Query on Instance hardening

Suggy
Giga Sage

There are several system properties where ServiceNow says 'Security risk - HIGH'

and also gives us recommendations.

Ex -

Use the glide.ui.escape_html_list_field property to force HTML escapes for HTML fields in a list view.

Security risk rating: 8.8
Security risk: HIGH

Link - https://www.servicenow.com/docs/bundle/xanadu-platform-security/page/administer/security-center/refe...

 

My question is - if it's such a high risk, why does ServiceNow even allow us to turn off/modify such properties? Who wants to take a risk knowingly? Why can't ServiceNow make such properties READ ONLY?
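The property quoted above forces HTML escaping for HTML fields when they are rendered in a list view. As an added illustration, and not ServiceNow's code or a model of how the platform applies the property, the JavaScript below escapes a constructed HTML field value the way a list cell has to be escaped before it reaches the browser. `escapeHtmlListField` is an assumed flag standing in for the property, `SAMPLE_FIELD_VALUE` is a constructed record value, and `containsActiveMarkup` is an assumed check that flags unescaped tags or event-handler attributes in the rendered cell.

```javascript
// Added illustration of list-view HTML escaping (not ServiceNow's implementation).

// Characters that must never reach the browser unescaped inside element content.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a field value so the browser shows it as text instead of parsing it as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Simulated list cell renderer. `escapeHtmlListField` is an assumed flag that plays
// the role of the glide.ui.escape_html_list_field property from the post.
function renderListCell(fieldValue, escapeHtmlListField) {
  const body = escapeHtmlListField ? escapeHtml(fieldValue) : String(fieldValue);
  return `<td class="list-cell">${body}</td>`;
}

// Constructed sample: a stored HTML field value that carries markup and an inline script.
const SAMPLE_FIELD_VALUE = '<b>Printer offline</b><script>untrusted()</script>';

// Assumed defender-side check: does the rendered cell still contain a live tag
// or an inline event-handler attribute? A hardened cell must answer "no".
function containsActiveMarkup(cellHtml) {
  const inner = cellHtml.replace(/^<td class="list-cell">|<\/td>$/g, '');
  return /<[a-z]/i.test(inner) || /\son[a-z]+\s*=/i.test(inner);
}

// Render the same field with the property on and off, for side-by-side comparison.
function compareRendering(fieldValue) {
  return {
    hardened: renderListCell(fieldValue, true),
    weak: renderListCell(fieldValue, false),
  };
}

const result = compareRendering(SAMPLE_FIELD_VALUE);
console.log('hardened:', result.hardened, '| active markup:', containsActiveMarkup(result.hardened));
console.log('weak:    ', result.weak, '| active markup:', containsActiveMarkup(result.weak));
```

The point the flag makes is that the escaping decision sits at render time, so any record whose HTML field contains markup is shown as literal text in the list when the flag is on and as live markup when it is off; the check function is the kind of test a hardening review can run against rendered output rather than against the property value alone.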

 

6 REPLIES

@Sohail Khilji Thanks for replying. I have implemented instance hardening for several customers, and the majority of them, when asked what they prefer for a given security property/setting, just tell me to do what is recommended by ServiceNow. Customers hardly ever really look into all those security system properties.

 

Also, my point was: when the security risk is high or very high, ServiceNow should not have allowed such properties to be edited. For low/medium risk ones, it can make sense to give us the flexibility to take a call, is what I strongly feel.

Hi @Suggy 

 

In order to avoid over-customization, properties are provided; this will allow you to just play with properties rather than customizing or overdoing changes.

