Application Vulnerability Response product view
Summary of Application Vulnerability Response product view
The Application Vulnerability Response (AVR) product consolidates vulnerabilities detected by application security tools into a unified dashboard, enabling ServiceNow customers to monitor and improve the security posture of all applications in their environment. AVR supports risk reduction through structured remediation workflows.
Key Features
- Integration with Application Security Tools: AVR ingests vulnerabilities from scanners like Veracode and Fortify to provide a centralized view.
- Alignment with CSDM 4.0 Framework: Starting with AVR v19.0, product lookups and data models align with the Common Service Data Model (CSDM) 4.0, enhancing consistency and integration with the CMDB.
- Updated Terminology and Tables: Key tables and fields have been renamed (e.g., from "CI lookup rules" to "Lookup rules") to reflect this alignment.
- Product Model-Based Lookup: Vulnerability ingestion now uses Product Model tables (Software Model and Application Model) rather than the older Scanned Applications table, improving accuracy in application identification.
- System Property Configuration: The system property sn_vul.use_product_model controls whether lookup is based on the Product Model (true) or the legacy Configuration Item model (false), allowing customers to choose based on their environment and upgrade status.
- Configurable Lookup Rules: Lookup rules can be defined to specify whether to use Configuration Item or Product Model approaches, supporting flexible integration strategies.
- Discovered Applications Table: Displays ingested applications from scanners; when using Product Model lookup, corresponding product models are shown.
Key Outcomes
- Customers gain a single-pane view of application vulnerabilities across their environment, improving visibility and prioritization.
- Alignment with CSDM 4.0 ensures compatibility with ServiceNow best practices and future enhancements in CMDB and security workflows.
- Flexible configuration options enable smooth transition from older CI-based lookups to modern Product Model-based lookups without disruption.
- Proper configuration avoids duplicate records and ensures accurate mapping between vulnerabilities and application assets.
Practical Considerations for ServiceNow Customers
- Install the latest versions of the required applications, including Security Support Common, Vulnerability Response, Security Integration Framework, Security Support Orchestration, and the scanner integrations.
- Set the system property sn_vul.use_product_model to true to use the Product Model-based lookup aligned with CSDM 4.0; this is the recommended setting for new users.
- Review and update Lookup Rules accordingly to specify the correct lookup target, matching your chosen model approach.
- Use the Discovered Applications table to monitor ingested applications and confirm correct product model associations.
- Verify configurations carefully to prevent duplicates and ensure accurate vulnerability tracking and remediation.
The Application Vulnerability Response (AVR) product ingests the weaknesses and vulnerabilities detected by your application security testing tools and provides a single pane of glass to understand the security posture of all the applications in your environment.
AVR enables you to reduce the risks with the remediation workflows. The objective of this product view is to help you understand how AVR key entities work with the core CSDM framework.
Updated terminology
Starting with AVR v19.0, the following key table and column names have been updated. As a result, you will see references to both the older and newer names in the documentation.
| Prior to AVR v19.0 | Starting from AVR v19.0 |
|---|---|
| CI lookup rules | Lookup rules |
| CI lookup rule form | Lookup rule form |
| CI matching rule | Matching rule |
| Search on table | Search on CI table |
| Search on field | Search on CI field |
| Application release | Discovered applications |
| Application release table | Discovered applications table |
| Business criticality | Source business criticality |
Prerequisites
- Security Support Common
- Vulnerability Response
- Security Integration Framework
- Security Support Orchestration
- Scanner integrations such as Veracode and Fortify
AVR and CSDM 4.0
Prior to AVR v19.0, when application vulnerabilities were ingested, the application they belonged to was looked up using the CI lookup rules against the Scanned Applications table (sn_vul_app_scanned_application). If no record existed for that application name, one was created.
Starting from AVR v19.0, to align with the CSDM 4.0 framework, the Product Model tables are used instead of the Scanned Applications table. If the application has a version, the lookup is against the Software Model table; if it has no version, the lookup is against the Application Model table. Both Application Model and Software Model are child tables of the Product Model table, which is the foundation table in the CMDB. The following screenshot explains the Product Model.
System property
To use the CSDM 4.0 product model-based lookup process, set the system property sn_vul.use_product_model to true.
| System property name | System property value | Lookup target value | Considerations |
|---|---|---|---|
| sn_vul.use_product_model | true | Select the value Product model | New users should select the value Product model to use the CSDM 4.0 framework's Product model lookup rules. |
| sn_vul.use_product_model | false | Select the value Configuration item | Existing users can continue using the CI lookup process and the existing CI lookup rules. |
Lookup rules in AVR
In the CSDM 4.0 framework, product model-based lookup rules are used instead of CI lookup rules to create entries in the respective product model classes. Similarly, for scripts, you can define the lookup rules within the framework of the CSDM 4.0 model.
Starting from AVR v19.0, while creating a lookup rule, you must define whether you want to use the configuration item or product model approach using the Lookup target field. For more information, see Create a CI lookup rule.
Discovered applications
Navigate to . The Discovered Applications table displays the applications ingested from the scanners. If the system property sn_vul.use_product_model is set to true, you can see the corresponding product models for the applications.
AVR considerations
Presence of duplicate CI or product model records
Verify that the system property sn_vul.use_product_model has been correctly configured for the lookup process. Ensure that you select either Configuration item or Product model as the Lookup target while configuring the Lookup rule form.
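The lookup process described under "AVR and CSDM 4.0" and the duplicate-record condition described above, modelled together as an added example that is not ServiceNow's or AVR's own code. It is plain JavaScript with in-memory stand-ins for the tables so it runs offline; only the sn_vul_app_scanned_application table name comes from this page, and the two product model table names are assumptions. It generalizes the page's description by also showing what happens when the property is flipped between ingestion runs.

```javascript
// Added example, not ServiceNow's or AVR's own code: a plain-JavaScript model of the
// lookup-target selection and create-if-missing behaviour described on this page,
// with in-memory tables so it runs offline.
// Only sn_vul_app_scanned_application is named on the page; the two product model
// table names below are assumptions.
const SCANNED_APP_TABLE = "sn_vul_app_scanned_application";
const SOFTWARE_MODEL_TABLE = "cmdb_software_product_model";       // assumed name
const APPLICATION_MODEL_TABLE = "cmdb_application_product_model"; // assumed name

// Mirrors sn_vul.use_product_model: false keeps the legacy CI path (Scanned
// Applications); true selects Software Model when a version is present and
// Application Model when it is not.
function selectLookupTable(useProductModel, app) {
  if (!useProductModel) return SCANNED_APP_TABLE;
  return app.version ? SOFTWARE_MODEL_TABLE : APPLICATION_MODEL_TABLE;
}

// Stand-in for the three tables: one array of rows per table name.
function createStore() {
  return {
    [SCANNED_APP_TABLE]: [],
    [SOFTWARE_MODEL_TABLE]: [],
    [APPLICATION_MODEL_TABLE]: [],
  };
}

// Match key for an ingested application: name plus version (empty when absent).
function recordKey(app) {
  return `${app.name}@${app.version || ""}`;
}

// Look the application up in the selected table; create it only if missing.
function lookupOrCreate(store, useProductModel, app) {
  const table = selectLookupTable(useProductModel, app);
  const rows = store[table];
  const key = recordKey(app);
  const existing = rows.find((row) => row.key === key);
  if (existing) return { table, record: existing, created: false };
  const record = { key, name: app.name, version: app.version || "" };
  rows.push(record);
  return { table, record, created: true };
}

// Ingest a batch of scanner findings under one property setting.
function ingest(store, useProductModel, findings) {
  return findings.map((finding) => lookupOrCreate(store, useProductModel, finding.app));
}

// The condition the "Presence of duplicate CI or product model records" section
// warns about: the same application exists in more than one lookup table,
// typically because the property changed between ingestion runs.
function findDuplicates(store) {
  const tablesByKey = new Map();
  for (const [table, rows] of Object.entries(store)) {
    for (const row of rows) {
      if (!tablesByKey.has(row.key)) tablesByKey.set(row.key, new Set());
      tablesByKey.get(row.key).add(table);
    }
  }
  return [...tablesByKey.entries()]
    .filter(([, tables]) => tables.size > 1)
    .map(([key]) => key)
    .sort();
}

// Constructed sample findings (not real scanner output): two scanners report
// the same versioned application, and one reports an application without a version.
const SAMPLE_FINDINGS = [
  { scanner: "Veracode", app: { name: "payments-api", version: "2.3.1" } },
  { scanner: "Fortify", app: { name: "payments-api", version: "2.3.1" } },
  { scanner: "Veracode", app: { name: "hr-portal" } },
];

// Consistent configuration: product model lookup throughout, no duplicates.
function runConsistent() {
  const store = createStore();
  const results = ingest(store, true, SAMPLE_FINDINGS);
  return { results, duplicates: findDuplicates(store), store };
}

// Inconsistent configuration: ingest under the legacy setting, flip the
// property, ingest again. The same applications now exist in two tables.
function runFlipped() {
  const store = createStore();
  ingest(store, false, SAMPLE_FINDINGS);
  ingest(store, true, SAMPLE_FINDINGS);
  return { duplicates: findDuplicates(store), store };
}

console.log(runConsistent().duplicates); // []
console.log(runFlipped().duplicates);    // [ 'hr-portal@', 'payments-api@2.3.1' ]
```

The second run is the failure mode worth checking for after an upgrade: records created under the Configuration item target are not migrated when the property is switched, so the same application appears both in Scanned Applications and in a product model table. Matching on name plus version keeps the two scanners' reports of the same application on one record within a table; the cross-table check is what surfaces the misconfiguration.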