Hiro Aoki
ServiceNow Employee

In our previous blog post, we introduced useful resources for those considering ServiceNow as a DX platform, providing insights into evaluating ServiceNow from the perspectives of security and privacy. This time, we will focus on those who are already using ServiceNow - administrators and developers. We have carefully selected practical security resources to help you configure your instances for enhanced safety, and to support your daily operations, while ensuring high security during custom application development and external cloud integrations.

 

Resources for ServiceNow Administrators

As a ServiceNow administrator, product documentation and user communities are useful sources of information for resolving specific queries or problems. However, if you are relatively new to administering ServiceNow, it might be challenging to locate specific security-related information within these vast resources. First, understand the overall picture and the key points of ServiceNow's security settings that administrators should know. Then, investigate the purpose and impact of individual security settings to identify opportunities for security enhancement. For inherently complex features that play crucial roles in security, such as Access Control Lists (ACL) and encryption, we recommend learning through videos or other similar methods.

 

This guide is designed to help you operate your instances more securely. It gives you a comprehensive understanding of where the opportunities to improve the security of your instance lie and also highlights particularly important security settings. This is the first resource administrators should utilize when considering security matters.

 

Each ServiceNow instance has over 2000 configuration items (properties). For about 100 of these settings that are related to security, you can investigate the security each one enables and the functional impact it creates as a trade-off. As evaluating all configuration items can be time-consuming, we recommend first scanning the instance's configuration values with Instance Security Center or Security Center, then identifying items that do not conform to ServiceNow's recommended settings before proceeding with this.

 

This is a training resource for administrators. It is especially helpful for complex functionality such as the ServiceNow key management framework and encryption options, which it covers from the ground up through explanations and video tutorials.

 

Resources for Developers

ServiceNow developers can enhance their development skills and gain insights and advice from other developers through developer-oriented training courses on Now Learning, developer communities, and other platforms. While access control can mostly be handled by simple configurations, fulfilling user-requested functional and security requirements may occasionally require coding access control scripts based on the attributes of users accessing resources, and validating input values received from users. Below, we introduce resources that can be utilized in such situations.

 

ServiceNow Developer Portal

The Developer Portal is the best reference site for ServiceNow developers, offering API documentation, step-up guides, and more. This page explains access control for resources in custom applications by unauthenticated users and other applications.

 

ServiceNow Secure Coding Guide for Instance Developers

This resource is accessible only to ServiceNow customers. It provides an overview of the application security-related GlideScriptable classes and methods offered by ServiceNow, supporting coding with security in mind. This guide is organized by security topic and attack vector and provides commentary on code examples and the impact on security/functionality. This enables developers to understand security risks and learn ways to code more securely.

 

Summary

ServiceNow plays a crucial role not only as a DX platform but also in protecting data security and privacy. In this blog post, we have introduced security resources that administrators and developers of organizations already using ServiceNow can utilize. By leveraging these resources, you can efficiently master ServiceNow's security, implement more robust security measures, and mitigate risks.