Low-code is driving a tectonic shift in IT - can IT and security teams enable the business while staying secure?

In recent years, we have witnessed a tectonic shift in the way organizations develop and maintain software. As part of this shift, IT operations are quickly getting decentralized.

Traditionally, IT and development teams developed, owned, and monitored both internal and external business applications. This legacy approach directly slows down the business side. When a marketing professional, for example, conceives a new desired capability or a new application, they need to go through multiple cycles with project and product managers, convince executives to spend time and resources, and elaborate on the requirements for the development team in IT. Aside from being extremely slow and cumbersome, this process typically ends up with misunderstood requirements and oftentimes with the wrong architecture.

Today, business groups within the enterprise are hiring their own developers, placing more power in the business side’s hands for building their own tools and applications internally. Low-code is the main driver for this change. Low-code reduces the barrier to entry for application development, to the point that literally *anyone* can build applications today. As the VP of platform ecosystem at HubSpot put it back in 2018, “Now every marketer is an app developer - even if they don’t know it.”

Low-Code is Driving IT Decentralization

In recent years, low-code/no-code has facilitated and accelerated the IT decentralization trend that has been going on for many years now, and it has done so with record speed. In 2020, Gartner released a prediction stating that by 2023, the number of active citizen developers at large enterprises will be at least four times the number of professional developers. In 2021, only a year later, a Gartner survey revealed that four out of five technologists within the enterprise are outside of IT.

In this new decentralized IT world, organizations must ensure that while productivity goes up, fundamentals like security, privacy and compliance remain a priority. This is a very tough challenge to overcome. While the responsibility for fundamentals remains with IT and security teams, development is now highly distributed. None of the processes and tools on which enterprise security was built are in place for low-code development. Information security fundamentals like security review processes, application security testing and ways to monitor and detect threats are severely lacking. In fact, low-code’s tremendous gains are rooted in its implications for the Secure Development Lifecycle (SDLC) process, which can be summarized by “Click Save to deploy.” In many cases, IT teams don’t even know that their business teams have started using low-code, making shadow IT another major part of the low-code security challenge.

The Emerging of the New Business Cloud

Low-code has multiple paths directly into the heart of any organization. In some organizations, where digital transformation is a strategic effort, low-code is introduced by senior management in order to accelerate productivity across business teams, usually coupled with a Center of Excellence that helps educate users and find key use cases to focus on. In other organizations, low-code is introduced bottom-up by the business teams themselves. Anyone, from a single business team to an entire business organization, can introduce a low-code platform to solve their own needs.

Moreover, major SaaS vendors are increasingly shifting towards becoming low-code platforms themselves. Almost every modern enterprise uses big SaaS vendors like Microsoft, Salesforce or ServiceNow, and these vendors have all integrated low-code platforms directly into their offerings and right into the heart of every big enterprise.

What we’re witnessing here is the formation of a new kind of cloud: the Business Cloud. The business cloud does not compete directly with the public cloud. Instead, it aims to solve business use cases that were not previously addressed and to enable business professionals and developers to address their own needs with increased productivity and business agility.

The tectonic shift in the way applications are being developed leaves IT and security teams unable to control, secure and monitor business-critical applications. This shift exposes organizations to security breaches and data leaks. Hackers have already taken note, turning low-code platforms against their owners and using them to hide in plain sight. In one case, hackers leveraged a low-code platform to maintain privileged access to Office 365 for over 240 days.

The Shared Responsibility Model - Who is Responsible for Low-Code Security?

How should the industry react to these changes? Who should own the security risk: is it the vendor? The organization that uses low-code? What can we learn from past technology shifts to better address this one?

We have seen a similar change like this before, with the adoption of the public cloud. A few years ago, companies leveraging AWS, Azure, and GCP, among others, realized that even though cloud providers are heavily investing in the security of the platform, the consumers of these platforms own the applications’ logic, and therefore are responsible for the risks they introduce. This concept is commonly referred to as the Shared Responsibility Model, and organizations must own their part, or risk a potential breach. The same is true for low-code; organizations must own their part of the low-code shared responsibility model.

With regards to low-code applications, IT and security teams were left with an impossible decision: either enable the business, or maintain control. The business team needs to unleash thousands of new developers, solve thousands of use cases and move fast. IT/security teams need to maintain security, ensure business continuity and guarantee compliance.

Which decision has your organization made?

Introducing Zenity: An End-to-End Security Platform for Modern Business Applications

Zenity is the world’s first and only governance and security platform for low-code/no-code applications. It provides IT and security teams with the tools they need to discover, assess, govern and monitor applications across low-code platforms. With Zenity, IT and security teams can have their cake and eat it, too; they can enable the business while also staying secure.

IT/security teams can set guardrails, monitor and detect threats, intervene when needed and empower the business team. At the same time, business teams can unleash citizen developers, build with confidence, seamlessly comply with organizational policies and work together with IT. Zenity is the bridge that IT and business teams can use to work together and accelerate business transformation while maintaining control.

At Zenity, we are committed to helping our customers and the Infosec community at large to address the low-code security challenge. We invest in researching low-code platforms and their usage, mapping security threats and helping our customers to detect and mitigate threats to low-code applications. We are fortunate to be working with many Fortune 500 companies, seasoned industry experts and top VCs to tackle this emerging challenge.

If you’re interested in learning more about Zenity or being part of the low-code security movement, we invite you to reach out, subscribe to our newsletter, and follow us on social media.

Low-Code for Dummies - An Overview of Low-Code Through Examples

Preface

While the mission statement of the Zenity Low-Code Security Blog is to help organizations adopt low-code platforms securely and with confidence, we often find ourselves explaining basic low-code concepts and principles - mostly to those who are not familiar with the day-to-day low-code development process. Since our blog will cover many critical topics related to low-code security, we thought it would be beneficial for our readers to first get closely acquainted with low-code, and there’s no better way to do so than through real-world examples.

What's so special about Low-Code?

Low-code/no-code platforms continue to gain popularity, becoming the go-to technology enabling digital transformation. Low-code solves a whole range of business needs with the key commonality of providing quick, efficient and scalable solutions that can be built by the different business teams themselves. By bringing development closer to the business professional who feels the need most acutely, and even letting those business professionals develop themselves, low-code cuts communication costs and allows for fast and agile development.

If you are in a business role in your company, you’re probably very familiar with the frustration of having to wait for a professional developer or an IT expert to build some survey form to collect data, integrate several systems together in order to facilitate a business process, or even automate mundane tasks. These are exactly some of the most common use cases which drive organizations to adopt low-code.

Trying to create a comprehensive list of what people build with low-code would be as futile as trying to compile the same list for things built by professional developers or any other builder’s profession for that matter. We can however look at a few representative use cases to help us grasp what this technology can unlock for us. The purpose of this post is to do just that.

To provide some context and narrow down on a particular domain, we focus on corporate COVID-19 response, and how low-code came to the rescue.

Top low-code use cases

Use Case 1: Business process automation

Power Apps portals site used to check special cash payment application status, City of Kobe

With the COVID-19 crisis response, Japan announced a special cash payment program which allowed every citizen to apply for subsidies. Faced with a huge surge in citizens calling the city offices with inquiries about their application, City of Kobe officers realized they needed an efficient way to manage and track the status of these applications. They leveraged Power Platform, Microsoft’s low-code platform, to facilitate the entire process and create a self-service portal where citizens could quickly receive necessary information about the status of their application without calling city offices. The portal was soon in high demand, as stated by Microsoft:

“The development efforts started in April 2020 with each solution below taking less than two weeks to build. As of May 2020, they’ve been deployed to all citizens and accessed by thousands of users per day. The Power Apps portal solution hit peak usage of over 200K+ in a single day, and as of July 2020 has been averaging 35K+ page views per day.”

Of course, with a self-service portal that allows citizens to view their personal data, security of that data must be taken seriously. The City of Kobe had to make sure they configured their portals correctly to ensure that users can only access their own data.


Use Case 2: Integration and automation

When COVID-19 hit, vaccine maker Moderna quickly rose to the challenge, creating a vaccine to prevent infection and reduce severe illness. In order to operate as well as they did, Moderna opted for a cloud-first strategy for increased operational speed and agility. While using multiple SaaS services had great value for the business, it also introduced two key challenges: siloed data and user provisioning and deprovisioning. As Moderna put it:

Data integration and automation, Boomi

“The cloud helps Moderna accelerate learning, automate processes, and improve quality at scale. But to harness its full power, the firm needed to integrate its best-in-class, on-demand applications and data from multiple SaaS vendors.”

To solve their siloed data problem, Moderna leveraged boomi, a low-code platform focused on integration, to integrate and synchronize data between multiple parts of the business including budgeting, vendor payments and human resources management. 

Moderna also automated the flow of onboarding and offboarding new employees. 

Of course, automation and integration go hand-in-hand with paying close attention to the way user identity and authorization are used in the process. In order to get an automation working, for example, it is tempting to use personal credentials or admin rights, but the implications could be detrimental to an organization. An organization that is aware of the risk will be particular about users using service credentials only.

Thanks to low-code, Moderna was able to accelerate employee onboarding, increase business efficiency, scale operations and make data accessible internally.


Use Case 3: Rapid application development

During the pandemic, the need to reduce costs and deliver secure services with low-code technologies increased as agencies were, and still are, required to deliver new services rapidly for public safety. The U.S. Department of State (DoS) has leveraged the Now Platform by ServiceNow to distribute critical data to diplomats around the world. As principal deputy CIO of the U.S. State Department, Michael Mestrovich, stated in an interview with MeriTalk:

Rapid application development, ServiceNow

“These were big apps that tracked every country on the planet and what their Covid-19 requirements were. If you came from North America to Great Britain, would you need to quarantine? If you went from Great Britain to Germany, did you have to quarantine? If you did, what were the quarantine requirements? So, there’s a huge tracking mechanism that shows what phase these countries are in, what phase our posts are in, and the COVID requirements for each. All that was done through ServiceNow’s low-code platform.”

A crucial component to this critical information-providing application is ensuring that information can be edited only by authorized personnel. The Department of State had to make sure application permissions were in place to separate the users of the application from its content creators. 

The careful use of low-code has since allowed the DoS to evolve and adapt their application to the ever-changing landscape of COVID-19 response.


Summary

Low-code platforms are used in organizations to deliver faster, cheaper and more adaptive software. Business applications can be developed to target specific time-sensitive demands, and can scale up to tens of thousands of users in just a couple of weeks. This tremendous change to the software development lifecycle (SDLC) is at the heart of the low-code transformation, however, it is also its greatest risk. To leverage the full power of low-code without compromising on security, business teams must work together with security teams to understand, manage and address low-code’s intrinsic security risks.

Hackers Abuse Low-Code Platforms And Turn Them Against Their Owners

Low-code development platforms open the way for greater independence and efficiency for business users. Unfortunately, they sometimes also open the way for attackers, as a result of poor low-code security practices, especially as low-code application security tries to catch up with traditional application security.

Last year, Microsoft’s Detection and Response Team (DART) published the timeline of an attack which leveraged Power Platform, Microsoft's low-code platform. Using living-off-the-land techniques, the attackers were able to exfiltrate sensitive corporate data and maintain complete Office 365 access for 240 days!

This post presents an in-depth analysis of the attack. We will use the small bits and pieces of information (see end of post for a list of sources) that were published to try and understand what happened, and how users of low-code platforms can apply better security controls to prevent similar attacks from happening.

What happened?

As mentioned above, the attackers were able to maintain a persistent and complete Office 365 access for 240 days. During this time, the attackers were able to discover sensitive data, achieve strong persistence and exfiltrate data - all without the need to install any malware or access the corporate network. As traditional security solutions are based on either host or network agents, this type of attack was very hard to discover, to the extent that it took a security response team more than seven months to complete the investigation and oust the attacker.

Let’s start with a summary of the raw details:

Target: A “Large Multinational”
Adversary: Nation-state backed adversaries
Adversary reputation: This APT group targets organizations across multiple industries, including government agencies, financial institutions, and technology companies.
Entry point: Password spray
Exfiltration point: Microsoft Power Automate
Access level achieved: Office 365 Admin
Result: Systematic access and exfiltration of data as well as sensitive emails.
Time undetected: Unknown
Time persisted: 240 days
Time investigated: More than 7 months

As you can see, this attack went deep. Attackers were able to remain persistent within the environment for more than seven months while the security investigation was already ongoing. It is unclear how much time the attacker remained undetected before the investigation even started.

DART has published a slide which summarizes the chain of events:

Microsoft DART low-code security incident details report

Note that the attackers were able to execute an entire successful campaign without ever installing malware and hardly generating any network traffic directly. From the Cyber Kill-Chain perspective, the attackers started with #Delivery and #Exploitation via a Password Spray attack, skipped #Installation, and continued to leverage Office eDiscovery and Compliance Search for #Actions-On-Objective and Microsoft Power Automate for #Command-And-Control.

Many details are still missing, for example:

Let’s try to reproduce the attack and come up with possible answers as we go.

How did it happen? Reproducing the attack

Step 1: Obtain confidential information

Microsoft 365 compliance center offers eDiscovery tools to comply with legal requirements for identifying and delivering specific data across the Office suite. As Microsoft puts it:

“Electronic discovery, or eDiscovery, is the process of identifying and delivering electronic information that can be used as evidence in legal cases. You can use eDiscovery tools in Microsoft 365 to search for content in Exchange Online mailboxes, Microsoft 365 Groups, Microsoft Teams, SharePoint Online and OneDrive for Business sites, and Skype for Business conversations, and Yammer teams. You can search mailboxes and sites in the same eDiscovery search by using the Content Search tool. And you can use Core eDiscovery cases to identify, hold, and export content found in mailboxes and sites.”

There are two tools that allow you to search over the entire tenant’s data: Content Search and Core eDiscovery. While these are separate services solving different business use-cases, both have a very similar user experience and search across the entire Office suite, including Exchange mailboxes, Teams Messages, SharePoint sites and Skype for Business messages.

According to DART, the attackers used these built-in eDiscovery tools to perform precision searches for both passwords and intellectual property. Here are a few examples of harmful search queries:

Target: Password reset emails
Search: (subjecttitle:"password reset")(senderauthor:@microsoft.com)(senderauthor:@namecheap.com)(senderauthor:@godaddy.com)(senderauthor:@amazon.com)(senderauthor:@zapier.com)
Scope: Exchange emails

Target: Passwords shared between users
Search: password (c:s) username (c:s) client id (c:s) client secret (c:s) certificate (c:s) .ppk
Scope: Teams, Skype and Office 365 messages, and Exchange emails

Target: Legal documents
Search: (size>1048576)(filetype=docx)(filetype=pptx)(filetype=xlsx)(filetype=pdf)legal
Scope: OneDrive and SharePoint documents, and Exchange emails

Target: All communications to company CEO
Search: (recipients:ceo@company.com)
Scope: Teams, Skype and Office 365 messages, and Exchange emails

These are only a few examples, but they demonstrate the tremendous power that these tools provide. If such capabilities fall into the wrong hands, they can be abused to move laterally by acquiring new credentials, to obtain sensitive documents and to run a precision search that gathers all information about a single highly privileged account.

Once you create an eDiscovery search, you can export its results periodically. Microsoft documentation clearly states that automated export is not supported, which might be related to the incident we are exploring. Today, Microsoft offers the eDiscovery Export Tool to access search results. The results are stored in an Azure storage account prior to being downloaded with the aforementioned tool, providing an opportunity for the attacker to access the files automatically. For this post’s purposes, we assume an attacker can fetch search results via an authenticated HTTP(s) request.

We now have a way to obtain valuable confidential information. It’s time to exfiltrate it and automate the process.

Step 2: Automate exfiltration by "living-off-the-land"

Power Automate is Microsoft’s low-code automation tool. It is available by default for every Office 365 user and is conveniently plugged into Office, SharePoint, Teams and Microsoft Dynamics. As Microsoft puts it:

“Empower everyone to build automated processes with flows in Power Automate. Use low-code, drag-and-drop tools and hundreds of prebuilt connectors that automate repetitive, mundane tasks with ease.”

Indeed, Power Automate is a powerful tool that gives business users and developers alike the ability to automate tasks, connect services and streamline an entire business process without writing any code. Most things a developer can do with scripts are now possible for both developers and business users with low-code.

When unprotected, however, Microsoft Power Automate gives power into the hands of attackers. An attacker can create a scheduled flow, export query results from Microsoft Compliance Centers and store the results in their own Azure blob storage (or any other exfiltration endpoint).

A malicious low-code application

From the attacker’s perspective, Power Automate serves a dual purpose:

  1. Execute attack logic - instead of having to install malware on a compromised machine and risk detection by host-based security mechanisms, the attacker can leverage Office to orchestrate and run the malicious flow.
  2. Exfiltrate data - instead of having to find a route out of the corporate network while bypassing network security mechanisms, the attackers leverage an existing path to Office 365 and then use Office to send data elsewhere. Additionally, this method leaves no traces of the attack in the network logs, since Office is making all of the connections.

Preventing low-code platform abuse

Several things went terribly wrong in this attack. First and foremost, an administrator account should always have a strong password and have multi-factor authentication (MFA) enabled. This would have prevented access to Microsoft compliance center capabilities and thus drastically limited the blast radius of the attack. Moreover, a few key log streams were disabled, hampering the investigation.

However, even if the attackers were not able to compromise an administrator account, they could still compromise other users within the organization with the same password spray attack. The malicious use of low-code platforms demonstrated above could be part of any attack, providing the attackers with a way to orchestrate and execute their malicious operations and exfiltrate data, all without leaving any trace on a host machine or the corporate network. Anything a user has access to is up for grabs for the attacker to automate.

This malicious strategy could easily be used with other low-code platforms, including Salesforce, ServiceNow, Zapier, IFTTT, Workato and MuleSoft. 

While low-code platforms are not the only application development platforms that can be manipulated by attackers, they are particularly vulnerable to attack because low-code application security is still in its infancy, and organizations have yet to learn how to master low-code security best practices. 

Traditional application security and IT security solutions cannot be used for these modern low-code business applications, and the equivalents for low-code are only just emerging. Application and information security professionals often have lower awareness of the unique risks of low-code platforms - or they have a keen awareness, but their hands are tied for lack of appropriate governance tools. 

To prevent an attack like this or spot it as it unfolds, security teams must be familiar with the low-code platforms that are used within their organization and continuously monitor them for potential vulnerabilities and malicious activity. To succeed, they must realize that low-code is as much a revolution in SDLC as it is a new technology. They must also work alongside platform administrators to leverage platform governance capabilities that can restrict dangerous functionalities not required by users, like automated access to Office admin centers. 

As always, there is a delicate balance to strike between improving security posture and enabling business workflows.

Let's get practical

The following low-code platform security measures are simple fixes that you can (and should!) implement today:

  1. Ensure that your administration users have MFA enabled.
  2. Ensure that Office Audit Logs are enabled, including logs for Power Automate and Power App.
  3. Work with your Power Platform admins and consider restricting unused administrative connectors such as Power Platform for Admins, Power Automate for Admins, Power Apps for Admins, Microsoft 365 Compliance, Microsoft Defender ATP, Microsoft Security Graph, Azure AD, Azure AD Identity Protection and Security Center. 
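A detection pass over the audit streams that item 2 asks you to enable, added here as an example that is not from the original post: it correlates the chain this post describes (password spray, eDiscovery search and export, flow creation) across constructed Office 365 unified audit log records, in the shape of the AuditData JSON that Search-UnifiedAuditLog returns. Field names follow the unified audit log schema (CreationTime, Operation, Workload, UserId, ClientIP); the operation names, sample values and thresholds are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Operations treated as eDiscovery activity and as flow authoring (assumed names).
EDISCOVERY_OPS = {"SearchCreated", "SearchStarted", "SearchExported",
                  "New-ComplianceSearch", "New-ComplianceSearchAction"}
FLOW_OPS = {"CreateFlow", "EditFlow"}

# Constructed sample records: invented tenant, users, IPs and timestamps,
# one AuditData JSON object per line as exported from the unified audit log.
SAMPLE_AUDIT_LINES = """
{"CreationTime":"2021-03-01T02:10:05","Operation":"UserLoginFailed","Workload":"AzureActiveDirectory","UserId":"alice@example.com","ClientIP":"203.0.113.7"}
{"CreationTime":"2021-03-01T02:10:09","Operation":"UserLoginFailed","Workload":"AzureActiveDirectory","UserId":"bob@example.com","ClientIP":"203.0.113.7"}
{"CreationTime":"2021-03-01T02:10:14","Operation":"UserLoginFailed","Workload":"AzureActiveDirectory","UserId":"carol@example.com","ClientIP":"203.0.113.7"}
{"CreationTime":"2021-03-01T02:10:21","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"admin@example.com","ClientIP":"203.0.113.7"}
{"CreationTime":"2021-03-03T11:00:00","Operation":"SearchCreated","Workload":"SecurityComplianceCenter","UserId":"admin@example.com","ClientIP":"203.0.113.7"}
{"CreationTime":"2021-03-03T11:05:00","Operation":"SearchExported","Workload":"SecurityComplianceCenter","UserId":"admin@example.com","ClientIP":"203.0.113.7"}
{"CreationTime":"2021-03-04T09:30:00","Operation":"CreateFlow","Workload":"PowerAutomate","UserId":"admin@example.com","ClientIP":"203.0.113.7"}
{"CreationTime":"2021-03-04T10:00:00","Operation":"CreateFlow","Workload":"PowerAutomate","UserId":"dave@example.com","ClientIP":"198.51.100.4"}
{"CreationTime":"2021-03-05T08:00:00","Operation":"UserLoginFailed","Workload":"AzureActiveDirectory","UserId":"erin@example.com","ClientIP":"198.51.100.9"}
""".strip().splitlines()


def parse_records(lines):
    """Parse one JSON audit record per line and return them sorted by time."""
    records = []
    for line in lines:
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["CreationTime"])
        records.append(rec)
    records.sort(key=lambda r: r["time"])
    return records


def find_password_spray(records, threshold=3, window=timedelta(minutes=30)):
    """Return {ip: {"users", "first", "last"}} for source IPs whose failed logins
    hit at least `threshold` distinct accounts inside a sliding `window`.
    Thresholds are assumptions; tune them to your tenant's baseline."""
    failures = defaultdict(list)
    for r in records:
        if r["Operation"] == "UserLoginFailed":
            failures[r["ClientIP"]].append(r)
    sprays = {}
    for ip, recs in failures.items():
        for i, start in enumerate(recs):  # recs are already time-sorted
            in_window = [x for x in recs[i:] if x["time"] - start["time"] <= window]
            users = {x["UserId"] for x in in_window}
            if len(users) >= threshold:
                sprays[ip] = {"users": sorted(users), "first": start["time"],
                              "last": in_window[-1]["time"]}
                break
    return sprays


def find_exfil_chains(records, sprays, chain_window=timedelta(days=30)):
    """Alert when an account logs in from a spraying IP and, within `chain_window`
    of that login, both touches eDiscovery and creates or edits a flow: the same
    sequence DART reported (spray -> compliance search -> Power Automate)."""
    alerts = []
    for ip, spray in sprays.items():
        logins = [r for r in records if r["Operation"] == "UserLoggedIn"
                  and r["ClientIP"] == ip and r["time"] >= spray["first"]]
        for login in logins:
            user = login["UserId"]
            later = [r for r in records if r["UserId"] == user
                     and login["time"] <= r["time"] <= login["time"] + chain_window]
            ediscovery = [r["Operation"] for r in later if r["Operation"] in EDISCOVERY_OPS]
            flows = [r["Operation"] for r in later if r["Operation"] in FLOW_OPS]
            if ediscovery and flows:
                alerts.append({"user": user, "source_ip": ip, "login": login["time"],
                               "ediscovery_ops": ediscovery, "flow_ops": flows})
    return alerts


if __name__ == "__main__":
    recs = parse_records(SAMPLE_AUDIT_LINES)
    for alert in find_exfil_chains(recs, find_password_spray(recs)):
        print("ALERT: eDiscovery-to-flow chain after password spray:", alert)
```

Dave's flow creation from an unrelated IP is deliberately not flagged: flow authoring alone is normal citizen-developer activity, and the signal comes from the sequence.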

Low-code platforms are an amazing tool with tremendous ROI potential for the organizations that use them, which is one of the reasons why adoption is increasing so rapidly. To make sure you get the benefits of low-code without opening your organization to increased risk of attack, be aware of the issues. Set your priorities on putting appropriate security, visibility and governance strategies into place, so that you can open the door to business efficiency and growth, while closing the door to attackers.  

Sources

Low-Code SDLC - Build Fast, Stay Secure

Low-code application development provides a solution for a wide range of business needs, from business applications through process automation and integrations. Low-code platforms are becoming a key technology behind the ongoing digital transformation trend, and as such, adoption of low-code platforms is soaring. However, low-code is as much a revolution as it is an exciting new technology. Low-code development democratizes application development and makes the process faster, cheaper and more aligned with the business.

Low-code Security - Awareness is Key

Low-code application development drastically reduces the number of stakeholders involved throughout the software development lifecycle (SDLC) process, increasing velocity and productivity. At the same time, low-code development creates new challenges to governance and security. In order to avoid introducing security vulnerabilities into low-code applications, security teams, business users and citizen developers must first be aware of the relevant low-code application security risks and how to overcome them. As you will soon see, this is especially important given the substantial difference between traditional SDLC process and that of low-code application development.   

Building Software - The Traditional SDLC Style

The software development lifecycle (SDLC) process provides a high-level description of the steps required to design, implement and maintain software. It has been molded, reshaped and fine-tuned over the years to create agile, high-quality and secure software.

The Software Development Lifecycle (SDLC)

As an example, let’s say an organization wants to develop a simple integration between two systems - e.g. notifying a Slack channel whenever a new file has been added to a specific Google Drive folder. 

With traditional software development, the development process is done by a team of professional developers, and would be along the lines of the following:

  1. Envision - The business stakeholder defines the needs and the scope of the solution.
  2. Plan - The product manager creates specifications in collaboration with the business stakeholder and the development team. Once approved, the developer creates a design that satisfies the specification. The design is then reviewed with the development team, product manager, business stakeholder and IT / privacy / security teams.
  3. Create - Developers are assigned to build the solution according to the design.
  4. Verify - QA teams are assigned to test the automation with manual and automated testing.
  5. Deploy - DevOps teams instrument the automation with monitoring capabilities and release the automation.
  6. Monitor - DevOps teams continuously monitor the automation to validate it is working properly.
  7. Manage - In case of an issue or a change in requirements, DevOps and development teams drive the mitigation with well-defined SLAs.

Note that every time ownership of a project changes hands, new stakeholders are onboarded and their efforts are prioritized.

As mentioned above and demonstrated in this example, the SDLC process assures that all business aspects are taken into consideration when building software. Well-architected design, enterprise governance, security, maintainability and quality are built into the process.

The main drawback of the traditional SDLC process is that it is prone to stray from the original intentions of the business stakeholder, as information might get lost in translation. It can also be wasteful in terms of time. Software development methodologies like Agile aim to ease those pains by reducing the size of each project that goes through this process, but the inherent problems still remain.

Building Software - The Low-Code Way

Now let’s look at the same requirements, through the low-code lens. Low-code development provides an alternative to pro-code (traditional) development, which satisfies business requirements without competing for IT / development resources. Here is the same development process, but this time, adjusted for low-code development:

  1. Envision - The business stakeholder defines the needs and the scope of the solution.
  2. Create, Verify, Deploy - The business stakeholders use low-code platforms, designed to be user-friendly for non-developers. They create the automation, manually test it to verify it works and seamlessly deploy it to a cloud runtime environment, oftentimes without even knowing or caring what a cloud runtime environment is.

This process varies between organizations. For example, in some organizations, the business stakeholder might reach out to an automation expert within their department or within the Digital Transformation department to create their automation.

As you can immediately see, the low-code development process is much shorter. It involves fewer people and can even be accomplished by a single professional. This dramatically reduces time-to-feature and the use of development resources. It also ensures business stakeholders get solutions to their needs, with a lot less hassle.

It should be noted that a few key steps of the SDLC are missing, namely Plan, Monitor and Manage. Low-code platforms provide tools that can help with these steps, but it is still up to the low-code developer to use them correctly. Moreover, these steps require either a high level of expertise (e.g. security and compliance review) or a different mode of operation, for example - monitoring and maintaining software.

Traditional SDLC vs. Low-code Development

These two development processes are optimized for different goals. Low-code development is optimized for development velocity and alignment with business goals by putting more power in the hands of business stakeholders and digital transformation offices. On the other hand, traditional software development is optimized for quality, security and maintainability. It leverages multiple viewpoints from different stakeholders which verify that all aspects of software development are considered.

Low-code development adds tremendous value to organizations, especially the ones going through digital transformation. However, organizations cannot afford to lose their governance capabilities, security assurances or software maintainability. These challenges must be met with dedicated solutions that do not rely on or interfere with the work of low-code developers. Instead, they must enable working alongside developers to help them follow the paved road. For low-code to reach its full potential, organizations must be able to unleash their citizen developers without compromising secure software development.

Keeping an Eye on Low-Code Security Concerns

To summarize, while low-code development removes a lot of the obstacles associated with traditional software development lifecycle processes, it also introduces new concerns related to the governance and security aspects of low-code application development, partly because not enough stakeholders with security and compliance expertise are involved in the process. There are fewer checkpoints along the way from inception to deployment, and in turn, fewer opportunities to verify and validate that what’s being built adheres to corporate security standards. Given that low-code development processes are not likely to change anytime soon, the best approach organizations can take is to provide citizen developers with the necessary low-code security education, make them aware of low-code risks and concerns, and provide them with the necessary tools to develop secure low-code applications.