Potential Data Exposure in ServiceNow: Challenges for Citizen Developers and Security Teams

In a rapidly evolving digital landscape, data security has become a paramount concern within the AppSec community. As organizations embrace digital transformation and the shift towards cloud-based solutions, the onus is on them to protect sensitive data. However, the recent ServiceNow data exposure highlights an alarming concern: what happens when developers build apps and automations with risky default settings? The first step is to even identify or realize you have a problem, which likely cannot happen within the native platform. The crux of the issue therefore lies in the fact that rectifying this issue isn’t as straightforward as a one-size-fits-all solution. Rather, security teams and platform administrators are tasked with addressing the problem on a per-application basis, creating a precarious position.

The Data Exposure Problem

In simple terms, data exposure refers to the unauthorized access to sensitive information due to misconfigured security settings or application vulnerabilities. In this case, the potential exposure extends to the personal and business-critical data within affected ServiceNow applications, making it a serious concern for organizations that rely on the platform for their operations. It becomes an even larger problem for organizations that rely on any type of SaaS tool or service provider as a development platform; where business users of all technical backgrounds are able to quickly and easily build powerful business applications and automations. 

Applications built by citizen developers, when misconfigured, can be easy targets for malicious users to exfiltrate exposed data. This data could include personally identifiable information (PII), financial records, or other confidential business data. Think about all the data that ServiceNow processes; IT tickets, help desk requests, orchestrations and automations of all kinds; it adds up very quickly. The security risks associated with such exposure are enormous, ranging from legal and compliance issues to reputational damage and financial loss. These risks are obviously exacerbated when default permissions are in place that inherently increase risks of data leaks and exposure when apps are built on top. It can be like a house of cards.

The Citizen Developer Dilemma

Citizen developers have been heralded as a vital resource in the digital transformation era. These individuals are not IT professionals but rather employees within an organization who leverage low-code or no-code platforms like ServiceNow to build applications that meet specific business needs. They bring domain knowledge and hands-on experience, allowing them to develop applications quickly and efficiently.

However, data exposure issues present unique challenges to citizen developers. Unlike experienced IT professionals, they may lack the in-depth knowledge of the intricacies of data security. They also make uninformed decisions when completing application builds, such as who to share their apps with, how to encrypt data, how users should authenticate, and more. While more and more tools now provide robust capabilities to enable any business user to build applications, it’s equally essential to ensure these applications are secure from potential data exposure risks.

The issue compounds for citizen developers as the responsibility to rectify the problem lies with security teams and platform administrators, not the developers themselves. This lack of control and involvement can be frustrating, as citizen developers must rely on external parties to resolve the issue or even detect it in the first place. It disrupts the streamlined development process that attracted many to low-code and no-code platforms in the first place.

Challenges for Security Teams and ServiceNow Admins

The unique challenge of the ServiceNow data exposure problem lies in the fragmented nature of the platform. Each ServiceNow application operates independently and can have its own data security configuration. This means that there is no universal fix to address the data exposure issue across the entire ServiceNow tenant. These principles also apply to any low-code application development platform.

Security teams and respective platform administrators are faced with the cumbersome task of identifying, evaluating, and rectifying vulnerabilities and misconfigurations on an app-by-app basis. This not only requires significant resources but also prolongs the time it takes to address the issue comprehensively. In environments where there are only a few, or even tens of applications, this can be a manageable task; but in the world of citizen development, where new apps and automations are spun up in minutes (or even seconds, particularly when Gen AI is involved), the scale is incredibly challenging for security teams to manage. 

Furthermore, the article doesn’t shed light on a centralized approach that ServiceNow offers to detect and mitigate data exposure issues. Instead, it implies that the onus is on the organization itself to recognize and rectify these issues. This is where citizen developers, and therefore security teams, find themselves at a disadvantage.

What’s Next

The ServiceNow data exposure problem poses significant challenges for any organization that encourages citizen development to drive business innovation. The necessity for security teams and administrators to address the issue on a per-application basis disrupts the streamlined development process that citizen developers value as well as soaks up an enormous amount of time without an automated approach. To overcome this challenge, citizen developers must educate themselves on data security best practices and actively collaborate with other stakeholders. 

However, this is much easier said than done. As organizations continue their journey towards digital transformation, addressing potential data exposure in platforms like ServiceNow is crucial to maintaining the integrity and security of sensitive information, and rigorously analyzing each component that citizen developers leverage to build apps and automations is a good start. 

At Zenity, we are proud to have released the first SBOM for citizen development, which can be very useful for organizations concerned with data leakage and exposure stemming from any low-code platform. Get in touch with us to learn more!