Thank you for your feedback.
Form temporarily unavailable. Please try again or contact to submit your comments.

Software exposure assessment using Software Asset Management (SAM)

Log in to subscribe to topics and get notified when content changes.

Software exposure assessment using Software Asset Management (SAM)

As a vulnerability manager, use the ServiceNow® Exposure Assessment application to determine your total installed software count for a specific software package on your assets. When used with the ITSM Software Asset Management application, evaluate your exposure, create vulnerable items, and manage remediation for the vulnerable software you discover.


As a Vulnerability manager, you can determine your exposure to vulnerable software by providing the vulnerable software information (publisher, product, edition and version) without using the Common Vulnerabilities and Exposures (CVE) database. Assess cases of a zero-day (current day) vulnerabilities to software for the following cases:
  • When products do not yet have CVE data.
  • When there is a lag between the time a vulnerability becomes publicly known and the CVE data with the vulnerability is updated in the NVD.
  • When you learn about the vulnerability in-between the scheduled scans of your vulnerability scanner.

With the Exposure Assessment application, if you know the publisher and product for the vulnerable software, using the records that list the installed software in your network created by the SAM application, you can assess your exposure to potentially malicious software packages on-demand.

Knowing the scale of your exposure to this type of vulnerability permits you to proactively respond by implementing a red alert and uninstalling the software, or informing your security operations center (SOC) to look for a specific patch. You can create vulnerable items and assign tasks to the remediation specialist for further investigation remediation. View a vulnerability group (VG) list to verify that the vulnerable items you want are created and associated correctly to the VG.

The Exposure Assessment application for the Vulnerability Response application is compatible with the Madrid v9.0, New York v9.0, and Orlando family releases.