ServiceNow has published guidance for its customers related to Access Control List (ACL) misconfigurations after an AppOmni security report found that 70% of the instances they tested had the issue.
In a report released on Wednesday, AppOmni explained that the common misconfigurations come from a “combination of customer-managed ServiceNow ACL configurations and overprovisioning of permissions to guest users.”
A ServiceNow spokesperson told ZDNet that this is a “well-known” issue that happens when end users do not apply recommended configuration and governance controls to their SaaS platforms.
“ServiceNow regularly publishes security configuration and best practice guidance to help our customers. We recommend that customers continuously monitor their security settings and user permissions to ensure that their instances are configured as intended, with an emphasis on permission levels for external users,” the spokesperson said.
AppOmni said many major SaaS platforms have this issue because of how complex they are, and noted that misconfigurations can be introduced during the initial implementation phase of a SaaS platform, when users or settings change, or as part of the regular cadence of SaaS updates that can alter current configurations.
AppOmni CEO Brendan O’Connor said securing SaaS is a lot more complicated than just checking a handful of settings or enabling strong authentication for users.
“SaaS platforms have become business operating systems because they are so flexible and powerful. There are many valid reasons for workloads and applications running on a SaaS platform to communicate externally, such as to integrate with emails and text messages or host a support portal for your customers,” O’Connor said.
“SaaS adoption skyrocketed during the pandemic, but unfortunately, investments in people, processes, and technology to secure and monitor SaaS have not kept up. In AppOmni’s experience, significant data exposures like this are far more common than customers realize.”
Many companies use Role-Based Access Control (RBAC) to grant users permission to access resources on a SaaS platform. The challenge, according to AppOmni, is ensuring the right level of access is preserved when organizations update or customize SaaS applications or onboard new users.
AppOmni Offensive Security Researcher Aaron Costello said ServiceNow external interfaces exposed to the public could allow a malicious actor to extract data from records.
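One way for a defender to check the RBAC and guest-access concern described above is to audit the instance's own ACL tables. The following is an added example (not code from AppOmni or ServiceNow): it assumes the auditor has already exported rows from the `sys_security_acl` and `sys_security_acl_role` tables and flattened them into the simplified dict shape constructed below, and it treats the `public` role as one any visitor effectively holds, which is an assumption for this example.

```python
"""Offline audit: flag active read ACLs that nothing actually guards.

In ServiceNow a record ACL that names no roles, no condition and no script
grants its operation to everyone, including the unauthenticated guest user.
"""
from collections import defaultdict

# Constructed sample rows (not real instance data), simplified from the
# sys_security_acl table; `name` is "table" or "table.field".
ACLS = [
    {"sys_id": "a1", "name": "incident", "operation": "read", "active": "true",
     "condition": "", "script": ""},
    {"sys_id": "a2", "name": "incident", "operation": "write", "active": "true",
     "condition": "", "script": ""},
    {"sys_id": "a3", "name": "sys_user", "operation": "read", "active": "true",
     "condition": "", "script": ""},
    {"sys_id": "a4", "name": "kb_knowledge.short_description", "operation": "read",
     "active": "true", "condition": "", "script": ""},
    {"sys_id": "a5", "name": "u_contract", "operation": "read", "active": "false",
     "condition": "", "script": ""},
    {"sys_id": "a6", "name": "u_contract", "operation": "read", "active": "true",
     "condition": "active=true", "script": ""},
]
# Constructed many-to-many rows from sys_security_acl_role.
ACL_ROLES = [
    {"sys_security_acl": "a1", "sys_user_role": "itil"},
    {"sys_security_acl": "a2", "sys_user_role": "itil"},
    {"sys_security_acl": "a4", "sys_user_role": "public"},
]

# Assumption for this example: roles that do not restrict anyone.
GUEST_ROLES = {"public"}


def unguarded_read_acls(acls, acl_roles, guest_roles=GUEST_ROLES):
    """Return (acl name, reason) pairs for active read ACLs any visitor passes."""
    roles_by_acl = defaultdict(set)
    for row in acl_roles:
        roles_by_acl[row["sys_security_acl"]].add(row["sys_user_role"])
    findings = []
    for acl in acls:
        if acl["active"] != "true" or acl["operation"] != "read":
            continue
        # A condition or script may still restrict rows; review those by hand.
        if acl["condition"] or acl["script"]:
            continue
        required = roles_by_acl.get(acl["sys_id"], set())
        if not required:
            findings.append((acl["name"], "no roles, condition or script"))
        elif required <= guest_roles:
            findings.append((acl["name"], "only guest-equivalent roles: "
                             + ",".join(sorted(required))))
    return sorted(findings)
```

Field-level names (`table.field`) appear alongside table-level ones so that a single open column on an otherwise guarded table is not missed.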
“The high degree of flexibility in modern SaaS platforms has made misconfiguration one of the largest security risks businesses currently face,” said Brian Soby, CTO of AppOmni.
“Our goal is to shed light on common misconfigurations and other potential risks in SaaS platforms so users can ensure their system posture and configuration matches their business intent.”