AppOmni has discovered a common ServiceNow Access Control List (ACL) misconfiguration present in nearly 70% of the ServiceNow instances tested in AppOmni's research. AppOmni classifies the issue as a misconfiguration because it results from a combination of customer-managed ServiceNow ACL configurations and overprovisioning of permissions to guest (unauthenticated) users.

These types of misconfigurations are common across major SaaS platforms because of the complexity that inevitably comes with high levels of SaaS functionality, flexibility, and extensibility. Misconfigurations can be introduced during the initial implementation of a SaaS platform, when users or settings change, or through the regular cadence of SaaS updates that can alter existing configurations. To help organizations quickly discover and correct this misconfiguration, AppOmni has developed the SaaS Security Analyzer, a free web application that determines whether a specific ServiceNow instance has this ACL misconfiguration.
"Securing SaaS is a lot more complicated than just checking a handful of settings or enabling strong authentication for users," said Brendan O'Connor, CEO and co-founder of AppOmni. "SaaS platforms have become business operating systems because they are so flexible and powerful. There are many valid reasons for workloads and applications running on a SaaS platform to communicate externally, such as to integrate with emails and text messages or host a support portal for your customers. SaaS adoption skyrocketed during the pandemic but unfortunately, investments in people, processes, and technology to secure and monitor SaaS have not kept up. In AppOmni's experience, significant data exposures like this are far more common than customers realize."
Organizations have long used Role-Based Access Control (RBAC) to grant users permissions to access resources on a SaaS platform. One important aspect of RBAC is the ability to allow public access to information within your "database," which could be a forum, online shop, customer support site, or knowledge base. The challenge is ensuring that access stays at the intended level when organizations update or customize SaaS applications or onboard new users.
AppOmni Offensive Security Researcher Aaron Costello discovered ServiceNow external interfaces exposed to the public that a malicious actor could use to extract data from records. Analysis of ServiceNow instances showed that nearly 70% of those tested by AO Labs are leaking sensitive information, including Personally Identifiable Information (PII), to unauthenticated users. More information, including remediation steps, is available in a new AO Labs Technical Paper.
"The AO Labs team is committed to helping organizations build and maintain secure SaaS environments," said Brian Soby, CTO and co-founder of AppOmni. "The high degree of flexibility in modern SaaS platforms has made misconfiguration one of the largest security risks businesses currently face. Our goal is to shed light on common misconfigurations and other potential risks in SaaS platforms so users can ensure their system posture and configuration matches their business intent. We encourage all ServiceNow users to take advantage of the SaaS Security Analyzer and learn more about how this misconfiguration may impact them."
Request a free, confidential evaluation of your ServiceNow instance with the SaaS Security Analyzer.