Major Security Misconfiguration Impacting ServiceNow Instances Discovered

AppOmni Research Indicates That Nearly 70% of Instances Tested Are Leaking Data Through Improper Customer ACL Configurations

San Francisco — March 9, 2022. AppOmni, the leading provider of SaaS Security, has discovered a common ServiceNow Access Control List (ACL) misconfiguration present in nearly 70% of ServiceNow instances tested through AppOmni research. This security issue is defined as a “misconfiguration” resulting from a combination of customer-managed ServiceNow ACL configurations and overprovisioning of permissions to guest users.

These types of misconfigurations are common across major SaaS platforms due to the complexity that inevitably comes with high levels of SaaS functionality, flexibility, and extensibility. Misconfigurations can happen during the initial implementation phase of a SaaS platform, when users or settings change, or as part of the regular cadence of SaaS updates that can impact current configurations. To help organizations quickly discover and take action to correct this misconfiguration, AppOmni has developed the SaaS Security Analyzer, a free web application that will determine if a specific ServiceNow instance has this ACL misconfiguration.

“Securing SaaS is a lot more complicated than just checking a handful of settings or enabling strong authentication for users,” said Brendan O’Connor, CEO and co-founder of AppOmni. “SaaS platforms have become business operating systems because they are so flexible and powerful. There are many valid reasons for workloads and applications running on a SaaS platform to communicate externally, such as to integrate with emails and text messages or host a support portal for your customers. SaaS adoption skyrocketed during the pandemic. Unfortunately, investments in people, processes, and technology to secure and monitor SaaS have not kept up. In AppOmni’s experience, significant data exposures like this are far more common than customers realize.”

Organizations have long used Role-Based Access Control (RBAC) to grant permissions for users to access resources on a SaaS platform. One important aspect of RBAC is the ability to allow public access to information within your “database,” which could be a forum, online shop, customer support site, or knowledge base. The challenge is ensuring the right level of access when organizations update or customize SaaS applications or onboard new users. 

AppOmni Offensive Security Researcher Aaron Costello discovered ServiceNow external interfaces exposed to the public that a malicious actor could use to extract data from records. Analysis of ServiceNow instances showed that nearly 70% of those analyzed by AO Labs are leaking sensitive information, including Personally Identifiable Information (PII), to unauthenticated users. More information, including remediation steps, is available in a new AO Labs Technical Paper.

“The AO Labs team is committed to helping organizations build and maintain secure SaaS environments,” said Brian Soby, CTO and co-founder of AppOmni. “The high degree of flexibility in modern SaaS platforms has made misconfiguration one of the largest security risks businesses currently face. Our goal is to shed light on common misconfigurations and other potential risks in SaaS platforms so users can ensure their system posture and configuration matches their business intent. We encourage all ServiceNow users to take advantage of the SaaS Security Analyzer and learn more about how this misconfiguration may impact them.”

Request a free, confidential evaluation of your ServiceNow instance with the SaaS Security Analyzer.

About AppOmni

AppOmni is the leading provider of enterprise level SaaS Security. Its patented technology and Developer Platform make it easy for security and IT teams to protect and monitor their entire SaaS environment, across all standard and custom SaaS applications. AppOmni deeply scans APIs, security controls, and configuration settings to evaluate the current state of SaaS deployments and compare against best practices and business intent. The result is unprecedented visibility, management, and security of SaaS solutions, enabling organizations to establish rules for data access, data sharing, and 3rd party applications that will be continuously and automatically validated. AppOmni was founded by top security practitioners from leading SaaS providers and is trusted by many of the world’s largest enterprises across technology, healthcare, banking, and security. AppOmni was named a 2021 SINET16 Innovator, one of Dark Reading’s “11 Cybersecurity Vendors to Watch in 2021,” and is a 2022 CyberTech 100 company. The company is backed by Salesforce Ventures, ServiceNow Ventures, Scale Venture Partners, Thoma Bravo, and other top investors.

Media Contact

For AppOmni:

Jesse Butts
Head of Content and Communications, AppOmni

Lexie Harkness
Gregory FCA on behalf of AppOmni
