Identify applications in Application Vulnerability Response automatically

  • Release version: Xanadu
  • Updated August 1, 2024

    When data is imported from a third-party integration, Application Vulnerability Response automatically uses application data to search for matches in the Configuration Management Database (CMDB). It does this using CI Lookup Rules. These rules identify applications for the application vulnerable item (AVI) record to aid in remediation.

    As applications are imported, a lookup is performed on the Scanned Application [sn_vul_app_scanned_application] table using source_app_id and app_name to find matches to applications from prior imports. When an application ID match is found, its values are used in the Application and App release fields in the application vulnerable item record.

    If a match is not found, or the application ID field is empty, the rules use the other application information to attempt to correctly identify the application. If a match is still not found, a placeholder scanned application record is created with only Application name and Application ID fields.

    The Source Application Id and Application Name lookup rules are shipped with the Veracode Vulnerability Integration, by default.

    Note:
    Default CI lookup rules for Application Vulnerability Response are available only for the Veracode Vulnerability Integration.

    When attempting a match, the lookup rules are evaluated in ascending Order value, lowest first. Evaluation stops as soon as a rule returns a single CI as a match.

    Note:
    If a rule is written in such a way that it returns more than one CI, only the first match is used.

    To make it easier to find matching issues, when a match is found, the CI lookup rule that found it is recorded in the CI matching rule field of the Scanned Application record. Click the Update Personalized List (gear) icon at the top of the Scanned Application list view to add that field to the view.
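    The matching behaviour described above (ordered rules, first rule that returns a CI wins, only the first of several candidates is used, placeholder record when nothing matches, matching rule recorded on the scanned application) can be simulated in a few lines. The following is an added example, not ServiceNow code: the in-memory table, the two rule definitions, the record field names other than source_app_id, app_name and the CI matching rule, and the exact-string comparison used by each rule are all constructed assumptions for illustration; the real rules run as CMDB queries against the table named in the text.

```javascript
// Added example: simulation of CI lookup rule evaluation for Application
// Vulnerability Response. Not ServiceNow code; data and rule logic are constructed.

// Constructed sample of the Scanned Application table. A fresh copy is returned
// each time so that placeholder creation in one run does not leak into another.
function makeScannedApplicationTable() {
  return [
    { sys_id: "sa1", source_app_id: "1001", app_name: "Payroll Portal", application: "Payroll Portal CI", app_release: "2.3" },
    { sys_id: "sa2", source_app_id: "1002", app_name: "Billing API",     application: "Billing CI",          app_release: "1.0" },
    { sys_id: "sa3", source_app_id: "1003", app_name: "Billing API",     application: "Billing CI (legacy)", app_release: "0.9" },
  ];
}

// Hypothetical CI lookup rules, mirroring the two shipped with the Veracode
// integration. `order` is the rule's Order value; `active` models deactivation
// (the page recommends deactivating rules rather than deleting them).
const ciLookupRules = [
  {
    name: "Source Application Id", order: 100, active: true,
    // An empty application ID must not match anything; the text says the
    // remaining application information is used instead in that case.
    match: (app, row) => app.source_app_id !== "" && row.source_app_id === app.source_app_id,
  },
  {
    name: "Application Name", order: 200, active: true,
    match: (app, row) => row.app_name === app.app_name, // exact match is an assumption
  },
];

// Evaluate active rules by ascending Order; stop at the first rule that returns
// at least one CI. If it returns several, only the first is used.
function evaluateLookupRules(app, rules, table) {
  const ordered = rules.filter((r) => r.active).sort((a, b) => a.order - b.order);
  for (const rule of ordered) {
    const candidates = table.filter((row) => rule.match(app, row));
    if (candidates.length > 0) {
      return { match: candidates[0], rule: rule.name, candidates: candidates.length };
    }
  }
  return { match: null, rule: null, candidates: 0 };
}

// Resolve an imported application to the values that populate the application
// vulnerable item (AVI). When no rule matches, a placeholder scanned application
// record with only the Application name and Application ID fields is created.
function identifyApplication(app, rules, table) {
  const result = evaluateLookupRules(app, rules, table);
  if (result.match) {
    return {
      avi: { application: result.match.application, app_release: result.match.app_release },
      scanned_application: result.match,
      ci_matching_rule: result.rule,   // recorded so the matching rule can be audited later
      candidates: result.candidates,   // > 1 means the rule was too broad; worth reviewing
      placeholder_created: false,
    };
  }
  const placeholder = {
    sys_id: `placeholder-${table.length + 1}`, // constructed id
    source_app_id: app.source_app_id,
    app_name: app.app_name,
    application: "",
    app_release: "",
  };
  table.push(placeholder);
  return {
    avi: { application: "", app_release: "" },
    scanned_application: placeholder,
    ci_matching_rule: null,
    candidates: 0,
    placeholder_created: true,
  };
}

// Stand-alone demo over constructed imports.
const demoTable = makeScannedApplicationTable();
for (const imported of [
  { source_app_id: "1001", app_name: "Payroll Portal" },
  { source_app_id: "",     app_name: "Billing API" },   // empty ID: falls through to name rule
  { source_app_id: "9999", app_name: "Unknown App" },   // no match: placeholder created
]) {
  console.log(JSON.stringify(identifyApplication(imported, ciLookupRules, demoTable)));
}
```

    The second demo import is the case the notes warn about: the name rule returns two scanned applications and the first one is silently used, which is why a candidate count above one is worth surfacing when testing custom rules.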

    Note:
    Rules, once removed, cannot be recovered. Rather than removing existing rules, deactivate them when creating new ones.

    CI lookup rules can be domain separated and are source-specific. Where the source supports it, a single source can have multiple deployments; for example, the Veracode Vulnerability Integration can be deployed more than once. Each deployment has its own set of CI Lookup Rules.

    Note:
    CI lookup rules are shared by all deployments of the vulnerability integration. If a rule is deleted or modified, the deletion or changes affect all deployments of the vulnerability integration.

    Importing vulnerability data can be taxing on an instance, and resource and performance issues can occur if rules are not carefully constructed. The logic used to iterate through the CMDB and perform matching can result in lengthy processing times. To avoid degrading instance resources or performance, test any custom-written CI Lookup Rules, or modifications to pre-defined CI Lookup Rules, before relying on them. See Prevent duplicate or orphaned records after running Application Vulnerability Response CI lookup rules for more information on preventing duplicate or orphaned records, deleting data, and cleaning up data.