RSAC Blog Diary: Day 2

Back from the show floor on the second full day of RSAC 2023 and it was another action-packed day talking with organizations of all shapes and sizes about low-code/no-code development. It was great to get feedback in real-time about how organizations are modernizing application development, enabling professional and citizen developers, and how they are in need of visibility, security, and governance of all the applications, connections, bots, workflows, and more that are being built using Microsoft Power Platform, Salesforce, ServiceNow, Zapier, Appian, Mendix, and more. 

We had a blast together talking with customers, prospects, partners, and more. Here are our three key takeaways today’s festivities:

• AI, AI, and more AI. Unsurprisingly, artificial intelligence is the talk of the conference. Lots of vendors are promoting really interesting technology to help companies promote and integrate AI into their workflows. Security leaders have also voiced their concerns as to how to properly harness the power of these tools, particularly in how professional and citizen developers are using generative language models to do things like build applications, connections, and integrations. The main concerns are rooted in how data is flowing not only to the AI service providers, but also in how resources are being built using simple text prompts. Powerful business-critical applications can now be created with a couple of clicks of the mouse and security teams need ways to maintain visibility. 

• Leaving development on the table. With emerging technologies like AI and low-code/no-code development moving so fast, some organizations are responding by blocking or severely limiting who can use these tools. For some, it is an unfortunate reality that this harsh action must happen, but it does not always have to be this way. The trick is to put strong governance in place to enforce least privilege, which can seem easier said than done. Within application modernization, particularly low-code/no-code and/or AI development, where apps are developed outside of the traditional software development lifecycle (SDLC), being able to identify what is being created in real-time and assigning risk scores can provide security teams with the confidence they need to fully harness these tools, rather than living in fear. 
• An eye on compliance. The last thing we heard a lot about on day 2 on the show floor was the rising awareness of low-code/no-code development’s impact on potential compliance findings. With more and more applications being created this way, there are an explosive number of resources that are querying databases, remitting or receiving sensitive data (like PII), and accessing data that needs to be deemed compliant by auditors. By being on the lookout for common security vulnerabilities within these applications and mapping risks to accepted frameworks, security and GRC teams can gain insights into what business resources are doing what. 

We are excited to see what the final day holds, and hope to speak with as many folks as we can at booth N-6579.

—

Original post from April 25.

With the first full day of RSAC 2023 in the books, we wanted to publish a running diary of some of the key takeaways and themes that we are hearing on the show floor and at the various sessions we’re attending. 

But first, a quick recap from the days leading into the show. Our CTO Michael Bargury gave several excellent talks at the SANS Cybersecurity Leadership Summit in the UK, and BSides NY and SF, respectively. The high-level takeaway from these talks was that not only are organizations continuing to lean on low-code/no-code development platforms to drive efficiency in day-to-day tasks, but that professional and citizen developers are also using these tools to create business critical applications, workflows, connectors, bots, and more. These applications are often interacting with business sensitive data, PII, and more that are security risks and potentially compliance failure points. 

As the founding member of the OWASP Low-Code/No-Code Top 10, Michael provides a lot of assistance and education for organizations looking to adopt Low-Code/No-Code development platforms and we’re excited to be continuing those conversations in San Francisco this week. Here are three of our top observations from the show floor:

1. Rise in the number of low-code/no-code development platforms. A lot of organizations we talked to today told us that they are using multiple platforms for low-code/no-code development. Among the most popular are Microsoft Power Platform, Salesforce, ServiceNow, Zapier, and Workato, but the use cases are countless. Organizations are increasingly reliant on different platforms to enable different populations of their workforce, whether they are outsourced IT, professional developers, marketers, front-line workers or other citizen developers. What became clear in our conversations is that visibility amongst this increasingly fragmented and disparate world of application modernization is that security teams need visibility as to who is creating what, where, and in what fashion. 
2. Risk mitigation remains critical. At every booth, there is some iteration of ‘you can’t secure what you don’t know exists’ being proclaimed (see trend 1 above, in fact). However, all the data in the world can fall on deaf ears if there is no clear path to action. As mentioned above, many security teams know they are flying blind when it comes to low-code/no-code development, but they all are looking to solve this problem, ideally automatically and without human intervention. There is always a fine line of getting ‘too many alerts,’ however, and security teams need a way to prioritize the most critical alerts without getting beaten down by alert overload that requires lengthy remediation steps.
3. To build a strong security culture, education remains top of mind. Within the world of application development, the software development lifecycle (SDLC) puts in place checks and balances to ensure that throughout the application development process, there is proper testing and security in place. However, in the world of low-code/no-code development, the traditional SDLC is passed over in the name of speed and efficiency. This can cause friction for security teams as they seek to educate citizen developers as to how to make more secure applications, workflows, connectors, bots, and more, when there is no defined process. We talked a lot about the need to identify ‘top builders’ within the world of low-code/no-code so that if common mistakes are identified, such as someone continually injecting their personal identities into the builds of apps, that security teams can intervene and educate the creator for how to do it better next time. 

Stay tuned throughout the week for our key findings and common talking points that we’re noticing on the show floor at Moscone Center. If you’re in the Bay Area, please feel free to stop by our Booth #6579 and chat with us about all things low-code/no-code development, and check back on our blog each day for a new post.