
How to Prevent Unauthorized API Integrations in ServiceNow Using Reco

Reco Security Experts
Updated
July 15, 2025

In today’s interconnected IT environments, APIs are at the core of service communication. While ServiceNow provides powerful capabilities through its REST and GraphQL APIs, it is critical to ensure these interfaces are securely configured. This article explores how Reco’s security posture checks can help prevent unauthorized API integrations in ServiceNow instances, focusing on two key risks: improper authentication and unsecured GraphQL endpoints.

Why API Security in ServiceNow Matters

ServiceNow APIs enable a wide range of automation, integration, and user-facing functionalities. However, improperly configured APIs can inadvertently expose sensitive data or allow attackers to exploit system capabilities. Unauthorized access could compromise the confidentiality, integrity, and availability of critical business information. Therefore, maintaining a secure API posture isn't just a best practice – it's a necessity.

To address these concerns, two Reco posture checks were applied to the ServiceNow instance:

1. ServiceNow - Require Authorization for API Requests

[Screenshot: the “ServiceNow - Require Authorization for API Requests” posture check with its scan results.]

2. ServiceNow - GraphQL API Authorization Enabled

[Screenshot: the “ServiceNow - GraphQL API Authorization Enabled” posture check with its scan results.]

Each posture check helps proactively identify and remediate misconfigurations before they can be exploited.

How Reco Supports API Security in ServiceNow

Reco offers native ServiceNow posture checks, real-time drift detection, and seamless integration into existing security operations workflows. These posture checks are part of Reco’s broader identity risk management strategy, which includes continuous monitoring for shadow access, misconfigured entitlements, and SaaS-wide exposure.

Reco provides quick visibility into security misconfigurations that would be difficult to uncover manually. What makes it effective for this use case is the combination of:

  • Seamless integration with ServiceNow
  • Purpose-built posture checks for identity and configuration risks
  • Automated alerts for drift from secure baselines
  • Continuous monitoring with minimal operational overhead

1. Enforcing Basic Authentication on API Requests

Enforcing basic authentication helps ensure that only authorized users can interact with your ServiceNow APIs. This section outlines how Reco helps identify weak authentication settings and how to strengthen them.

The Risk

The first posture check monitors the system property glide.basicauth.required.api. When this property is set to false, ServiceNow no longer requires Basic Authentication on API requests, so HTTP requests that carry no credentials are not rejected outright, and whatever data or services the instance's ACLs leave open to an unauthenticated caller become reachable over the API.

Reco Posture Check Summary:

  • Property Checked: glide.basicauth.required.api
  • Recommended Value: true
  • Impact if False: Potential unauthenticated access to instance data and services

The Fix

Step-by-Step Remediation:

  1. Log in to your ServiceNow instance with admin privileges.
  2. Search for glide.basicauth.required.api in the System Properties table (navigate to sys_properties.list).
  3. If the property is not present, create it:
    • Name: glide.basicauth.required.api
    • Type: true | false
    • Value: true
    • Description: Require Basic Authentication for API requests
  4. Save the record, then confirm the change took effect by sending an API request without credentials and checking that it is rejected with HTTP 401.

[Screenshot: ServiceNow's System Properties table showing the glide.basicauth.required.api property with its value set to true.]

With the property set to true, REST and SOAP API requests must present valid credentials: Basic Authentication by default, or an OAuth bearer token where OAuth has been explicitly configured for the integration. Note that this gate only decides whether an anonymous request is turned away; what an authenticated caller can then read or change is still governed by ACLs.

2. Securing GraphQL APIs with Authentication and ACLs

GraphQL endpoints can expose sensitive data if not properly secured. Here’s how Reco helps you detect and fix misconfigurations that allow unauthenticated or unauthorized access.

The Risk

GraphQL, though powerful and flexible, becomes a significant attack vector if it is not correctly configured. A ServiceNow GraphQL schema can be published without the Requires authentication and Requires ACL authorization flags set, in which case any caller, interactive user or script, can run queries and introspection against the data model the schema exposes.

Reco Posture Check Summary:

  • Table Checked: sys_graphql_schema
  • Required Flags:
    • Requires Authentication
    • Requires ACL Authorization
  • Impact of Misconfiguration:
    • Unauthorized data exposure
    • Permissions bypass
    • System structure disclosure via introspection

The Fix

Step-by-Step Remediation:

  1. Navigate to System Web Services > GraphQL > GraphQL APIs in your ServiceNow instance.
  2. Open each schema identified by the Reco alert.
  3. Verify and enable:
    • Requires Authentication (checkbox)
    • Requires ACL Authorization (checkbox)
  4. Confirm appropriate ACLs are configured:
    • Go to System Security > Access Control (ACL)
    • Search for access controls on the tables and fields the GraphQL schema exposes.
    • Ensure only users with the correct roles can query or manipulate the data. Requires ACL authorization only helps if the underlying table and field ACLs are themselves restrictive.

[Screenshot: the GraphQL APIs table in ServiceNow with one schema selected and the 'Requires authentication' and 'Requires ACL authorization' fields highlighted.]

With both flags enabled, unauthenticated or unauthorized callers can neither introspect the schema nor retrieve data through it.
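The two checks described in sections 1 and 2 can also be reproduced outside Reco. The following is an added example written for this article, not Reco's or ServiceNow's own code. It evaluates sys_properties and sys_graphql_schema records in the shape the ServiceNow Table API returns them, applying the same pass/fail logic as the two posture checks, and it includes a live probe that sends credential-free requests to the REST Table API and the GraphQL endpoint and reports the HTTP status codes. The sample records are constructed for the demonstration. The sys_graphql_schema column names used (name, active, requires_authentication, requires_acl_authorization) and the /api/now/graphql path are assumptions to verify against your instance.

```python
import json
import urllib.error
import urllib.request
from dataclasses import dataclass

BASICAUTH_PROPERTY = "glide.basicauth.required.api"
INTROSPECTION_QUERY = "{ __schema { types { name } } }"  # minimal introspection query


@dataclass
class Finding:
    check: str     # posture check name
    resource: str  # property name or GraphQL schema name
    status: str    # "pass" or "fail"
    detail: str    # reason plus remediation hint


def _is_true(value) -> bool:
    # The Table API returns booleans as the strings "true" / "false".
    return str(value).strip().lower() == "true"


def evaluate_basicauth_property(properties: list[dict]) -> Finding:
    """Check 1: the property must exist exactly once and be 'true'."""
    check = "ServiceNow - Require Authorization for API Requests"
    rows = [p for p in properties if p.get("name") == BASICAUTH_PROPERTY]
    if not rows:
        return Finding(check, BASICAUTH_PROPERTY, "fail", "property not present; create it with value true")
    if len(rows) > 1:
        # Duplicate rows make the effective value ambiguous, so treat them as a failure.
        return Finding(check, BASICAUTH_PROPERTY, "fail", f"{len(rows)} rows found; keep one row with value true")
    if _is_true(rows[0].get("value")):
        return Finding(check, BASICAUTH_PROPERTY, "pass", "Basic Authentication is required for API requests")
    return Finding(check, BASICAUTH_PROPERTY, "fail", f"value is {rows[0].get('value')!r}; set it to true")


def evaluate_graphql_schemas(schemas: list[dict]) -> list[Finding]:
    """Check 2: every active schema must require authentication and ACL authorization."""
    check = "ServiceNow - GraphQL API Authorization Enabled"
    findings = []
    for schema in schemas:
        if not _is_true(schema.get("active", "true")):
            continue  # inactive schemas are not served, so they are skipped
        missing = [flag for flag in ("requires_authentication", "requires_acl_authorization")
                   if not _is_true(schema.get(flag))]
        name = schema.get("name", "<unnamed>")
        if missing:
            findings.append(Finding(check, name, "fail", "enable: " + ", ".join(missing)))
        else:
            findings.append(Finding(check, name, "pass", "authentication and ACL authorization enforced"))
    return findings


def probe_unauthenticated(base_url: str) -> dict:
    """Live verification: call both endpoints with NO credentials and return the status codes.

    A correctly configured instance answers 401 to both; a 200 means the endpoint served
    data (or the schema, via introspection) to an anonymous caller.
    """
    def status(req):
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code

    rest = urllib.request.Request(
        f"{base_url}/api/now/table/sys_properties?sysparm_limit=1",
        headers={"Accept": "application/json"})
    graphql = urllib.request.Request(
        f"{base_url}/api/now/graphql",  # assumed GraphQL endpoint path
        data=json.dumps({"query": INTROSPECTION_QUERY}).encode(),
        headers={"Accept": "application/json", "Content-Type": "application/json"},
        method="POST")
    return {"rest_table_api": status(rest), "graphql_introspection": status(graphql)}


# Constructed sample records in Table API shape (not data from a real instance).
SAMPLE_PROPERTIES = [
    {"name": "glide.basicauth.required.api", "value": "false", "type": "boolean"},
    {"name": "glide.ui.session_timeout", "value": "30", "type": "integer"},
]
SAMPLE_SCHEMAS = [  # column names assumed; verify against sys_graphql_schema in your instance
    {"name": "x_acme_inventory", "active": "true",
     "requires_authentication": "true", "requires_acl_authorization": "true"},
    {"name": "x_acme_reports", "active": "true",
     "requires_authentication": "true", "requires_acl_authorization": "false"},
    {"name": "x_acme_legacy", "active": "false",
     "requires_authentication": "false", "requires_acl_authorization": "false"},
]


def run_posture_checks(properties=SAMPLE_PROPERTIES, schemas=SAMPLE_SCHEMAS) -> list[Finding]:
    """Run both checks over record lists (Table API rows or the samples above)."""
    return [evaluate_basicauth_property(properties)] + evaluate_graphql_schemas(schemas)


if __name__ == "__main__":
    for f in run_posture_checks():
        print(f"[{f.status.upper():4}] {f.check} :: {f.resource} :: {f.detail}")
```

To run the checks against live data, fetch the rows with an admin account using the Table API (GET /api/now/table/sys_properties?sysparm_query=name=glide.basicauth.required.api and GET /api/now/table/sys_graphql_schema) and pass the "result" arrays to run_posture_checks. probe_unauthenticated sends no credentials at all, so it is safe to point at a test instance you are authorized to assess; both status codes should be 401, and a 200 from the GraphQL probe means introspection is being served to anonymous callers.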

Additional Recommendations

  • Disable Introspection in Production: Introspection reveals the full type and field structure of a schema. Consider disabling introspection queries in production where your platform's configuration or middleware supports it, and treat introspection output as sensitive wherever it remains enabled.
  • Audit Schema Access Regularly: Track which roles can query which GraphQL schemas, especially as new roles or tables are introduced.

Monitoring and Alerting with Reco

Reco provides continuous monitoring and alerting capabilities. Once these posture checks are configured:

  • You’ll receive an alert whenever a monitored setting drifts to a non-compliant state.
  • You can choose who is notified with the “Set Notifications” button at the top of the posture check.

[Screenshot: the “ServiceNow - GraphQL API Authorization Enabled” posture check with the 'Set Notifications' button highlighted.]

Lessons Learned and Implementation Best Practices

Strengthening API security means going beyond quick fixes for isolated issues. These best practices help integrate security into your ServiceNow workflows and support long-term stability and visibility.

1. Document All API Entry Points

Maintain an up-to-date inventory of all REST and GraphQL APIs in your instance. Use ServiceNow’s REST API Explorer and GraphQL Schema Viewer for discovery, and include scripted REST APIs and processors published by scoped applications.

2. Leverage Scoped Applications for Isolation

Encapsulate APIs within scoped applications to restrict access via application-level permissions.

3. Use OAuth Wherever Possible

OAuth issues short-lived, revocable bearer tokens instead of sending a long-lived password with every request, which limits the damage when a credential leaks. For machine-to-machine integrations that need long-term access, use the OAuth client credentials grant and give the integration's user account only the roles it needs.

4. Regularly Audit ACLs

Use scripts or reporting tools to identify overly permissive or missing ACLs, especially on tables exposed via APIs. An active record-level ACL with no roles, no condition and no script grants its operation to every caller, including API clients.
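As an added example of the ACL audit suggested above (not Reco's or ServiceNow's code), the following script evaluates sys_security_acl records together with their role links and flags two conditions: an active record-level ACL that has no roles, no condition and no script, which grants its operation to everyone, including callers reaching the table through the REST or GraphQL APIs; and a table exposed through an API for which no table-level read ACL exists at all. The records are constructed for the demonstration. The column names (sys_id, name, operation, type, active, condition, script on sys_security_acl; sys_security_acl and sys_user_role on sys_security_acl_role) are assumptions to verify against your instance, and a script ACL is treated as a restriction even though its body may itself be permissive, so those still warrant manual review.

```python
from collections import defaultdict


def _is_true(value) -> bool:
    # The Table API returns booleans as the strings "true" / "false".
    return str(value).strip().lower() == "true"


def acl_table(acl_name: str) -> str:
    """'incident.short_description' -> 'incident'; a bare table name is returned unchanged."""
    return acl_name.split(".", 1)[0]


def audit_acls(acls: list[dict], acl_roles: list[dict], exposed_tables: list[str]) -> list[dict]:
    """Return findings for unrestricted ACLs and for API-exposed tables lacking a read ACL."""
    roles_by_acl = defaultdict(set)  # acl sys_id -> set of role references (m2m rows)
    for link in acl_roles:
        roles_by_acl[link["sys_security_acl"]].add(link["sys_user_role"])

    findings = []
    read_protected = set()  # tables that have at least one active table-level read ACL
    for acl in acls:
        if acl.get("type") != "record" or not _is_true(acl.get("active", "true")):
            continue  # only active record ACLs govern table and field access
        table = acl_table(acl["name"])
        if acl.get("operation") == "read" and "." not in acl["name"]:
            read_protected.add(table)
        has_roles = bool(roles_by_acl[acl["sys_id"]])
        has_condition = bool(str(acl.get("condition", "")).strip())
        has_script = bool(str(acl.get("script", "")).strip())  # a script counts as a restriction; review its body separately
        if not (has_roles or has_condition or has_script):
            findings.append({
                "severity": "high",
                "table": table,
                "acl": acl["name"],
                "operation": acl.get("operation"),
                "reason": "no roles, condition or script: operation allowed to any caller",
            })
    for table in exposed_tables:
        # A read ACL on the wildcard table '*' covers every table, so it counts as protection.
        if table not in read_protected and "*" not in read_protected:
            findings.append({
                "severity": "medium",
                "table": table,
                "acl": None,
                "operation": "read",
                "reason": "API-exposed table has no table-level read ACL; verify default-deny applies",
            })
    return findings


# Constructed sample rows in Table API shape (not data from a real instance).
SAMPLE_ACLS = [
    {"sys_id": "a1", "name": "incident", "operation": "read", "type": "record",
     "active": "true", "condition": "", "script": ""},
    {"sys_id": "a2", "name": "x_acme_inventory_item", "operation": "read", "type": "record",
     "active": "true", "condition": "", "script": ""},
    {"sys_id": "a3", "name": "x_acme_inventory_item", "operation": "write", "type": "record",
     "active": "true", "condition": "", "script": "answer = gs.hasRole('x_acme.admin');"},
    {"sys_id": "a4", "name": "x_acme_report.owner", "operation": "read", "type": "record",
     "active": "false", "condition": "", "script": ""},
]
SAMPLE_ACL_ROLES = [
    {"sys_security_acl": "a1", "sys_user_role": "itil"},
]
EXPOSED_TABLES = ["incident", "x_acme_inventory_item", "x_acme_report"]  # e.g. tables referenced by GraphQL schemas


def run_acl_audit() -> list[dict]:
    """Audit the constructed sample: expects one unrestricted ACL and one unprotected table."""
    return audit_acls(SAMPLE_ACLS, SAMPLE_ACL_ROLES, EXPOSED_TABLES)


if __name__ == "__main__":
    for finding in run_acl_audit():
        print(f"[{finding['severity']:6}] {finding['table']} ({finding['operation']}): {finding['reason']}")
```

Feed the function the "result" arrays from GET /api/now/table/sys_security_acl and GET /api/now/table/sys_security_acl_role, and build the exposed-table list from the tables your REST and GraphQL APIs actually read. The sample run reports the anonymous read ACL on x_acme_inventory_item as high and the missing read ACL on x_acme_report as medium, while incident (role-restricted) and the script-guarded write ACL produce no finding.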

5. Educate Development Teams

Ensure that every team building or publishing APIs in ServiceNow understands the required security configuration. Include Reco posture check outcomes in your CI/CD pipeline or code review process so a schema published without authentication or ACL enforcement is caught before it reaches production.

Conclusion

Preventing unauthorized API access in ServiceNow is a shared responsibility across development, security, and platform teams. With the help of tools like Reco and proper configuration of ServiceNow properties and access controls, organizations can significantly reduce the risk of data exposure.

Enforcing basic authentication through system properties and securing GraphQL APIs with mandatory authentication and ACLs can significantly reduce the risk of unauthorized integrations. Organizations that haven't reviewed their API security posture recently should consider doing so now.

Reco Beyond ServiceNow

Reco’s capabilities go well beyond ServiceNow. It offers unified visibility across your entire SaaS environment, monitoring API security, access control, and misconfigurations across cloud platforms. If securing your SaaS stack is a priority, Reco delivers the continuous posture management and identity risk protection you need.
