Exploring Application Vulnerability Response

  • Release version: Zurich
  • Updated July 31, 2025

Application vulnerabilities are vulnerabilities in your custom software applications, which are scanned throughout the application's development life cycle.

    Overview of Application Vulnerability Response and available versions

    Application Vulnerability Response (AVR) is the part of the Vulnerability Response application that processes application vulnerabilities.

Table 1. Available versions
Release version: Vulnerability Response v23.0, v22.0, v21.0, v20.0, v19.0, v18.2
Release Notes: Application Vulnerability Response release notes

For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes.

    How it works

    Vulnerability data is imported from internal and external sources, such as the Common Weakness Enumeration (CWE) or third-party integrations. After data is imported, it is compared to application data in your Configuration Management Database (CMDB) and processed in the Application Vulnerability Response application. If a match exists between imported application vulnerability data and data in your CMDB, an application vulnerable item (AVIT) is created.

Application Vulnerability Response includes the following key features:
• Integrate with supported third-party scanners to import vulnerability data.
• Compare application vulnerability-related data and determine whether application vulnerabilities are present in an application.
• Prioritize, remediate, and manage application vulnerable items (AVITs). Each application vulnerability represents a vulnerability entry in the CWE or in third-party libraries.
• Starting with version 18.0 of Vulnerability Response, you can monitor and remediate AVITs in the Vulnerability Manager Workspace and IT Remediation Workspace respectively. For more information, see Vulnerability Manager Workspace and IT Remediation Workspace.
• Correlate Application Vulnerability Response data using calculators and libraries to help you perform the following tasks:
  • Create application vulnerable items automatically using CI Lookup Rules. During import, third-party vulnerabilities are associated with a CWE to create an AVIT.
      • Create assignment rules to automate application vulnerable item assignments.
      • Use calculator groups to determine business impact, specify varying conditions using filters, apply simple calculations, or use a script.
      • Create remediation target rules that define the expected time frame for remediating application vulnerable items so you can monitor upcoming remediation activities.
    • Relate a single third-party vulnerability to multiple CWE entries and find the primary CWE for a vulnerability to help you determine risk. For more information on the Primary CWE, see Application Vulnerability fields.
    • Use CWE records that are downloaded from the CWE database or imported from third-party integrations for reference to help you decide if you must escalate a vulnerability. Each CWE record also includes an associated knowledge article that describes the weakness.

    Use Application Vulnerability Response to follow the flow of information, from integration through investigation, and then on to resolution.

[Figure: Application Vulnerability Response flow]

    Types of imported vulnerability data

    Application Vulnerability Response supports the following types of imported application vulnerability data.
Note: Prior to v19.0, SAST, SCA, IAST, and penetration testing data were not ingested, which may account for differences between what is shown within Veracode, Fortify, and Invicti and what appears in Application Vulnerability Response.
Dynamic Application Security Testing (DAST)
DAST scans find vulnerabilities by sending input to your applications and monitoring their responses while they are running. This approach can imitate an outside attack. During dynamic scanning, a running service (URL) is scanned for vulnerabilities. Vulnerability results include the URL location of a discovered vulnerability.
    Static Application Security Testing (SAST)
    SAST scans review the source code of applications at rest and help you find vulnerabilities in the way you've written your code. The SAST scan takes place on non-compiled source code and so it exists independently of any application service. Returned results include a file and line number location of a discovered vulnerability.
    Interactive Application Security Testing (IAST)
    IAST scans detect software vulnerabilities by interacting with the program while it is running. Human observation, automated tests, and sensors are used in combination to interact with the application to locate vulnerabilities.
    Software Composition Analysis (SCA)
Starting with v19.0 of Vulnerability Response, you can ingest Software Composition Analysis (SCA) vulnerabilities. SCA vulnerability data helps you identify weaknesses in the open source software used in your software applications.
    Penetration testing
    You configure penetration test assessment requests in Application Vulnerability Response to help you understand where your application weaknesses are and what you can do to fix them.
    Software Bill of Materials
    Upload Software Bill of Materials (SBOM) data to identify vulnerabilities in your open source components. See Exploring Software Bill of Materials for more information.

    Use cases

The following DAST use cases are supported:
• Relate each vulnerability from scan results to some kind of cmdb_ci (child class).
• Relate DAST scan results to an existing application when there is a record in the CMDB from Discovery or a third-party integration.
• Relate DAST scan results to a newly inserted scanned application when a new application has not previously been identified and/or stored in the CMDB.
• Store DAST scan results in the CMDB when you manage your applications in a product other than ServiceNow®.
• Store DAST scan results in a CMDB that you have previously customized for some other purpose.
• Manually create an application for a source code repository.
The following SAST use cases are supported:
• Relate each vulnerability from scan results to some kind of cmdb_ci (child class).
• Manually create a CI for a source code repository.
• Store SAST scan results that have no related application service.

    Third-party integrations

The third-party integrations supported by Application Vulnerability Response are available as separate applications in the ServiceNow Store. See Integrating Application Vulnerability Response with other applications for more information.

    Key features

    CI lookup rules
    Automatically search application data for matches in the Configuration Management Database (CMDB).
    Assignment rules
    Automatically assign application vulnerabilities based on user groups, user group fields, and scripts.
    Risk Calculators
    Automatically prioritize and rate the impact of AVITs using calculators, based on any criteria, by using condition filters.
    Severity mapping
    Automatically calculate initial values for fields on application vulnerable items. Vulnerability entries have both source severity and normalized severity (based on severity mapping). Severity is tied to the Common Weakness Enumeration (CWE).
    Remediation target rules
    Define the expected time frame for remediating an application vulnerable item.
    Reporting
    Quickly gain insight into your security posture, remediation trends and top 10 Applications or Business Units with the most critical AVITs.

The common point for both types of scans is the application release. An application release, identified by a Name string, is the tie-in point used on the scanner side to group scanned vulnerability results. This is how AVR knows which application release the results belong to when importing scan results through the integration.

A Configuration Item [cmdb_ci] child table, Scanned Applications [sn_vul_app_scanned_application], was created in the Vulnerability Response application and scope. This table stores the Application Release abstraction and provides service graphing through its CMDB relationships. Scanned applications can be viewed from the All > Application Vulnerability Response > Administration > Applications module. The list view for Scanned Applications contains the Department and Support Group added during setup.

    Application Vulnerable Items (AVITs)

    For application vulnerabilities, AVR relates a vulnerability to an application to create the application vulnerable item (AVIT) record. Because of the multiple definitions of what constitutes an application in the CMDB, Application Vulnerability Response limits applications to scanned applications. Scanned applications are the applications scanned in your environment identified by AVR as Name and ID. AVITs are based on the latest scan summary until confirmed Fixed by the scanner. If an AVIT is no longer found, it remains tied to the scan summary where it was last seen.

    Application vulnerable items can be viewed from the All > Application Vulnerability Response > Vulnerabilities > Vulnerable Items module.

    If an application is removed from the CMDB, any associated AVITs are closed.
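The import, CI lookup, and AVIT lifecycle rules described in the key features and in this section, modelled as an added standalone example; this is not ServiceNow or AVR code, and the table names, field names, sample records, and severity map are assumptions for illustration:

```javascript
// Added example, not ServiceNow code: a minimal model of how AVR turns imported
// findings into application vulnerable items (AVITs). Names and the severity map are assumed.

// Constructed Scanned Applications records: an application release identified by name and ID.
const SCANNED_APPS = [
  { sys_id: 'app001', name: 'payments-api', release: '2.3.0' },
  { sys_id: 'app002', name: 'web-portal', release: '1.8.1' },
];
// Constructed findings as a scanner integration might deliver them (one DAST, one SAST, one with no CMDB record).
const FINDINGS = [
  { app_name: 'payments-api', app_release: '2.3.0', cwe: 'CWE-89', severity: 'High', location: '/api/pay?id=1' },
  { app_name: 'web-portal', app_release: '1.8.1', cwe: 'CWE-79', severity: 'Medium', location: 'src/views/search.js:42' },
  { app_name: 'legacy-batch', app_release: '0.9', cwe: 'CWE-22', severity: 'Low', location: '/export' },
];
// Assumed severity mapping: scanner (source) severity -> normalized severity, 1 = most severe.
const SEVERITY_MAP = { 'Very High': 1, High: 2, Medium: 3, Low: 4, Info: 5 };

// CI lookup rule: match the finding's application release (name + release) to a scanned application.
function ciLookup(finding, apps) {
  return apps.find((a) => a.name === finding.app_name && a.release === finding.app_release) || null;
}
// An AVIT is unique per application, CWE and location (URL for DAST, file:line for SAST).
function avitKey(appId, f) { return `${appId}|${f.cwe}|${f.location}`; }

// Process one scan summary. AVITs seen again advance to this scan; AVITs not seen keep the
// scan summary where they were last observed. Findings with no CMDB match are returned for review.
function processScan(scanSummaryId, findings, apps, avits) {
  const unmatched = [];
  for (const f of findings) {
    const app = ciLookup(f, apps);
    if (!app) { unmatched.push(f); continue; }
    const key = avitKey(app.sys_id, f);
    if (avits.has(key)) { avits.get(key).last_scan_summary = scanSummaryId; continue; }
    avits.set(key, {
      app_id: app.sys_id, cwe: f.cwe, location: f.location, source_severity: f.severity,
      normalized_severity: f.severity in SEVERITY_MAP ? SEVERITY_MAP[f.severity] : 3,
      state: 'Open', last_scan_summary: scanSummaryId,
    });
  }
  return unmatched;
}
// Removing an application from the CMDB closes its AVITs; returns how many were closed.
function closeAvitsForApp(appId, avits) {
  let closed = 0;
  for (const a of avits.values()) if (a.app_id === appId && a.state !== 'Closed') { a.state = 'Closed'; closed += 1; }
  return closed;
}
```

The unmatched list is the practical check: a finding that matches no scanned application produces no AVIT and would silently go untracked unless someone creates the CI manually, as the use cases above describe.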

    For information on AVIT form fields, see Application Vulnerable Item fields.

    User groups and roles in Application Vulnerability Response

    Often a team works together to create, manage, and oversee the management of application vulnerabilities. There are strategic roles, as well as operational roles, among the team members. In most organizations, you may participate in more than one role and often share roles with others. Application Vulnerability Response uses three user groups containing granular roles: App-Sec Manager, Application Security Champion, and Developer. See Application Vulnerability Response user groups and roles for more information on these groups and roles.

    Application Vulnerability Response states

    Application Vulnerability Response offers a state model for the status of your application vulnerable items (AVITs) and helps you to determine when and how to remediate your AVITs.

An application vulnerable item has several possible states; see Application Vulnerable Item (AVI) states for more information.

    Vulnerability Response applications and CSDM tables

    The Vulnerability Response, Application Vulnerability Response, third-party vulnerability integrations and Software Bill of Materials applications manage (contribute data to) CSDM tables. These applications also use data from CSDM tables that other applications generate. Several ServiceNow products, therefore, benefit from and add value to these Security Operations applications. See Vulnerability Response applications and CSDM tables for more information.