
Hi everybody, welcome. Today's talk is about letting business users build their own: what could go wrong? Please welcome our speaker, Michael Bargury. Over to you.

Hi everyone. Don't clap yet, this might be a terrible talk, you don't know. Okay, so the gist of the talk is that everything can go wrong, but let me prove it to you. This is going to be a very quick talk, so I'm going to try to skip most of it and focus on the areas that matter. We're also in kind of an intimate setting, so if you have a question, just raise your hand or shout out in the middle. I mean, we're all at the end of this thing, so let's make it interactive, right?

I spent the last four or five years focused on this area, low code/no code apps, figuring out what could go wrong from a hacker's perspective and from a blue team's perspective. There's a whole bunch of research I put out there. I gave a talk at DEF CON last year which might be interesting if you're into this area, so check it out and reach out to me if you want to collaborate.

Here's what we're going to try to do today. We're going to start with figuring out what business users are actually doing: what are they building and why are they building it. After that we'll try to figure out what goes wrong, and I'll give you concrete examples of the things that we see go terribly wrong. Then I'm going to try to finish off with an optimistic message to send you home with: how can we be better?

All right, so low code/no code. This is about empowering business users to do whatever they want, to be able to move around without waiting for us. I'm sure you've all experienced this at some time: when you, as a business user in an enterprise, ask for something, it's a bit of a frustrating experience, right? You need to wait for people to get approval, to give you priority, and then you need to explain to someone what the hell you want them to build. It's very difficult. So low code/no code is the ability of business users to just stop waiting for us, and they're actually doing it. They're just building their own applications. They're not waiting around for IT, or for security, or for any central team. This puts us in a rough spot, because we need to make sure that we remain relevant when most of the business applications become things that the business is just building.

Now, just to convince you that this thing is actually happening in every organization right now: this video shows just how easy it is to create those applications today. You can basically talk to a chat and explain what type of application you'd like to build, and the chat will create the right table for you on top of a database, with permissions, and you can share this later with people. When you finish the conversation with the chat, you can drag and drop things to customize it, and you can see that the application is now alive. So think about what happens when every conversation with ChatGPT ends up with an app that's alive, that has credentials, that has access to things. I mean, pretty soon you lose control, right? That's what's actually going on right now.

The last thing I want to talk about on this perspective, on what business users are building, is just to convince you that this is already huge. In order to do that I wanted to give us some perspective. So you have a number here, 5 million. According to Microsoft, that's how many .NET developers there are today. Okay, how many low code/no code developers do you think there are on the Microsoft ecosystem alone right now? Yeah, so that's the number: there are about 8 million today. I actually went through their earnings reports and collected the numbers from all around. So this is pretty huge. When we think about the amount of security investment we're putting into what .NET developers are building compared to what we're allocating to what business users are building, I mean, we're clearly not in a good spot.

So now we understand what business users are building and why they're building it. The next thing is the fun part, where we get to watch these things break. I'm going to use the OWASP Top 10 framework. This is a Top 10 that's dedicated to low code/no code. I'm one of the leaders of that project. We are more than 200 security professionals around the world that are part of this group right now, and we've actually had major contributions from people all around the industry. If you're interested in this space, reach out; this is why I'm doing the talk, so reach out afterwards. The OWASP Top 10 is based on two things. One is the entire community that surrounds it, and two is statistics, anonymized statistics that some companies have shared about the applications that are built with low code/no code. So far we've seen something like a million apps, right? This is a lot. The reason why we're seeing so many apps, even though this is a relatively new project, I mean a couple of years, is because there are so many apps built with low code/no code, and so we cast a very wide net.

So we're not going to go through the Top 10 one by one, because that would be boring, and you also have it on the OWASP page. Let me share a few concrete stories instead, and I want you to think when I share those stories. I'm going to do two things. First of all, I'm going to share what the business user tried to do, and then we're going to stop and put on our code reviewer hat, or a red team hat, and try to think what could go wrong with this application. This would be best if it's interactive, at least interactive in your head.

All right, so the first thing is onboarding. We know that onboarding an employee into an organization in a world where SaaS is everywhere is difficult: so many processes, lots of them manual. In many cases we're seeing people automate these processes. This specific case is automation of a process for HR. An HR team needs to collect information about new employees, so let's see how this application gets built. I'm specifically going to show examples from Microsoft Power Platform, which is built into Office, simply because it's so prolific within the enterprise.

So, as the HR person (you can see the little icon on the bottom right side; that icon tells you that this is the legitimate user, the trusted user; in a second you'll see the other icon for the hacker, taking a different mindset, because I'm just going to switch between different accounts, so this will help you stay synced), I'm going to start by creating an app. First of all, you'll note that I'm in an environment called the default environment. This is where everybody can create applications; this is where you can be productive. I'm going to start by creating an application that's a simple form. You can see that I'm asking for some information about people that are onboarded into my organization: their name, their address, their social security numbers, things that I need as the HR team. Where is this stored? I'm going to choose something called Microsoft Dataverse here to store that information for me. Dataverse is a cool thing: it's basically a managed SQL Server, it's a wrapper around SQL Server that's managed for you, and it brings with it a bunch of capabilities like role-based access control, logs and monitoring. It's actually pretty cool. So this is what I'm going to use here. Now the other thing that I'm going to do is create an automation where every time somebody fills this form, the entire HR team gets notified, so they just know what happened. All right, this was the app. That's it. What could go wrong?

Okay, so let's see a couple of things. First of all, here's the hacker icon. We're logging into the application, and the first thing we'll note is that this was created in the default environment, and I told you that the default environment means everybody can create apps. So everybody can go to the database and just search for the table that sits behind this application, and then they can just view the information in plain text. It's just there. This is a real example. These are not real social security numbers, they're ChatGPT generated, but it's a real example we've seen with organizations. Just think about the tough conversation with the auditor that you're going to have for this thing, right? So one thing which is pretty obvious is that this application is storing data where everybody can access it. We've seen this pattern reoccurring with many different variants, where the app itself has role-based access control (you can only see what belongs to you) but then the underlying database is available to everyone. Another way we typically see this is with SharePoint lists: people build it on top of a SharePoint list, but then they share the SharePoint list with everyone, and everyone has access to everything. So that's one thing. Of course we also saw plaintext PII and social security numbers, so that's bad as well.

But this doesn't stop here. Think again: as a user, I plug in all of my information there, and then there's this automation. Remember the automation? The thing about these automations is that by default they log everything that goes through the automation. I'm talking about the actual data, right? Not the fact that this ran, but all of the data that was updated on this record. So the social security number, the PII, everything is just stored there, and everyone that has access to this automation has access to this information as well. In this case it's the entire HR team, but you get the point. This is basically leaking information to these logs, where it could be shared with everyone very easily. So there's another point here, which is again about sensitive data that's been written to logs: another data leakage issue.

Okay, this was the first story. I think we probably have time for one more. The second thing is this: one of the things that we hate about working at a corporate is security controls, right? They are really annoying, so one of the ways in which we operate with them is that we try to circumvent them. One thing is that reading email in Outlook is not fun, and reading it in your Gmail is fun, so people have tried for a long time to move their corporate email to their personal email, right? And we have controls for that. We have DLP, we have solutions that sit on the email server. That's great. Here's the latest innovation in email exfiltration: people are using a low code app to do two things. With one hand the low code app signs in to Outlook, and with the other it signs in to Gmail, and then it copies the content. It doesn't forward any emails, so you won't find it on the email server, and you won't find it forwarded anywhere. I mean, good luck with trying to fight this thing, right? So it's pretty obvious what's happening here: every new email to Outlook, I'm going to copy that email to Gmail.

Unfortunately, the problem here is pretty obvious, but it doesn't end here, because what about the emails that I had yesterday? What about creating a full sync of all of the emails that I used to have, because Google search is so fun? We've actually seen people create this type of application. This is an application to sync the emails that they already have in Outlook to their Gmail account. Here is how it works. It's pretty simple: I log in, I need to plug in an email address where I will send myself those emails through my Gmail account, and how many emails I'd like to sync. Here's the automation behind this: for every new email, I'm going to iterate through the emails and again copy the content. One other thing I'm going to do is share this application. This is a pretty nice thing: I can share this application with everyone. By the way, when I say everyone, I mean everyone, right? I mean everyone in the tenant, and that includes guests as well. So if you're interested in what could go wrong when you do that with guests, check out my Black Hat talk tomorrow; you'll find out everything.

In order to use this application, you need to provide the application with this access: access to your Outlook account, access to your Gmail account. So we talked about sharing with everyone, which is obviously bad. You don't have to share with everyone; you can just share with whoever you'd like, and this includes your personal Gmail account, your personal Outlook account, whatever. Okay, and check out the talk. Now one thing to note is that when a user logs into the app, this is how it looks. You can see that I'm logged in with the admin account at this Outlook account, and I'm going to plug in this Gmail address, I want 20 emails, and that's fine. Now remember the logging issue, right? So the hacker, the malicious user that created this application, if they go to the logs, they have access to my emails now. And they shared this with the entire org, right? So people can now use this application; it's a useful application, and it's also useful for the malicious user here. So again, the other problem that we have here is, of course, personal data that leaks into logs.

Now before I finish off with this example, one thing that is important here is that this screen right here is not the typical screen you would see when an application asks for permissions, right? You expect an OAuth consent form. You don't get an OAuth consent form, because this thing is not OAuth. The way that this thing works is that there are actually refresh tokens that are being copied and reused, right? So this is a token that will give you all of the access to everything that this user can do. One of the ways in which this can be exploited is to create a phishing application inside of the organization; check out my talk at DEF CON last year.

Okay, so in terms of sync and productivity, these are the things that we've discovered. You can see that again very small applications can create a giant mess. I don't think we have time for the last one. Yeah, we don't. Okay, I'm going to skip, but there are plenty more problems that we're seeing, things like injection attacks, where people are passing information between the app and the underlying automation and then you can just change that very easily. We're seeing supply chain issues. Lots more; let me just skip through here.

All right, so basically we have given business users a lot of power, and we have no controls to help them make sure that they're secure, and they of course don't have a very high security awareness. So of course things are going to go terribly wrong, right? This is kind of obvious. So let me finish by trying to offer a better solution. Actually, I think the optimistic message that I do have is that some organizations have already started to take ownership of this. Some AppSec teams have created low code/no code security programs within their AppSec program to bring business development under their umbrella. This is a huge challenge, and let me tell you why.

When you compare professional, traditional apps and low code/no code apps, you'll find a few things that are completely different. One is that the people that are building them are very different, and you cannot expect somebody from HR to know how to store credit cards. This doesn't make sense. The second thing is that there's no SDLC at all. I mean, you go to the app, you save the app, it's deployed, that's it. Forget about security reviews, forget about gates, this is not going to work. Your existing controls don't apply, and that is mainly because of user impersonation: most of these apps operate with the maker's own identity embedded within them, and then you cannot distinguish the different users of that application, so your existing controls won't help you. And the last thing is just the scale. You'll find at least 100x more applications that are built with this thing, so everything manual is out the window. Don't think about security reviews or anything like that; it just won't work.

So let me try to push you in a direction that I think would work, and this is based on the organizations that are actually pulling this off, or starting to pull this off, large corporates, mainly Fortune 500s. In terms of awareness, even though we can't expect business users to know everything, it's important to raise awareness there, and I'm happy to say that the OWASP Top 10 might help you. We've had a contribution from a couple of amazing folks, you can see them written here, which basically translates the entire Top 10 to plain language that business users can understand. This is a free resource; you can use it to educate your users, and I'm hopeful this will help you. The second thing, in terms of the SDLC, is that there's a big opportunity to create a standard here. You need to define what works for your environment: which use cases are fine and which are not, what environments people can use. If everybody's using a single default environment to develop all of the apps, of course we're going to find issues, right? So we need to think about what we really want before we can push it in a better direction. In terms of controls, even though the existing controls don't apply, we have an amazing opportunity here, because low code/no code is replacing people that are just copying and pasting files, and you've seen the level of logging that these automations have. Think about the level of visibility we could have into what the business is doing. This can be unprecedented visibility, but we need to do the work first. And in terms of the scale, well, the only real solution for that is to fight fire with fire, right? So we need to use low code/no code, we need to use automations, to find when these things can go wrong and automatically fix them, because if you wait for manual solutions, I don't think it will help. So with that, I think I'm at time. Thank you very much. [Applause]

We might have time for one question, right? We can do two questions. Awesome. Anyone? Oh, just a statement? Just somebody tell me that I'm wrong. Very good.

Have you encountered Zapier? Does that play into your Top 10 as well? Different problems?

The only thing that we see that kind of differ