Exploring Application Vulnerability Response
- Updated Aug 1, 2024
- 6 minutes to read
- Xanadu
- Application Vulnerability Response
Application vulnerabilities are vulnerabilities on your custom software applications that are scanned throughout the application’s development life cycle.
Overview of Application Vulnerability Response and available versions
Application Vulnerability Response (AVR) is the part of the Vulnerability Response application that processes application vulnerabilities.
Release version | Release Notes |
---|---|
Vulnerability Response v23.0 | Application Vulnerability Response release notes |
Vulnerability Response v22.0 | Application Vulnerability Response release notes |
Vulnerability Response v21.0 | Application Vulnerability Response release notes |
Vulnerability Response v20.0 | Application Vulnerability Response release notes |
Vulnerability Response v19.0 | Application Vulnerability Response release notes |
Vulnerability Response v18.2 | Application Vulnerability Response release notes |
For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes.
How it works
Vulnerability data is imported from internal and external sources, such as the Common Weakness Enumeration (CWE) or third-party integrations. After data is imported, it is compared to application data in your Configuration Management Database (CMDB) and processed in the Application Vulnerability Response application. If a match exists between imported application vulnerability data and data in your CMDB, an application vulnerable item (AVIT) is created.
- Integrate with supported third-party scanners to import vulnerability data.
- Compare application vulnerability-related data and determine if application vulnerabilities are found in an application.
- Prioritize, remediate, and manage application vulnerable items (AVITs). Each application vulnerability represents a vulnerability entry in the CWE or in third-party libraries.
- Starting with version 18.0 of Vulnerability Response, you can monitor and remediate AVITs in the Vulnerability Manager Workspace and IT Remediation Workspace respectively. For more information, see Vulnerability Manager Workspace and IT Remediation Workspace.
- Correlate Application Vulnerability Response data using calculators and libraries to help you perform the following tasks.
- Create application vulnerable items automatically using CI Lookup Rules. During import, third-party vulnerabilities are associated to a CWE to create an AVIT.
- Create assignment rules to automate application vulnerable item assignments.
- Use calculator groups to determine business impact, specify varying conditions using filters, apply simple calculations, or use a script.
- Create remediation target rules that define the expected time frame for remediating application vulnerable items so you can monitor upcoming remediation activities.
- Relate a single third-party vulnerability to multiple CWE entries and find the primary CWE for a vulnerability to help you determine risk. For more information on the Primary CWE, see Application Vulnerability fields.
- Use CWE records that are downloaded from the CWE database or imported from third-party integrations for reference to help you decide if you must escalate a vulnerability. Each CWE record also includes an associated knowledge article that describes the weakness.
Use Application Vulnerability Response to follow the flow of information, from integration through investigation, and then on to resolution.

Types of imported vulnerability data
- Dynamic Application Security Testing (DAST)
- DAST scans find vulnerabilities by sending input to your running applications and monitoring their responses. This approach might imitate an outside attack. During dynamic scanning, a running service (URL) is scanned for vulnerabilities. Vulnerability results include the URL location of a discovered vulnerability.
- Static Application Security Testing (SAST)
- SAST scans review the source code of applications at rest and help you find vulnerabilities in the way you have written your code. The SAST scan takes place on non-compiled source code, so it exists independently of any application service. Returned results include the file and line number location of a discovered vulnerability.
- Interactive Application Security Testing (IAST)
- IAST scans detect software vulnerabilities by interacting with the program while it is running. Human observation, automated tests, and sensors are used in combination to interact with the application to locate vulnerabilities.
- Software Composition Analysis (SCA)
- Starting with v19.0 of Vulnerability Response, you can ingest Software Composition Analysis (SCA) vulnerabilities. SCA vulnerability data helps you identify weaknesses in the open source software used in your software applications.
- Penetration testing
- You configure penetration test assessment requests in Application Vulnerability Response to help you understand where your application weaknesses are and what you can do to fix them.
- Software Bill of Materials
- Upload Software Bill of Materials (SBOM) data to identify vulnerabilities in your open source components. See Exploring Software Bill of Materials for more information.
Use cases
- Relate each vulnerability from scan results to some kind of cmdb_ci (child class).
- Relate DAST scan results to an existing application when there is a record in the CMDB from Discovery or a third-party integration.
- Relate DAST scan result to a newly inserted scanned application when a new Application has not previously been identified and/or stored in the CMDB.
- Store DAST scan results for a CMDB when you manage your applications in a product other than ServiceNow®.
- Store DAST scan results for a CMDB if you have previously customized for some other purpose.
- Create an application for Source code repository manually.
- Relate each vulnerability from scan results to some kind of cmdb_ci (child class).
- Create a CI for Source code repository manually.
- Store SAST scan results that are without a related Application Service.
Third-party integrations
The third-party integrations supported by Application Vulnerability Response are available as separate applications in the ServiceNow Store. See Integrating Application Vulnerability Response with other applications for more information.
Key features
- A shared API imports DAST, SAST, IAST, and SCA data and manual pen testing results. See Penetration testing.
- A separate API is used to import SBOM data. For more information, see Exploring Application Vulnerability Response and Veracode Vulnerability Integration.
- CI lookup rules
- Automatically search application data for matches in the Configuration Management Database (CMDB).
- Assignment rules
- Automatically assign application vulnerabilities based on user groups, user group fields, and scripts.
- Risk Calculators
- Automatically prioritize and rate the impact of AVITs using calculators, based on any criteria, by using condition filters.
- Severity mapping
- Automatically calculate initial values for fields on application vulnerable items. Vulnerability entries have both source severity and normalized severity (based on severity mapping). Severity is tied to the Common Weakness Enumeration (CWE).
- Remediation target rules
- Define the expected time frame for remediating an application vulnerable item.
- Reporting
- Quickly gain insight into your security posture, remediation trends, and the top 10 Applications or Business Units with the most critical AVITs.
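The import flow described under "How it works" (scanner data matched against the CMDB, an AVIT created per match) and the CI lookup rule, severity mapping and remediation target rule features listed above can be illustrated end to end. The following Python is an added example written for this page, not ServiceNow code: the record classes, the name-plus-release match rule, the severity mapping values and the remediation day counts are all assumptions, and the scan findings and CMDB entries are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Illustrative severity mapping: scanner (source) severity -> normalized severity.
SEVERITY_MAP = {
    "critical": "Critical",
    "high": "High",
    "medium": "Medium",
    "low": "Low",
    "info": "Informational",
}

# Illustrative remediation target rule: normalized severity -> days allowed to remediate.
# The day counts are assumptions for this example, not product defaults.
REMEDIATION_TARGET_DAYS = {
    "Critical": 7,
    "High": 30,
    "Medium": 90,
    "Low": 180,
    "Informational": 365,
}


@dataclass
class ScannedApplication:
    """Stand-in for a Scanned Applications CI record: identified by name, ID and release."""
    name: str
    app_id: str
    release: str


@dataclass
class Finding:
    """One imported scanner result (DAST, SAST or SCA), keyed to an application release."""
    kind: str            # "DAST", "SAST" or "SCA"
    app_name: str
    release: str
    cwe: str             # third-party findings are associated to a CWE on import
    source_severity: str
    location: str        # URL for DAST, file:line for SAST, package name for SCA
    detected: date


@dataclass
class AVIT:
    """Application vulnerable item: a vulnerability related to a scanned application."""
    application: ScannedApplication
    cwe: str
    source_severity: str
    normalized_severity: str
    location: str
    remediation_target: date


def lookup_ci(cmdb: List[ScannedApplication], finding: Finding,
              create_if_missing: bool) -> Optional[ScannedApplication]:
    """CI lookup rule (assumed): match on application name and release.
    With create_if_missing set, an unmatched finding inserts a new scanned
    application, mirroring the 'newly inserted scanned application' use case."""
    for ci in cmdb:
        if ci.name == finding.app_name and ci.release == finding.release:
            return ci
    if not create_if_missing:
        return None
    new_ci = ScannedApplication(finding.app_name, f"auto-{len(cmdb) + 1}", finding.release)
    cmdb.append(new_ci)
    return new_ci


def normalize_severity(source_severity: str) -> str:
    """Severity mapping: fail loudly on an unmapped source value rather than guess."""
    key = source_severity.strip().lower()
    if key not in SEVERITY_MAP:
        raise ValueError(f"no severity mapping for {source_severity!r}")
    return SEVERITY_MAP[key]


def remediation_target(normalized_severity: str, detected: date) -> date:
    """Remediation target rule: detection date plus the allowed days for the severity."""
    return detected + timedelta(days=REMEDIATION_TARGET_DAYS[normalized_severity])


def process_import(cmdb: List[ScannedApplication], findings: List[Finding],
                   create_if_missing: bool = True) -> Tuple[List[AVIT], List[Finding]]:
    """Match each finding to a CI and create an AVIT; findings with no CI are returned unmatched."""
    avits: List[AVIT] = []
    unmatched: List[Finding] = []
    for f in findings:
        ci = lookup_ci(cmdb, f, create_if_missing)
        if ci is None:
            unmatched.append(f)
            continue
        sev = normalize_severity(f.source_severity)
        avits.append(AVIT(ci, f.cwe, f.source_severity, sev, f.location,
                          remediation_target(sev, f.detected)))
    return avits, unmatched


# Constructed sample data (not real scan output or CMDB content).
SAMPLE_CMDB = [ScannedApplication("payments-api", "app-1001", "2.3.1")]
SAMPLE_FINDINGS = [
    Finding("SAST", "payments-api", "2.3.1", "CWE-89", "Critical", "src/db.py:42", date(2024, 8, 1)),
    Finding("DAST", "payments-api", "2.3.1", "CWE-79", "high", "https://payments.example/search", date(2024, 8, 1)),
    Finding("DAST", "legacy-portal", "1.0", "CWE-352", "medium", "https://portal.example/account", date(2024, 8, 1)),
]

if __name__ == "__main__":
    cmdb = list(SAMPLE_CMDB)
    avits, unmatched = process_import(cmdb, SAMPLE_FINDINGS)
    for a in sorted(avits, key=lambda a: a.remediation_target):
        print(f"{a.application.name} {a.application.release} {a.cwe} "
              f"{a.normalized_severity:<8} due {a.remediation_target} at {a.location}")
    print(f"{len(unmatched)} unmatched, {len(cmdb)} scanned applications in CMDB")
```

Running it with `create_if_missing=False` leaves the `legacy-portal` finding unmatched and the CMDB untouched, which is the behaviour to expect when applications are managed outside the CMDB; with the default, the finding inserts a new scanned application and still produces an AVIT. The severity mapping raises on an unknown source value so that a scanner introducing a new severity label is noticed at import rather than silently prioritized wrongly.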
The common point for both types of scans is the application release. An application release, which defines a Name string, is the tie-in point that groups scanned vulnerability results on the scanner side. This way, AVR knows which application release the results belong to when importing scan results through the integration.
A Configuration Item [cmdb_ci] child table, Scanned Applications [sn_vul_app_scanned_application], was created in the Vulnerability Response application and scope. This table stores the Application Release abstraction and provides service graphing through its CMDB relationships. Scanned applications can be viewed from the module. The list view for Scanned Applications contains the Department and Support Group added during setup.
Application Vulnerable Items (AVITs)
For application vulnerabilities, AVR relates a vulnerability to an application to create the application vulnerable item (AVIT) record. Because the CMDB has multiple definitions of what constitutes an application, Application Vulnerability Response limits applications to scanned applications. Scanned applications are the applications scanned in your environment, identified by AVR by Name and ID. AVITs are based on the latest scan summary until the scanner confirms them as Fixed. If an AVIT is no longer found, it remains tied to the scan summary where it was last seen.
Application vulnerable items can be viewed from the module. If an application is removed from the CMDB, any associated AVITs are closed.
For information on AVIT form fields, see Application Vulnerable Item fields.
User groups and roles in Application Vulnerability Response
Often a team works together to create, manage, and oversee the management of application vulnerabilities. There are strategic roles, as well as operational roles, among the team members. In most organizations, you may participate in more than one role and often share roles with others. Application Vulnerability Response uses three user groups containing granular roles: App-Sec Manager, Application Security Champion, and Developer. See Application Vulnerability Response user groups and roles for more information on these groups and roles.
Application Vulnerability Response states
Application Vulnerability Response offers a state model for the status of your application vulnerable items (AVITs) and helps you to determine when and how to remediate your AVITs.
An application vulnerable item has several possible states; see Application Vulnerable Item (AVI) states for more information.