Pen Testing on ServiceNow Instance

Aman22
Mega Contributor

Hi,

We are trying to find out more on Penetration testing on our ServiceNow Instance and have the following questions

- Do we have to use third-party tools to do penetration testing? If so, are there any recommendations from anyone who has used those?

- What are the Pros and Cons of doing that?


Thanks

Aman

4 REPLIES

andy_ojha
ServiceNow Employee

Hey there,

You might want to post this in the 'Platform and Cloud Security' forum for better insight from others that have gone through this type of simulated testing / assessment exercise:

  • https://community.servicenow.com/community?id=community_topic&sys_id=54495e2ddbd897c068c1fb651f9619ce

As with all penetration tests, you'd ideally have a defined scope - whether you take it on yourself, with a third party, or with whatever tools you have in your toolbox - e.g. will you be performing whitebox testing vs. blackbox testing, etc.

Either way you go - would create a HI Support Ticket to kick that off and follow the defined process ServiceNow has for handling these requests.


Kieran Anson
Kilo Patron

Hi Aman,

It'll depend on whether you're leveraging a third party or not. Whenever I've done a deployment where a client has wanted to complete a pentest, they've used a pentesting company with their own methods.

You can only pentest a sub-production clone of your instance and ServiceNow must be informed via the HI Support request form "Schedule a Penetration Test".

Customer Instance Security Testing | Policy and Procedure

Minimum Instance Configuration

Aman22
Mega Contributor

Thanks @Kieran Anson

Dhruv Gupta1
Kilo Sage

Hi Aman,

Pentesting is fun. So if you are looking for tools, that totally depends on your team and environment. But when I became a Google Hall of Famer I prefer to use Burp Suite and Acunetix. I also prefer some of the network-based frameworks like BloodHound and Empire to do the access escalation.

Some tips while you pentest on ServiceNow:

- If you are going blackbox, just do it on a PDI or sub-production instance.
- If you are doing whitebox, then get in touch with the HI team; they can provide you with all the details, like the compliance information or the various controls they have, and based on that your security team can decide and create a certain checklist of attacks.

I further recommend the OWASP Top 10 as a checklist of attacks.