Calculate risk in Application Vulnerability Response automatically
Application Vulnerability Response (AVR) automates the calculation of initial risk values for Application Vulnerable Items (AVIs) to help prioritize remediation efforts. Risk scores are derived using vulnerability calculators that evaluate conditions in order and apply the first matching rule. This automation ensures consistent and dynamic risk assessment based on vulnerability data and contextual criteria.
Key Features
- Application Vulnerability Calculators: The base system includes two calculators:
  - Basic Risk Calculator: Enabled by default, sets risk based on normalized vulnerability severity.
  - Advanced Risk Calculator: Inactive by default, calculates risk using multiple factors including vulnerability severity, OWASP Top 10, and SANS Top 25. It can be customized with weighted criteria to reflect organizational priorities.
- Customizability: Customers can create or modify calculators and rules to prioritize AVIs based on business impact, CI class, AVI age, or other criteria using condition filters.
- Calculator Rules: Each calculator contains ordered rules with conditions to determine when each applies. Rules can be template-based or scripted, with scripted rules generally having a higher performance impact.
- Risk Score and Notes Updates: Risk scores update automatically when AVIs are created or when related CIs or vulnerabilities change. Since version 23.0, risk score updates append details about the calculator and rule used to the Notes section. This behavior can be optionally logged in Work notes starting with version 25.0.3 via a system property.
- Risk Score Weights and Ratings: Risk scores are mapped to risk ratings based on defined weight ranges. Since version 18.0, risk rating types and weights are configurable via the avr_risk_rating table, allowing customers to extend or modify rating scales and associated styles.
- Automatic Recalculation: Risk scores recalculate automatically when key conditions change, such as when a CI becomes internet-facing or when vulnerabilities are linked to known exploit vulnerabilities (KEVs).
Practical Benefits for ServiceNow Customers
- Automates and standardizes risk scoring of application vulnerabilities, enabling faster and more accurate prioritization of remediation tasks.
- Provides flexibility to tailor risk calculations to specific organizational needs and risk models through customizable calculators and rules.
- Improves transparency and auditability by documenting risk score calculations and changes within AVI notes and optionally in work notes.
- Supports dynamic risk assessment by recalculating risk scores when relevant asset or vulnerability attributes change, ensuring risk data stays current.
- Enables easy management and extension of risk rating scales to align with evolving security policies and business requirements.
Application vulnerability calculators automate the calculation of initial risk values for the fields on application vulnerable items (AVIs). Risk calculations offer insight into prioritizing remediation. The condition for each calculator is evaluated in order, and the first matching calculator is used.
Application Vulnerability Calculators
- Basic Risk Calculator
- Advanced Risk Calculator
Application vulnerability calculators can be built to prioritize and rate the impact of AVIs based on any criteria by using condition filters. Whether it’s the business impact of the vulnerability, the class of the configuration item (CI), or the age of the AVI, you can create additional vulnerability calculators to set other fields on AVIs. Or you can customize the existing vulnerability calculators. A calculator can be written to reflect any set of priorities. See Filtering within Application Vulnerability Management for more information.
Each calculator contains a list of calculator rules, with a condition determining when to apply it. When the calculator is run, the condition for each calculator rule is evaluated in order, and the first matching calculator rule is used.
All enabled vulnerability calculators set the selected fields each time an AVI is created and whenever an associated CI or vulnerability changes.
The Basic Risk Calculator is enabled by default. The Advanced Risk Calculator is inactive by default.
Application vulnerability calculator rules
- Calculator group name
- Calculator name: Depending on whether the calculator rule is based on a template or a script, the name is suffixed with those details in brackets. To view or modify the basis of a calculator rule, open the rule and select the Advanced view check box, then select the required option from the Value type drop-down box. If Template is selected, the risk score is set according to the condition specified in the rule. If Script is selected, you can add a script or update the existing one. The system property sn_sec_cmn.risk_score_changes_add_worknotes populates the Work notes section with risk score changes. Starting with v25.0.3 of Application Vulnerability Response, this property is inactive by default; only after you enable it do all changes to the risk score of an application vulnerable item appear in the Work notes section. Work notes are added only when the risk score actually changes.
The Default Risk Rule uses these values:
- Vulnerability severity
- OWASP top 10
- SANS top 25
You can adjust the values to use in the Default Risk Rule and how much weight to give each of these values. Weights are used to adjust how much each element counts when setting the Risk Score.
Each rule has an Order setting; rules are evaluated in that order, and the first rule whose conditions match updates the Risk score field on the AVI. Non-scripted (template-based) calculator rules typically have less performance impact than scripted calculator rules.
Vulnerability Risk Score Weights
| Value (Risk Rating) | Weight (Risk Score) |
|---|---|
| 1 | 90–100 |
| 2 | 70–89 |
| 3 | 40–69 |
| 4 | 1–39 |
| 5 | 0 |
Starting with version 18.0, risk rating types and their weights are configurable:
- The risk rating types are shipped in the base table avr_risk_rating. These types are passed as part of the business rule on each table where the risk rating is calculated.
- The script is modified so that you can query the entries in the Risk Score Weights table for the risk rating calculation.
- Add additional entries for an existing type or create a new type. When you create a new type, ensure that you add the labels for the new risk rating, and also modify the related scripts and business rules. You must also add a new style for the new risk score.
- Modify the script to query the records in the base table.
Risk scores are recalculated automatically in these cases:
- When a configuration item (CI) changes from non-internet facing to internet facing.
- When the associated Common Vulnerabilities and Exposures (CVEs) or third-party entries (TPEs) on the vulnerability items (VIs) are linked to a CVE Known Exploit Vulnerability (KEV).