Penetration Testing, Compliance & Cybersecurity Review query

VikasY
Kilo Contributor

Q1: I read the article on HiPortal about what ServiceNow doesn't allow you to do in penetration testing, like no network layer testing, no DDoS, etc. However, we may hire someone externally to do the pen testing on one of our sub-prod instances, but would like to know which layers we can test in terms of pen testing.

Q2: Are there any restrictions on running vulnerability scans on prod or uat instances?

Q3: MID Servers etc. that are on prem - ServiceNow shouldn't have any problem with running pen testing on those servers, right?

Q4: ServiceNow probably does their own pen testing and/or vulnerability scans - how can we request a copy for our security team to review?

ianleu
Kilo Explorer

Q1: You can test the session layer (layer 5) to the application layer (layer 7), according to my understanding.

Q2: You can't run pentests on any SNOW prod systems of whatever kind.

Q3: It's on your local network, so I can't imagine so, but you would have to confirm with the SecOps team.

Q4: I can't imagine any company that will give you pen test details. Most malicious groups would pay a lot for that information. The best I can imagine is getting a certification of some kind, but I do not know if SNOW offers these, and Vulnerability Management is anyway an ongoing process most of the time - it's rarely the case that the process gets "completed".

We run regular pentests with all our solutions so feel free to contact me directly if you require any more assistance.

VikasY
Kilo Contributor

hmmm.. maybe a Hi Ticket is a better option to grab this information. I was told you can request results via ServiceNow Core. Also, for my Q2: I understand we can't do pen testing on prod, but I was more curious about vulnerability scanning instead.

janerampl
Kilo Contributor

How many of you really care about your cybersecurity? I'm not just talking about an antivirus on your computer, but about something more serious than this.

janerampl
Kilo Contributor

I have good advice for you on this situation. There is a way to check security like Red Teaming. I guess you've heard about this. These operations have much broader goals than Penetration Testing, which often aim to access the network. Red teaming includes evasion and persistence, privilege escalation, and exfiltration. We used this method in our California company and were very surprised by the results. Penetration testing finds less risk and gives a narrow picture. This is because penetration testing is a small part of Red Teaming. It is only the first part of a chain of cyber-murders. Red Teaming is a powerful technique for checking your organization's security vulnerabilities. To get the most out of a Red Team exercise, you will need to prepare carefully. In particular, you will need to have pretty mature cybersecurity measures.