Remediating Application Vulnerability Response vulnerabilities
Summary of Remediating Application Vulnerability Response vulnerabilities
The Application Vulnerability Response (AVR) system enables organizations to effectively monitor and remediate application vulnerabilities. The process involves reviewing the status of application vulnerable items (AVITs) and culminates in their closure. This guide outlines the steps for efficiently managing the remediation process within your AVR instance.
Key Features
- Manual Remediation Process: The remediation of AVITs is performed manually, starting with logging into the AVR instance.
- Validation of Rules: Ensure that your CI Lookup and Assignment rules are functioning correctly to manage AVITs effectively.
- Remediation Target Tracking: Confirm that your remediation target rules are accurate to monitor AVIT statuses effectively.
- Dashboards and Reports: Use dashboards to track AVIT aging and monitor key metrics, with specific views for App-Sec Managers and Security Champions.
- Performance Analytics: Available for users in specific roles, allowing for targeted monitoring and reporting on application vulnerabilities.
- Risk Assessment: Regularly review and update the risk levels for AVITs as necessary.
- Integration with Veracode: Access detailed information on AVITs sourced from Veracode, including HTTP request/response details and recommended solutions.
Key Outcomes
By following this process, ServiceNow customers can expect to streamline their vulnerability management efforts. Effective validation and monitoring lead to timely remediation of AVITs, ultimately enhancing the security posture of their applications. Regular updates and integration with third-party tools like Veracode provide comprehensive insights into vulnerabilities and remediation strategies.
Monitoring remediation is a process that begins with reviewing status and ends with closing application vulnerable items (AVITs). Application Vulnerability Response offers tools and procedures to make that process more productive and efficient.
Application Vulnerability Response remediation process
Application vulnerable item remediation is done manually.
- Log in to your Application Vulnerability Response instance.
- Validate that your rules (CI Lookup, Assignment) for application vulnerable items are working as expected. For information on revising CI Lookup Rules, see Identify applications in Application Vulnerability Response automatically. For information on Assignment rules, see Assign application vulnerable items in Application Vulnerability Response automatically.
- Validate that your remediation targets are correct. See Automate remediation target tracking in Application Vulnerability Response for information on how remediation target rules work and how to revise them. View the remediation target status of an application vulnerable item.
Note: Remediation target rules belong to AVITs. These rules are run when the AVIT is imported.
- Review the dashboards or reports. For example, view dashboards that show AVITs aging by state.
Note:
When the Performance Analytics for Vulnerability Response application (com.snc.vulnerability.analytics) is activated, users with certain roles can view data of interest to the members of the App-Sec Manager and Security Champion groups.
For App-Sec Managers, Performance Analytics for Vulnerability Response contains the Application Vulnerability Response Overview, which can help you monitor areas of concern. See Analytics and Reporting Solutions for Application Vulnerability Response and Application Vulnerability Management [PA] dashboard.
Starting with version 13.0 of the Vulnerability Response application: For Security Champions, Performance Analytics for Vulnerability Response contains the My Application Vulnerabilities dashboard, which can help you monitor your areas of concern. See My Application Vulnerabilities dashboard.
Starting with version 13.0 of the Vulnerability Response application: To limit the amount of data gathered for reports or related lists, see Define service classifications for Vulnerability Response reporting and related lists.
- Review the state of AVITs, in order of priority, searching for what has changed.
- Revise the risk for the AVITs, as needed. See Create an application vulnerability calculator for more information.
- Reassign the AVIT to an assignment group for remediation, if needed.
- Rescans are triggered automatically by the third-party import schedule.
- After rescan, if the state is Fixed, AVITs are automatically closed during import.
- After the scan, if the state is not Fixed, the AVIT is reopened.
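As an added illustration, not ServiceNow code and not the sn_vul_app_vulnerable_item schema, the plain JavaScript below models the last three steps (rescan import closes Fixed AVITs and reopens ones the scanner still reports) together with the aging-by-state view the dashboards show. The functions `reconcileRescan` and `ageByState`, the field names, the state values and the sample records are assumptions made for this example.

```javascript
// Plain-JavaScript model (not ServiceNow code) of the AVIT lifecycle across a
// rescan import, plus an aging-by-state summary. Field/state names are assumed.
const MS_PER_DAY = 24 * 60 * 60 * 1000;
// Reconcile existing AVITs with the findings returned by a third-party rescan:
// a finding now reported as Fixed is closed at import time; one still reported
// is reopened if it had been closed, otherwise left in its current state.
function reconcileRescan(avits, rescanFindings, importTime) {
  const byId = new Map(rescanFindings.map((f) => [f.findingId, f]));
  return avits.map((avit) => {
    const finding = byId.get(avit.findingId);
    if (!finding) return { ...avit }; // not covered by this rescan: untouched
    if (finding.status === "Fixed") {
      return { ...avit, state: "Closed", closedAt: importTime };
    }
    if (avit.state === "Closed") {
      return { ...avit, state: "Open", closedAt: null, reopenedAt: importTime };
    }
    return { ...avit };
  });
}
// Bucket non-closed AVITs by state and days since creation (dashboard shape).
function ageByState(avits, now) {
  const bounds = [7, 30, 90]; // inclusive upper bounds in days
  const bucket = (days) => {
    const b = bounds.find((upper) => days <= upper);
    return b === undefined ? `>${bounds[bounds.length - 1]}d` : `<=${b}d`;
  };
  const summary = {};
  for (const a of avits) {
    if (a.state === "Closed") continue;
    const key = bucket(Math.floor((now - a.createdAt) / MS_PER_DAY));
    summary[a.state] = summary[a.state] || {};
    summary[a.state][key] = (summary[a.state][key] || 0) + 1;
  }
  return summary;
}
// Constructed sample data: four AVITs and the result of one rescan.
const T0 = Date.UTC(2024, 0, 1);
const NOW = Date.UTC(2024, 2, 1); // 60 days after T0
const SAMPLE_AVITS = [
  { findingId: "f1", state: "Open", createdAt: T0 },
  { findingId: "f2", state: "Closed", createdAt: T0, closedAt: T0 + 5 * MS_PER_DAY },
  { findingId: "f3", state: "In Progress", createdAt: NOW - 3 * MS_PER_DAY },
  { findingId: "f4", state: "Open", createdAt: T0 },
];
const SAMPLE_RESCAN = [
  { findingId: "f1", status: "Fixed" },
  { findingId: "f2", status: "Open" },
  { findingId: "f3", status: "Open" },
];
```

Running `reconcileRescan(SAMPLE_AVITS, SAMPLE_RESCAN, NOW)` closes f1, reopens f2, leaves f3 and f4 untouched, and `ageByState` on that result then reports two Open items in the 31 to 90 day bucket and one In Progress item under 7 days.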
Get more details from Veracode
Select Get More Details on application vulnerable items (AVITs) that have Veracode as the Source on the Application Vulnerable Item [sn_vul_app_vulnerable_item] table or from the list views in the Vulnerability Response Workspaces to view the following Veracode data.
- HTTP Source request and Source response details for Dynamic Application Security Testing (DAST) scans are displayed on the HTTP Request/Response related list.
- Solution recommendations from Veracode are displayed on the Findings related list.
- HTTP Source request, Source response, and recommendations are displayed on the Details tab in the Vulnerability Response workspaces.
- The Description column is supported on the Application Vulnerable Item [sn_vul_app_vulnerable_item] table.