Exception Management in Application Vulnerability Response
Exception Management in Application Vulnerability Response (AVR) allows your organization to formally request, review, approve, or reject exceptions when an application vulnerable item (AVI) cannot be remediated according to established vulnerability management policies. This process acknowledges and accepts the risk of deferring remediation when patches or fixes are unavailable or immediate remediation is not possible.
Starting with version 21.0, you can configure approval time frames and automated email notifications related to exceptions and false positives, helping to maintain timely decision-making and compliance.
Key Features
- Exception Requests: Developers can request exceptions to defer remediation of AVIs for specified periods when immediate fixes are not feasible.
- Exception Rules (v20+): Automate deferral of AVIs based on predefined conditions to minimize SLA breaches and reduce manual processing.
- Extension Requests: Submit requests to extend the deferral period of exception rules up to one year, subject to two-level approval by separate groups, ensuring controlled risk management.
- Approval Workflow: Exception requests undergo risk assessment and approval by application security analysts, potentially involving a two-level approval process for enhanced governance.
- Status Tracking: Monitor exception requests and their progress via the State Change Approvals tab within the AVI record.
- Expiry and Reversion: Expired exceptions cause AVIs to revert to Open status unless an extension is approved.
- Integration and Configuration: Exceptions can be requested via the ServiceNow AVR module or integrated GRC Policy and Compliance Management. Approval flows are configurable using Flow Designer (enabled by default in new deployments).
- Deferral State Management (v20+): AVIs and remediation tasks can be manually transitioned to an "Awaiting Implementation" state to indicate deferred remediation.
- Role Management: Administrators can add exception approvers to ensure appropriate users can request and approve exceptions.
Practical Benefits for ServiceNow Customers
- Enables structured handling of vulnerabilities that cannot be immediately remediated, ensuring risk acceptance is documented and managed.
- Automates deferrals and approvals to reduce manual workload and avoid SLA violations.
- Provides configurable workflows and notifications to keep stakeholders informed and maintain governance.
- Supports compliance by integrating with broader policy and compliance frameworks within ServiceNow.
- Offers visibility and control over exception statuses, expiration, and extensions to maintain security posture awareness.
When your organization can't comply with a published vulnerability management or security policy, standard, or guideline, you can request an exception. Exception management entails requesting, reviewing, approving, or rejecting exceptions to an application vulnerable item (AVI) that cannot be remediated according to the policy.
Starting with v21.0 of Application Vulnerability Response, you can configure the time frames for approving false positives and exceptions, along with email notifications sent to both the approver and the requester after a set number of days. When a request is raised, the application vulnerable item changes to In Review status and a state change record is created. If the approver doesn't respond within the configured time frame, the application vulnerable item or remediation task reverts to Open status. The previous state is stored in the backup_state field. For more information, see Configure approval rules for Exception Management.
Life cycle of an exception
- Definition of an exception: An exception is a request to defer the remediation of an AVI for a specified period. For example, as a developer, you can request an exception if a patch is not available for a machine.
- Requesting an exception: As the developer, you can ask for an exemption for an AVI using the exception management process. After the application security analyst approves this request, the AVI moves to the Deferred state.
- Exception rules: Starting with v20, you can create exception rules to automatically defer existing and new application vulnerable items (AVIs) for a specific period if they match the conditions of the rule. Using exception rules to automatically defer AVIs minimizes the risk of missing service level agreements, and because manual intervention is eliminated, the rules help you manage large numbers of items. See Create an Exception rule.
- Requesting an extension for an exception rule: Starting with v20, you can submit a request for an extension to the Deferred until date of an exception rule. You might request an extension if you find that a large number of records created by the rule are not being resolved by its Deferred until date, which is the date when the remediation task stops accepting new AVIs. The extension updates the exception rule so that it automatically extends the deferral date on your existing rule. You can enter dates up to one year from the current date, and you must include a reason for the extension. An extension request requires two-level approval from separate approval groups.
- Approving an exception request: AVIs that can't be remediated immediately are reviewed by application security analysts, assessed for risk, and approved for deferral until they can be remediated. Approving an exception request can be a two-level flow. If only the first-level approver is present, the exception can be requested and approved. However, if there's no first-level approver, an exception can't be requested. See Add an exception approver for Application Vulnerability Response for more information.
- Tracking an exception request: After raising the exception, you can track its status by using the State Change Approvals tab of the AVI.
- Expiry of an exception request and requesting an extension to an exception rule: When an exception request for a particular AVI expires, the impacted AVI reverts to its Open state. However, starting with v20, you can submit a request to extend the Deferred until date on the exception rule.
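The life cycle above, modelled as an added example in plain JavaScript (not ServiceNow's own code): the state names and the backup_state field come from this page; the function names, the other field names and the approval-group objects are constructed assumptions, and the extension is applied to a single AVI rather than to an exception rule for simplicity.

```javascript
// Illustrative model of the AVI exception life cycle described on this page.
// Not ServiceNow code: only the state names and backup_state come from the page.
const DAY_MS = 24 * 60 * 60 * 1000;
function createAvi(id) {
  return { id, state: 'Open', backup_state: null, deferred_until: null, changes: [] };
}

// Raising a request needs a first-level approver; the previous state is kept in
// backup_state, the item moves to In Review and a state change record is created.
function requestException(avi, approvers, now) {
  if (!approvers.firstLevel) return { ok: false, reason: 'no first-level approver' };
  avi.backup_state = avi.state;
  avi.state = 'In Review';
  avi.changes.push({ requestedAt: now, decided: false });
  return { ok: true };
}
// No approver response within the configured window: the item reverts to Open.
function checkApprovalTimeout(avi, now, windowDays) {
  const pending = avi.changes.find((c) => !c.decided);
  if (!pending || now - pending.requestedAt < windowDays * DAY_MS) return false;
  pending.decided = true;
  avi.state = 'Open';
  return true;
}
// Analyst approval: the item becomes Deferred until the agreed date.
function approveException(avi, now, deferDays) {
  const pending = avi.changes.find((c) => !c.decided);
  if (!pending) return false;
  pending.decided = true;
  avi.state = 'Deferred';
  avi.deferred_until = now + deferDays * DAY_MS;
  return true;
}
// Extension of the Deferred until date: at most one year from today, a reason is
// mandatory, and two approvals from separate groups are required.
function extendDeferral(avi, now, newUntil, reason, approvals) {
  const limit = new Date(now);
  limit.setUTCFullYear(limit.getUTCFullYear() + 1);
  if (!reason || newUntil > limit.getTime()) return false;
  if (approvals.length !== 2 || approvals[0].group === approvals[1].group) return false;
  avi.deferred_until = newUntil;
  return true;
}
// Expiry: a Deferred item whose date has passed reverts to Open.
function checkExpiry(avi, now) {
  if (avi.state !== 'Deferred' || now < avi.deferred_until) return false;
  avi.state = 'Open';
  return true;
}
```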