Low-Code SDLC – Build Fast, Stay Secure Permalink
Low-code application development provides a solution for a wide range of business needs, from business applications through process automation and integratio...
Link Log
Hackers Abuse Low-Code Platforms And Turn Them Against Their Owners Permalink
Last year, Microsoft’s Detection and Response Team (DART) published the timeline of an attack which leveraged Power Platform, Microsoft’s low-code platform. ...
Low-Code for Dummies – An Overview of Low-Code Through Examples Permalink
Clear examples of why low-code / no-code is so cool.
The 7 Deadly Sins of Low-Code Security and How to Avoid Them Permalink
Seven significant security risks in low-code development, such as insecure authentication and data leakage plus practical advice for mitigating these vulnera...
The Microsoft Power Apps Portal Data Leak Revisited: Are You Safe Now? Permalink
In late August 2021, a data leak exposed 38 million private records via Microsoft’s Power Apps portals. Discovered by UpGuard, this misconfiguration is one o...
Addressing the Low-Code Security Elephant in the Room Permalink
The danger of anyone being able to spin up new applications is that few are thinking about security. Here’s why everyone is responsible for the security of l...
Why So Many Security Experts Are Concerned About Low-Code/No-Code Apps Permalink
IT departments must account for the business impact and security risks such applications introduce.
You Can’t Opt Out of Citizen Development Permalink
To see why low-code/no-code is inevitable, we need to first understand how it finds its way into the enterprise.
Microsoft Power Pages: Low-code Misconfiguration Remains a Top Security Risk Permalink
Despite Microsoft’s efforts to enhance security features, the Zenity research team found that Power Pages is still prone to security risks due to misconfigur...
Credential Sharing as a Service: The Hidden Risk of Low-Code/No-Code Permalink
Low-code/no-code platforms allow users to embed their existing user identities within an application, increasing the risk of credentials leakage.
Zapier Storage Exposes Sensitive Customer Data Due to Poor User Choices Permalink
Zenity research team discovers a vulnerability in Zapier’s storage solution that exposes sensitive customer data. Despite Zapier’s efforts to mitigate the is...
Watch Out for User Impersonation in Low-Code/No-Code Apps Permalink
How a well-meaning employee could unwittingly share their identity with other users, causing a whole range of problems across IT, security, and the business.
3 Ways No-Code Developers Can Shoot Themselves in the Foot Permalink
Low/no-code tools allow citizen developers to design creative solutions to address immediate problems, but without sufficient training and oversight, the tec...
A Windows 11 Automation Tool Can Easily Be Hijacked Permalink
Hackers can use Microsoft’s Power Automate to push out ransomware and key loggers—if they get machine access first.
ZAPESCAPE: Organization-wide control over Code by Zapier Permalink
In the middle of March 2022, Zenity research team discovered a sandbox-escape vulnerability in Code by Zapier, a service used by Zapier to execute custom cod...
ZAPESCAPE: Vulnerability Disclosure Permalink
This document is the vulnerability disclosure report once the vulnerability was discovered.
We’re Thinking About SaaS the Wrong Way Permalink
Many enterprise applications are built outside of IT, but we still treat the platforms they’re built with as point solutions.
Embracing the Next Generation of Business Developers Permalink
Security teams that embrace low-code/no-code can change the security mindset of business users.
Major Security Breach From Business Users’ Low-Code Apps Could Come in 2023, Analysts Warn Permalink
Here’s what that means about our current state as an industry, and why we should be happy about it.
Are 100% Security Guarantees Possible? Permalink
Large vendors are commoditizing capabilities that claim to provide absolute security guarantees backed up by formal verification. How significant are these p...
No One Wants to Be Governed, Everyone Wants to Be Helped Permalink
Here’s how a security team can present itself to citizen developers as a valuable resource rather than a bureaucratic roadblock.
Despite Breach, LastPass Demonstrates the Power of Password Management Permalink
What’s scarier than keeping all of your passwords in one place and having that place raided by hackers? Maybe reusing insecure passwords.
AI Has Your Business Data Permalink
No-code has lowered the barrier for non-developers to create applications. Artificial intelligence will completely eliminate it.
Where There’s No Code, There’s No SDLC Permalink
How can we build security back into software development in a low-code/no-code environment?
Generative AI Empowers Users but Challenges Security Permalink
With the introduction of generative AI, even more business users are going to create low-code/no-code applications. Prepare to protect them.
Remediation Ballet Is a Pas de Deux of Patch and Performance Permalink
AI-generated code promises quicker fixes for vulnerabilities, but ultimately developers and security teams must balance competing interests.
Rogue Azure AD Guests Can Steal Data via Power Apps Permalink
A few default guest setting manipulations in Azure AD and over-promiscuous low-code app developer connections can upend data protections.
M365 guest accounts + Power Apps = security nightmare Permalink
A login, a PA trial license, and some good old hacking are all that’s needed to nab SQL databases
Security Conferences Keep Us Honest Permalink
Conferences are where vendors and security researchers meet face to face to address problems and discuss solutions — despite the risks associated with public...
Security Must Empower AI Developers Now Permalink
Enterprises need to create a secure structure for tracking, assessing, and monitoring their growing stable of AI business apps.
Enterprise Generative AI Enters Its Citizen Development Era Permalink
Business users are building Copilots and GPTs with enterprise data. What can security teams do about it?
Move Fast and Break the Enterprise With AI Permalink
The tantalizing promise of true artificial intelligence, or at least decent machine learning, has whipped into a gallop large organizations not built for spe...
The Challenges of AI Security Begin With Defining It Permalink
Security for AI is the Next Big Thing! Too bad no one knows what any of that really means.
Seizing Control of the Cloud Security Cockpit Permalink
Much like an airplane’s dashboard, configurations are the way we control cloud applications and SaaS tools. It’s also the entry point for too many security t...
What Building Application Security Into Shadow IT Looks Like Permalink
AppSec is hard for traditional software development, let alone citizen developers. So how did two people resolve 70,000 vulnerabilities in three months?
Assume Breach When Building AI Apps Permalink
AI jailbreaks are not vulnerabilities; they are expected behavior.
To Map Shadow IT, Follow Citizen Developers Permalink
The tangle of user-built tools is formidable to manage, but it can lead to a greater understanding of real-world business needs.
Citizen Development Moves Too Fast for Its Own Good Permalink
While low-code/no-code tools can speed up application development, sometimes it’s worth taking a slower approach for a safer product.