Introducing the Zenity Attack Graph: Visualize Low-Code/No-Code Security Risk with Full Context

Introduction

On paper, applications are created to be useful tools that solve specific business needs. Think of an application that tracks all ongoing projects for a product manager, an automation that triggers emails to prospective customers when they fill out a marketing form, or a flow that sends aggregated payment information to a finance manager. While all these applications are fairly straightforward, and seemingly used for singular cases, they are anything but. Any business application, whether used on a macro-level (think an email application, or a CRM), or a micro-level (an aforementioned marketing automation application), is used to send, process, and/or store data that can be used across a multitude of user groups, departments, and services. How these applications interact with different systems, data, and other applications, is part of the application development process, and checked throughout the software development lifecycle. 

However, the introduction of low-code/no-code development tools, like Microsoft Power Platform, Salesforce, ServiceNow, and countless others, has democratized and sped up application development so that anyone can create an application in the blink of an eye. The productivity gains are massive, but the security and compliance challenges are immense. This is only exacerbated by the insertion of generative AI copilots. To ensure that compliance is met, and security is upheld, application security teams need ways to determine relationships between applications, data, and systems, which becomes increasingly challenging as app development time is reduced by 90%, and low-code/no-code applications are created at a 4x rate of traditionally developed apps.

To empower organizations in this crucial endeavor, we are excited to introduce our newest enhancement to the Zenity platform, the Attack Graph. The Zenity Attack Graph sheds light on the relationships that applications developed using low-code/no-code platforms have with supporting objects like data connections, frontend components (i.e. PCFs or customer connectors), and others to best illustrate and prioritize the risk. 

Simplifying Security Complexity

Due to the volume and speed at which apps and automations are created, security teams need ways to simplify their ability to manage low-code/no-code development. AppSec teams, with many tools to choose from and alerts to sort through, are forced to unravel and mitigate the risk of all applications that are created by various members of the organization, sort through the most pressing matters, and act accordingly. 

By harnessing the power of the Attack Graph, Zenity customers are able to easily visualize  a thorough view of relationships that a given application has with other data objects, and allows security professionals to identify, assess, and remediate risks with clarity and precision.

zenity attack graph dashboard

In the above example, it is easy to see the intuitive relationship between two active data connections, ‘Outlook’ and ‘Gmail’ that are both connected to an automation called “Auto-Copy to Gmail.” This is a very common use-case for automations built using low-code/no-code platforms, where data is moved from a corporate account to an external, or personal account. While sometimes sensible and practical, when adopted by additional users with additional use cases, this is likely to present a huge risk for data leaks. This is especially dangerous if this automation is responsible for handling sensitive data, which it likely would, given it processes data coming to and from emails which can lead to audit failures, data exfiltration, and more.

Visualizing Low-Code/No-Code Development Risks

Traditionally, the process of identifying security risks in developed applications relied on piecing together disparate information from various sources. This would typically need to determine the type of data the application is processing, who has access to that application, if the application moves data (and where), if it is publicly facing, if it handles sensitive data, and more. There is not one tool that handles all of these checks, but for traditional applications, code scanning is a good place to start. For low-code/no-code development, the risks come from the context of where that application exists, who can use it, what data it touches, and more. Answering these questions is a hard task even for a seasoned AppSec analyst because of the sheer volume and speed of the applications being created, not to mention the fact that there is no ‘code’ to analyze and scan. 

With the introduction of the Zenity Attack Graph, AppSec teams gain context and visibility within an intuitive interface that illuminates potential risks. Security practitioners can now explore the risks that exist within each created application including associations like role-based access control (RBAC) of the application or automation, what business data it processes, where is data flowing (both inside and outside the organization) and more, in an intuitive manner.

This new feature provides valuable context by illustrating how individual applications and automations interact and depend on other objects common within low-code/no-code platforms, such as data connections, custom connectors or custom code components. A simple example to demonstrate this can be a faulty data connection which is vastly used across the business, with the graph you can easily see the risk sprawl for other low-code/no-code applications using this data connection.  

This can be illustrated by an automation that moves data to an unmanaged endpoint outside the organization domain, for example a vulnerable FTP server.

Enhancing Incident Response

When a security incident occurs, having a comprehensive understanding of application relationships is key. The Attack Graph enables security teams to swiftly trace the incident’s root cause, assess its impact on other applications and resources, and develop targeted remediation strategies. For example, an organization had a data leakage incident from one of the low-code/no-code applications that was developed. Now, with Zenity, it is very simple and intuitive to know who had access to the application, as well as who had access to this sensitive data, which empowers security teams to respond to incidents effectively and minimize potential damage.

Conclusion

Understanding the complex web of applications, automations, data connections, and the varying relationships between resources is crucial for effective risk management and compliance strategy. With the introduction of the Zenity Attack Graph, security teams gain  a new level of insights and context that they can apply to cross-platform low-code/no-code development. By visualizing application relationships, data flows, and their associated risks, organizations can prioritize remediation efforts, enhance incident response, and foster collaborative security practices. 

At Zenity, we are committed to simplifying application security, empowering organizations to unleash citizen development, while safeguarding their digital assets with confidence.

Subscribe to Newsletter

Keep informed of all the latest news and notes within the world of securing and governing citizen development

Thanks for registering to the Zenity newsletter.

We are sure that you will like it and are looking forward to seeing you again soon.