New hardening settings for baseline version 2.0

  • Release version: Yokohama
  • Updated January 30, 2025
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of New Hardening Settings for Baseline Version 2.0

    Security Center baseline version 2.0 introduces updated and new hardening settings designed to strengthen the security posture of your ServiceNow environment. These settings help enforce stricter access controls, session management, data protection, and secure communication practices.

    Key Features

    • Access Control Enhancements: Archive table ACL checks, scoped ACL enforcement for playbooks, and access checks for dashboard creation/deletion ensure that data and functionalities are properly secured.
    • Session and Privilege Management: Active session lifespan limits for integrations, guests, and UI sessions, along with proactive invalidation of inactive sessions and strict elevate privilege enforcement, help reduce session-related risks.
    • Authentication and Authorization: Application scope restrictions, certificate revocation verification, and OAuth parameter restrictions improve authentication security. Captcha requirements for guest access and validation of impersonation in HR applications enhance authorization controls.
    • Data and Content Security: Limitations on attachment sizes in GraphQL training/prediction, MIME type validation for attachments, and safe content security policies for SVG files protect against data misuse and injection attacks.
    • Device and Application Security: Enforcement of device encryption and passcode requirements, clearing pasteboard on mobile backgrounding, and enabling the hardened Java security manager boost endpoint security.
    • Audit and Logging Improvements: MID audit log activation and session audit event logging provide enhanced monitoring capabilities.
    • Other Controls: Disallowing target cloning, secure referrer policies, anti-CSRF token validation timing, restricted knowledge base access, and restrictions on HR case updates from personal emails further tighten security boundaries.

    Key Outcomes

    By implementing these settings, ServiceNow customers can expect improved protection against unauthorized access, better session hygiene, enhanced data integrity, and strengthened compliance with security best practices. These updates reduce vulnerabilities related to session management, privilege escalation, data exposure, and endpoint security, supporting a robust and secure ServiceNow environment.

    New hardening settings have been released with Security Center baseline version 2.0.