
Welcome to the era of enterprise copilots and low-code development. Today, the average large enterprise boasts nearly 80,000 apps crafted using these platforms. But with great innovation comes great risk – a recent study reveals that over 60% of these apps harbor security vulnerabilities.
The study by Zenity documents rapid growth, with a 40% year-over-year increase in the adoption of enterprise copilots and low-code tools. Although the data comes from surveys of large organizations, the findings apply just as well to small and medium-sized businesses.
Enterprise customers now manage an average of 79,602 apps across copilot and low-code channels, dwarfing the 473 SaaS applications a typical organization uses. “Copilots” here covers a spectrum of no-code and low-code platforms such as Microsoft Copilot, Power Platform, and Salesforce, and the average organization uses around seven of them.
The convenience comes at a steep price: the study counts approximately 50,000 vulnerabilities across those 80,000 apps, all of them built outside the conventional software development lifecycle. The root cause is that the builders are mostly business users rather than engineers, and the platforms do not impose the review gates a normal SDLC would.
In traditional development each stage is reviewed: design, code review, testing, deployment. Copilot and low-code apps skip those gates entirely, which is how they become shadow IT. The consequences show up as authorization misuse, authentication lapses, and data mishandling. A typical case, and an illustration rather than a finding of the study, is an app that embeds its maker's connection to a database or document library and is then shared with a whole department: everyone who runs the app inherits the maker's access to that data, whether or not they were ever granted it directly.
The study authors caution that this lack of oversight creates a vast attack surface, exposing sensitive data and key business operations. To mitigate the risk, enterprises must rethink their security strategies. Here are some key recommendations:
- Configure for security up front: set secure defaults at the platform level so that misconfigurations are caught when an app is created, not discovered after it is in use. Require authentication for any app that reads or writes sensitive data.
- Establish guardrails: restrict which data sources a copilot can reach and how widely an app can be shared, so that an AI assistant or a broadly shared app cannot surface data its users are not entitled to see.
- Regulate guest access: limit what external (guest) accounts can do in the tenant; at a minimum they should not be able to edit existing apps or create new ones.
- Rethink connectors to sensitive data: inventory which apps connect to sensitive data stores, review whose credentials each connection uses, and make sure every connection moves data over HTTPS rather than plain HTTP. A generic HTTP connector that lets a maker call an arbitrary endpoint deserves particular scrutiny, since it can move data anywhere.
Enterprises must address these vulnerabilities to safeguard their data and operations, as the age of copilots and low-code development ushers in a new paradigm of risk and innovation.