Application Vulnerability Response release notes
- Updated Jan 30, 2025
- Yokohama
The ServiceNow® Application Vulnerability Response application brings security and IT together to enable you to remediate your most critical vulnerabilities more quickly and efficiently. Application Vulnerability Response is included as part of the ServiceNow® Vulnerability Response application. Application Vulnerability Response was enhanced and updated in the Yokohama release.
Application Vulnerability Response highlights for the Yokohama release
- Monitor your penetration test requests and findings, as well as your team's overall progress in the Penetration Test Workspace.
- Reevaluate the risk score, assignments, remediation target date, exceptions, and remediation task for a specific set of application vulnerable items in the Vulnerability Manager Workspace.
- Integrate with supported third-party scanners to import vulnerability data.
- Compare application vulnerability-related data and determine if application vulnerabilities are found in an application.
- Prioritize, remediate, and manage application vulnerable items (AVITs). Each application vulnerability represents a vulnerability entry in the Common Weakness Enumeration (CWE) or in third-party libraries.
- With the sn_vul.app_sec_manager role, create application remediation tasks manually in the Vulnerability Manager Workspace.
- With the sn_vul.app_security_champion role, create application remediation tasks manually in the IT Remediation Workspace.
See Application Vulnerability Response for more information.
Important information for upgrading Application Vulnerability Response to Yokohama
- For information about the new features of Vulnerability Response, see Vulnerability Response release notes.
- For more information about the released versions of the Application Vulnerability Response application as well as the third-party and ServiceNow applications that are compatible with the Xanadu release, see the Vulnerability Response Compatibility Matrix and Release Schema Changes [KB0856498] article in the Now Support Knowledge Base.
New in the Yokohama release
- Create application remediation tasks manually in the Vulnerability Manager Workspace
- With the sn_vul.app_sec_manager role, you can create application remediation tasks manually by selecting some or all of the records in the Application vulnerable items lists in the Vulnerability Manager Workspace. These records are grouped into one or more remediation tasks according to the grouping criteria you select while creating the application remediation tasks.
- Create application remediation tasks manually in the IT Remediation Workspace
- With the sn_vul.app_security_champion role, you can create application remediation tasks manually by selecting the desired records in the Application vulnerable items lists in the IT Remediation Workspace. These records are grouped into one or more remediation tasks according to the grouping criteria you select while creating the application remediation tasks.
- Manual ingestion of vulnerabilities for Application Vulnerability Response
- Import AVITs from external sources via a standardized template (for example, CSV or Excel) and manage the penetration test findings lifecycle. You can now ingest vulnerability data, including details such as the affected application, vulnerability description, severity, remediation recommendations, and other necessary details. This enhancement simplifies consolidating vulnerability data from diverse sources into a centralized Penetration Test Workspace.
- Penetration Test Workspace
- Monitor your penetration test requests and findings as well as your team's overall progress in the Penetration Test Workspace. Prioritize tests that need your attention, track findings, and view assignments with the following data visualizations on the dashboard:
- Important items.
- Penetration test requests that are critical and by state.
- Reported findings.
- Overall remediation progress based on assignment.
- Enhancements to Penetration Test Assessment Requests
- Along with Full Penetration, Focused, and Re-test, the following assessment types are included for Penetration Test Assessment Requests forms in the Penetration Test Workspace:
- Emergency Release - Supports emergency releases that are required for rapid software updates to address critical issues like security vulnerabilities.
- Bug Bounty Program - Rewards ethical hackers for finding and reporting security vulnerabilities.
- Release Approvals - Ensure that all necessary checks are completed before deploying new software.
- One-off reviews - Assess specific projects outside regular development and release cycles to evaluate performance and implement improvements.
- Executive Interest - Report on senior management's engagement and support for critical projects within the organization.
Enhancements to the Release Approval and Release Notes fields help you ensure quality and security for your pen test findings.
The following states have been added to the Release approval field:
- Not Applicable (Default).
- Approved.
- Denied.
You can add details to justify your release approvals in the Release notes field.
- Associate CWEs for manual AVIT creation from Penetration Test Assessment Requests
- On the Penetration test findings tab of Penetration Test Assessment Requests, you have the option to associate Common Weakness Enumerations (CWEs) or Common Vulnerabilities and Exposures (CVEs) in the Vulnerability field for manually created AVITs.
- Create change requests in Application Vulnerability Response
- Users with the sn_vul.app_sec_manager and sn_vul.app_sec_champion roles, as well as users with the sn_vul.app_developer role who also have the ITIL role, can create change requests from remediation tasks in the Application Vulnerability Response application. Create change requests to expedite your investigation of application vulnerable items (AVITs) that require manual intervention.
- Create change requests with prepopulated information for scanned applications that are classified as configuration items (CIs).
- The change request workflow in Application Vulnerability Response is similar to the workflow supported in Vulnerability Response. For more information about the Vulnerability Response change request workflow, see Change management for Vulnerability Response.
Note: Change requests are supported for Application Vulnerability Response only if the discovered application is associated with a configuration item (CI). You must set Product model to False in the Use Product Model [sn_vul.use_product_model] system property to associate a discovered application with a CI.
- Enhancements to the Software Bill of Materials Workspace
- You can delete multiple BOM entity records and their related components with bulk edit from the Software Bill of Materials (SBOM) Workspace.
- Any application vulnerable items (AVITs) that are associated with deleted BOM entities automatically transition to Closed.
- View risk score details of a vulnerable item in the Work notes section
- Starting with v25.0.3 of Application Vulnerability Response, the system property sn_sec_cmn.risk_score_changes_add_worknotes is inactive by default. Only if you enable it can you see all the changes related to the risk score of an application vulnerable item in the Work notes section. Additionally, the work notes are updated only when the risk score changes.
Activation information
Install Application Vulnerability Response by requesting it from the ServiceNow Store. Application Vulnerability Response is included as a part of the Vulnerability Response application. The Software Bill of Materials applications require a separate subscription. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.