application Vulnerability Response
Summary of Managing state mapping for deferrals and false positives in Application Vulnerability Response
This feature in Application Vulnerability Response (AVR) Release Zurich allows ServiceNow customers to control how source states from vulnerability scanners like Veracode and Fortify are mapped to target states within their ServiceNow instance. This capability enhances triaging of imported Application Vulnerable Items (AVIs) by aligning scanner states with ServiceNow workflows for exceptions and false positives, starting with Vulnerability Response version 20.0.
Managing Deferrals and Exceptions
When using Fortify or Veracode integrations, certain source states such as Will Not Fix, Remediation Deferred, Risk Accepted, and Risk Mitigated are typically mapped to a Deferred target state with specific substates like Risk Accepted or Mitigating Control in Place.
On the integration configuration pages, the Manage exceptions in ServiceNow option controls whether these deferred AVIs are triaged through the ServiceNow Exception Management workflow:
- Checked (default): AVIs marked as Deferred require an exception request and are triaged within the exception workflow. The source states are mapped to a Target triage state within the Open state, enabling workflow actions such as the Request Exception UI.
- Unchecked: The original source states are preserved and mapped directly to Deferred target states without triggering the exception workflow. The exception request UI is disabled since the AVI is already in Deferred status.
Managing False Positives
Similarly, source states like False Positive or Potential False Positive from Veracode are mapped to a Closed target state with a False Positive substate by default.
The Manage false positives in ServiceNow option on integration configuration pages governs how false positive AVIs are handled:
- Checked (default): False positive AVIs require a false positive request and are managed via the Exception Management workflow, with source states mapped to a Target triage state in Open. The False Positive UI action is available on AVI records.
- Unchecked: Source states are preserved and mapped directly to Closed target states with a False Positive reason, bypassing the false positive workflow. The False Positive UI action is not available since the AVI is already closed.
Practical Benefits for ServiceNow Customers
- Enables flexible triage of AVIs based on scanner source states to fit your organization's processes.
- Provides control over whether exceptions and false positives are actively managed through workflows or preserved as-is.
- Improves clarity and governance by aligning scanner states with ServiceNow target states and workflows.
- Supports role-based access, requiring the App-Sec Manager role to manage these settings.
You can manage how the Source states on application vulnerable items (AVIs) imported by the Veracode Vulnerability Integration and Fortify Vulnerability Integration are mapped in your instance after import.
Starting with v20.0 of Vulnerability Response, you have more options for triaging your imported AVIs with ServiceNow workflows.
- Manage exceptions in ServiceNow
- Manage false positives in ServiceNow
Use case for Exception management
AVIs are imported from these integrations with Source states. Upon import, these states are mapped to Target and Target reason states in your instance, because in some cases there are no exact matches between the source states of your scanner and the states used by your instance.
For example, source states such as Will Not Fix, Remediation Deferred, Risk Accepted, and Risk Mitigated from the Fortify Vulnerability Integration are mapped to the Deferred state with a substate of Risk Accepted or Mitigating Control in Place in your instance.
You have the following options on the configuration pages for these integrations:
| Option | Check box selected | Description |
|---|---|---|
| Manage exceptions in ServiceNow | Y (by default) | If you leave this option selected, you must request exceptions from AVI records. Imported AVIs marked for the Deferred state are triaged with the ServiceNow Exception Management workflow. AVIs with Source states that normally are mapped to a Deferred state are mapped to the Target triage state in the Open state. |
| Manage exceptions in ServiceNow | N | If you deactivate the check box, you preserve the Source states imported from your scanner. These AVIs are mapped to the Target state as Deferred, and to a Target reason state in your instance. They are not triaged by the exception workflow, because they are not mapped to the Target triage state and Target triage reason states. The Request Exception UI action is not available on the AVI record, because the record is already in the Deferred Target state. |
Use case for False positive
For false positives from the Veracode Vulnerability Integration, as an example, source states such as False Positive or Potential False Positive are mapped to the Closed Target state with a substate of False Positive.
| Option | Check box selected | Description |
|---|---|---|
| Manage false positives in ServiceNow | Y (by default) | If you leave this option selected, you must request a False Positive from AVI records. Imported AVIs marked for the False Positive or Potential False Positive states are triaged with the ServiceNow Exception Management workflow. AVIs with Source states that normally are mapped to a Closed Target state are mapped to a Target triage state in Open. The False Positive UI action is available on the AVI record. |
| Manage false positives in ServiceNow | N | If you deactivate the check box, you preserve the Source states imported from your scanner. These AVIs are mapped to the Target state as Closed and to a Target reason state of False Positive in your instance. They are not triaged by the false positive workflow. The False Positive UI action is not available on the AVI record, because the record is already in the Closed Target state. |
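The two use cases above (exception management and false positives) follow the same pattern: a scanner Source state either lands in the Open state and is triaged by the Exception Management workflow, or is preserved and mapped straight to Deferred or Closed. The following is an added example, not ServiceNow code and not part of this documentation: a plain JavaScript model of those rules that a reviewer can run against a batch of scanner states to see how many findings would bypass the workflows before the check boxes are changed. It does not use the Glide API or any AVI table or field names, it models only the Target state, Target reason, triaging workflow and available UI action (not the separate Target triage fields), and the assignment of the Risk Accepted versus Mitigating Control in Place substate to each Fortify source state is an assumption for illustration (the page only says the substate is one of the two).

```javascript
// Added example: a plain JavaScript model of the state-mapping rules
// described on this page. It is not ServiceNow code and uses no Glide
// API, table or field names.

// Source states that the Fortify and Veracode integrations map to
// "Deferred" when the exception workflow is not used. Which of the two
// substates each source state gets is an ASSUMPTION for illustration.
const DEFERRAL_SOURCE_STATES = {
  "Will Not Fix": "Risk Accepted",
  "Remediation Deferred": "Risk Accepted",
  "Risk Accepted": "Risk Accepted",
  "Risk Mitigated": "Mitigating Control in Place",
};

// Veracode source states that map to Closed with a False Positive reason.
const FALSE_POSITIVE_SOURCE_STATES = new Set([
  "False Positive",
  "Potential False Positive",
]);

/**
 * Map one imported Source state to its Target state, Target reason, the
 * workflow that triages it and the UI action available on the record.
 *
 * options.manageExceptions     -> "Manage exceptions in ServiceNow" check box
 * options.manageFalsePositives -> "Manage false positives in ServiceNow" check box
 * Both default to true (selected), as on the configuration pages.
 */
function mapSourceState(sourceState, options = {}) {
  const manageExceptions = options.manageExceptions !== false;
  const manageFalsePositives = options.manageFalsePositives !== false;

  if (Object.prototype.hasOwnProperty.call(DEFERRAL_SOURCE_STATES, sourceState)) {
    if (manageExceptions) {
      // Stays Open and is triaged by Exception Management; the user must
      // request the exception from the AVI record.
      return { targetState: "Open", targetReason: null,
               workflow: "Exception Management", uiAction: "Request Exception" };
    }
    // Source state preserved: record goes straight to Deferred, so the
    // Request Exception UI action is not offered.
    return { targetState: "Deferred", targetReason: DEFERRAL_SOURCE_STATES[sourceState],
             workflow: null, uiAction: null };
  }

  if (FALSE_POSITIVE_SOURCE_STATES.has(sourceState)) {
    if (manageFalsePositives) {
      return { targetState: "Open", targetReason: null,
               workflow: "Exception Management", uiAction: "False Positive" };
    }
    // Record is already Closed, so the False Positive UI action is not offered.
    return { targetState: "Closed", targetReason: "False Positive",
             workflow: null, uiAction: null };
  }

  // Any other source state: ASSUMPTION for this model - leave it Open with no
  // reason, so an unrecognised scanner state is never silently deferred or closed.
  return { targetState: "Open", targetReason: null, workflow: null, uiAction: null };
}

// Review helper: with a check box deselected, imported findings can land in
// Deferred or Closed without anyone in the instance having requested it.
// This tallies how many findings in a batch would skip the workflows.
function countWorkflowBypasses(sourceStates, options) {
  let bypassed = 0;
  for (const state of sourceStates) {
    const m = mapSourceState(state, options);
    if (m.targetState !== "Open" && m.workflow === null) bypassed += 1;
  }
  return bypassed;
}

// Constructed sample import batch (not real scanner output).
const SAMPLE_BATCH = [
  "Will Not Fix", "Risk Mitigated", "Potential False Positive", "Open", "False Positive",
];

console.log(mapSourceState("Will Not Fix"));
console.log(mapSourceState("Will Not Fix", { manageExceptions: false }));
console.log(countWorkflowBypasses(SAMPLE_BATCH, {})); // 0
console.log(countWorkflowBypasses(SAMPLE_BATCH,
  { manageExceptions: false, manageFalsePositives: false })); // 4
```

Running `countWorkflowBypasses` over a real export of scanner states, with the options set the way you intend to configure them, gives the number of findings that will arrive already Deferred or Closed with no exception or false-positive request behind them; that figure is what an App-Sec Manager should be comfortable with before deselecting either check box.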