
Sebastien R
ServiceNow Employee

In their risk assessments, ServiceNow customers may identify the following risk: code stored in the cloud instance is maliciously changed and then run against the customer's local infrastructure, such as a MID Server.

 

In a defense-in-depth strategy, access controls and session management capabilities may not be seen as sufficient, and adding integrity controls could be an essential element.

 

To this end, ServiceNow offers the Code Signing feature in the ServiceNow Vault bundle.

 

With Code Signing, the customer can add a digital signature to protect code or a component and block its execution if the code is modified in production.

 

The concept of “Circle of Trust (COT)” is introduced, which creates secure communication between non-production and production instances to ensure that only authorized users can access the Code Signing feature.

 

Multiple security measures help to prevent malicious actors from disabling or misusing Code Signing if a production instance is compromised. As part of the defense-in-depth strategy, the Circle of Trust (COT) uses the following components:

  • Restrictive controls that constrain even the most powerful administrator are established in the production instance to help protect Code Signing processes and configuration.
  • Trusted non-production environments are required to work together with production instances to establish the Circle of Trust relationship. At least one non-production environment is required, but multiple trusted instances may be configured to collaborate with the production instance.

The Circle of Trust requires an initial trust relationship between non-production and production instances that prevents any unauthorized user with any authorization level from accessing unapproved activities.

 

As an example, an attacker gains access to data sources or to a specific set of records and makes a malicious change to a structured query language (SQL) statement in the customer production instance. The MID Server will find the data source request and execute the malicious SQL change. Executing malicious code can be detrimental (sometimes fatal) to the MID Server and must be avoided at all costs.

 

SebastienR_0-1706635970014.png

 

By using the COT, system administrators can mitigate vulnerabilities resulting from such a scenario. As shown in the figure above, the Code Signing feature working in conjunction with the COT would prevent such a breach from occurring.

  1. The administrator updates the data source in the sub-production instance and signs the integration records.
  2. The updated data is pushed from the sub-production instance to the production instance.
  3. At this point, the attacker tries to update the production instance with malicious statements.
  4. The MID Server finds the malicious data source request.
  5. However, the MID Server does not execute the request because no digital signature was found.
  6. As a result, a message is sent back to the customer’s production instance informing the customer there is a problem with the digital signature and further investigation is needed.
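The sign-then-verify flow in the steps above, as an added sketch in Go; it is not ServiceNow's implementation or code from the original post. Ed25519, the JSON encoding, the split of keys (private key in the sub-production instance, public key on the MID Server) and all type and function names are assumptions made for illustration, and the sample records are constructed.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// DataSource is a hypothetical stand-in for an integration record.
type DataSource struct{ Name, SQL string }

// SignedRecord is what travels from sub-production to production and on to the verifier.
type SignedRecord struct {
	Record    DataSource
	Signature []byte // empty when the record was never signed
}

var ErrUnsigned, ErrBadSignature = errors.New("no digital signature found"), errors.New("digital signature does not match record")

// canonical gives signer and verifier the same bytes; struct field order is fixed.
func canonical(r DataSource) []byte {
	b, _ := json.Marshal(r)
	return b
}

// Sign models steps 1-2: it runs where the private key lives (assumed: sub-production only).
func Sign(priv ed25519.PrivateKey, r DataSource) SignedRecord {
	return SignedRecord{Record: r, Signature: ed25519.Sign(priv, canonical(r))}
}

// VerifyBeforeExecute models steps 4-6: the verifier holds only the public key.
func VerifyBeforeExecute(pub ed25519.PublicKey, s SignedRecord) error {
	if len(s.Signature) == 0 {
		return ErrUnsigned
	}
	if !ed25519.Verify(pub, canonical(s.Record), s.Signature) {
		return ErrBadSignature
	}
	return nil // only at this point would the statement be executed
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	signed := Sign(priv, DataSource{Name: "cmdb_import", SQL: "SELECT id, name FROM assets"})
	tampered := signed
	tampered.Record.SQL = "DROP TABLE assets" // step 3: record changed directly in production
	fmt.Println(VerifyBeforeExecute(pub, signed), VerifyBeforeExecute(pub, tampered))
}
```

Because the verifier holds only the public key in this sketch, a record changed in production cannot be given a valid signature there; it is rejected whether the signature is stale, stripped or produced with a different key.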

 

Code Signing provides a critical mechanism to ensure that only trusted code is deployed and frees organizations from the burden of building gatekeeper components in their deployment pipelines.

 

 
