Penetration testing

  • Release version: Zurich
  • Updated July 31, 2025

    Penetration testing in Application Vulnerability Response enables application owners to assess the security posture of their application. It is the manual testing of an application by the ethical hacking team.

    Roles required

    Penetration testing requires the following roles:

    App-Sec Manager: Contains security managers and application owners who manage the penetration testing assessment requests. It contains the following granular roles:

    • sn_vul.app_manage_pen_test_request
    • sn_vul.app_read_all
    • cmdb_read

    Ethical Hacker: Contains members of the ethical hacking team who perform penetration testing of applications. It includes the following granular roles:

    • sn_vul.app_update_assignment_group
    • sn_vul.app_update_assigned_to
    • sn_vul.app_manage_manual_avits
    • sn_vul.app_manage_pen_test_request_config
    • itil
    • sn_vul.app_read_all
    • sn_vul.app_manage_pen_test_request
    • sn_vul.app_update_state

    For more information about these roles, see Application Vulnerability Response user groups and roles.

    Starting with v19.0 of Vulnerability Response, if you are using the Veracode Vulnerability Integration, the penetration assessment tests that arrive through that integration are manual findings from Veracode. They are not linked to any penetration test assessment requests you configure in Application Vulnerability Response. For more information about penetration test assessments from Veracode, see the Veracode Vulnerability Integration.

    Life cycle of penetration testing

    As an application owner, you can ask the ethical hacking team for a penetration test assessment of your application. The ethical hacking team acts on this request and creates penetration test findings. These findings are manually created Application Vulnerable Items (AVIs).

    The penetration testing workflow covers the penetration testing life cycle from raising the testing request to resolving the findings of the ethical hacking team.

    Requesting a penetration test assessment

    Starting with v19.0, you can create new requests or copy existing requests at All > Penetration Test Assessment Requests > All.

    Prior to v19.0, as the application owner, you can request a penetration test assessment for your application using the ITSM service catalog.

    Reviewing the penetration test assessment request

    The ethical hacking team reviews and assesses the application and the scope of the penetration test assessment request, and adds it to the existing backlog.

    Preparing an environment

    The ethical hacking team then sends a request to the application owner to provide an environment for them to start testing. Once the environment is ready, the application owner informs the ethical hacking team.

    For more information about configuring test requests, see Configure penetration testing.

    Testing and reporting the penetration test findings

    The ethical hacking team tests the application and reports the findings to the application owner. The ethical hacking team also defines the Service Level Agreements (SLAs) for the penetration test findings using the remediation target date. These findings are the manually created AVIs. The application owner in turn reviews the AVIs created by the ethical hacking team, plans the fixes, and assigns them to the application team.
    Note: Remediation target rules do not apply to the penetration test findings.

    The ethical hacking team can create a library of Application Vulnerability Entries (AVEs) and reuse them while reporting the AVIs. They can also track the status of the penetration test findings.

    Fixing and validating the penetration test findings

    After the penetration test findings are fixed and resolved by the application team, the fixes are validated manually and closed by the ethical hacking team.

    Application Vulnerability Management reports

    Use the reports available on the Application Vulnerability Management PA dashboard to track the penetration test findings.

    Figure 1. Penetration testing life cycle