ServiceNow has published guidance for its customers on Access Control List (ACL) misconfigurations after a security report from AppOmni found that 70% of the instances it tested had issues.
In a report released Wednesday, AppOmni explained that the common misconfigurations come from a "combination of customer-managed ServiceNow ACL configurations and excessive granting of permissions to guest users."
A ServiceNow spokesperson told ZDNet this is a "known" issue that occurs when end users do not apply the recommended configuration and management controls to their SaaS platforms.
"ServiceNow regularly publishes security configuration and best practice guides to help our customers. We recommend that customers constantly monitor their security settings and user permissions to ensure their instances are configured as intended, with an emphasis on permission levels for external users," the spokesperson said.
AppOmni said many major SaaS platforms have this issue because of how complex they are, and noted that misconfigurations can be introduced in the initial stages of implementing a SaaS platform, when users or settings change, or as part of a regular cadence of SaaS updates that may affect existing configurations.
AppOmni CEO Brendan O’Connor said securing SaaS is more complex than just checking a few settings or enabling strong authentication for users.
"SaaS platforms have become business operating systems because they are very flexible and powerful. There are many valid reasons for workloads and applications running on a SaaS platform to interact externally, such as integration with email and text messaging or hosting a support portal for your customers," O'Connor said.
"SaaS adoption increased during the pandemic but unfortunately, investments in people, processes, and technology to secure and monitor SaaS did not keep pace. In AppOmni's experience, significant data exposures like this are more common than customers realize."
Many companies use Role-Based Access Control (RBAC) to grant users permission to access resources on a SaaS platform. The challenge, according to AppOmni, is ensuring the right level of access is preserved when organizations update or customize SaaS applications or onboard new users.
AppOmni Offensive Security Researcher Aaron Costello said that ServiceNow’s external interfaces exposed to the public could allow a malicious actor to extract data from records.
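The two preceding paragraphs describe the failure mode in the abstract: a role-based ACL model in which a rule that requires no role at all effectively grants access to the unauthenticated guest, and a public interface then lets anyone read the records behind it. The following is an added example, not code from the article, ServiceNow or AppOmni. It models table-level ACLs as a simplified (table, operation, required roles) triple with deny-by-default and most-specific-rule-wins evaluation, which is an assumption for illustration rather than a description of ServiceNow's actual ACL engine. The rule set and the list of sensitive tables are constructed; the table names are only used as labels.

```python
"""
Added example: audit a simplified RBAC/ACL rule set for tables an
unauthenticated guest can read, then show the hardened rule set.
The rule model and evaluation order are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    table: str                 # exact table name, or "*" as a wildcard
    operation: str             # "read", "write", "create", "delete"
    roles: frozenset = frozenset()
    # An empty role set means "any user satisfies this rule", which is
    # exactly the excessive guest grant the report warns about.


# The unauthenticated guest holds no roles (assumption for this example).
GUEST_ROLES = frozenset()


def rules_for(rules, table, operation):
    """Exact-table rules take precedence over wildcard rules (assumed)."""
    exact = [r for r in rules if r.table == table and r.operation == operation]
    if exact:
        return exact
    return [r for r in rules if r.table == "*" and r.operation == operation]


def is_allowed(rules, table, operation, user_roles):
    """Deny by default; allow if at least one applicable rule is satisfied."""
    applicable = rules_for(rules, table, operation)
    if not applicable:
        return False
    return any(not r.roles or r.roles & user_roles for r in applicable)


def audit_public_read(rules, sensitive_tables):
    """Return the sensitive tables a guest with no roles can read."""
    return sorted(t for t in sensitive_tables
                  if is_allowed(rules, t, "read", GUEST_ROLES))


def require_roles(rules, table, operation, roles):
    """Replace any rule on (table, operation) that grants to everyone."""
    return [AclRule(r.table, r.operation, frozenset(roles))
            if r.table == table and r.operation == operation and not r.roles
            else r
            for r in rules]


# Constructed rule set (not a real instance's configuration).
CONSTRUCTED_RULES = [
    AclRule("*", "read", frozenset({"admin"})),
    AclRule("incident", "read", frozenset({"itil"})),
    AclRule("kb_knowledge", "read"),          # intentionally public articles
    AclRule("sys_user", "read"),              # misconfiguration: no role required
    AclRule("sys_user", "write", frozenset({"user_admin"})),
]

# Tables whose records an organization would not want exposed (constructed).
SENSITIVE_TABLES = ["incident", "sys_user", "sys_attachment"]

# Hardened variant: the user directory now requires a role to read.
HARDENED_RULES = require_roles(CONSTRUCTED_RULES, "sys_user", "read", {"user_admin"})


if __name__ == "__main__":
    print("guest-readable sensitive tables:", audit_public_read(CONSTRUCTED_RULES, SENSITIVE_TABLES))
    print("after hardening:", audit_public_read(HARDENED_RULES, SENSITIVE_TABLES))
```

The audit treats a rule with an empty role set as the finding, because under an RBAC model that is the only way an unauthenticated principal can pass a check. A real review would also have to account for rules carrying conditions or scripts and for field-level rules, which this model leaves out.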
“The high level of flexibility in modern SaaS platforms has made misconfiguration one of the biggest security risks currently facing businesses,” said Brian Soby, CTO of AppOmni.
"Our goal is to shed light on common misconfigurations and other potential risks across SaaS platforms to help users ensure their posture and system configuration match their business objectives."