Query on Instance hardening

Suggy
Giga Sage

There are several system properties where ServiceNow says 'Security risk - HIGH'

and also gives us recommendations.

Ex -

Use the glide.ui.escape_html_list_field property to force HTML escapes for HTML fields in a list view.

Security risk rating: 8.8
Security risk: HIGH

Link - https://www.servicenow.com/docs/bundle/xanadu-platform-security/page/administer/security-center/refe...

My question is: if it's such a high risk, why does ServiceNow even allow us to turn off/modify such properties? Who wants to take a risk knowingly? Why can't ServiceNow make such properties READ ONLY?
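To make concrete what the cited property controls, here is an added example (not code from this thread and not ServiceNow's own code). It models the rendering of an HTML field in a list view with glide.ui.escape_html_list_field off and on, checks whether the output still contains browser-executable markup, and audits a simulated sys_properties snapshot against the recommended value. The sample records, the `props` object that stands in for sys_properties, and all function names are constructed for the illustration; the only expectation encoded is the "true" recommendation quoted above.

```javascript
// Added example (not from the thread or ServiceNow). Models the behaviour that
// glide.ui.escape_html_list_field controls: whether an HTML field's value is
// emitted into a list cell as live markup or as escaped text. Records, the
// `props` object and the function names are constructed for this illustration.

// Minimal HTML escaper for text nodes and attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample records. The second description is a stored-XSS style
// payload of the kind an unescaped HTML field would render as live markup.
const sampleRecords = [
  { number: "INC0010001", description: "<b>Printer</b> offline on floor 3" },
  { number: "INC0010002", description: '<img src=x onerror="alert(document.cookie)">' },
];

// Render the HTML field into a list cell, honouring the (simulated) property.
function renderListCell(value, props) {
  const escape = props["glide.ui.escape_html_list_field"] === "true";
  return `<td>${escape ? escapeHtml(value) : value}</td>`;
}

function renderList(records, props) {
  return records
    .map((r) => `<tr><td>${escapeHtml(r.number)}</td>${renderListCell(r.description, props)}</tr>`)
    .join("\n");
}

// Detection check: does the rendered list still contain an inline event
// handler or a script element that the browser would execute?
function containsActiveMarkup(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html) || /<script\b/i.test(html);
}

// Expected hardened values. Only the property from the question is listed;
// the "true" expectation is the recommendation quoted in the question.
const hardeningExpectations = {
  "glide.ui.escape_html_list_field": "true",
};

// Report every property whose current value differs from the expectation,
// including properties that are unset. This is the check an admin would run
// before, and after, anyone is allowed to change a HIGH-risk property.
function auditProperties(props, expectations = hardeningExpectations) {
  return Object.entries(expectations)
    .filter(([name, want]) => props[name] !== want)
    .map(([name, want]) => ({ name, expected: want, actual: props[name] ?? "(unset)" }));
}

// Stand-alone demonstration: weak setting beside the hardened one.
const weak = { "glide.ui.escape_html_list_field": "false" };
const hardened = { "glide.ui.escape_html_list_field": "true" };

const weakHtml = renderList(sampleRecords, weak);
const hardenedHtml = renderList(sampleRecords, hardened);

console.log("escaping off -> active markup present:", containsActiveMarkup(weakHtml));
console.log("escaping on  -> active markup present:", containsActiveMarkup(hardenedHtml));
console.log("audit of weak config:", auditProperties(weak));
console.log("audit of hardened config:", auditProperties(hardened));
```

With the property set to "false" the second record's payload reaches the page as markup and `containsActiveMarkup` reports it; with "true" the same value is shown as literal text. The audit function is the part worth keeping: whatever ServiceNow lets an admin change, a scheduled comparison of the live property values against an agreed baseline turns "someone flipped a HIGH-risk property" into a finding instead of a surprise.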


Suggy
Giga Sage

Anyone

Hi @Suggy

That depends on the customer use case; that's why it is not enabled by default.

https://youtu.be/5uwGxhSGLfw?si=hV6dYUMnsBDSuJSe

@SK Chand Basha when the security risk is high or very high, ServiceNow should not have allowed such properties to be edited. For low/medium risk ones, it can make sense to give us the flexibility to take a call, is what I strongly feel.

When you say "That depends on the customer use case": why would a customer take the risk of not enabling something when ServiceNow calls it HIGH risk 🙂

Sohail Khilji
Kilo Patron

Hi @Suggy,

Good question!

ServiceNow allows the modification of high-risk security properties to maintain flexibility, compatibility with customer needs, and control for administrators, even though this carries some security risks.

While it might seem like a good idea to make certain properties read-only for security, doing so could limit the platform's flexibility and usability for many customers.

Instead, ServiceNow provides visibility into these risks and encourages best practices while giving customers the power to make informed decisions based on their specific requirements.

As an admin, it's important to fully understand the security implications of altering these properties and to ensure that any changes are made in a controlled and informed manner, ideally after assessing the security posture of the entire system.

