Navneet Aman, Author at ServiceNow Guru
https://servicenowguru.com/author/navneetaman/

The Security Risks of Math.random() and the Solution with GlideSecureRandomUtil API in ServiceNow
https://servicenowguru.com/scripting/security-risks-math-random-api/
Tue, 16 Jul 2024 18:20:33 +0000

When it comes to generating random numbers in JavaScript, the Math.random() function is often used. However, from a security standpoint, relying solely on Math.random() can pose significant risks. Here, we’ll delve into the security vulnerabilities associated with Math.random() in JavaScript and explore a more secure alternative using the GlideSecureRandomUtil API in ServiceNow.

The Security Risks of Math.random() in JavaScript

Math.random() is not designed to provide cryptographic-strength randomness, so it is unsuitable for scenarios where strong randomness is essential to security, such as generating secure tokens, encryption keys, or passwords.

Using GlideSecureRandomUtil API in ServiceNow

ServiceNow provides a robust solution to this problem – the GlideSecureRandomUtil API. This API offers a secure method for generating random integers, long values, and strings, ensuring unpredictability and bolstering system security.

Example Use Case: Storing Active Directory Information and Generating Default Passwords

Consider a scenario where you need to store the Active Directory information of users within ServiceNow and generate default passwords for their first login. Instead of relying on the insecure Math.random(), utilizing the GlideSecureRandomUtil API ensures a higher level of security for password generation.

Here’s how you can use the GlideSecureRandomUtil API in ServiceNow to generate a secure default password for new users:

[Image: GlideSecureRandomUtil API Example]

In this example, a 12-character random password is generated using the getSecureRandomString method of GlideSecureRandomUtil.

Advantages of GlideSecureRandomUtil API:

  1. Cryptographically Secure: GlideSecureRandomUtil employs cryptographic algorithms to ensure randomness, mitigating the risk of predictable patterns.
  2. Compliance with Security Standards: By leveraging the GlideSecureRandomUtil API, organizations can align with security best practices and compliance requirements, ensuring robust protection of sensitive data and operations.
  3. Available for both Global and Scoped Applications: the API can be called from global and scoped applications alike, and its multiple functions (random integers, long values, and strings) cater to different use cases.

Conclusion:

In a world where cybersecurity threats are a constant concern, it’s essential to prioritize the security of our applications. By understanding the limitations of Math.random() in JavaScript and embracing secure alternatives like the GlideSecureRandomUtil API in ServiceNow, we can reinforce the security of our applications and uphold best practices in random number generation.

Best Practices for Generative AI with ServiceNow
https://servicenowguru.com/generative-ai/best-practices-generative-ai-servicenow/
Fri, 31 May 2024 13:57:12 +0000

As the use of Generative AI becomes more prevalent in various applications, it’s essential to adhere to best practices to ensure the responsible and effective deployment of such technologies. Here are some general best practices for the Generative AI Controller of ServiceNow:

1. Source Identification:

Include information about the source of the generated text using Flow Designer, Virtual Agent, or UI action. For example, indicating whether the text was generated by Azure OpenAI or OpenAI can provide transparency and accountability.

2. Input and Output Sanitization:

Always sanitize the input and output from generative AI providers to ensure that malicious content is not stored in the application. Input/output sanitization is essential for maintaining data integrity and security within the application.

3. Sensitive Data Handling:

Configure sensitive data handling for generative AI by creating and updating sensitive data regex records with patterns to prompt for appropriate handling of sensitive information.
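
As an added illustration of what such regex records do (this is example code written for this page, not the Generative AI Controller's own implementation), the block below keeps a small pattern list in a script, scans a constructed prompt for matches, and redacts them before the text would be handed to a provider. The record shape (name, regex, validate) is an assumption.

```javascript
// Added example, not from the original post or the Generative AI Controller.
// It models sensitive data regex records as an in-script list of patterns and
// shows a prompt being checked and redacted before it goes to a provider. The
// record shape (name, regex, validate) is an assumption, not the platform's.
const SENSITIVE_PATTERNS = [
  { name: 'email',  regex: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g },
  { name: 'us_ssn', regex: /\b\d{3}-\d{2}-\d{4}\b/g },
  // 13-19 digits with optional single spaces/dashes, confirmed by a Luhn check
  // so that ticket or asset numbers of similar length are not flagged.
  { name: 'card',   regex: /\b\d(?:[ -]?\d){12,18}\b/g, validate: luhnValid },
];

// Luhn checksum over the digits of s (non-digits ignored).
function luhnValid(s) {
  const digits = s.replace(/\D/g, '');
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = +digits[i];
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d; dbl = !dbl;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

// Every match in text, as {name, value}, keeping only matches the pattern's
// optional validator accepts.
function findSensitive(text) {
  const hits = [];
  for (const p of SENSITIVE_PATTERNS) {
    for (const m of text.matchAll(p.regex)) {
      if (!p.validate || p.validate(m[0])) hits.push({ name: p.name, value: m[0] });
    }
  }
  return hits;
}

// Replace each finding with a class tag so the text can still be summarized.
function redact(text) {
  let out = text;
  for (const h of findSensitive(text)) out = out.split(h.value).join('[' + h.name.toUpperCase() + ']');
  return out;
}

// Constructed incident text (not from the post) used as sample input.
const SAMPLE_PROMPT = 'User jane.doe@example.com reports card 4111 1111 1111 1111 declined; ' +
  'ticket 1234567890123456 references SSN 123-45-6789.';
```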

4. OneExtend Builder Capabilities:

When utilizing OneExtend Builder Capabilities, check for related list records under OneExtend Builder Config and ensure that only one provider is chosen as the default for a capability.

5. Flow Designer – Flows & Actions:

– Flows should run as the user who initiated the session.

– Ensure that the input to the Generative AI Provider is always a string, and cast the input as a string if necessary. For example, in the “summarize” action used in a flow, cast the input to a string with scripting or add text to the “textToSummarize” field in addition to the data pill.

[Image: textToSummarize in Flow Designer]

6. LLM Summarization:

If you use an LLM for summarization on a record such as an incident, consider enabling recursive summarization for fields like the activity fields, which hold large amounts of data. This feature breaks the information given to the LLM into chunks and summarizes each chunk individually; the chunks overlap so that context is retained across every piece. Note, however, that enabling recursive summarization can make the capabilities process large inputs more slowly, because they must make multiple calls to the LLM instead of just one.

7. System Properties:

After installing the Generative AI Controller, it’s crucial to set values for a few system properties: com.sn.generative.ai.provider, com.sn.generative.ai.ais.message, com.sn.generative.ai.log_prompt, com.sn.generative.ai.moderation.message, com.glide.one.extend.token.buffer.

8. Virtual Agent:

In the OneExtend Builder Config [sys_one_extend_builder_config] record for Virtual Agent Designer, ensure that the execution mode is set to “Async”. Also, under the OneExtend Builder Capabilities related list, check the following points:

– Default field: Determines whether the capability definition is the default. You can have multiple OneExtend Builder Capability records, but only one record per capability may have a default set to true at a time.

– Execution mode field: Determines when a capability is executed in relation to other processes. Select the “Async” option only because the “Sync” and “Fire and Forget” options do not work.

[Image: OneExtend Builder Config record for Virtual Agent]

9. Legal and Ethical Considerations:

Be mindful of legal and ethical considerations when using generative AI. Respect copyright laws, privacy rights, and other regulations governing the use of data and content.

10. Domain Separation:

Domain separation is supported for the Generative AI Controller at the generative AI OneExtend capability level. When creating a copy of an existing generative AI capability in a different domain, ensure that you create a record in the OneExtend Capabilities (sys_one_extend_capability) table. After you create the OneExtend Capability record, you must create records for the following attribute and config records in the new domain:

– OneExtend Capability Attribute records with the same values as the capability in the global domain.

– A OneExtend Capability Definition that corresponds to the new capability.

– A OneExtend Definition Config definition record that includes the OneExtend Capability Definition for the new domain.

– Also, the OneExtend Capability Definition record that you add must be the same as the capability that you want in the new domain. For example, if you’re creating a capability in a new domain for sentiment analysis, you could add the Sentiment Analysis (OpenAI Completion) record. Adding the Summarize (OpenAI Completion) Config could result in unexpected behaviour. The OneExtend Definition Config record that you select should include the OneExtend Capability Definition record that you added.
