What an abomination of something seemingly so simple made into something so horrendously complex and bloated.
I was trying to explain to some new ServiceNow AE why we wouldn't be buying more product from them. Literally everyone who uses the product hates it - developers, admins, end users.
It behaves like it is constantly broken.
People talk shit about it all day, every day.
Maybe one day, some time a long time ago they had a good product, and that's how it got embedded all over the place, but now, what a pile of junk!
Amusingly, I'm consulting with a company now whose business model and product strategy is "a rewrite of Service Manager that's cheaper and more sane." Presumably the cycle of rewriting these kinds of platforms will continue until the heat death of the universe.
What's funny is that my dayjob became a re-seller for ServiceNow, and our ServiceNow install is terribly slow.
Then we have a major government client that we tried to sell ServiceNow to, but they decided on another re-seller. And I still have to work with this client as a consultant so I have to log in to their separate ServiceNow setup, and wow is it faster! That other vendor that won the contract over us sure did a much better job at the setup than we ever did. (I was not involved in the re-selling or setup of ServiceNow at my dayjob, I only work in it as a user.)
Every shitty or slow ServiceNow instance I have seen in recent memory is because the customer is slugging along horrible code and poorly designed LCNC apps. A well managed instance can fly.
Not that the platform doesn’t have its problems of course. But most people’s experience with it is as the victim/end user of awful implementations.
My university used a resold white label instance from a consultant and that thing was an absolute disaster.
In my two-decade long career, I don't think I ever heard about any enterprise software for which that statement is false.
There’s Bulas, which is a timekeeping application developed somewhere in 1995 (I think) that’s just server rendered HTML and is a joy to use (especially compared to the other piles of crap).
Developers and Admins may not like it because it's development with bumpers for kids. End users dislike it because of the developers and admins. There may be some worth looking in the mirror to be had before you point the finger at a software platform for shortcomings within the organization.
What about not liking it because they have a bad data model with insufficient validation leading to silent data loss and various cases where you can create a record you don’t have permission to use? Or not having decent full-text search in 2023? Or needing ~10-15MB of JavaScript to simply load?
I agree that enterprise IT departments make it worse but it wasn’t like it was starting from a position of good unless you recently emerged from cryosleep and haven’t updated your views on software engineering since 1993.
I find it hard to believe this grotesque abomination is the state of the art in IT management.
As a current ServiceNow developer for a F500 company, this is so true. Developing is frustrating since they strive for low/no code. They only started allowing ECMA6 like last year and it's still extremely limited.
So you risk falling into the trap of trying to do everything for everyone but doing nothing well.
You can only stuff so much shit into a cornucopia before it becomes more of a garbage bin.
Forget about their enterprise software, the very premise of the function they support is the thing I hate most. The software, the company, the consultants who push this garbage, the employees within your company who somehow have a named role implementing and managing it, I loathe it all.
FWIW, I've been a kind of sysadmin for a couple of decades, then ops manager for 5. After supporting multiple production streams, good and organized and consistent processes are an absolute must for me (as opposed to the random wild west and utter chaos we techies sometimes prefer :-)). It is my understanding the "premise of function they support" is organized work flows - standard and "let's not reinvent the wheel badly" ways to manage and report on incidents, service requests, etc. And hopefully do some trends and reporting and categories and whatnots.
So I don't know if ServiceNow does that well or poorly... But what in there do you "loathe"?? It may not be your cup of tea and you'd rather develop freely, and fair enough, but somebody somewhere has to support large productions and large numbers of users and needs tools better than Slack and emails to do it... :-/
ServiceNow was the better alternative all round -- as compared to Remedy and HP Service Center.
The customizations and integrations, api, cloud were decent.
The licensing was bad. The pressure to "upgrade" to latest version every year (or lose support) was insane.
Sales was aggressive.
A couple of trends probably pushed this into a hated category --
Orgs had to customize the hell out of every workflow instead of keeping it simple and following standard ITIL.
The moment you veered away from "out of the box" features and did customizations, your yearly upgrades risked failing.
The people in Orgs who maintain and customize the tool needed to be decently skilled. Cheapest body shop vendor doesn't cut it.
ServiceNow certifications were good initially then they became expensive/unaffordable, too many, too much to keep current.
ServiceNow themselves brought in so many new features like AI, chatbots, RPA etc. that it all became a huge complex beast. Basic features of a ticketing tool probably became too complex to maintain?
Their cloud CMDB offerings are horrendous, and in my experience get bought before anyone gets a chance to let the blood out.
Also help desk is the first use case, nobody wants to give the helpless level 1 people any changes, as it’s an excuse not to perform.
We are likely to get it next year. I feel it cannot be worse than the aberration we are currently using but I could be wrong :-/
It became such a clusterfuck the vendor (SAP) who we paid MASSIVE amounts of money to, wouldn't support their own software.
Thanks for coming to my TED talk, try to run as vanilla as possible.
Ideally we would've just thrown more money at CloudBees, but there was no political will to fight for another paid JIRA instance. I'm sure there are worse tools than snow but I'd just as soon never use it again.
A very well architected instance looks and is pretty good, the issue is that often large enterprises will hire the cheapest possible consulting firm to implement it, and you can really screw it up if you’re not careful.
Not because you need to implement anything, or configuration reasons. That's just how long it takes to do basic things.
This is absolutely not true. Security vulnerabilities can be due to a huge variety of reasons well beyond "the developer is outsmarted/careless". A great example of this was Unicode-related issues. Also, changing API/ABI surfaces.
And, we think of security vulnerabilities as "bugs" that cause "hacks", but sometimes vulnerabilities come in the form not of a technical hack, but of attacks on users.
Sometimes, the developers know there's an issue, but the business forces them ahead anyways and takes on the risk. I've dealt with a few of those.
It's counterproductive to put it firmly on the developers, but I do agree that technical security issues and quality issues are tightly intertwined.
There are far worse products in the same space than ServiceNow.
Edit: glad to see someone else already mentioned SAP.
Any user can query pretty much any table in the DB using their "GQL" wrapper around SQL. Someone thought enough to restrict the "user_password" field, so instead you query another table which gives you the user's session ID. Normally a token is user session ID + signature. But it turns out the signature wasn't really being validated, so user session ID + anything worked.
I'm normally not one to jump on mistakes, but that's remarkably bad.
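Added example, not part of the thread and not the vendor's code: a minimal sketch of the token check described in the comment above, with a validator that parses the signature but never verifies it next to one that does. The `session_id.signature` token layout, the HMAC-SHA256 scheme and every name here are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed server-side secret and session store (constructed for this sketch).
SERVER_KEY = secrets.token_bytes(32)
SESSIONS = {"sess-1001": "alice"}  # session ID -> user, constructed sample


def sign(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Signature over the session ID; only the server can compute it."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def issue_token(session_id: str) -> str:
    return f"{session_id}.{sign(session_id)}"


def validate_broken(token: str):
    """Flaw as described: the signature part is split off but never checked."""
    session_id, _, _signature = token.rpartition(".")
    return SESSIONS.get(session_id)


def validate_fixed(token: str):
    """Reject malformed tokens, then verify the signature before any lookup."""
    session_id, sep, signature = token.rpartition(".")
    if not sep or not session_id or not signature:
        return None
    expected = sign(session_id).encode()
    # Constant-time comparison on bytes avoids timing leaks and type errors.
    if not hmac.compare_digest(expected, signature.encode()):
        return None
    return SESSIONS.get(session_id)
```

With the fixed validator, a session ID that leaks through some other path is not enough on its own to build an accepted token, because the signature depends on a key the client never sees.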
The most egregious part in my eyes is the slow response to the initial contact. It shows that ServiceNow does not monitor its reporting and that they don't care about security. If I were using a product of theirs to handle proprietary or privileged information I would no longer trust them.
That drops you down to an 8.8. Also, log4shell was a 10.0, which got that extra .2 points from not requiring any privs, whereas this ServiceNow vuln requires "low" privs.
They negotiate multiyear contracts. They're investing into government and healthcare services.
I am still mad they didn't release it as a hotfix, but that meant they couldn't sneak it under the radar.
Ticket systems are always a giant pain.
RCE as admin has been a problem for over a decade. _Globally_ sessions do not expire... This is just the tip of the shit architecture iceberg.