
Sure, Let Business Users Build Their Own. What Could Go Wrong?

BSidesSF · 2023 · 50:47 · 162 views · Published 2023-05
Speaker: Michael Bargury
About this talk
Business users increasingly build applications using low-code/no-code platforms, but enterprises often lack visibility and governance over these shadow IT deployments. This talk examines the top security risks exposed by business-built applications—credential sharing, broken authorization, sensitive data exposure, and missing audit logs—drawing on analysis of over 100,000 low-code applications. Bargury argues for extending security frameworks to empower business developers rather than blocking adoption.
Original YouTube description:
Sure, Let Business Users Build Their Own. What Could Go Wrong? Michael Bargury Business professionals are increasingly building their own applications with Low-Code/No-Code platforms. And so, enterprises are placing *developer-level power* in the hands of 100x *new* business developers. What could go wrong? https://bsidessf2023.sched.com/event/1Hztn/sure-let-business-users-build-their-own-what-could-go-wrong
Transcript (en):

Hi everyone. I'm going to promise you one thing before we start this talk: this is going to be different. Now, you get to decide at the end whether it's different good or different bad, that's another thing, but it won't be the same as other talks you'll see today, because mostly when we talk about security we focus on the things that developers are building. But this talk is going to be different: it's going to be focused on what your business users are building, and the kind of risks that are exposed by them building their own applications. So briefly about me, and why you should listen to me about this space: I've been

working on trying to understand the security implications of low-code/no-code applications, those applications the business users are building, for the last four years or so. I founded a company that's focused on this space called Zenity. I was part of the cloud security team at Microsoft, where I got some initial visibility into this space. There's an OWASP project dedicated to a Top 10 for low-code/no-code; we're going to see some of it today, and if you're interested please reach out afterwards. And actually most of my time is spent on the red team side, figuring out how we can use these types of applications to hack the

Enterprise. So if you're interested in that, there's a bunch more information after it; you can search for my DEF CON talks, I gave a couple of them at the last DEF CON. Here's what we're going to do today: we're going to start by making sure we're on the same page on what low-code/no-code actually is and how fast it is going within the Enterprise, and I'm hoping to convince you that this is the kind of case, like bring your own device or mobile applications, where we can't really say this doesn't belong to us, so this will not happen in our org; we just have to go along with it.

We're going to see how the SDLC translates, or how it doesn't translate, to low-code/no-code, and then we're going to focus on the top risks that we see these applications exposing, and this is going to be driven by scanning of more than 100,000 of these types of applications through my company and the OWASP project. All right, so we're going to start by figuring out what low-code/no-code is and why, and its promise to make everyone a developer, and by everyone I really mean everyone: people from HR and sales and marketing and across the organization. This is kind of a joke, but it's true, right? Business users, or business needs,

always outweigh our capabilities to actually answer those needs, and this has been a problem since forever. I mean, the business grows, and the rate of growth is larger than what IT can provide, and this is not only about a lack of developers, it's not only about a shortage in the number of developers, it's just an inherent thing. Also, when you as a business user want something addressed, you know, to convince people you need to get the right attention, and so you end up waiting. And so this is what low-code tries to solve, and if this

sounds like something that is not new, that you've heard before, it is not new at all. It's actually part of a larger trend that we've had through many years now that's about IT decentralization, about the capability of the business units to operate on their own without centralizing, and there were many different innovations in the past that have actually achieved this. The number one thing that people think about, and I encourage you to think about it when you think about how fast this can go, is things like Excel or Office. So Excel has been the number one tool, the

single tool that I've been using across my career, no matter how much I've learned the other things. Think about the number of jobs that are centered around Excel. This is the ultimate low-code/no-code tool, and of course Excel came with macros, which are our close friends until today. So low-code is just another iteration on these capabilities that are about empowering business users, or empowering everyone, to build applications faster, and when we think about it this way it's easier to understand where it is going: it's going to a place where the business operates independently and IT can be left outside of the conversation. Now, one

thing that is important for the conversation is to have a few concrete examples of applications that were built by business teams or were built with low-code/no-code, so we all agree, or we have something to think about, when we consider these applications. So let me show you a few of them. Here's one. This is actually an example from Microsoft: if you went and visited Microsoft offices physically during the pandemic and you had to provide your COVID vaccination proof, this was facilitated through a low-code app.

So you open up this, this is just a web portal, you open it up, you need to upload your copy of the certificate. Of course this means that this is handling health data, right? Now, who's building this app? It could be professional developers with low-code, it could be business users for sure, but the main point is that it's built with low-code, and it's a critical app, and in most cases these are not really covered by the security umbrella, but we'll touch on that in a moment. Here's another example. This is a famous example by Workato and Slack, and so Slack is a big Workato customer. Workato is an

integration platform, and they are using a bunch of Workato automations to facilitate everything from order-to-cash processes. This is of course critical, right? There cannot be any mistakes here, and Workato has to be dealt with as a production environment, or a production service, in this matter. Now let's see another one, which would be a bit different. This is another example from Microsoft, but this time the developer here is clearly a business user. So here's the use case: there's the marketing team that is in charge of product launches, and they found out that there were several different processes ongoing in parallel to actually go through those product

launches, so they created an app that facilitated this process, that allowed everybody to go through the same steps to launch their product. This app was developed by the marketing team very quickly and became the go-to app to work on that process, so it's the official app for everybody that wants to launch applications, and again this is built by a business user. This is really cool, but now let's think about all of the gates, all of the security controls, everything that we have for professional development, and whether or not this applies here. Now, one thing you could be thinking

right now, in order to get yourself off the hook, is that this doesn't apply to your organization, that you never have business users; maybe you're a bank or a financial service or something, and you're thinking, well, in my organization we'll never let business users build things on their own. And I'm sorry to be the one to say this, but that's a very difficult task to achieve. These things are already there within most Enterprises, because low-code is being packaged into existing SaaS products, and just to show you, there aren't many Enterprises that don't have one of these vendors deployed in the organization, and there are of course

others. Every SaaS platform today is baking in those low-code/no-code capabilities as a way to extend their platform, but it also means that these are no longer single applications. So thinking about Office 365 or about Salesforce as a point solution is kind of outdated: Salesforce is no longer a CRM, it's an application development platform, and we are not really treating it that way in most cases. So if you're using one of those platforms, these are tools that are already packaged inside, and they are shipped directly to business users; there's no asking for permission in that process. This means that in a typical Enterprise that I got to work

with, even though they did not have an official citizen development or business development initiative, they had tens of thousands of these applications, and I'll show you the statistics in a moment. When you watch what the people that are leading this space are talking about, they are talking about it as the next big wave of application building. Here are a couple of quotes. You can see quotes from analysts, but the more interesting one is actually the quote from Microsoft, which is sharing their goal in this space. They're basically saying, well, we need to build so many apps in the

industry, developers won't be able to do it, so low-code is the way to move forward. Now, if we think about the fact that these applications are, A, very easy to build, and B, more people can build those applications, well, pretty soon we're going to be in a situation where most apps, in terms of numbers, will be built with low-code, will be built outside of our IT. Those could be small apps, but they still have identity, they still move data, they still have those operations that they are doing, and so it's important for us: failing to put them under the security umbrella would leave us in a very tough situation. Now, one thing, I mean, these are

quotes that talk about the future, but the more interesting thing is whether they are actually truthful, what the situation is today. So one statistic that I checked a few days earlier is how many .NET developers there are right now, and according to Microsoft there are over 5 million, so I'll take that as meaning less than six. Compared to that number, that's the number today, right? How many low-code developers, just using the Microsoft ecosystem, do you think there are? Just think about it, have some sort of an answer.

All right, so I went through Microsoft's earnings reports for the last few years. They mention there the number of developers that are using the low-code platform, and of course this is just Microsoft, because that information is out there, but the market is much bigger than them. Here are the statistics: so they started off with their low-code initiative in 2018, and in 2022 they publicly mentioned that they have more than seven million developers that are using their low-code platform, and you can see the linear regression that I've created here, which puts them... the prediction

is that today they are at about 8 million, but even if you take the 7 million number, there are more low-code/no-code developers on the Microsoft ecosystem than .NET developers. When I saw this it really surprised me, because we might be thinking of this as a niche thing, but it's definitely not, right? Think about all of the controls, all of the effort that we put in place to help those .NET developers avoid mistakes, to make sure that the applications that they are building are secured. How much effort are we putting into helping those low-code/no-code developers? Not a comparable amount at

all. All right, so these are statistics for the entire Microsoft development ecosystem, but the more important thing for each one of us is what it looks like for a single organization. So for a typical large Enterprise, how many applications are actually being developed with these types of platforms? Let me show you an example, and these would be numbers from a real company, just anonymized, and they represent a single organization. Again, from launch in 2019 and 2018 you can see how the graph goes; it's about a quadratic growth there. You can see that in an amount of

something like two years they have built about 65,000 applications. 65,000 applications. These are numbers that are unprecedented, right? Nobody is building so many professionally developed applications. Now, of course, many of these applications, or even most of the applications, are very simple: they could be like an if-this-then-that rule, or they could be a single application that only a single user uses, or maybe somebody built an application and never even used it. It doesn't really matter: these applications still have an identity, they still have the ability to move data, and they are built on top of business data by definition, because they are built with these SaaS platforms that already

hold your business data. Okay, so that's why it's important to get on top of this quickly, because the number of applications that are developed is growing really, really fast, and again, when you see this chart it becomes easier to believe that indeed most applications, most business applications, in the near future would be applications built by the business rather than applications built by IT, simply because of these large numbers. All right, so here's a quick recap of what we've seen so far. A, we've seen that this is a big boost in productivity that is expected to have, at least the people that are driving

it want it to have, at least an Excel-level impact. We're talking about business-critical applications that are built here, not all of them but some of them, and this is again available in every major Enterprise, and it doesn't really matter whether we choose to enable it or not, by default it's already there, right? So one thing we need to understand, in order to understand the kind of risks that these applications expose, is how they are being developed. So what does the SDLC look like for these low-code apps? Let me show you an example of one application, and once

this will kind of play out in the background, but this is a very contrived example. What I'm doing here is essentially I'm trying to fix my own problem in my organization. We're using Slack, and there's this feature in Slack where somebody can mention you on a public channel, and then you're expected to reply really quickly, right, which is kind of annoying. So what I'm doing here is I'm using an automation in Zapier where every time somebody mentions me on Slack, I'll change my status as if I'm on a call, because that helps, and then five minutes later I'm going to change my status back to available, so nobody would

suspect me. Okay, this is really cool, because it's showing you actually a really sophisticated application that I'm building through Zapier here, and it's also drag and drop. This entire video takes about two minutes, but just think about the level of complexity that this application needs to handle: it needs to authenticate to Slack, it needs to store some sort of a secret, right, it needs to subscribe to a webhook on the Slack side, it needs to support API changes by Slack, it needs to have a state, because this delay step, waiting five minutes, I mean somebody needs to wake up after that.

This is a significant piece of software, and I'm able to build it simply with drag and drop. Now, take this process that you're seeing right now and compare it to the SDLC. I mean, when I finish here, and you'll see it in a moment, I'll have a nice little pop-up that would say "publish app", and that's it, right? Some of the platforms would even automatically save applications as you build them and deploy them to production, right? This is a really big challenge, because this means that everything that we've baked into the SDLC doesn't really apply here; it gets pushed out of the

way. Now, one thing I will mention which is important is that in some cases professional development teams are using low-code with an SDLC, but they're doing this kind of despite the existing capabilities; their life is not easy at all. So going into the SDLC again, this is just a vanilla SDLC, and this is the typical thing that we have for professional development. Of course this could vary a lot, but I'm trying to make a point here about low-code. Let's compare it to what you've just seen: so there's no real process here, there's a single user that thinks about the problem and then solves that problem.

That means that, one, there's no exchange of hands between different people, there doesn't have to be any planning, any monitoring. You can think about what happens if one of these apps gets hacked: will your SOC even be able to identify it? If it was identified, will it be able to actually do something with it, investigate it? I'm not sure. And more than that, this entire process is up to the business user. Now, the important thing to note here is that this is a good thing. This is the feature that is driving this platform, this is the reason why we have so many apps, because it's easy to create

those apps, so this is not going to be easily solved, right? And one other thing that you could be thinking about to get yourself off the hook is that this is the platform's fault, that the platforms that are allowing users to build these things should fix the problem. I'm not really sure about that, because there's something called the shared responsibility model. We've learned this in the cloud already: you can't expect a cloud provider to solve your problems for you. When you build an app on top of a platform, you're in charge of that app; the platform is in charge of making secure building blocks, allowing you to

use the platform in a secure way, but when you build something, you own that thing, including the security risk of that thing. Okay, so what I'm trying to convince you here is that this must be our problem, because nobody else would fix it for us. And with that, the rest of this talk is going to be focused on the types of problems that we're seeing when these applications actually get developed, and what you're going to see when we go through this top 10 is concrete examples of how these applications go wrong. Now, before I

show you the actual list, a few words about this project. This project started about two and a half years ago; today there's a community of about 200 people that have joined the different channels there. These are mostly large Enterprises that are part of this group, and if you're interested, we're working on the new version, the 2023 version, of the top 10, so if you're interested we're really looking for feedback, reviewers; reach out, we'd be happy to get you involved. This community is not only about the top 10, we're also doing things that are more on the red teaming side.

You'll find a bunch of tools that you can pen test your applications with, so if you're interested, either go to the link or reach out to me afterwards, I'm happy to direct you. All right, this entire top 10 list is based on the applications that we're actually seeing in the world, so the applications that were built by business teams inside of the organizations that are part of this OWASP group. This is the top 10, and the top 10 here is again different from the regular top 10 for web apps; it's focused on the business logic that these applications present, so it's not

about the specific building block, "this is the platform's fault", no, this is all focused on your own part, on the organization's part of the shared responsibility model. All right, the first problem that we're seeing again and again with these low-code platforms is account impersonation. Think about it, let's put yourself in the shoes of a low-code platform that's trying to expand inside of the Enterprise, again without asking for permission. What would be the number one thing that would make this graph that we saw earlier not exist, that would block this growth? The number one thing that would block you

is permissions, right? If a user has to ask for permission every time they create an app, you would never see this graph, that would never happen. So how do you circumvent that? How do you allow somebody from the HR team to build an app without asking for a service account? You allow them to use their own identity. And so the way that these platforms go around this problem is that they actually copy the user's refresh tokens and then replay them as part of the app, which means that actually they are completely breaking the OAuth model, or the permission model, that we're used to inside of the organization. Many of these

integrations are actually built on top of user impersonation. So a user logs in, I copy the token and then I replay it. I also allow that user to share that token, but we'll see it in a moment. Now, one other thing that typically happens is that when somebody builds an application, it could be an important application, a useful application, they embed their own identity within that application through these refresh tokens, and now when I share this application with you, you can use it, but underlying, you're using my own identity. Now, who cares, right? It works. Well, let me share a story with you of what could happen. So this is a real story where a customer

care team in a large organization had a problem where people didn't have access to the right information about customers when they were part of a support ticket, and so the way that they solved it is that they created an application that used the assembly from the kelston for the customer care team to use their own user to go to the customer database and fetch information about that specific customer, and they did bake role-based access control into the app itself, right, so the app only exposes the customers that you are related to. So employees are happy, right, because they can do their job

better, customers are happy because they get better service, the customer care team is happy because they fixed their problem. Who's not happy? The SOC. Think about it from the SOC's perspective, right? This is not an app, this is just, I don't know, scraping inside of the organization: this is a bunch of different requests across the Enterprise, going through multiple queries, multiple IPs, across time, and they're using the same credentials, which are admin credentials to the database, right? And this was actually caught by abnormal activities that were caught inside the SOC, and just imagine the SOC that needs to try and handle this. It took them some time

to find that this is actually an application, and who built this application, and then the SOC reached out to the person on the customer care team. Imagine that conversation, right? Not an easy conversation. Now, of course, it's obvious why this is a problem, right? You're baking an identity into an application, and everybody can use that identity underneath, and even though in this specific case role-based access control was baked into the app, in many cases that doesn't happen. Some platforms even have a notion that they call implicit sharing, which essentially means when I share an application with you, you get direct access to the underlying data

sets, even if I revoke access to the app afterwards, you still get access to those data sets. And so let's see where that could take us, and this would be the second thing in the top 10 here, which is about authorization. Now, problems with authorization are not new; there's nothing new about low-code here. The only thing that's new is that this has become much, much, much easier, because low-code platforms are essentially doing credential sharing as a service. They are providing you with a service that allows you to share your authentication, to share your identity, with other users within the organization. These are snapshots of different platforms; you're seeing Power

Automate by Microsoft, Zapier, and Workato. This is not picking on them specifically, others are doing this as well. They all have a notion called a default environment, or a default folder, and in this default environment what you'll find is credentials, connections, that have been shared across your entire organization, and when I say across your entire organization, I mean everybody in your AAD tenant; that would include guests, for example, and this is a single click away when you create those connections. Now, what can a connection be? You might be able to see on the slides here a few examples, but in many organizations we're seeing connections

to people's own Outlook and Teams and users, we're seeing FTP servers, SQL servers; this could also reach out onto on-prem through gateways. And so this is just basically a lateral movement waiting to happen, right? If I get access to any user in the organization, I can reach out to those platforms and just find those connections that are waiting for me to use, and we actually have a bunch of tools that could help you identify this within your organization; I'll give links to them afterwards. One other thing that we're seeing with authorization is basically this: API permissions can be somewhat difficult, especially if you're not an

expert or if you're not a professional developer, and then in many cases what we're seeing is that all of the users of an app get provisioned with the same permissions, admin-level permissions, but then they hide the administrative screens on the UI side, on the client side. This is very common, for example, with Salesforce development; we've seen this again and again. And so here of course the problem is obvious, right, but this is not something that you think about unless you're aware of the risks, and in recent years we've come a long way with professional developers becoming better equipped to work around security. Business users are

not there; I'm not sure we can expect them to be. Okay, let's go to the next one. There are multiple ways in which we are trying, as Enterprises, to block data leakage outside of the org, and one of the things that we've been trying to block since forever is emails going outside of the organization, right? So, for example, one very popular thing to do for all of us is to get the corporate email invites to our personal Gmail account, because it's much more comfortable. Now, organizations are trying to block this, and the way that they do it could be through DLP

solutions, could be through something on the email server, but here's what's happening with low-code platforms: instead of forwarding an email, instead of doing anything that would work over the network, which would allow a network perimeter appliance to help you, they are simply connecting with one hand, with one account, to the corporate account, and with the other hand, with another account, to the personal Gmail account, and then copying the content. And this copy operation is being done on the SaaS platform that is owned by the vendor; you don't have an agent there, there's no way for you to monitor it. So again, this is a clear way to exfiltrate data outside of the

organization. There hasn't been a single org that I worked with that didn't have some form of this happening inside of the org. This could be about email, this could be about moving data between different drives, so a SharePoint and a Google Drive, for example, and we also see in many cases that people could build a useful application and then just use the wrong data set as the database of that application: instead of storing it in a corporate database they'll store it in their own personal OneDrive, for example, in Excel, and they will access it. One other thing that could happen is that these applications could be used to do malicious things. So for

example, this is an example of a ransomware for a specific SharePoint site. So I'm iterating over the entire SharePoint site, and for each file I'm simply encrypting that file with the encryption function that is provided by the platform and overwriting it within the site. Now, SharePoint has backups, but this same thing could happen on an on-prem machine through the on-prem connection of those types of platforms. And this is just one case, but we see in many cases where these platforms by mistake cause harm, so there might be conflicting automations that are overwriting some files, and then things get changed and you need to walk your way through those types of

applications, again with no visibility into it. One other problem that we're seeing is authentication and secure communication, and this is a silly one, but the power of these platforms is based on the fact that they can connect across your Enterprise. They come built in with hundreds of different connectors that connect to SaaS and on-prem and other places as well, and when you create those connections, you as the business user are in charge of configuring them correctly. So one thing that we've seen, which is kind of weird because this is something we thought we solved already, is connections to FTP that are using FTP rather than FTPS, and again this is up to the

user to decide, the business user; they can't really do that on their own. Okay, let me show you another thing which is pretty common, which is misconfiguration. This has been a huge thing in cloud for recent years, and one of the things that you should be thinking about when you think about misconfiguration, as an example, is the open S3 bucket problem with AWS, right? So AWS has recently changed the default and made it very difficult for you to open up these buckets, but we still have open buckets with private corporate information out there, because people are making mistakes,

and so it's not only about the default it's also about helping people not make mistakes and so let me show you how this pops up again with low code this is an example from a Microsoft's platform they have something called podolabs which is the which is an application that is basically creating a web app for you and it allows Anonymous users so users that are unregistered not logged in to go into the website because well it's it's a website another feature that it has is an API it is a basically an API endpoint that it sets up for you that allows you to query all the different tables behind this behind this application now the problem

was that the default configuration was that every user including Anonymous users could access every table in the Behind these applications through this API and this was actually this was actually a problem identified again about a year and a half ago where the default was like this and so it was very easy to find the to find the information that should not be exposed to everyone just through randomly querying those applications and so even though the problem has been fixed by Microsoft the default setting has been changed this is still happening so let me show an example from last year and this is a real example this is a product for a company a financial industry company in

the US you can see we've we found this specific portal for that application for that company I'll share with you in a moment how and then when you query this API you get a list of all the tables that you can query through the API so the default table doesn't have anything interesting entity forms is just form submissions Global variables is kind of interesting right so of course it has authentication tokens to uh to Azure and to uh other services and this was of course this close to the to the specific company where we found this but one of the but but the main problem here and maybe I'll go back a few slides so you can figure

this out on your own look at this domain name all of these applications are stored in our hopes are served in different sub-domains of this domain so just enumerate this domain enumerate these different sub domains go to this endpoint and it's very easy to find those configurations to misconfigurations are very much predictable which makes this a huge problem okay another thing that we uh that we see pop up with the local platforms is injection injection attacks or inject more injection surface now this could be a tricky one because platforms would tell you that injection has been solved because you're using widgets that are provided by the platform but if you take uh input from a user and you plug it

into a a SQL a SQL query that goes out to your SQL server and you don't sanitize it on the way then then you have created an injection surface and again because this is something that business users are doing or that people that are not part of the security umbrella are doing then you're not in a really good position to help them catch it another problem that is surfacing here again is a supply chain the only reason why low code is successful is because there's a bunch of tools you can pick up and use from a Marketplace in order to build your application there are widgets there are connectors which are kind of wrappers around apis

there are different back-end operators that you could use all of those things some of them are built by the platform themselves but all of the different all of the large platform vendors have a Marketplace if you think that they are doing uh that they are completely owning the risk of all of the components in their Marketplace you're absolutely wrong they might do a single review but they cannot review every change of each one of those widgets and also in many cases the way in which you're using those different cell party widgets is that you can just pick them up from GitHub or something like a zip file and then you upload it somewhere there's no

hashing there's nothing okay so the problem of uh supply chain attacks is is very is kind of is very difficult to find and and actually identify within those local platforms and again it's baked in because local platforms without third party widgets would would really don't have a lot of value in them foreign let me show you another kind of example that we're seeing a lot and this is about sensitive data sensitive data and sensitive and sensitive and secrets and so here's an example an app that uses some sort of sensitive data a user submits that sensitive data to the app and then the app stores the sensitive data on a database in plain text this is kind of funny and again not

new but because business users are building these applications how do they know how to store credit cards it's not really their role so let me show you let me show you a specific example this is an HR team at the large IT company basically they created the they wanted to do a giveaway campaign when people can donate donate money to charity so they created a small application that did a very simple thing you register to the application you provide your credit card and you say which and you choose the charity you'd like to donate to and the company will will donate as well now the credit cards that were collected there was stored a in plain text B in an

environment which was kind of a development environment showed across the entire organization okay so again this is very cool that business users are able to do this but this is kind of a problem and by the way they found this when a compliance audit all started asking questions which which is kind of a difficult place to be at um and we are seeing this thing about kind of uh sensitive data that's being handled by these these these applications a lot and again because uh these platforms are built these local platforms are built on top of SAS platforms that contain business data it's very difficult difficult to create those uh those distinctions to make sure that things

um that these applications are not touching business data for example one other thing that is clear is that most of these applications are built outside of it's IO control there are so many cases where somebody builds a successful application other people are using them and then this person leaves the organization okay what happens now this application is remains I mean it's used until it doesn't work anymore and then who would you call what would happen if this application gets hacked who would be who would own it I mean this is a really difficult situation and this is because we as the people that are in charge of kind of secure in the organization were really not not aware

of them one of the key things that that I see people try to do here is is focus on applications that become viral within the organization so focus on those apps that are not used by one user or a couple of users by use by a lot of different users within the org and the last problem that I'll mention here is login and monitoring so this is it's funny but there are kind of two separate problems here which are kind of the opposite one is that in many cases there are no logs at all so you won't find or the logs are not available to the right people so again just think about whether you can if something

happens with one of these applications whether you can actually create an investigation to find out what happened who is logging into these applications what data did they did they provide to that to those users so those things don't really exist but on the other hand some of these actual components so for example it's automations have a habit of recording everything and when I say everything I mean all of the data that goes through those automations and so one of the one of the issues that we're seeing is that let's say I build an application that allows you to check your email or something okay now you can use you you can use the application but

as the build of that application I can access the logs that are that are available to that application which can include the actual data that goes through the app okay which is again a very clear pass to privilege to prove the Discrimination of one user to be able to view things by other users and actually uh previously earlier this year Defcon I showed how this specific capability could be used to move laterally across the organization all right so we have seen uh let's talk about what we've seen so far we've seen that Loco knocker is rapidly going within the organization and chances are it's already there in your org and I'm not saying this is a you

shouldn't be worried about this you should bring it under the security umbrella I mean security business users are in many cases you'll find that there are teams that have already started developing critical applications on these platforms and they are scared because nobody's helping them got to make sure they're doing the right thing there's a huge opportunity here for us to to be part of that conversation we we saw that there's missing sdlc in some cases there is some sdlc but in many cases you'll find none and I really encourage you to look at the OS top 10 there are a bunch of more examples that I haven't shared here already and actually uh where the the new version

that we're going to share is going to be much deeper one of the things that we are working on is having those top 10 written in a way that you can actually give your business users and they will understand stand to help them kind of be closer to the security mindset the opportunities for you to take and this this might be the important the most important thing to take out of the slides out of this talk there's a huge opportunity for you to be the champion of of this space within your organization absec needs to be part of the local local conversation or the business development conversation we are seeing organizations that are creating security Frameworks or basically

extending the secure development policies that they have to business users and of course there's a lot of there's a lot of need to think about what exactly do you want to build what use cases are approved how do you how are you checking those those use cases how how are you providing galleries for those users to build correctly but kind of instead of just thinking so they don't need to think about security you can just continue building but you protect them along the way if you're interested please reach out and um I think this is we have some time for questions so thank you very much [Applause] I might do this so we have light

Thank you. I'll be coming around, and let's see. Okay, now I can see you raised your hand. Okay, come on, wait, wait, I'm gonna give you the microphone.

So something that came to mind for me was, when we've, you know, seen people whose, say, Office 365 email has been compromised, and you know the bad guys tend to create Outlook rules and things like that to forward emails for business email compromise and things like that, I was wondering if you've seen any instances where these automations were used to, you know, do that as well, like the email things that you suggested.

So unfortunately, yes. About three years ago Microsoft published a report where a single organization was attacked by something like four different groups, and defenders were looking to clear the network of malware for like six months, and they weren't able to find what was going on. After six months they found a single Power Automate automation. It did a very simple thing: it was running under administrative permissions, and on a schedule it used the eDiscovery tools by Microsoft to find sensitive information, secrets, whatever it could across the organization, store all of them and send them to an HTTP endpoint. And this was a single automation; I mean, just trying to find this automation took so much time. And I can share a link afterwards if you're interested, shoot me an email or reach out on Twitter. But this was actually a long time ago; ever since then we've seen this happen mostly as mistakes, people that are making mistakes and just moving that outside of the org.

on to the next question

Any ideas on a strategy for how to detect and find these things in your organization?

Yes, so I do have one optimistic message here. We have to remember that these things, I mean, these low-code applications are replacing what you can call copy-and-paste integration. People have been moving files from one place to another since forever, and we've been trying to address it with DLP solutions and other things for a long time, and we haven't been successful. But now, when business users are using these low-code platforms, there's somebody you can ask: tell me. You can go to the platform API and ask, what are all of the applications that have been built on top of your platform? Now of course it does require you to understand what these applications are doing, to scan for example the definitions of those applications to actually figure out what data they're touching, and we are seeing organizations that are actually going through those processes. So you can do it: you can automatically scan those applications, find inventory, then find vulnerabilities, collect logs, but there's a lot of work that you need to do in order to do that. You do have an API for some of it, so you do have for example an API to query all of the applications that exist; there is much more than we had when businesses were just copying files.

Thank you. We have four more minutes left for questions. Anybody else?

It seemed like one of the largest issues you mentioned with this was role-based authentication. It seems like largely that's because it's operating outside of the existing structures we have for auditing; you mentioned SOC, I believe. Do you think that we would still see benefit in the low-code/no-code solutions if we forced them to go through the more standard process of role-based authentication, and how do you see that working when currently they seem to be working around current authorization structures? Do you think, and I know you said that we can't rely on the tools to fix the problems for us, do you think it's reasonable that they should be working within current structures such as OAuth?

So I think all of the platforms have a way for you to build your applications and connect to things with service accounts rather than users, which would be the best-case scenario, right? Because then you can provision those accounts, you can monitor them, etc. The problem is that this means that somebody needs to ask for permissions, which creates a roadblock, which means that the applications won't get fully adopted, which means, at least in my view, that it would never really happen. I mean, again, these capabilities are available; in some platforms people are actually using service accounts, but enforcing the use of service accounts, I don't see a way for this to work together with the exponential growth, with the quadratic growth, that we've seen earlier. There are cases, and we're connecting this to the previous question: one of the things that I do see enterprises do is that they make sure that for some use cases, so for example if you're touching business-sensitive data, if you're touching credit cards, you have to use a service account, but then you need some way to actually enforce that rule.

Thank you, and this will be our last question. We have one minute left.

Yeah, somebody who is kind of dealing with a new low-code/no-code environment coming in, I echo everything you said. One of the things, in the security organization, we sort of caught it sort of late into the adoption cycle, and one of the things that we've had to do is basically say that only modules that have been vetted are allowed to be brought into our organization, so something equivalent to an Artifactory kind of model. And we've also had to work with the vendor, applying heavy pressure, to allow our SonarQube rules, for example, to be applied, just as a normal sort of thing, with hard guardrail mechanisms. It was something that the no-code/low-code vendor was like very, very, very grumpy about, but it's something that we've really twisted the screws on. And so, you know, I'm not going to say what my organization is, obviously, but everything you said is absolutely 100 percent, and we've been applying screws on that stuff.

Thank you. I think that one of the mistakes I think we should avoid, I mean, we must push the vendors to be better, however we need to understand that there's an entire ecosystem that needs to be built here, right? When you build a normal app, a pro-code app, you have shift left, you have runtime monitoring, you have network perimeter, you have a bunch of things that are helping you prevent mistakes and prevent attacks. In no code you don't really have all of them, and vendors won't solve everything for us, but vendors need to make it easier for us to actually solve those problems. I know we're out of time. Thank you very much, I'll stay here for questions, and if you can't catch me here, reach out on Twitter. Thanks.

[Applause]