jlemos
ServiceNow Employee

While ServiceNow's Product Security Team works tirelessly testing and validating the security controls within ServiceNow's Platform, you may wish, or be required, to test your company's instance or specific instance customizations yourself. The Customer Penetration Testing Program has been around for several years and is the only approved way to perform security testing against your ServiceNow instance.

A penetration test, commonly referred to as a "pentest," is an active approach to validating security controls or defenses. Security testing methodologies vary between companies, but at minimum they typically involve running a dynamic web application scanning tool and manually exercising the application, tampering with parameters. There are plenty of scanning tools available, and without exception they all produce false positives or inaccurate results. Whether your internal security team or a third-party company performs the assessment, you as the customer are responsible for validating findings before submitting them to ServiceNow. ServiceNow does not review scan reports from these tools. We will be more than happy to review any finding that has been clearly documented with steps to reproduce.

How the Customer Penetration Testing process works:

  1. Customer logs into the HI Customer Support Portal and, in the side navigation, clicks Self-Service > Service Requests > Schedule a Penetration Test.
  2. The ServiceNow security team receives the request and validates that the customer has met the testing prerequisites outlined there.
  3. ServiceNow Security updates the customer with a testing URL.
  4. Customer performs the security assessment and provides the validated results.
  5. ServiceNow Security analyzes any reported findings and responds within 10 days.

For details on prerequisites, authorization, testing, changes, and configuration, see Customer Penetration Testing. You will need to log in to HI to view the details. Meeting the Instance Hardening prerequisites and scheduling the assessment can take up to a few weeks, so it is best to plan accordingly.

Why should I go through the testing process?

First, if you follow the approved process, we won't mistake your testing activities for a malicious attack. Additionally, a ServiceNow instance is very customizable, and we've found that customers are often unaware that newer security features are disabled on their instance. The friendly Security Engineers at ServiceNow will help you ensure your instance is sufficiently hardened prior to testing.

This approach has been shown to reduce the number of findings that can easily be fixed with configuration settings, and it saves time for everyone involved.

Finally, as you may have noticed, this article is all about Customer Penetration Testing, not anonymous or unauthorized penetration testing. If you are a security researcher interested in ServiceNow, or would like to report a bug, please contact us at prodsec@servicenow.com.