Manual ingestion of vulnerabilities for Application Vulnerability Response

  • Release version: Yokohama
  • Updated April 29, 2025

    Security professionals and application testers can create and manage the application penetration test findings within the Penetration Testing Workspace.

    Penetration testing forms are available in the Penetration Testing Workspace to document the vulnerabilities identified in core business applications.

    Security professionals and application testers can manually import findings from external sources and platforms using the provided templates in Excel or CSV format. All imported vulnerability findings are made available in the Penetration Testing Workspace.

    To download the template used for uploads to the Penetration Testing Workspace, navigate to All > Manual AVIT Ingestion > Upload File UI.

    A new penetration test form is created for every file upload for the respective application, and all vulnerability findings in that upload are associated with the same penetration test form. The Application Name must match a record in one of the following tables:
    • Application Table
    • Business Application Table
    • Scanned Application Table
    The Application Name is a mandatory field in the template; it identifies the application whose vulnerabilities are associated with a penetration test form. Any record missing the Application Name is not processed and is skipped during vulnerability creation.
    Note: Mandatory fields in the template are necessary for processing the penetration test findings. Ensure that all fields in the template are intact to prevent issues during the processing of penetration test findings.
    Table 1. Mandatory fields required as part of the template for penetration test finding creation

    | Column name | Mandatory | Description | Available options / max characters in strings |
    |---|---|---|---|
    | Risk rating | Mandatory | Severity of the application vulnerable item | Critical, High, Medium, Low, None (default) |
    | Requested by | Mandatory | Requested by | 151 |
    | CWE category | Mandatory (fill only one of these two columns) | CWE ID | 255 |
    | Vulnerability ID | Mandatory (fill only one of these two columns) | Vulnerability ID | 255 |
    | Application | Mandatory | Application Name | 255 |
    | Purpose of application | Mandatory | Purpose of application | 4000 |
    | Types of sensitive data | Mandatory | List of the types of sensitive data accessible from the application | 40 |
    | List of compliance programs | Mandatory | List of compliance programs | 4000 |
    | Technology stack details | Mandatory | Technology stack details | 4000 |
    | Application team | Mandatory | Application team name; the group responsible for developing and maintaining the software application | 100 |
    | URLs to test | Mandatory | URLs to test | 4000 |
    | Steps to reproduce | Mandatory | Steps to reproduce | 1000 |
    | Technical details | Mandatory | Technical details | 1000 |
    | Assigned to | Mandatory | Assigned to (individual responsible for conducting penetration tests and generating security findings) | 151 |
    | Assignment group | Mandatory | Assignment group (group responsible for conducting penetration tests and generating security findings) | 151 |
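As an added pre-upload check (example code written for this page, not ServiceNow's own ingestion logic), the following Python script validates a filled-in CSV template against the rules described above: the mandatory columns, the Risk rating pick-list, the maximum string lengths, the rule that only one of CWE category / Vulnerability ID is filled, and the Application Name match that decides whether a row is ingested or skipped. The `known_apps` set and the sample rows are constructed stand-ins for the Application, Business Application and Scanned Application tables.

```python
import csv, io
MAX_LEN = {  # template columns and their max characters, from the table on this page
    "Requested by": 151, "CWE category": 255, "Vulnerability ID": 255, "Application": 255,
    "Purpose of application": 4000, "Types of sensitive data": 40, "List of compliance programs": 4000,
    "Technology stack details": 4000, "Application team": 100, "URLs to test": 4000,
    "Steps to reproduce": 1000, "Technical details": 1000, "Assigned to": 151, "Assignment group": 151,
}
RISK_RATINGS = {"Critical", "High", "Medium", "Low", "None"}
ONE_OF = ("CWE category", "Vulnerability ID")  # fill exactly one of these two per row

def validate_row(row, known_apps):
    """Return the row's problems (empty list = ingests cleanly). known_apps stands in for
    the Application / Business Application / Scanned Application tables matched on name."""
    app = row.get("Application", "").strip()
    if not app:
        return ["skipped: Application Name missing"]  # ingestion drops such rows entirely
    problems = []
    if app not in known_apps:
        problems.append(f"Application '{app}' matches no application record")
    if row.get("Risk rating", "").strip() not in RISK_RATINGS:
        problems.append("Risk rating must be Critical, High, Medium, Low or None")
    if sum(bool(row.get(c, "").strip()) for c in ONE_OF) != 1:
        problems.append("fill exactly one of CWE category / Vulnerability ID")
    for col, limit in MAX_LEN.items():
        val = row.get(col, "")
        if col not in ONE_OF and not val.strip():
            problems.append(f"{col} is mandatory")
        elif len(val) > limit:
            problems.append(f"{col} exceeds {limit} characters")
    return problems

def validate_csv(text, known_apps):  # -> {1-based data-row number: problems}, rows with issues only
    rows = csv.DictReader(io.StringIO(text))
    return {i: p for i, r in enumerate(rows, 1) if (p := validate_row(r, known_apps))}

def sample_csv():
    """Constructed three-row upload: one clean row, one with rule violations, one skipped."""
    cols = ["Risk rating", *MAX_LEN]
    good = dict.fromkeys(cols, "example text")
    good.update({"Risk rating": "High", "Application": "Payroll Portal",
                 "CWE category": "CWE-79", "Vulnerability ID": ""})
    bad = dict(good, **{"Vulnerability ID": "VULN-0001", "Types of sensitive data": "x" * 41})
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=cols)
    writer.writeheader()
    writer.writerows([good, bad, dict(good, Application="")])
    return out.getvalue()

if __name__ == "__main__":
    print(validate_csv(sample_csv(), {"Payroll Portal"}))
```

Running the check before uploading surfaces rows that the ingestion would otherwise silently skip or reject, so the finding count in the resulting penetration test form matches the file.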