The Challenges of AI Security Begin With Defining It Permalink
Security for AI is the Next Big Thing! Too bad no one knows what any of that really means.
By topic
- DarkReading 22
- No Code 20
- Low Code 18
- Hacking 16
- Red Team 15
- Microsoft 13
- Citizen Development 12
- Vulnerability Management 11
- AI 10
- Application Security 9
- Vulnerability Disclosure 8
- Media 8
- Security Governance 6
- Cloud Security 4
- BlackHat 4
- IAM 3
- Zapier 3
- SDLC 2
- Threat Intel 2
- SaaS 2
- AAD / EntraID 2
- Risk Management 1
- Windows 1
- RPA 1
- Formal Verification 1
- Password Management 1
- TheRegister 1
- OWASP 1
- RSAC 1
DarkReading
Move Fast and Break the Enterprise With AI Permalink
The tantalizing promise of true artificial intelligence, or at least decent machine learning, has whipped into a gallop large organizations not built for spe...
Enterprise Generative AI Enters Its Citizen Development Era Permalink
Business users are building Copilots and GPTs with enterprise data. What can security teams do about it?
Security Must Empower AI Developers Now Permalink
Enterprises need to create a secure structure for tracking, assessing, and monitoring their growing stable of AI business apps.
Security Conferences Keep Us Honest Permalink
Conferences are where vendors and security researchers meet face to face to address problems and discuss solutions — despite the risks associated with public...
Rogue Azure AD Guests Can Steal Data via Power Apps Permalink
A few default guest setting manipulations in Azure AD and over-promiscuous low-code app developer connections can upend data protections.
Remediation Ballet Is a Pas de Deux of Patch and Performance Permalink
AI-generated code promises quicker fixes for vulnerabilities, but ultimately developers and security teams must balance competing interests.
Generative AI Empowers Users but Challenges Security Permalink
With the introduction of generative AI, even more business users are going to create low-code/no-code applications. Prepare to protect them.
Where There’s No Code, There’s No SDLC Permalink
How can we build security back into software development in a low-code/no-code environment?
AI Has Your Business Data Permalink
No-code has lowered the barrier for non-developers to create applications. Artificial intelligence will completely eliminate it.
Despite Breach, LastPass Demonstrates the Power of Password Management Permalink
What’s scarier than keeping all of your passwords in one place and having that place raided by hackers? Maybe reusing insecure passwords.
No One Wants to Be Governed, Everyone Wants to Be Helped Permalink
Here’s how a security team can present itself to citizen developers as a valuable resource rather than a bureaucratic roadblock.
Are 100% Security Guarantees Possible? Permalink
Large vendors are commoditizing capabilities that claim to provide absolute security guarantees backed up by formal verification. How significant are these p...
Major Security Breach From Business Users’ Low-Code Apps Could Come in 2023, Analysts Warn Permalink
Here’s what that means about our current state as an industry, and why we should be happy about it.
Embracing the Next Generation of Business Developers Permalink
Security teams that embrace low-code/no-code can change the security mindset of business users.
We’re Thinking About SaaS the Wrong Way Permalink
Many enterprise applications are built outside of IT, but we still treat the platforms they’re built with as point solutions.
3 Ways No-Code Developers Can Shoot Themselves in the Foot Permalink
Low/no-code tools allow citizen developers to design creative solutions to address immediate problems, but without sufficient training and oversight, the tec...
Watch Out for User Impersonation in Low-Code/No-Code Apps Permalink
How a well-meaning employee could unwittingly share their identity with other users, causing a whole range of problems across IT, security, and the business.
Credential Sharing as a Service: The Hidden Risk of Low-Code/No-Code Permalink
Low-code/no-code platforms allow users to embed their existing user identities within an application, increasing the risk of credentials leakage.
You Can’t Opt Out of Citizen Development Permalink
To see why low-code/no-code is inevitable, we need to first understand how it finds its way into the enterprise.
Why So Many Security Experts Are Concerned About Low-Code/No-Code Apps Permalink
IT departments must account for the business impact and security risks such applications introduce.
Addressing the Low-Code Security Elephant in the Room Permalink
The danger of anyone being able to spin up new applications is that few are thinking about security. Here’s why everyone is responsible for the security of l...
No Code
Where There’s No Code, There’s No SDLC Permalink
How can we build security back into software development in a low-code/no-code environment?
AI Has Your Business Data Permalink
No-code has lowered the barrier for non-developers to create applications. Artificial intelligence will completely eliminate it.
No One Wants to Be Governed, Everyone Wants to Be Helped Permalink
Here’s how a security team can present itself to citizen developers as a valuable resource rather than a bureaucratic roadblock.
Major Security Breach From Business Users’ Low-Code Apps Could Come in 2023, Analysts Warn Permalink
Here’s what that means about our current state as an industry, and why we should be happy about it.
Embracing the Next Generation of Business Developers Permalink
Security teams that embrace low-code/no-code can change the security mindset of business users.
ZAPESCAPE: Vulnerability Disclosure Permalink
This document is the vulnerability disclosure report once the vulnerability was discovered.
ZAPESCAPE: Organization-wide control over Code by Zapier Permalink
In the middle of March 2022, Zenity research team discovered a sandbox-escape vulnerability in Code by Zapier, a service used by Zapier to execute custom cod...
3 Ways No-Code Developers Can Shoot Themselves in the Foot Permalink
Low/no-code tools allow citizen developers to design creative solutions to address immediate problems, but without sufficient training and oversight, the tec...
Watch Out for User Impersonation in Low-Code/No-Code Apps Permalink
How a well-meaning employee could unwittingly share their identity with other users, causing a whole range of problems across IT, security, and the business.
Zapier Storage Exposes Sensitive Customer Data Due to Poor User Choices Permalink
Zenity research team discovers a vulnerability in Zapier’s storage solution that exposes sensitive customer data. Despite Zapier’s efforts to mitigate the is...
Credential Sharing as a Service: The Hidden Risk of Low-Code/No-Code Permalink
Low-code/no-code platforms allow users to embed their existing user identities within an application, increasing the risk of credentials leakage.
Microsoft Power Pages: Low-code Misconfiguration Remains a Top Security Risk Permalink
Despite Microsoft’s efforts to enhance security features, the Zenity research team found that Power Pages is still prone to security risks due to misconfigur...
You Can’t Opt Out of Citizen Development Permalink
To see why low-code/no-code is inevitable, we need to first understand how it finds its way into the enterprise.
Why So Many Security Experts Are Concerned About Low-Code/No-Code Apps Permalink
IT departments must account for the business impact and security risks such applications introduce.
Addressing the Low-Code Security Elephant in the Room Permalink
The danger of anyone being able to spin up new applications is that few are thinking about security. Here’s why everyone is responsible for the security of l...
The Microsoft Power Apps Portal Data Leak Revisited: Are You Safe Now? Permalink
In late August 2021, a data leak exposed 38 million private records via Microsoft’s Power Apps portals. Discovered by UpGuard, this misconfiguration is one o...
The 7 Deadly Sins of Low-Code Security and How to Avoid Them Permalink
Seven significant security risks in low-code development, such as insecure authentication and data leakage plus practical advice for mitigating these vulnera...
Low-Code for Dummies – An Overview of Low-Code Through Examples Permalink
Clear examples of why low-code / no-code is so cool.
Hackers Abuse Low-Code Platforms And Turn Them Against Their Owners Permalink
Last year, Microsoft’s Detection and Response Team (DART) published the timeline of an attack which leveraged Power Platform, Microsoft’s low-code platform. ...
Low-Code SDLC – Build Fast, Stay Secure Permalink
Low-code application development provides a solution for a wide range of business needs, from business applications through process automation and integratio...
Low Code
M365 guest accounts + Power Apps = security nightmare Permalink
A login, a PA trial license, and some good old hacking are all that’s needed to nab SQL databases
Where There’s No Code, There’s No SDLC Permalink
How can we build security back into software development in a low-code/no-code environment?
AI Has Your Business Data Permalink
No-code has lowered the barrier for non-developers to create applications. Artificial intelligence will completely eliminate it.
Major Security Breach From Business Users’ Low-Code Apps Could Come in 2023, Analysts Warn Permalink
Here’s what that means about our current state as an industry, and why we should be happy about it.
We’re Thinking About SaaS the Wrong Way Permalink
Many enterprise applications are built outside of IT, but we still treat the platforms they’re built with as point solutions.
ZAPESCAPE: Vulnerability Disclosure Permalink
This document is the vulnerability disclosure report once the vulnerability was discovered.
ZAPESCAPE: Organization-wide control over Code by Zapier Permalink
In the middle of March 2022, Zenity research team discovered a sandbox-escape vulnerability in Code by Zapier, a service used by Zapier to execute custom cod...
Watch Out for User Impersonation in Low-Code/No-Code Apps Permalink
How a well-meaning employee could unwittingly share their identity with other users, causing a whole range of problems across IT, security, and the business.
Zapier Storage Exposes Sensitive Customer Data Due to Poor User Choices Permalink
Zenity research team discovers a vulnerability in Zapier’s storage solution that exposes sensitive customer data. Despite Zapier’s efforts to mitigate the is...
Credential Sharing as a Service: The Hidden Risk of Low-Code/No-Code Permalink
Low-code/no-code platforms allow users to embed their existing user identities within an application, increasing the risk of credentials leakage.
Microsoft Power Pages: Low-code Misconfiguration Remains a Top Security Risk Permalink
Despite Microsoft’s efforts to enhance security features, the Zenity research team found that Power Pages is still prone to security risks due to misconfigur...
Why So Many Security Experts Are Concerned About Low-Code/No-Code Apps Permalink
IT departments must account for the business impact and security risks such applications introduce.
Addressing the Low-Code Security Elephant in the Room Permalink
The danger of anyone being able to spin up new applications is that few are thinking about security. Here’s why everyone is responsible for the security of l...
The Microsoft Power Apps Portal Data Leak Revisited: Are You Safe Now? Permalink
In late August 2021, a data leak exposed 38 million private records via Microsoft’s Power Apps portals. Discovered by UpGuard, this misconfiguration is one o...
The 7 Deadly Sins of Low-Code Security and How to Avoid Them Permalink
Seven significant security risks in low-code development, such as insecure authentication and data leakage plus practical advice for mitigating these vulnera...
Low-Code for Dummies – An Overview of Low-Code Through Examples Permalink
Clear examples of why low-code / no-code is so cool.
Hackers Abuse Low-Code Platforms And Turn Them Against Their Owners Permalink
Last year, Microsoft’s Detection and Response Team (DART) published the timeline of an attack which leveraged Power Platform, Microsoft’s low-code platform. ...
Low-Code SDLC – Build Fast, Stay Secure Permalink
Low-code application development provides a solution for a wide range of business needs, from business applications through process automation and integratio...
Hacking
Safe Web Browsing for Copilots
Allowing a copilot to search the web at will is extremely dangerous. Here are two somewhat-understood vulnerabilities and how to mitigate them. Note: this is...
Power Platform DLP Bypass via Copy-And-Paste
Last August I gave a talk at BlackHat USA titled All You Need Is Guest. In it, I showed how simple guest access to EntraID could be escalated into full contr...
All You Need Is Guest
This is a long overdue blog version of a talk I gave at BlackHat USA 2023 titled All You Need Is Guest. Slides and video recording are available as well.
Copilot exfiltrates High Restricted SharePoint files to any user on the Internet, no auth required
Microsoft Copilot Studio allows users to quickly build enterprise Copilots on top of their business data. Every enterprise user can now plug enterprise data ...
Security Conferences Keep Us Honest Permalink
Conferences are where vendors and security researchers meet face to face to address problems and discuss solutions — despite the risks associated with public...
M365 guest accounts + Power Apps = security nightmare Permalink
A login, a PA trial license, and some good old hacking are all that’s needed to nab SQL databases
Rogue Azure AD Guests Can Steal Data via Power Apps Permalink
A few default guest setting manipulations in Azure AD and over-promiscuous low-code app developer connections can upend data protections.
ZAPESCAPE: Vulnerability Disclosure Permalink
This document is the vulnerability disclosure report once the vulnerability was discovered.
ZAPESCAPE: Organization-wide control over Code by Zapier Permalink
In the middle of March 2022, Zenity research team discovered a sandbox-escape vulnerability in Code by Zapier, a service used by Zapier to execute custom cod...
A Windows 11 Automation Tool Can Easily Be Hijacked Permalink
Hackers can use Microsoft’s Power Automate to push out ransomware and key loggers—if they get machine access first.
Watch Out for User Impersonation in Low-Code/No-Code Apps Permalink
How a well-meaning employee could unwittingly share their identity with other users, causing a whole range of problems across IT, security, and the business.
Zapier Storage Exposes Sensitive Customer Data Due to Poor User Choices Permalink
Zenity research team discovers a vulnerability in Zapier’s storage solution that exposes sensitive customer data. Despite Zapier’s efforts to mitigate the is...
Credential Sharing as a Service: The Hidden Risk of Low-Code/No-Code Permalink
Low-code/no-code platforms allow users to embed their existing user identities within an application, increasing the risk of credentials leakage.
Microsoft Power Pages: Low-code Misconfiguration Remains a Top Security Risk Permalink
Despite Microsoft’s efforts to enhance security features, the Zenity research team found that Power Pages is still prone to security risks due to misconfigur...
The Microsoft Power Apps Portal Data Leak Revisited: Are You Safe Now? Permalink
In late August 2021, a data leak exposed 38 million private records via Microsoft’s Power Apps portals. Discovered by UpGuard, this misconfiguration is one o...
Hackers Abuse Low-Code Platforms And Turn Them Against Their Owners Permalink
Last year, Microsoft’s Detection and Response Team (DART) published the timeline of an attack which leveraged Power Platform, Microsoft’s low-code platform. ...
Red Team
Safe Web Browsing for Copilots
Allowing a copilot to search the web at will is extremely dangerous. Here are two somewhat-understood vulnerabilities and how to mitigate them. Note: this is...
Power Platform DLP Bypass via Copy-And-Paste
Last August I gave a talk at BlackHat USA titled All You Need Is Guest. In it, I showed how simple guest access to EntraID could be escalated into full contr...
All You Need Is Guest
This is a long overdue blog version of a talk I gave at BlackHat USA 2023 titled All You Need Is Guest. Slides and video recording are available as well.
Copilot exfiltrates High Restricted SharePoint files to any user on the Internet, no auth required
Microsoft Copilot Studio allows users to quickly build enterprise Copilots on top of their business data. Every enterprise user can now plug enterprise data ...
M365 guest accounts + Power Apps = security nightmare Permalink
A login, a PA trial license, and some good old hacking are all that’s needed to nab SQL databases
Rogue Azure AD Guests Can Steal Data via Power Apps Permalink
A few default guest setting manipulations in Azure AD and over-promiscuous low-code app developer connections can upend data protections.
ZAPESCAPE: Vulnerability Disclosure Permalink
This document is the vulnerability disclosure report once the vulnerability was discovered.
ZAPESCAPE: Organization-wide control over Code by Zapier Permalink
In the middle of March 2022, Zenity research team discovered a sandbox-escape vulnerability in Code by Zapier, a service used by Zapier to execute custom cod...
A Windows 11 Automation Tool Can Easily Be Hijacked Permalink
Hackers can use Microsoft’s Power Automate to push out ransomware and key loggers—if they get machine access first.
Watch Out for User Impersonation in Low-Code/No-Code Apps Permalink
How a well-meaning employee could unwittingly share their identity with other users, causing a whole range of problems across IT, security, and the business.
Zapier Storage Exposes Sensitive Customer Data Due to Poor User Choices Permalink
Zenity research team discovers a vulnerability in Zapier’s storage solution that exposes sensitive customer data. Despite Zapier’s efforts to mitigate the is...
Credential Sharing as a Service: The Hidden Risk of Low-Code/No-Code Permalink
Low-code/no-code platforms allow users to embed their existing user identities within an application, increasing the risk of credentials leakage.
Microsoft Power Pages: Low-code Misconfiguration Remains a Top Security Risk Permalink
Despite Microsoft’s efforts to enhance security features, the Zenity research team found that Power Pages is still prone to security risks due to misconfigur...
The Microsoft Power Apps Portal Data Leak Revisited: Are You Safe Now? Permalink
In late August 2021, a data leak exposed 38 million private records via Microsoft’s Power Apps portals. Discovered by UpGuard, this misconfiguration is one o...
Hackers Abuse Low-Code Platforms And Turn Them Against Their Owners Permalink
Last year, Microsoft’s Detection and Response Team (DART) published the timeline of an attack which leveraged Power Platform, Microsoft’s low-code platform. ...
Microsoft
Safe Web Browsing for Copilots
Allowing a copilot to search the web at will is extremely dangerous. Here are two somewhat-understood vulnerabilities and how to mitigate them. Note: this is...
Power Platform DLP Bypass via Copy-And-Paste
Last August I gave a talk at BlackHat USA titled All You Need Is Guest. In it, I showed how simple guest access to EntraID could be escalated into full contr...
All You Need Is Guest
This is a long overdue blog version of a talk I gave at BlackHat USA 2023 titled All You Need Is Guest. Slides and video recording are available as well.
Copilot exfiltrates High Restricted SharePoint files to any user on the Internet, no auth required
Microsoft Copilot Studio allows users to quickly build enterprise Copilots on top of their business data. Every enterprise user can now plug enterprise data ...
Security Conferences Keep Us Honest Permalink
Conferences are where vendors and security researchers meet face to face to address problems and discuss solutions — despite the risks associated with public...
My intense 2am conversation with MSRC a week before BlackHat
Research as usual
M365 guest accounts + Power Apps = security nightmare Permalink
A login, a PA trial license, and some good old hacking are all that’s needed to nab SQL databases
Rogue Azure AD Guests Can Steal Data via Power Apps Permalink
A few default guest setting manipulations in Azure AD and over-promiscuous low-code app developer connections can upend data protections.
AI Has Your Business Data Permalink
No-code has lowered the barrier for non-developers to create applications. Artificial intelligence will completely eliminate it.
A Windows 11 Automation Tool Can Easily Be Hijacked Permalink
Hackers can use Microsoft’s Power Automate to push out ransomware and key loggers—if they get machine access first.
Microsoft Power Pages: Low-code Misconfiguration Remains a Top Security Risk Permalink
Despite Microsoft’s efforts to enhance security features, the Zenity research team found that Power Pages is still prone to security risks due to misconfigur...
The Microsoft Power Apps Portal Data Leak Revisited: Are You Safe Now? Permalink
In late August 2021, a data leak exposed 38 million private records via Microsoft’s Power Apps portals. Discovered by UpGuard, this misconfiguration is one o...
Hackers Abuse Low-Code Platforms And Turn Them Against Their Owners Permalink
Last year, Microsoft’s Detection and Response Team (DART) published the timeline of an attack which leveraged Power Platform, Microsoft’s low-code platform. ...
Citizen Development
The Challenges of AI Security Begin With Defining It Permalink
Security for AI is the Next Big Thing! Too bad no one knows what any of that really means.
Move Fast and Break the Enterprise With AI Permalink
The tantalizing promise of true artificial intelligence, or at least decent machine learning, has whipped into a gallop large organizations not built for spe...
Enterprise Generative AI Enters Its Citizen Development Era Permalink
Business users are building Copilots and GPTs with enterprise data. What can security teams do about it?
Generative AI Empowers Users but Challenges Security Permalink
With the introduction of generative AI, even more business users are going to create low-code/no-code applications. Prepare to protect them.
Where There’s No Code, There’s No SDLC Permalink
How can we build security back into software development in a low-code/no-code environment?
AI Has Your Business Data Permalink
No-code has lowered the barrier for non-developers to create applications. Artificial intelligence will completely eliminate it.
No One Wants to Be Governed, Everyone Wants to Be Helped Permalink
Here’s how a security team can present itself to citizen developers as a valuable resource rather than a bureaucratic roadblock.
Embracing the Next Generation of Business Developers Permalink
Security teams that embrace low-code/no-code can change the security mindset of business users.
3 Ways No-Code Developers Can Shoot Themselves in the Foot Permalink
Low/no-code tools allow citizen developers to design creative solutions to address immediate problems, but without sufficient training and oversight, the tec...
You Can’t Opt Out of Citizen Development Permalink
To see why low-code/no-code is inevitable, we need to first understand how it finds its way into the enterprise.
Low-Code for Dummies – An Overview of Low-Code Through Examples Permalink
Clear examples of why low-code / no-code is so cool.
Low-Code SDLC – Build Fast, Stay Secure Permalink
Low-code application development provides a solution for a wide range of business needs, from business applications through process automation and integratio...
Vulnerability Management
My intense 2am conversation with MSRC a week before BlackHat
Research as usual
Remediation Ballet Is a Pas de Deux of Patch and Performance Permalink
AI-generated code promises quicker fixes for vulnerabilities, but ultimately developers and security teams must balance competing interests.
ZAPESCAPE: Vulnerability Disclosure Permalink
This document is the vulnerability disclosure report once the vulnerability was discovered.
ZAPESCAPE: Organization-wide control over Code by Zapier Permalink
In the middle of March 2022, Zenity research team discovered a sandbox-escape vulnerability in Code by Zapier, a service used by Zapier to execute custom cod...
3 Ways No-Code Developers Can Shoot Themselves in the Foot Permalink
Low/no-code tools allow citizen developers to design creative solutions to address immediate problems, but without sufficient training and oversight, the tec...
Watch Out for User Impersonation in Low-Code/No-Code Apps Permalink
How a well-meaning employee could unwittingly share their identity with other users, causing a whole range of problems across IT, security, and the business.
Credential Sharing as a Service: The Hidden Risk of Low-Code/No-Code Permalink
Low-code/no-code platforms allow users to embed their existing user identities within an application, increasing the risk of credentials leakage.
Why So Many Security Experts Are Concerned About Low-Code/No-Code Apps Permalink
IT departments must account for the business impact and security risks such applications introduce.
Addressing the Low-Code Security Elephant in the Room Permalink
The danger of anyone being able to spin up new applications is that few are thinking about security. Here’s why everyone is responsible for the security of l...
The Microsoft Power Apps Portal Data Leak Revisited: Are You Safe Now? Permalink
In late August 2021, a data leak exposed 38 million private records via Microsoft’s Power Apps portals. Discovered by UpGuard, this misconfiguration is one o...
The 7 Deadly Sins of Low-Code Security and How to Avoid Them Permalink
Seven significant security risks in low-code development, such as insecure authentication and data leakage plus practical advice for mitigating these vulnera...
AI
Safe Web Browsing for Copilots
Allowing a copilot to search the web at will is extremely dangerous. Here are two somewhat-understood vulnerabilities and how to mitigate them. Note: this is...
The Challenges of AI Security Begin With Defining It Permalink
Security for AI is the Next Big Thing! Too bad no one knows what any of that really means.
Security for AI is the Next Big Thing! But we don’t really know what it means yet
As AI continues to capture everyone’s attention, security for AI becomes a popular topic in the market. Security for AI is capturing the media cycle, AI secu...
Move Fast and Break the Enterprise With AI Permalink
The tantalizing promise of true artificial intelligence, or at least decent machine learning, has whipped into a gallop large organizations not built for spe...
Copilot exfiltrates High Restricted SharePoint files to any user on the Internet, no auth required
Microsoft Copilot Studio allows users to quickly build enterprise Copilots on top of their business data. Every enterprise user can now plug enterprise data ...
Enterprise Generative AI Enters Its Citizen Development Era Permalink
Business users are building Copilots and GPTs with enterprise data. What can security teams do about it?
Security Must Empower AI Developers Now Permalink
Enterprises need to create a secure structure for tracking, assessing, and monitoring their growing stable of AI business apps.
Remediation Ballet Is a Pas de Deux of Patch and Performance Permalink
AI-generated code promises quicker fixes for vulnerabilities, but ultimately developers and security teams must balance competing interests.
Generative AI Empowers Users but Challenges Security Permalink
With the introduction of generative AI, even more business users are going to create low-code/no-code applications. Prepare to protect them.
AI Has Your Business Data Permalink
No-code has lowered the barrier for non-developers to create applications. Artificial intelligence will completely eliminate it.
Application Security
The Challenges of AI Security Begin With Defining It Permalink
Security for AI is the Next Big Thing! Too bad no one knows what any of that really means.
Move Fast and Break the Enterprise With AI Permalink
The tantalizing promise of true artificial intelligence, or at least decent machine learning, has whipped into a gallop large organizations not built for spe...
Enterprise Generative AI Enters Its Citizen Development Era Permalink
Business users are building Copilots and GPTs with enterprise data. What can security teams do about it?
Security Must Empower AI Developers Now Permalink
Enterprises need to create a secure structure for tracking, assessing, and monitoring their growing stable of AI business apps.
Where There’s No Code, There’s No SDLC Permalink
How can we build security back into software development in a low-code/no-code environment?
Major Security Breach From Business Users’ Low-Code Apps Could Come in 2023, Analysts Warn Permalink
Here’s what that means about our current state as an industry, and why we should be happy about it.
We’re Thinking About SaaS the Wrong Way Permalink
Many enterprise applications are built outside of IT, but we still treat the platforms they’re built with as point solutions.
Why So Many Security Experts Are Concerned About Low-Code/No-Code Apps Permalink
IT departments must account for the business impact and security risks such applications introduce.
Addressing the Low-Code Security Elephant in the Room Permalink
The danger of anyone being able to spin up new applications is that few are thinking about security. Here’s why everyone is responsible for the security of l...
Vulnerability Disclosure
Power Platform DLP Bypass via Copy-And-Paste
Last August I gave a talk at BlackHat USA titled All You Need Is Guest. In it, I showed how simple guest access to EntraID could be escalated into full contr...
All You Need Is Guest
This is a long overdue blog version of a talk I gave at BlackHat USA 2023 titled All You Need Is Guest. Slides and video recording are available as well.
Security Conferences Keep Us Honest Permalink
Conferences are where vendors and security researchers meet face to face to address problems and discuss solutions — despite the risks associated with public...
ZAPESCAPE: Vulnerability Disclosure Permalink
This document is the vulnerability disclosure report once the vulnerability was discovered.
ZAPESCAPE: Organization-wide control over Code by Zapier Permalink
In the middle of March 2022, Zenity research team discovered a sandbox-escape vulnerability in Code by Zapier, a service used by Zapier to execute custom cod...
Microsoft Power Pages: Low-code Misconfiguration Remains a Top Security Risk Permalink
Despite Microsoft’s efforts to enhance security features, the Zenity research team found that Power Pages is still prone to security risks due to misconfigur...
The Microsoft Power Apps Portal Data Leak Revisited: Are You Safe Now? Permalink
In late August 2021, a data leak exposed 38 million private records via Microsoft’s Power Apps portals. Discovered by UpGuard, this misconfiguration is one o...
Hackers Abuse Low-Code Platforms And Turn Them Against Their Owners Permalink
Last year, Microsoft’s Detection and Response Team (DART) published the timeline of an attack which leveraged Power Platform, Microsoft’s low-code platform. ...
Media
The Challenges of AI Security Begin With Defining It Permalink
Security for AI is the Next Big Thing! Too bad no one knows what any of that really means.
Move Fast and Break the Enterprise With AI Permalink
The tantalizing promise of true artificial intelligence, or at least decent machine learning, has whipped into a gallop large organizations not built for spe...
Enterprise Generative AI Enters Its Citizen Development Era Permalink
Business users are building Copilots and GPTs with enterprise data. What can security teams do about it?
Security Must Empower AI Developers Now Permalink
Enterprises need to create a secure structure for tracking, assessing, and monitoring their growing stable of AI business apps.
Security Conferences Keep Us Honest Permalink
Conferences are where vendors and security researchers meet face to face to address problems and discuss solutions — despite the risks associated with public...
M365 guest accounts + Power Apps = security nightmare Permalink
A login, a PA trial license, and some good old hacking are all that’s needed to nab SQL databases
Rogue Azure AD Guests Can Steal Data via Power Apps Permalink
A few default guest setting manipulations in Azure AD and over-promiscuous low-code app developer connections can upend data protections.
A Windows 11 Automation Tool Can Easily Be Hijacked Permalink
Hackers can use Microsoft’s Power Automate to push out ransomware and key loggers—if they get machine access first.
Security Governance
Generative AI Empowers Users but Challenges Security Permalink
With the introduction of generative AI, even more business users are going to create low-code/no-code applications. Prepare to protect them.
AI Has Your Business Data Permalink
No-code has lowered the barrier for non-developers to create applications. Artificial intelligence will completely eliminate it.
No One Wants to Be Governed, Everyone Wants to Be Helped Permalink
Here’s how a security team can present itself to citizen developers as a valuable resource rather than a bureaucratic roadblock.
Embracing the Next Generation of Business Developers Permalink
Security teams that embrace low-code/no-code can change the security mindset of business users.
Addressing the Low-Code Security Elephant in the Room Permalink
The danger of anyone being able to spin up new applications is that few are thinking about security. Here’s why everyone is responsible for the security of l...
Low-Code SDLC – Build Fast, Stay Secure Permalink
Low-code application development provides a solution for a wide range of business needs, from business applications through process automation and integratio...
Cloud Security
Despite Breach, LastPass Demonstrates the Power of Password Management Permalink
What’s scarier than keeping all of your passwords in one place and having that place raided by hackers? Maybe reusing insecure passwords.
Are 100% Security Guarantees Possible? Permalink
Large vendors are commoditizing capabilities that claim to provide absolute security guarantees backed up by formal verification. How significant are these p...
We’re Thinking About SaaS the Wrong Way Permalink
Many enterprise applications are built outside of IT, but we still treat the platforms they’re built with as point solutions.
Addressing the Low-Code Security Elephant in the Room Permalink
The danger of anyone being able to spin up new applications is that few are thinking about security. Here’s why everyone is responsible for the security of l...
BlackHat
Security Conferences Keep Us Honest Permalink
Conferences are where vendors and security researchers meet face to face to address problems and discuss solutions — despite the risks associated with public...
My intense 2am conversation with MSRC a week before BlackHat
Research as usual
M365 guest accounts + Power Apps = security nightmare Permalink
A login, a PA trial license, and some good old hacking are all that’s needed to nab SQL databases
Rogue Azure AD Guests Can Steal Data via Power Apps Permalink
A few default guest setting manipulations in Azure AD and over-promiscuous low-code app developer connections can upend data protections.
IAM
Rogue Azure AD Guests Can Steal Data via Power Apps Permalink
A few default guest setting manipulations in Azure AD and over-promiscuous low-code app developer connections can upend data protections.
Watch Out for User Impersonation in Low-Code/No-Code Apps Permalink
How a well-meaning employee could unwittingly share their identity with other users, causing a whole range of problems across IT, security, and the business.
Credential Sharing as a Service: The Hidden Risk of Low-Code/No-Code Permalink
Low-code/no-code platforms allow users to embed their existing user identities within an application, increasing the risk of credentials leakage.
Zapier
ZAPESCAPE: Vulnerability Disclosure Permalink
This document is the vulnerability disclosure report once the vulnerability was discovered.
ZAPESCAPE: Organization-wide control over Code by Zapier Permalink
In the middle of March 2022, Zenity research team discovered a sandbox-escape vulnerability in Code by Zapier, a service used by Zapier to execute custom cod...
Zapier Storage Exposes Sensitive Customer Data Due to Poor User Choices Permalink
Zenity research team discovers a vulnerability in Zapier’s storage solution that exposes sensitive customer data. Despite Zapier’s efforts to mitigate the is...
SDLC
Where There’s No Code, There’s No SDLC Permalink
How can we build security back into software development in a low-code/no-code environment?
Low-Code SDLC – Build Fast, Stay Secure Permalink
Low-code application development provides a solution for a wide range of business needs, from business applications through process automation and integratio...
Threat Intel
Major Security Breach From Business Users’ Low-Code Apps Could Come in 2023, Analysts Warn Permalink
Here’s what that means about our current state as an industry, and why we should be happy about it.
Why So Many Security Experts Are Concerned About Low-Code/No-Code Apps Permalink
IT departments must account for the business impact and security risks such applications introduce.
SaaS
We’re Thinking About SaaS the Wrong Way Permalink
Many enterprise applications are built outside of IT, but we still treat the platforms they’re built with as point solutions.
You Can’t Opt Out of Citizen Development Permalink
To see why low-code/no-code is inevitable, we need to first understand how it finds its way into the enterprise.
AAD / EntraID
M365 guest accounts + Power Apps = security nightmare Permalink
A login, a PA trial license, and some good old hacking are all that’s needed to nab SQL databases
Rogue Azure AD Guests Can Steal Data via Power Apps Permalink
A few default guest setting manipulations in Azure AD and over-promiscuous low-code app developer connections can upend data protections.
Risk Management
Why So Many Security Experts Are Concerned About Low-Code/No-Code Apps Permalink
IT departments must account for the business impact and security risks such applications introduce.
Windows
A Windows 11 Automation Tool Can Easily Be Hijacked Permalink
Hackers can use Microsoft’s Power Automate to push out ransomware and key loggers—if they get machine access first.
RPA
A Windows 11 Automation Tool Can Easily Be Hijacked Permalink
Hackers can use Microsoft’s Power Automate to push out ransomware and key loggers—if they get machine access first.
Formal Verification
Are 100% Security Guarantees Possible? Permalink
Large vendors are commoditizing capabilities that claim to provide absolute security guarantees backed up by formal verification. How significant are these p...
Password Management
Despite Breach, LastPass Demonstrates the Power of Password Management Permalink
What’s scarier than keeping all of your passwords in one place and having that place raided by hackers? Maybe reusing insecure passwords.
TheRegister
M365 guest accounts + Power Apps = security nightmare Permalink
A login, a PA trial license, and some good old hacking are all that’s needed to nab SQL databases
OWASP
Followup links for OWASP Global AppSec DC 2023
Assorted links for OWASP Global AppSec DC 2023:
RSAC
Followup links for All You Need Is Guest RSAC 2024
Assorted links for All You Need Is Guest @ RSAC 2024: