Manual ingestion of vulnerabilities for Application Vulnerability Response

  • Release version: Washingtondc
  • Updated April 29, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Manual Ingestion of Vulnerabilities for Application Vulnerability Response

    The Manual Ingestion of Vulnerabilities feature in ServiceNow allows security professionals and application testers to document penetration test findings within the Penetration Testing Workspace. Users can manually import findings from external sources using templates in Excel or CSV format, ensuring all vulnerabilities are available for management and review.

    Show full answer Show less

    Key Features

    • Penetration Testing Forms: Accessible within the Penetration Testing Workspace for documenting vulnerabilities.
    • File Uploads: Each upload creates a new penetration test form associated with the respective application, consolidating findings under a single entry.
    • Mandatory Fields: Key fields, including Application Name, Risk Rating, and others, must be completed in the template to avoid processing errors.
    • Template Accessibility: Templates for uploading findings can be accessed via All > Manual AVIT Ingestion > Upload File UI.

    Key Outcomes

    By following the outlined process, users can effectively manage vulnerabilities identified during application penetration tests, ensuring that all necessary data is accurately captured and processed. Adhering to the mandatory fields in the template will facilitate smooth ingestion of vulnerability findings, enhancing overall security management within the ServiceNow platform.

    Security professionals and application testers can create and manage the application penetration test findings within the Penetration Testing Workspace.

    The Penetration testing forms are available in the Penetration Testing Workspace to document the vulnerabilities identified in the core business applications.

    The security professionals and application testers can manually import findings from external sources and platforms using the provided templates in Excel or CSV format. All the vulnerability findings are made available in the Penetration Testing Workspace.

    To access and download the template for uploading to Penetration testing workspace, navigate to All > Manual AVIT Ingestion > Upload File UI.

    A new penetration test form is created for every file upload for the respective application. All the vulnerability findings within that upload are associated to the same penetration test form. The Application Name must match with the records in of the tables:
    • Application Table
    • Business Application Table
    • Scanned Application Table
    The Application Name is a mandatory field present in the template for identifying the vulnerabilities present within an application, associated to a penetration test form. Any record missing the Application Name will not be processed and skipped during vulnerability creation.
    Note:
    Mandatory fields in the template are necessary for processing the penetration test findings. It is necessary to ensure all the fields in the template are intact to prevent any issues during the processing of penetration test findings.
    Table 1. Mandatory fields required as part of template for penetration test finding creation
    Column Name Mandatory Description Available Options/ Max characters in strings
    Risk rating Mandatory Severity of the application vulnerable item

    Critical

    High

    Medium

    Low

    None (Default)
    Requested by Mandatory Requested by 151
    CWE category Mandatory(Fill only one column) CWE ID 255
    Vulnerability ID Mandatory(Fill only one column) Vulnerability ID 255
    Application Mandatory Application Name 255
    Purpose of application Mandatory Purpose of application 4000
    Types of sensitive data Mandatory List types of sensitive data accessible from applications 40
    List of compliance programs Mandatory List of compliance programs 4000
    Technology stack details Mandatory Technology stack details 4000
    Application team Mandatory Application team Name; group responsible for developing and maintaining software applications 100
    URLs to test Mandatory URLs to test 4000
    Steps to reproduce Mandatory Steps to reproduce 1000
    Technical details Mandatory Technical details 1000
    Assigned to Mandatory Assigned to (individual responsible for conducting penetration tests and generating security findings) 151
    Assignment group Mandatory Assignment group (group responsible for conducting penetration tests and generating security findings) 151