Of all the shitty enterprise software vendors, there is no platform I hate more than ServiceNow.
What an abomination of something seemingly so simple made into something so horrendously complex and bloated.
I was trying to explain to some new ServiceNow AE why we wouldn't be buying more product from them. Literally everyone who uses the product hates it - developers, admins, end users.
It behaves like it is constantly broken.
People talk shit about it all day, every day.
Maybe one day, some time a long time ago they had a good product, and that's how it got embedded all over the place, but now, what a pile of junk!
You should have seen the platform it replaced. ServiceNow was essentially "let's rewrite HP Service Manager from scratch to remove the legacy debt." Service Manager was what you get when you develop a mainframe green screen application using a low-code RAD system and then try to maintain it for 20 years.
Amusingly, I'm consulting with a company now whose business model and product strategy is "a rewrite of Service Manager that's cheaper and more sane." Presumably the cycle of rewriting these kinds of platforms will continue until the heat death of the universe.
I recall that once upon a time, Service Manager was a client side app using the same GUI framework as Eclipse. Which made it very heavy, using tons of memory for an app that you only used now and then. I am not completely sure it was Service Manager, but quite sure. Then it was made a web app, 15+ years or so ago. Compared to that, ServiceNow is a dream to use.
The young pups here whining about ServiceNow have no idea.
Service Manager, Remedy, etc were exponentially more miserable. I worked at a place that had 6 people who just twiddled Service Manager and kept the servers running etc.
All ticketing systems suck. It’s the nature of the beast. People used to talk about how awesome JIRA is. Lol.
Personally, I think JIRA is awesome. I’ve seen the absolute disaster that is enterprise software and the cloud version of JIRA is not a disaster.
Everyone hates ticketing systems. But I think that’s because people hate spending time on things that aren’t relevant to them. They all get in the way of someone’s desired workflow. (Did I, a champion of organization, fill out my time sheet? No. No I did not. grumbles)
JIRA’s strength is being mediocre for just about everyone. No one’s workflow can be implemented 100%, but it can be customized enough for most purposes.
I think all that generally applies to enterprise software like that, no? SAP is absolute garbage but it ticks various C-level agenda items (mainly the act itself of investing in ERP modernization) and so it sells regardless. ServiceNow, I believe, makes it harder for employees to get help and thus saves labor. Enterprise software isn't for you or me, that's why we hate it.
I couldn't agree more. But as others have said, it did replace some awful late 90s, early 2000s, software.
What's funny is that my dayjob became a re-seller for ServiceNow, and our ServiceNow install is terribly slow.
Then we have a major government client that we tried to sell ServiceNow to, but they decided on another re-seller. And I still have to work with this client as a consultant so I have to login to their separate ServiceNow setup, and wow is it faster! That other vendor that won the contract over us sure did a much better job at the setup than we ever did. (I was not involved in the re-selling or setup of ServiceNow at my dayjob, I only work in it as a user)
One of ServiceNow’s biggest mistakes and greatest strengths is how much freedom it provides admins and devs to absolutely grind the instance to a halt.
Every shitty or slow ServiceNow instance I have seen in recent memory is because the customer is slugging along horrible code and poorly designed LCNC apps. A well managed instance can fly.
Not that the platform doesn’t have its problems of course. But most people’s experience with it is as the victim/end user of awful implementations.
My university used a resold white label instance from a consultant and that thing was an absolute disaster.
We use Slack, which is pretty decent. We also use Github, which has been historically great.
There’s Bulas, which is a timekeeping application developed somewhere in 1995 (I think) that’s just server rendered HTML and is a joy to use (especially compared to the other piles of crap).
I think you have a skewed perception of value add. ServiceNow conquered the software as a service industry like no other and will be around for decades to come.
Developers and Admins may not like it because it's development with bumpers for kids. End users dislike it because of the developers and admins. There may be some worth looking in the mirror to be had before you point the finger at a software platform for shortcomings within the organization.
> Developers and Admins may not like it because it's development with bumpers for kids. End users dislike it because of the developers and admins.
What about not liking it because they have a bad data model with insufficient validation leading to silent data loss and various cases where you can create a record you don’t have permission to use? Or not having decent full-text search in 2023? Or needing ~10-15MB of JavaScript to simply load?
I agree that enterprise IT departments make it worse but it wasn’t like it was starting from a position of good unless you recently emerged from cryosleep and haven’t updated your views on software engineering since 1993.
There surely are. They don't, however, have the name recognition, the comparative availability of people who know how to deal with it, the ecosystem of vendors to sell you extensions, or, yeah, the sales function to push it at larger companies.
ServiceNow is big because everybody involved is incentivized to help make it big.
And FWIW, at my very very large company, it isn't even in the top 5 of shitty systems I have to deal with. ServiceNow at least works.
No, there isn’t. They all have pros and cons but none overall are “better”. ServiceNow is for large orgs with independent departments/orgs who need to use it differently. There’s BMC/Remedy but it’s just as convoluted and worse. Also Clarity used to be there.
There are many that are better at one or two specific functions, sure. But none that have all the added features a large mature org would need.
> Developers and Admins may not like it because it's development with bumpers for kids. End users dislike it because of the developers and admins.
As a current ServiceNow developer for a F500 company, this is so true. Developing is frustrating since they strive for low/no code. They only started allowing ECMA6 like last year and it's still extremely limited.
Enterprises want software that they can bend to conform to their entrenched, arcane business processes. But no two enterprises are alike. And meeting the needs of the lowest common denominator doesn't sell units.
So you risk falling into the trap of trying to do everything for everyone but doing nothing well.
You can only stuff so much shit into a cornucopia before it becomes more of a garbage bin.
>> Of all the shitty enterprise software vendors, there is no platform I hate more than ServiceNow.
Forget about their enterprise software, the very premise of the function they support is the thing I hate most. The software, the company, the consultants who push this garbage, the employees within your company who somehow have a named role implementing and managing it, I loathe it all.
Interesting; curious - what is the thing you hate the most here?
FWIW, I've been a kind of sysadmin for a couple of decades, then ops manager for 5. After supporting multiple production streams, good and organized and consistent processes are an absolute must for me (as opposed to the random wild west and utter chaos we techies sometimes prefer :-)). It is my understanding "premise of function they support" is organized work flows - standard and "let's not reinvent the wheel badly" ways to manage and report on incidents, service requests, etc. And hopefully do some trends and reporting and categories and whatnots.
So I don't know if service now does that well or poorly... But what in there do you "loathe"?? It may not be your cup of tea and you'd rather develop freely, and fair enough, but somebody somewhere has to support large productions and large numbers of users and need tools better than slack and emails to do it... :-/
My guess is they underestimate the scale at which it's used in most businesses who do and the relative unimportance of the accuracy of the data it holds. It's never going to perfectly capture all details of work because of its inflexibility, but it's better than nothing or not even trying. As long as everyone understands that and nobody is delusionally running around with a trusty clipboard and a whip or rallying for significant change based on it without consulting the people actually entering the data, it's alright.
There's a lot to keep track of. Definitely not my cup of tea either, but it is what it is.
The UI UX is hands-down the worst part. When a serious incident is opened and assigned to a team member the most efficient way to work it is to share around the link from the notification email as it can take more than 20 minutes to find it without a unique ID of the task or the assignee. The UI is full of unused links in my organization's implementation which makes this even more difficult as there is no hierarchy based on common or high use tasks. My favorite gripe is when resolving a task or incident the required notes for resolution are hidden under a tab somewhere in the middle of the page. Due to the counter-intuitive UI my team is often breaking process just to appease the SNOW workflow which in my organization leads to more tickets...
ServiceNow was the better alternative all round -- as compared to Remedy and HP Service Center.
The customizations and integrations, api, cloud were decent.
The licensing was bad. The pressure to "upgrade" to latest version every year (or lose support) was insane.
Sales was aggressive.
A couple of trends probably pushed this into a hated category --
Orgs had to customize the hell out of every workflow instead of keeping it simple and following standard ITIL.
The moment you veered away from "out of the box" features and did customizations ..your yearly upgrades risked failing.
The people in Orgs who maintain and customize the tool needed to be decently skilled. Cheapest body shop vendor doesn't cut it.
ServiceNow certifications were good initially then they became expensive/unaffordable, too many, too much to keep current.
ServiceNow themselves brought into many new features like AI, chatbots, RPA etc that it all became a huge complex beast. Basic features of a ticketing tool probably became too complex to maintain?
I worked there for exactly two months. After 15 days, I could not receive another offer and put in my notice fast enough. Ended up giving them four days. And I'm usually very careful about not burning bridges.
I feel like if you’ve worked at a place for less than 2 months, there really shouldn’t be any obligation to give two weeks notice. Unless it’s a tiny company and you were hired as like their staff engineer or something. The chance you’re actually on something that matters instead of ramping up is very low.
Can you elaborate? A customer is in the process of implementing (Tokyo version?) it and it seems to have an intuitive, responsive UI. I'm judging it against Atlassian and Oracle EBS so I have low expectations.
I don’t know what version I used to use but I wouldn’t have called the UI intuitive or responsive. It was randomly buggy from a workflow perspective too. Like resources getting stuck in a weird limbo. Conditions would be met but not visible by the condition evaluator. Or queries failing to find anything but later work. It could be somewhat awful at times but I don’t think it was as terrible as Remedy... but what is?
I was at IBM for several years, can agree that ServiceNow is a steaming pile, like most of IBM. I spent the majority of my time fighting tooling over actually helping customers, lol.
You could be wrong... I worked at a place where we had like 20-30 different ERPs and they got SAP as a way to centralize the entire thing on one platform. However, during the migration they managed to recreate interfaces that resembled the old workflows people were used to, effectively having 20-30 customized SAP UIs with a common backend.
It became such a clusterfuck the vendor (SAP) who we paid MASSIVE amounts of money to, wouldn't support their own software.
Thanks for coming to my TED talk, try to run as vanilla as possible.
"Most companies spend way too much time and money trying to make software work for their processes. Some of these processes haven't changed in years or even decades. Rather than customizing software to work for your processes, it's often easier to reevaluate processes around modern software."
You can have your ERP customized, but you cannot have your cake and eat it (without cost). Ramping up new trading partners, onboarding new staff, whatever it is.
One reason accounting people have it easier than us tech people is they've got a very good clear process. It's rare that anyone mucks with Accounts Payable / Accounts Receivable / Payroll.
So yeah, go on pretending your SMB that manufactures/ships/resells/distributes product/service _________ is unique and needs your own processes, it _will_ bite you in the butt.
I've worked on a Siebel 7.5 installation that was so heavily customized by a certain DBS TV company that it's still running to this day because upgrading to a current release means starting over from scratch. There are efforts underway to migrate it to SalesForce but that's been in progress for 3 years and still not far enough along to cut over.
Thanks, appreciate the perspective. But I've been implementing peoplesoft for, dear god, quarter of a century now, so I'm familiar with that unfortunate pattern. I guess I'm more wondering is service now inherently so bad it's unsalvageable, or is it a matter of good vs bad implementation, and resulting business transformation (or lack thereof :).
It’s like, navigating through servicenow immediately tells you that the people that build it were used to doing RPC, and didn’t quite understand how HTTP or HTML worked. It goes downhill from there.
I think at some point they decided to hire a few frontend engineers to do some form of SPA, but now it’s so badly integrated that…
We used it locally at megacorp in place of the standard JIRA instance. As an end user I disliked it because it was painfully slow and the interface was awful. It broke browser navigation, if there were permalinks they were nearly impossible to find so most things couldn't easily be bookmarked, filtering was tedious and unintuitive. Some coworkers tried to write CLI tools and the API turned out to be as awkward as the web UI.
Ideally we would've just thrown more money at CloudBees, but there was no political will to fight for another paid JIRA instance. I'm sure there are worse tools than snow but I'd just as soon never use it again.
Its secret superpower for executives is GQL: it’s easier to use vs SQL, and the interface looks slick compared to what’s out there.
A very well architected instance looks and is pretty good, the issue is that often large enterprises will hire the cheapest possible consulting firm to implement it, and you can really screw it up if you’re not careful.
My background is ERP so that sounds similar then - the bones may be decent, but how you implement it can make or break it, both as IT exercise and as business transformation / process implementation; is that about right?
I will likely have some input on how it's implemented and particularly the processes. I guess I should start reading up on best practices etc...
This seems to be the big problem with ERPs. Problem domains are complex so you need implementation flexibility, but with that comes the ability to create shitty systems that everyone hates.
Yes, servicenow is much closer to an opinionated ERP vs a simple ITSM platform. In fact they’re working pretty hard on making it easier to implement your own erp type process in snow, instead of using it for only your item needs.
100% this - I used to do enterprise integrations in the early days of ServiceNow. It's not a bad platform, consulting companies can suck (most do) and in-house implementations usually suck for different reasons.
ServiceNow is a combination of data modeling, interface and process design along with carefully balancing how to do things. Most of my time was in the CMS and SOAP integrations.
Many places to start, but I would say SN lacks a strong engineering culture, so everything is driven by sales and profit. That means updates come every 6 months with "features" that will never get proper support. It's shiny thing stacked on top of shiny thing and it's just a mess
The best answer I can give you is that if you guys get it fully implemented next year you'll be able to have the first screen load, and if you're lucky run a query to completion the year after that.
Not because you need to implement anything, or configuration reasons. That's just how long it takes to do basic things.
Something I've been mulling over for a while: security vulnerabilities are basically the original developers getting outsmarted, caught out being careless. Even a very skilled, careful team might ship bugs that have security implications. But low-skilled, careless teams are definitely doing this. All buggy software is also vulnerable. There is no such thing as low-quality but secure.
> security vulnerabilities are basically the original developers getting outsmarted, caught out being careless
This is absolutely not true. Security vulnerabilities can be due to a huge variety of reasons well beyond "the developer is outsmarted/careless". A great example of this was unicode related issues. Also, changing API/ABI surfaces.
And, we think of security vulnerabilities as "bugs" that cause "hacks", but sometimes vulnerabilities come in the form not in a technical hack, but attacks on users.
Sometimes, the developers know there's an issue, but the business forces them ahead anyways and takes on the risk. I've dealt with a few of those.
It's counterproductive to put it firmly on the developers, but I do agree that technical security issues and quality issues are tightly intertwined.
Any user can query pretty much any table in the DB using their "GQL" wrapper around SQL. Someone thought enough to restrict the "user_password" field, so instead you query another table which gives you the user's session ID. Normally a token is user session ID + signature. But it turns out the signature wasn't really being validated, so user session ID + anything worked.
I'm normally not one to jump on mistakes, but that's remarkably bad.
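The flaw described in the comment above (a token of the form session ID + signature where the signature is never checked) can be shown next to its fix. This is an added illustration, not ServiceNow code and not part of the thread; the token layout, key handling and function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side signing key; a real deployment would load this
# from a secrets store rather than generate it at import time.
SERVER_KEY = secrets.token_bytes(32)


def _sign(session_id: str) -> str:
    """HMAC-SHA256 over the session ID, hex encoded."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def issue_token(session_id: str) -> str:
    """Token layout assumed for this example: '<session id>.<signature>'."""
    return f"{session_id}.{_sign(session_id)}"


def session_from_token_flawed(token: str, sessions: dict):
    """Flawed check: the signature is split off and then ignored, so a
    session ID read from any table is enough to resume the session."""
    session_id, _, _signature = token.partition(".")
    return sessions.get(session_id)


def session_from_token_checked(token: str, sessions: dict):
    """Hardened check: reject the token unless the signature matches,
    compared in constant time; only then look the session up."""
    session_id, sep, signature = token.partition(".")
    if not sep or not signature:
        return None  # missing signature part
    expected = _sign(session_id)
    if not hmac.compare_digest(signature.encode(), expected.encode()):
        return None  # signature does not belong to this session ID
    return sessions.get(session_id)


def demo():
    """Run both validators over a genuine and a forged token (constructed data)."""
    sessions = {"sess-1234": "alice"}          # constructed sample session store
    genuine = issue_token("sess-1234")
    forged = "sess-1234.anything"              # session ID plus arbitrary suffix
    return {
        "flawed_accepts_forged": session_from_token_flawed(forged, sessions),
        "checked_accepts_forged": session_from_token_checked(forged, sessions),
        "checked_accepts_genuine": session_from_token_checked(genuine, sessions),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A regression test that feeds the validator a valid session ID with a wrong signature catches this class of bug; so does treating stored session IDs as secrets that ordinary table queries cannot read.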
It can really depend on the nature of the vulnerability and who discovered it. Based on the timeline at the bottom of this article it seems like this was way too slow. Based on the CVE information this was ranked as 9.8. The last time I dealt with a bug that bad it was log4j. It was found on a Tuesday, patched on a Thursday, announced on a Friday, and I redeployed all of our servers over the weekend.
The most egregious part in my eyes is the slow response to the initial contact. It shows that ServiceNow does not monitor its reporting and that they don't care about security. If I were using a product of theirs to handle proprietary or privileged information I would no longer trust them.
I suspect the CVSS score has been over-estimated. For the "scope" metric, the "vulnerable component" and the "affected component" are both ServiceNow itself, so that should be "unchanged": https://security.stackexchange.com/a/129205
That drops you down to an 8.8. Also, log4shell was a 10.0, which got that extra .2 points from not requiring any privs, whereas this ServiceNow vuln requires "low" privs.
Hi, ServiceNow dev here. I'd agree that the CVSS might be a little overinflated, but I don't think by much.
I would argue that ServiceNow as a singular component is flawed. It could be several applications on a single instance: Vulnerability Response, Security Incident Response, IT Service Management, IT Operations management, Vendor Risk Management, CMDB, etc.
I actually think in some instances, this vulnerability is considerably worse due to the information it provides. User contact information, an inventory of the security vulnerabilities across the organization, applications & versions, Server information, etc. The social engineering issues are massive since they can spoof from essentially your service desk.
Often times ServiceNow has access to other subsystems. Midservers, provisioning tools, monitoring systems, desktop orchestration tools. These systems are often used to handle the response & monitoring. The ServiceNow teams are often understaffed and underskilled.
I've only been thinking about this for the last hour, but compromise 1 account (and I can think of at least 5 different ways that could happen) and a hacker could have:
- a complete topology of your infrastructure
- your active security vulnerabilities
- contact information for your entire company
- a very convincing spoofing method
- the ability to remotely install software on customer desktops
- the ability to monitor your response to security issues
- access to your provisioning tools
This kind of attack could go undetected for years. God forbid ServiceNow's internal instance got compromised. They can remote in to ANY instance.
My experience with this sort of enterprise software is that if you are a user, there is usually someone higher up the org chart than you that is worried such a disclosure will damage his relationship with his mate. My point being, much like Oracle, the usual timeline is that you never go public.
Yes - I worked at a place which had that experience with them. Massive outage: down for weeks, data lost, etc. We paid millions for “support” and had very little to show for it. Things escalated, and their regional VP took our senior VP out to the corporate box to discuss it over football. Monday morning, word came out to stop talking about the problem where possible. A bunch of people worked nights & weekends to get it patched up but didn’t even get thanked by anyone above their immediate supervisor.
No, judging from the Disclosure Timeline at the very bottom, it appears the lengthy remediation is due to ServiceNow dragging their feet. Took them over a month, plus a followup email, just to get them to respond to the initial report.
ServiceNow ships major upgrades twice a year and patches every month. It means that they could genuinely not figure out how to remediate this quickly and quietly without disrupting ongoing contract negotiations. It means that even with that, they couldn't fix it for a whole year.
They negotiate multiyear contracts. They're investing into government and healthcare services.
I have to correct myself. Apparently the vulnerability was patched in San Diego patch 7 which was released on September 1st 2022. It wasn't disclosed until June 2023.
I am still mad they didn't release it as a hotfix, but that meant they couldn't sneak it under the radar.
Ah, ServiceNow. We had to hold a formal code review on the steaming pile of turd they delivered because it was so incredibly bad even testing it would have been a security risk. That's the quality you get from them.
Eh, Remedy has lots of issues but I'd take it over "SNow" any day - at least it's easy to build CLI tools or API calls into Remedy. I'm neither an admin nor user of either, just an end user.