Manual ingestion of vulnerabilities for Application Vulnerability Response

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Manual ingestion of vulnerabilities for Application Vulnerability Response

    ServiceNow’s Application Vulnerability Response enables security professionals and application testers to manually ingest and manage application penetration test findings within the Penetration Testing Workspace. This functionality supports importing vulnerability data from external sources using Excel or CSV templates, consolidating the findings for core business applications into a single workspace for streamlined tracking and response.

    Show full answer Show less

    Key Features

    • Manual Ingestion of Findings: Import penetration test findings via downloadable Excel or CSV templates through the Manual AVIT Ingestion interface.
    • Penetration Testing Workspace: Newly uploaded files create a distinct penetration test form per application, associating all findings from that file to the form for organized management.
    • Application Name Matching: The Application Name field in the template must correspond to records in the Application, Business Application, or Scanned Application tables to properly associate vulnerabilities.
    • Mandatory Template Fields: Specific fields are required for processing to ensure completeness and accuracy of vulnerability data ingestion.

    Practical Use and Requirements

    • To upload findings, navigate to All > Manual AVIT Ingestion > Upload File UI and download the import template.
    • Ensure the Application Name field matches existing application records; otherwise, those entries will be skipped.
    • Complete all mandatory fields in the template to avoid processing errors. These fields include Risk Rating, Requested By, CWE Category or Vulnerability ID, Application Name, Purpose, Sensitive Data Types, Compliance Programs, Technology Stack, Application Team, URLs to Test, Steps to Reproduce, Technical Details, Assigned To, and Assignment Group.

    Key Outcomes

    By following this process, customers can effectively consolidate and document penetration test findings from various external tools into the ServiceNow Application Vulnerability Response solution. This enables comprehensive vulnerability tracking, assignment, and remediation within a centralized workspace, improving visibility and coordination for security teams.

    Security professionals and application testers can create and manage the application penetration test findings within the Penetration Testing Workspace.

    The Penetration testing forms are available in the Penetration Testing Workspace to document the vulnerabilities identified in the core business applications.

    The security professionals and application testers can manually import findings from external sources and platforms using the provided templates in Excel or CSV format. All the vulnerability findings are made available in the Penetration Testing Workspace.

    To access and download the template for uploading to Penetration testing workspace, navigate to All > Manual AVIT Ingestion > Upload File UI.

    A new penetration test form is created for every file upload for the respective application. All the vulnerability findings within that upload are associated to the same penetration test form. The Application Name must match with the records in of the tables:
    • Application Table
    • Business Application Table
    • Scanned Application Table
    The Application Name is a mandatory field present in the template for identifying the vulnerabilities present within an application, associated to a penetration test form. Any record missing the Application Name will not be processed and skipped during vulnerability creation.
    Note:
    Mandatory fields in the template are necessary for processing the penetration test findings. It is necessary to ensure all the fields in the template are intact to prevent any issues during the processing of penetration test findings.
    Table 1. Mandatory fields required as part of template for penetration test finding creation
    Column Name Mandatory Description Available Options/ Max characters in strings
    Risk rating Mandatory Severity of the application vulnerable item

    Critical

    High

    Medium

    Low

    None (Default)
    Requested by Mandatory Requested by 151
    CWE category Mandatory(Fill only one column) CWE ID 255
    Vulnerability ID Mandatory(Fill only one column) Vulnerability ID 255
    Application Mandatory Application Name 255
    Purpose of application Mandatory Purpose of application 4000
    Types of sensitive data Mandatory List types of sensitive data accessible from applications 40
    List of compliance programs Mandatory List of compliance programs 4000
    Technology stack details Mandatory Technology stack details 4000
    Application team Mandatory Application team Name; group responsible for developing and maintaining software applications 100
    URLs to test Mandatory URLs to test 4000
    Steps to reproduce Mandatory Steps to reproduce 1000
    Technical details Mandatory Technical details 1000
    Assigned to Mandatory Assigned to (individual responsible for conducting penetration tests and generating security findings) 151
    Assignment group Mandatory Assignment group (group responsible for conducting penetration tests and generating security findings) 151