What’s ServiceNow’s Vulnerability Management app, and how do I use it?

by Charlie Sackman, Service Catalyst

ServiceNow’s recently released Vulnerability Management application can be a massively powerful tool for organizations to evaluate and remediate vulnerabilities on the configuration items(CIs) within their network, but it  it can be hard for some organizations to get their head(s) around the big picture. It works in conjunction with – and is dependent upon – Qualys, a highly effective vulnerability detection tool. In fact, step one of setting up Vulnerability Management in ServiceNow is setting up Qualys in your environment. However, for the purposes of this blog post, I will be focusing on the ServiceNow side, the “step two”, so to say.

I think the best way to approach an introduction to Vulnerability Management is to first talk about the “important” tables – aka, the tables that you, a member of the Vulnerability team, will be touching the most. There are of course many other tables installed when the app is installed, but they are not as necessary when trying to understand Vul Mgmt as a whole. The “important” tables include:

  • Vulnerability Library (actually more than one table if we’re being unambiguous)
    • These are the “threats” (usually with “solutions”); examples include Meltdown/Spectre – related vulnerabilities
  • Vulnerable Item
    • This is a specific Vulnerability found on a specific CI. A single CI could thus (and often does) have many Vulnerable Items associated with it.
  • Vulnerability Group
    • This is a group of Vulnerable Items. Vulnerability Groups drive the remediation process; they are the tool for allowing Vulnerable Items to be “packaged” and sent to Change Management for remediation.
  • Vulnerability Group Rule
    • These are rules that allow ServiceNow to both automatically create Vulnerability Groups as well as insert newly-found Vulnerable Items into already existing Vulnerability Groups. I will be writing another blog post on the peculiarities of Vulnerability Group Rules sometime soon.

And here is a rather conceptual model of the above-mentioned tables and processes:

There is obviously much more to get into than just this (specifically Vulnerability Group Rules, which will require another Blog post). However, when you get down to it, the Vulnerability Management application is designed to facilitate the creation of Changes necessary to remediate whatever is vulnerable. Or put another way, Vulnerability Management is an elaborate Change-creation process, and you should treat it as such when designing your implementation.