Sure, Let Business Users Build Their Own. What Could Go Wrong?

Presented at BSidesLV 2023, Aug. 9, 2023, 5 p.m. (Unknown duration).

Business professionals are tired of waiting for IT to address their needs. Instead, they are building their own applications with low-code / no-code platforms. Recent surveys show that most enterprise apps are now built outside of IT by business professionals who hold no previous experience in building software. Enterprises are placing developer-level power in the hands of 100x new business developers.. What could go wrong? In short, everything. In this presentation, we will share extensive research on the security of low-code / no-code applications based on scanning >100K applications across hundreds of enterprise environments. We will demonstrate how most applications get identity, access and data flow wrong, cover a wide range of security issues found in real environments, and share their backstories and implications. Finally, we will share the OWASP Low-Code / No-Code Top 10, the first-ever security framework for categorization and mitigation of common security issues with business-led development. We will illustrate why the involvement of AppSec teams is desperately missing from business-led development, and share stories about organizations that got it right.

Presenters:

  • Michael Bargury
    Michael Bargury is a security researcher passionate about all things related to cloud, SaaS and low-code security, and spends his time finding ways they could go wrong. He is the Co-Founder and CTO of Zenity, where he helps companies secure their low-code/no-code apps. In the past, he headed security product efforts at Azure focused on IoT, APIs and IaC. He also leads the OWASP low-code security project and writes about it on DarkReading. Michael is a regular speaker at RSAC, OWASP, BSides and DEFCON.

Links:

Similar Presentations: