Business-led app development has numerous advantages. It eliminates licensing costs and provides complete flexibility and control. However, it also has its risks, particularly when it comes to cybersecurity.
The rise of low-code/no-code app development platforms is a welcome development for many. These platforms make it easy to create apps, automate processes, and integrate legacy or cloud-based systems. All of these address specific and critical needs of organizations. However, despite being innovative, they are associated with a number of risks. These include having no visibility of development activity and its security implications at the business-logic level, including, access control, identity management, data security, supply-chain, insecure code, and business logic flaws.
The citizen development cybersecurity problem
In April 2022, DarkReading conducted a survey on the state of enterprise application security. In the findings, 32 percent of the survey respondents said that they do not see governance over how low-code/no-code apps are accessing and using data loss prevention measures. Low-code/no-code platforms oversimplify the process of backing data into apps, which can mean serious data handling mistakes.
Additionally, the survey reveals that IT and security teams lack the proper information on how to check for security in low-code/no-code applications. Examining the code of the resulting apps is irrelevant, as the exposure comes from the maker side of the shared responsibility model, and making sure that the app, automation, or integration is secure and robust is going to be extremely challenging. This problem can be associated with the security visibility issue pointed out by 25 percent of the respondents. It is very difficult to protect or ascertain the security of something that is not seen.
Moreover, the survey shows that around a third of IT teams are unaware of low-code/no-code security concerns. Many platforms promise that they are secure, and many users readily believe that claim. All they care about are the ease and convenience they get from using these platforms.
Addressing security issues with Zenity
Zenity offers a solution to resolve the security issues and risks that come with low-code/no-code app development. It is a governance and security platform that makes the citizen development of business apps risk-free, addressing a crucial issue that deserves the utmost attention.
Introduced in 2021, Zenity aims to provide continuous protection for all low-code/no-code apps, automations, integrations, and their components. It enables the formulation and implementation of app governance policies, the identification of security risks, detection of emerging threats, as well as automatic threat response and mitigation.
Zenity takes the distinction of being the first security governance solution for low-code/no-code development. Likewise, Zenity addresses a critical problem already identified previously, however, lacked a systematic and easy-to-adopt solution.
How Zenity works
Zenity allows for the securing of low-code/no-code apps, automations, and integrations by providing full visibility and control over low-code/no-code platforms. It supports the development and enforcement of security policies, continuous monitoring and detection of policy violations, identification of anomalous app behavior, and effective remediation and troubleshooting of issues. Focus areas include discovery, mitigation, governance, and protection, especially.
- The platform makes it easy to discover shadow IT low-code/no-code apps, automations, and integrations. The design maintains an up-to-date cross-platform inventory of all low-code/no-code components and their relationships
- For the mitigation aspect, Zenity minimizes attack surfaces with its ability to undertake a continuous risk assessment. Moreover, it can also detect drifts from security and compliance best practices, and usages of insecure apps.
- Zenity provides effective app governance. This is done through its configurable safeguards with automated responses to risks, app usage, and environmental factors. This makes it possible to address risks without business disruptions.
- To ensure robust app security, Zenity is designed to detect suspicious activities. These include malware obfuscation, supply chain attacks, data exfiltration or leaks, and risky users.
Resolving crucial low-code/no-code weaknesses
Uriel Zilberberg, a security researcher at Zenity, aptly calls low-code platforms the new holy grail of cyberattackers. In fact, they are a sought-after attack surface since many organizations embracing them are not highly aware of the security repercussions and don’t actively monitor them. As mentioned in the survey cited earlier, around 33 percent of IT teams lack familiarity with low-code/no-code security issues.
“For low-code/no-code platforms to be effective in business, they have to make use of critical business data. This data could be on the cloud, on-premises, or even stored with third parties such as a trusted SaaS vendor,” Zilberberg says.
Here lies the rub: a threat actor who manages to access the low-code/no-code platform essentially also gains the ability to “run code” (create and run an app or automation) using the data or identity embedded in the business logic of the implementation itself. What’s more, low-code/no-code platforms also enable users to share connections with each other. This is inevitable for many organizations that rely on such platforms, mainly because they want to enjoy the convenience and extensive control associated with building their own apps and allowing collaboration and interconnections to undertake organization-wide operations.
Zenity provides the security functions that traditional InfoSec and AppSec lack to effectively cover the low-code/no-code paradigm. In addition, it can also complement the insufficiency and lack of scalability of the security audits conducted in organizations. Likewise, it compensates for the lack of cybersecurity proficiency among most citizen developers or users of low-code/no-code development platforms. Zenity plugs various security loopholes to remove the security stigma of embracing low-code/no-code app development.
Zenity provides the zen organizations need as they deal with the chaos and challenges brought about by the adoption of low-code/no-code development platforms. As Zenity CTO Michael Bargury affirms, “Low-Code/No-Code is a great enabler. The really cool thing about it is that it lowers the bar to be a digital creator.” Likewise, Bargury also stresses the importance of app security, privacy, compliance, and resilience.