2 Sources
[1]
Copilots and low-code apps are creating a new 'vast attack surface' - 4 ways to fix that
A typical enterprise has 80,000 apps built outside of the traditional development lifecycle, and 62% have vulnerabilities, a new study finds. It doesn't have to be this way.

Today's average large enterprise is likely to have nearly 80,000 apps built out of copilots and low-code platforms. This poses a potential security nightmare, as more than six out of ten of them, 62%, have security vulnerabilities, a recent study finds.

The study, released by Zenity, finds that use of enterprise copilot and low-code tools is growing 40% year over year. It is based on data surveyed and gathered from large organizations, but the implications are just as applicable to small and medium-sized businesses.

Currently, the typical enterprise customer in the study has an average of 79,602 apps built across various copilots and low-code platforms. By comparison, the study's authors estimate that the average large enterprise has at least 473 SaaS-based apps.

The study's authors define "copilots" as the range of no-code and low-code tools and platforms including Microsoft Copilot, Power Platform, Salesforce, ServiceNow, Zapier, OpenAI, and more. The average large organization has about seven copilot and low-code platforms in use, they estimate.

Among the 80,000 apps and copilots developed outside of the traditional software development lifecycle are roughly 50,000 vulnerabilities, the study concludes. The main risk cited is "business users having the ability to build apps and copilots without needing a coding background and without proper security guardrails in place," the study's authors note. The top technical risks seen with copilot and low-code platforms are authorization misuse, authentication failures, and data and secrets handling, the study finds.

"In traditional application development, apps are carefully built throughout the software development lifecycle, where each app is continuously planned, designed, implemented, measured, and analyzed," they explain. "In modern business application development, however, no such checks and balances exist and a new form of shadow IT emerges."

Within the range of copilot solutions, "anyone can build and access powerful business apps and copilots that access, transfer, and store sensitive data and contribute to critical business operations with just a couple clicks of the mouse or use of natural language text prompts," the study cautions. "The velocity and magnitude of this new wave of application development creates a new and vast attack surface."

Many enterprises encouraging copilot and low-code development are "not fully embracing that they need to contextualize and understand not only how many apps and copilots are being built, but also the business context such as what data the app interacts with, who it is intended for, and what business function it is meant to accomplish." As a result, "there are a lot of vulnerabilities and misconfigurations that are hard to contextualize and sort out who needs to do what to mitigate risk."

Untrusted guest access via copilot and low-code apps is another issue. "The average enterprise in the study has over 8,641 instances of untrusted guest users having access to apps that are developed via copilots and low-code," the study shows. More than 72% of those cases "provide privileged access to untrusted guests; meaning unmonitored and unmanaged guests can create, modify, or delete these apps."

Here are some of the steps the study's authors recommend to address these vulnerabilities:
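The guest-access figures above describe a check a practitioner can run against their own estate: of all grants given to external (guest) identities on copilot and low-code apps, how many carry a role that lets the guest create, modify or delete the app. The script below is an added example, not Zenity's tooling or code from the article. It assumes a hypothetical inventory export (a list of records naming the app, its platform, the principal granted access and the role); the '#EXT#' marker used to spot guests is how Entra ID formats external-user UPNs, while the field names, role vocabulary and sample records are constructed for the example.

```python
"""Triage guest-user access to copilot / low-code apps from an inventory export.

Added example (not from the article or the Zenity study). The inventory
format, role names and sample data are assumptions made for illustration.
"""
from collections import Counter

# Roles that let a principal create, modify or delete the app, i.e. the
# "privileged access" the study counts. 'CanView' is read-only.
# Assumed role vocabulary; adapt to the platform's real role names.
PRIVILEGED_ROLES = {"Owner", "CanEdit"}

# Constructed sample inventory, not real tenant data.
SAMPLE_INVENTORY = [
    {"app": "ExpenseApprover", "platform": "Power Platform",
     "principal": "alice@contoso.com", "role": "Owner"},
    {"app": "ExpenseApprover", "platform": "Power Platform",
     "principal": "bob_partner.example#EXT#@contoso.onmicrosoft.com", "role": "CanEdit"},
    {"app": "VendorBot", "platform": "Copilot Studio",
     "principal": "carol_vendor.example#EXT#@contoso.onmicrosoft.com", "role": "CanView"},
    {"app": "VendorBot", "platform": "Copilot Studio",
     "principal": "dave_vendor.example#EXT#@contoso.onmicrosoft.com", "role": "Owner"},
    {"app": "OnboardingFlow", "platform": "Zapier",
     "principal": "erin@contoso.com", "role": "CanEdit"},
    {"app": "OnboardingFlow", "platform": "Zapier",
     "principal": "frank_contractor.example#EXT#@contoso.onmicrosoft.com", "role": "CanEdit"},
]


def is_guest(principal: str) -> bool:
    """Entra ID rewrites external users' UPNs to '<user>_<domain>#EXT#@<tenant>'."""
    return "#EXT#" in principal.upper()


def triage(inventory):
    """Return (findings, summary).

    findings: one record per grant to a guest identity, flagged as privileged
              when the role allows create/modify/delete.
    summary:  counts and the share of guest grants that are privileged, plus
              a per-platform breakdown of privileged guest grants.
    """
    findings = []
    for rec in inventory:
        if not is_guest(rec["principal"]):
            continue
        findings.append({
            "app": rec["app"],
            "platform": rec["platform"],
            "principal": rec["principal"],
            "role": rec["role"],
            "privileged": rec["role"] in PRIVILEGED_ROLES,
        })
    total = len(findings)
    privileged = sum(1 for f in findings if f["privileged"])
    summary = {
        "guest_grants": total,
        "privileged_guest_grants": privileged,
        # Guard the empty case so a tenant with no guests reports 0, not an error.
        "privileged_share": (privileged / total) if total else 0.0,
        "by_platform": dict(Counter(f["platform"] for f in findings if f["privileged"])),
    }
    return findings, summary


def apps_needing_owner_review(findings):
    """Apps where a guest can create, modify or delete: the first queue to work."""
    return sorted({f["app"] for f in findings if f["privileged"]})


if __name__ == "__main__":
    found, report = triage(SAMPLE_INVENTORY)
    for f in found:
        flag = "PRIVILEGED" if f["privileged"] else "read-only"
        print(f"{f['platform']:15} {f['app']:16} {f['role']:8} {flag:10} {f['principal']}")
    print("summary:", report)
    print("review first:", apps_needing_owner_review(found))
```

In practice the inventory comes from each platform's admin API or export rather than a literal list, and the role vocabulary differs per platform; the point is to keep the guest test and the privileged-role set explicit so the resulting number is the same metric the study reports (privileged guest grants as a share of all guest grants) rather than a raw count of external users.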
[2]
Why copilots and low-code apps portend a security nightmare
AI copilots and low-code applications are revolutionizing software development, but they also introduce new security risks. This article explores the potential vulnerabilities and suggests ways to mitigate them.

The software development landscape is undergoing a significant transformation with the advent of AI copilots and low-code applications. These technologies are democratizing coding, allowing non-developers to create applications and experienced developers to work more efficiently. However, this revolution comes with its own set of security challenges that organizations need to address [1].

As more individuals gain the ability to create applications, the potential attack surface for cybercriminals expands dramatically. This proliferation of amateur-developed software introduces vulnerabilities that may go unnoticed by inexperienced creators. The situation is further complicated by the fact that AI copilots, while helpful, can sometimes generate insecure code snippets that developers might implement without proper scrutiny [2].

AI copilots, despite their benefits, can inadvertently introduce security flaws into applications. These tools may suggest code that contains vulnerabilities or outdated practices, which could be exploited by malicious actors. Moreover, developers might over-rely on these AI assistants, potentially leading to a decrease in code quality and security awareness [1].

Low-code platforms, while enabling rapid application development, often abstract away important security considerations. This abstraction can lead to applications with weak security postures, especially when created by users without a strong background in cybersecurity. Additionally, the ease of creating and deploying applications may result in a proliferation of shadow IT, making it difficult for organizations to maintain oversight and security standards [2].

To address these security challenges, experts recommend several strategies: [1]

As these new technologies gain traction, traditional development teams will need to adapt their roles. They may shift towards becoming guardians of code quality and security, reviewing and refining the output of AI copilots and low-code platforms. This evolution will require a blend of technical expertise and mentorship skills to guide less experienced creators towards secure development practices [2].

Summarized by Navi