Exploring exposure assessment

  • Release version: Zurich
  • Updated July 31, 2025
  • 5 minutes to read

    Exposure assessment uses the Common Platform Enumeration (CPE) framework, which is a part of the Common Vulnerabilities and Exposures (CVE) system, to evaluate the exposure of your assets to vulnerable software. The assessment is performed against software discovery models.

    A matching algorithm associates the relevant CPEs with the software discovery models, which enables the identification of potential exposures.

    You can use exposure assessment by CVE or by software to identify exposure to potential vulnerabilities in the following scenarios:
    • Vulnerabilities that may not be identified by traditional scanners
    • Zero-day vulnerabilities, before the scanner vendor provides a signature for detecting the vulnerability
    Exposure assessment provides an early warning so that you can remediate these vulnerabilities, and it improves the maturity of the vulnerability management program.
    Prerequisites for exposure assessment

    Table 1. Available versions
    • Vulnerability Crisis Management plugin: 1.0
    • Vulnerability Response: 20.0
    • Vulnerability Response with NVD: 1.3
    • Vulnerability Response Integration with CISA: 1.2
    • Vulnerability Response Integration with NVD: 1.3 (Note: for more information, see Understanding the NVD integrations.)
    • Software Asset Management: Software Asset Management Foundation plugin or Software Asset Management Professional plugin

    Use cases

    For examples of how the vulnerability analysts in your organization can use the Vulnerability Exposure Assessment workspace, see these use cases.
    • Assess by CVE: Assess vulnerabilities by CVE to gain a full understanding of the impact and exposure of the affected systems using Software Asset Management (SAM) and Discovery data. Take prompt remediation action by creating manual VITs and assigning them to remediation owners. Assessing by CVE is beneficial because scanners may not detect all the affected systems, whereas Discovery typically identifies most of the software on the attack surface.
    • Assess by Software: Assess the impact by software when no CVE is available, to identify the number of CIs where the software is installed. By assessing by software, you can act proactively on zero-day or critical vulnerabilities by creating a manual VIT and assigning it to the remediation owner before the vulnerabilities are officially published or before scanners identify them.
    • Assess by Publisher: Assess vulnerabilities by software vendor to understand the impact and exposure of the affected systems for the CVEs published for that vendor within a time frame. Assessing by publisher helps you evaluate the vendor risk and critical vulnerabilities, enabling proactive remediation.

    Compatibility and system requirements

    The Vulnerability Response application is available on the ServiceNow Store. The ITSM Software Asset Management application (com.snc.asset_management) is required for the Exposure Assessment module. This application manages all your assets and software licenses, and the SAM Foundation version of this application is part of the Vulnerability Response application that you download from the ServiceNow Store.
    Important:
    The Exposure Assessment application works with the following plugins:
    • Software Asset Management Foundation plugin (com.snc.sams)
    • Software Asset Management Professional plugin (com.snc.pa.samp)
    • Software Asset Management plugin (com.snc.software_asset_management)

    To verify that the SAM Foundation application is installed on your instance, navigate to System Applications > All Available Applications > All and search for com.snc.asset_management. If the application isn’t installed, select Install. Because the Vulnerability Exposure Assessment application requires access to the asset data on your ServiceNow AI Platform® instance, the asset management applications must have data to reference: the Software Discovery Models table (cmdb_sam_sw_discovery_model) and the Software Installations table (cmdb_sam_sw_install) must both contain data.

    Matching algorithm fields for software discovery models

    The Software Asset Management Professional application enables you to edit a software discovery model on the Software Discovery Models form to manually normalize discovered software that hasn’t been fully normalized (partially normalized, publisher normalized, or match not found) so that it can be reconciled. Starting with version 20.0, Vulnerability Response supports normalized discovery models that come from Software Asset Management Professional. The following fields are used by the matching algorithm for software discovery models.
    • CPE (Software model): Vendor, Product, Version, Edition
    • SAM Foundation: Primary Key, Display Name, Discovered Publisher, Discovered Product, Discovered Version
    • SAM Professional: Primary Key, Display Name, Discovered Publisher, Discovered Product, Discovered Version, Normalized Publisher, Normalized Product, Normalized Version
    Note:
    The SAM Professional application isn’t part of the core Vulnerability Response product from the ServiceNow Store and requires a separate subscription.

    System property

    To process the CISA-exploited vulnerabilities automatically for exposure assessment, set the system property sn_vul_analyst.enable_exposure_for_cisa to true. The default value is false.

    Scheduled jobs

    The following scheduled jobs are available.
    • Check potential vulnerability exposure: Processes the CVEs, software, and installations that changed since the last run (the delta) to determine exposure. Note: this scheduled job runs every 12 hours, and it runs for longer than the other scheduled jobs.
    • Insert CISA exploited CVE to exposure config: On-demand. Inserts the CISA CVEs into the Exposure Configuration table so that their exposure can be calculated.
    • Run exposure assessment for configured CVEs: On-demand. Calculates the exposure for all the CVE records in the Exposure Configuration table.
    • Run software exposure: On-demand. Calculates the exposure for all the software records in the Exposure Configuration table.

    Key terms

    The Software installation count field provides the total number of software installs for the discovery model, regardless of whether each install is active or inactive. Starting with v22.0 of Vulnerability Response, a new system property, sn_vul.filter_inactive_sw_installs, determines whether inactive software installations are filtered out of exposure assessment. By default, the property is enabled in the base system. When the filter is enabled, only active installations are counted and displayed.

    The Discovery model field shows the count of active software installations only, because inactive installations are filtered out by the default active=true filter on the Software Discovery Model table. The count in this field should match the filtered count displayed in the Software installation count field. Changing the system property does not recalculate the Software installation count field on existing records. To obtain the updated count, run the scheduled jobs Run exposure assessment for configured CVEs and Run software exposure, which refresh the count.
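    The following JavaScript is an added illustration, not ServiceNow's own code, that models the two mechanisms described above: the matching algorithm fields (a CPE's vendor, product and version compared against a discovery model's normalized fields where SAM Professional has populated them, and against the discovered fields otherwise) and the effect of sn_vul.filter_inactive_sw_installs on the software installation count. The record layout (sys_id, normalized_publisher, discovered_product, installed_on, active, and so on), the canonicalization rule, the "prefer normalized, fall back to discovered" order, and all sample data are assumptions constructed for the example; the only standard it relies on is the CPE 2.3 formatted-string layout (cpe:2.3:part:vendor:product:version:update:edition:...).

```javascript
// Added illustration of CPE-to-discovery-model matching and install counting.
// Field names and matching rule are assumptions, not ServiceNow's implementation.

// Split a CPE 2.3 formatted string on unescaped colons; an escaped '\:' stays
// inside its value. Returns the named components used for matching.
function parseCpe23(cpe) {
  const parts = cpe.split(/(?<!\\):/);
  if (parts.length !== 13 || parts[0] !== 'cpe' || parts[1] !== '2.3') {
    throw new Error('not a CPE 2.3 formatted string: ' + cpe);
  }
  const [, , part, vendor, product, version, update, edition] = parts;
  return { part, vendor, product, version, update, edition };
}

// Canonical form for comparison (assumed rule): drop CPE escape backslashes,
// lower-case, and remove the '_' that CPE uses for spaces plus spaces/hyphens.
function canon(value) {
  return String(value || '').replace(/\\/g, '').toLowerCase().replace(/[\s_\-]+/g, '');
}

// Prefer the normalized field (SAM Professional); fall back to the discovered
// field (SAM Foundation) when no normalized value exists on the model.
function effective(model, normalizedKey, discoveredKey) {
  return model[normalizedKey] || model[discoveredKey];
}

// True when the CPE identifies this discovery model. A CPE version of '*'
// (the CPE 2.3 ANY value) matches every version of the product.
function cpeMatchesModel(cpe, model) {
  const vendorOk = canon(cpe.vendor) === canon(effective(model, 'normalized_publisher', 'discovered_publisher'));
  const productOk = canon(cpe.product) === canon(effective(model, 'normalized_product', 'discovered_product'));
  const version = effective(model, 'normalized_version', 'discovered_version');
  const versionOk = cpe.version === '*' || canon(cpe.version) === canon(version);
  return vendorOk && productOk && versionOk;
}

// Exposure for one CVE: its CPE list against all discovery models, then the
// installs of the matched models, restricted to active installs when the
// (assumed string-valued) property sn_vul.filter_inactive_sw_installs is 'true'.
function assessExposure(cpeStrings, models, installs, props) {
  const cpes = cpeStrings.map(parseCpe23);
  const matched = models.filter(m => cpes.some(c => cpeMatchesModel(c, m)));
  const matchedIds = new Set(matched.map(m => m.sys_id));
  const filterInactive = props['sn_vul.filter_inactive_sw_installs'] === 'true';
  const exposed = installs.filter(i => matchedIds.has(i.discovery_model) && (!filterInactive || i.active));
  return {
    discoveryModels: matched.map(m => m.sys_id),
    softwareInstallationCount: exposed.length,
    configurationItems: [...new Set(exposed.map(i => i.installed_on))].sort(),
  };
}

// Constructed sample data; vendor, product, sys_ids and CI names are invented.
const MODELS = [
  // Normalized by SAM Professional: 'Acme Corp' alone would not match the CPE vendor 'acme'.
  { sys_id: 'dm1', discovered_publisher: 'Acme Corp', discovered_product: 'Acme Widget Server', discovered_version: '2.1.0',
    normalized_publisher: 'Acme', normalized_product: 'Widget Server', normalized_version: '2.1.0' },
  // Foundation-style record with discovered fields only.
  { sys_id: 'dm2', discovered_publisher: 'acme', discovered_product: 'widget server', discovered_version: '2.0.5' },
  { sys_id: 'dm3', discovered_publisher: 'Other Vendor', discovered_product: 'Widget Server', discovered_version: '2.1.0' },
];
const INSTALLS = [
  { discovery_model: 'dm1', installed_on: 'srv-01', active: true },
  { discovery_model: 'dm1', installed_on: 'srv-02', active: false },
  { discovery_model: 'dm2', installed_on: 'srv-03', active: true },
  { discovery_model: 'dm3', installed_on: 'srv-04', active: true },
];
const CVE_CPES = ['cpe:2.3:a:acme:widget_server:2.1.0:*:*:*:*:*:*:*'];

// With the filter on (the base-system default), the inactive install on srv-02 is excluded.
console.log(assessExposure(CVE_CPES, MODELS, INSTALLS, { 'sn_vul.filter_inactive_sw_installs': 'true' }));
// With the filter off, both installs of dm1 count.
console.log(assessExposure(CVE_CPES, MODELS, INSTALLS, { 'sn_vul.filter_inactive_sw_installs': 'false' }));
```

    Running the block shows why normalization matters for matching: dm1 matches only because its normalized publisher and product line up with the CPE, while the discovered 'Acme Corp' / 'Acme Widget Server' values would not. It also shows that the installation count is a function of the filter property at the time of calculation, which is why the count on an existing record does not change until the scheduled jobs recalculate it.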