ServiceNow Security Best Practices

Security is crucial in ServiceNow to protect data and processes from unauthorized access. As a ServiceNow developer, following best practices for secure coding, user roles, and permissions is essential to minimize vulnerabilities.

This guide highlights key security practices to ensure safe and compliant development on the platform.

Authentication & Authorization

Access Control List (ACL)

Using Access Control Lists (ACLs) in ServiceNow is important because they ensure proper data security and restrict access to sensitive information.

Once a user has successfully authenticated, access to parts of the instance interface, functions, and the data within it are controlled with Access Control Lists (ACLs) and Role-Based Access Control (RBAC).

ACLs use the account ID and associated groups to determine what access should be granted to an object, e.g., read, write, delete, create, etc.

• RBAC rules are ACLs assigned to roles defined within the instance. These might cater to different types of users or various job roles. User accounts and groups are assigned to roles, and permissions are applied to those roles.
• To provide an extra level of protection, customers may want to limit concurrent sessions for the same account or role.

If we use GlideRecord in the scripted rest API, users without the necessary roles could still access the API, indicating that table access control rules were not being evaluated.

By default, server-side scripts do not evaluate access control rules at the table level if we use GlideRecord. The solution is to use the GlideRecordSecure instead of GlideRecord.

Modifying the API script to use GlideRecordSecure ensures that access control is enforced, preventing unauthorized access. 

For more details, please refer here.

Learn more on ACL: Access Control List & Understanding ServiceNow ACL

Leverage Scoped Applications:

Isolate your application’s data and resources within a defined scope. This ensures that users and scripts have limited access to resources outside their assigned scope, preventing sensitive data exposure.

Learn more: Application Scope

When using Scoped Applications remember to release using CI/CD pipeline, refer to this article for more info: ServiceNow CICD Pipeline usage guide

Data Security & Privacy

Mask Sensitive Data:

When displaying sensitive data (such as credit card numbers or personal identifiers), ensure that it is masked or obfuscated. Display only necessary parts (e.g., last four digits) to reduce exposure.

The Sensitive Data Handler detects and masks sensitive data when the requester of an Agent Chat or Virtual Agent conversation inputs them.

Learn more: Sensitive Data Handler

Avoid Hardcoding Secrets:

Never hardcode passwords, API keys, or any sensitive credentials directly in your scripts.

Use ServiceNow’s Credential Management to securely store and access sensitive information.

Hardcoding passwords or sensitive credentials in scripts is risky because it exposes them to unauthorized access, making systems vulnerable to breaches. It also prevents easy password rotation and increases the risk of using outdated or compromised credentials.

Learn more: Credential Management in RPA Hub

Ensure Data Integrity:

Implement validation rules, data policies, and business rules to ensure that data entered into the system is accurate and consistent.

Learn more: Business Rules, Data Policy

Secure Coding Practices

Validate User Inputs:

Always validate and sanitize user inputs to avoid injection attacks (e.g., SQL or script injections). Implement validation on both the client-side and server-side.

Learn More: Input validation, Validation, sanitization, and encoding & Input Validation Best Practices

Avoid Dangerous Functions:

Avoid using insecure or outdated functions like eval(), which executes arbitrary code.

Instead, use safer methods to handle dynamic data, like JSON.parse() and JSON.stringify().

Learn More: JSON.parse(), JSON.stringify()

Make Code Optimized and Easy to Read:

When writing code, remember that others may work with it in the future. Whenever possible, ensure your code is easy to read and understand.

• Comment Your Code
• Use White Space
• Write Simple Statements
• Create Small, Modular Components
• Construct Reusable Functions
• Verify Values Exist Before Using Them
• Avoid Complex GlideRecord Queries
• Use GlideAggregate for Simple Record Counting
• Avoid Dot-Walking to the sys_id of a Reference Field
• Experiment in a Sandbox

For in depth examples and to learn more: Scripting Technical Best Practices

Client Scripting Technical Best Practices:

A Client Script is JavaScript code which runs on the client, rather than the server. Well-designed Client Scripts can reduce the amount of time it takes to complete a form and improve the user experience. However, improperly implemented Client Scripts can significantly slow down form load times.

• Use Client Scripts to Validate Data inputs from the users
• Set Client Script Order
• Restrict List Editing
• Use newValue, oldValue and isLoading variables to optimize scripts executions
• Minimize Server Lookups
• Use setValue()'s displayValue Parameter with Reference Fields
• Avoid Global Client Scripts
• Avoid DOM Manipulation

For in depth examples and to learn more: Client Scripting Technical Best Practices

Debugging Best Practices:

Debugging can provide information to help you understand system processes.

There are a number of different debugging features you can use within a ServiceNow instance.

• Use gs.info(), gs.debug(), and gs.error(): Log messages in server-side scripts to capture key information and troubleshoot issues. For client scripts, use console.log() to log values and actions.
• Check System Logs: Regularly review System Logs in ServiceNow (System Logs > All) for errors, warnings, and messages related to the script execution.
• Use the JavaScript Debugger: For client scripts, use the browser’s Developer Tools (F12) to set breakpoints and step through the code to inspect variables and trace the flow.
• Test with Different User Roles
• Isolate Problems: Simplify or comment out parts of the script to isolate issues. Focus on one area of the script at a time.
• Clear Cache and Sessions: Sometimes, caching issues can affect debugging. Clear the Cache (System Diagnostics > Cache) or use Incognito Mode for client-side testing.
• Debugging with Breakpoints: In Script Includes and Business Rules, set breakpoints to pause the execution and inspect variables in the ServiceNow Debugger.

For in depth examples and to learn more: Debugging Best Practices

Application & API Security

Secure REST APIs:

Use OAuth 2.0 authentication for your REST APIs instead of basic authentication. Ensure input validation is in place to prevent common vulnerabilities.

Learn More: How to enforce strict REST API security

Peer Code Reviews:

Implement regular code reviews to ensure security concerns are identified early. Code reviews help catch potential vulnerabilities and improve the overall quality of the codebase.

Other resources: 

• https://www.reco.ai/hub/servicenow-security-best-practices