NJP

Application Vulnerability Response - Washington Release

Import · Jul 19, 2024 · video

ServiceNow Vulnerability Response helps you view and respond to all vulnerabilities across all IT assets from a single pane of glass. Now you can view application vulnerabilities from DAST, SAST, SCA and penetration testing findings from tools like Veracode, Snyk, Fortify and Checkmarx.

Vulnerability manager Carla Jackson logs into her ServiceNow instance, to the Vulnerability Manager Workspace. This unified workspace brings together all of Carla's working concerns for her organization's vulnerabilities into one space: infrastructure, containers, application and configuration compliance. It's all here in one location. Here we see an overview of application vulnerabilities over time, vulnerable items in remediation efforts, and any active remediation efforts, if applicable. In the Vulnerable Items tab we can see all of the related application vulnerable items. We can also see application vulnerabilities from dynamic application security test findings. For example, the application Zero Online Banking has had a recent increase in critical vulnerabilities.

Let's look at the imported data from the application vulnerability scanner. Note that ServiceNow displays important contextual data from the scanner, like location and findings details. ServiceNow also performs automated calculations to determine risk score, risk rating, assignment group and remediation target based on configurable rules. These calculations can take full advantage of other ServiceNow data like CMDB and business services information. The scanned application can be mapped to its related services in the CMDB, providing information about the service context to be used by ServiceNow calculators and rules. For instance, here we can see that the Zero Online Banking scanned application is used by the Rewards Processing service.

After seeing the data that we have imported from the scanner, let's talk about how we can configure various rules to prioritize and assign the work that needs to be performed. This is where we will use the same common features as Vulnerability Response to make work happen.

Assignment rules allow you to automate assignment based on data from the scanner findings and business context in ServiceNow. These rules will set the assignment on the application vulnerable item data type when it's imported from the scanner. In our case, the vulnerabilities for the Zero Online Banking application are automatically assigned to the support group from the scanned application CI, Team Angels.

Next, remediation target rules allow you to automatically determine when findings are due. These rules can be configured to populate remediation target dates according to your internal policies and allow you to notify stakeholders as the remediation target approaches. In our case, the application vulnerable item has been given the shortest remediation time frame of 15 days because the risk rating was 1 Critical. If internal policy changes, the remediation target can be reduced and automatically recalculated for all applicable vulnerable items.

Vulnerability calculators are a powerful way to prioritize your findings based on risk, considering multiple sources of data. These rules can be used to automatically calculate the risk score for an application vulnerable item, and you can configure them to use information from the scanner findings, third-party sources like OWASP, and business context from ServiceNow like service criticality. Additional criteria can be added as well. These calculations can be used to prioritize when the work is performed.

Normalized severity maps allow ServiceNow to rationalize prioritization across many tools into a single consolidated view. These are used to normalize the severity field on the vulnerability when it's imported. This is important when importing vulnerabilities from different sources like Snyk and Veracode, so that we can normalize their severity values with ours. For example, this allows ServiceNow to normalize the Veracode-provided severity value of 5 for Veracode 18, CWE 78, to the common ServiceNow value 1 Critical.

Finally, it's easy to bring data into ServiceNow Application Vulnerability Response from your tool of choice. Take for example the integration configuration, where the Veracode vulnerability integration is set up. In this module you can populate your API ID and API key to set up the integration quickly and easily. You can select which finding types and severities to include, as well as whether exceptions and false positives should be handled in ServiceNow and updated back to Veracode. We offer out-of-box, easy-to-configure integrations with many tools like Snyk, Checkmarx and Fortify on Demand, allowing customers to get a full picture of SAST, DAST, SCA and penetration test findings from any tool set. ServiceNow continues to enhance and develop new integrations with technology partners. Our integrations can also be used as a gold-standard design for customers and implementation partners to develop their own integrations with their tool of choice.

Application Vulnerability Response provides a single place to track all of your application vulnerabilities, including those from your own software bill of materials, or SBOM, repository. Simply upload your application's SBOM to ServiceNow and automated rules will generate application vulnerable items for vulnerable components. ServiceNow acts as a hub for your application and SBOM information, allowing you to explore dependencies and track findings from your SBOMs alongside findings from scanner tools like Snyk SCA.

Now that we've shown how Application Vulnerability Response works, you can see how ServiceNow can act as the single platform for application security. By unifying data from all your scanning tools into a single pane of glass, you can gain visibility into your application security posture from every attack surface and drive remediation workflows with real business context, making reporting easier and making workflows more efficient. Thanks for watching.
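The four rule types the demo walks through (normalized severity maps, vulnerability calculators, remediation target rules and assignment rules) can be modelled as one small pipeline. The following is an added example and not ServiceNow code; the severity maps beyond the demo's Veracode 5 to 1 Critical case, the calculator logic, the non-critical remediation tiers and the CMDB records are constructed assumptions.

```python
"""Added example (not ServiceNow's implementation) of the prioritization
pipeline for an application vulnerable item: normalize the scanner severity,
compute a risk rating with CMDB business context, derive a remediation
target date, and assign the item to the scanned application's support group."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Normalized severity map: scanner-native severity -> common 1..5 scale
# (1 = Critical). Veracode 5 -> 1 Critical is from the demo; the rest is assumed.
SEVERITY_MAPS = {
    "veracode": {5: 1, 4: 2, 3: 3, 2: 4, 1: 5},                  # assumed
    "snyk": {"critical": 1, "high": 2, "medium": 3, "low": 4},   # assumed
}

# Remediation target rule: risk rating -> days allowed.
# 1 Critical -> 15 days is from the demo; the other tiers are assumed.
REMEDIATION_DAYS = {1: 15, 2: 30, 3: 60, 4: 90, 5: 180}

# Constructed CMDB-style records for the scanned application CI.
CMDB_APPS = {
    "Zero Online Banking": {"support_group": "Banking App Support",  # constructed
                            "service_criticality": 1},               # constructed
}

@dataclass
class AppVulnerableItem:
    app: str
    source: str
    native_severity: object
    cwe: str
    severity: int = 0                 # normalized severity, 1 = Critical
    risk_rating: int = 0              # 1..5, 1 = Critical
    remediation_target: Optional[date] = None
    assignment_group: str = ""

def normalize_severity(source: str, native) -> int:
    return SEVERITY_MAPS[source][native]

def calculate_risk_rating(severity: int, service_criticality: int) -> int:
    # Vulnerability calculator (assumed rule): escalate one tier when the
    # application supports a criticality-1 business service; floor at 1.
    return max(1, severity - (1 if service_criticality == 1 else 0))

def process_finding(avit: AppVulnerableItem, today: date) -> AppVulnerableItem:
    ci = CMDB_APPS[avit.app]
    avit.severity = normalize_severity(avit.source, avit.native_severity)
    avit.risk_rating = calculate_risk_rating(avit.severity, ci["service_criticality"])
    avit.remediation_target = today + timedelta(days=REMEDIATION_DAYS[avit.risk_rating])
    avit.assignment_group = ci["support_group"]  # assignment rule: CI support group
    return avit
```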

https://www.youtube.com/watch?v=xmyLmdafiqo