How Can Enterprises Secure 80,000 Low-Code Apps Against Vulnerabilities?

November 25, 2024

Today’s average large enterprise is likely to have nearly 80,000 apps built with copilots and low-code platforms. This poses a potential security nightmare: more than six out of ten of them, 62%, have security vulnerabilities, a recent study finds. The study, released by Zenity, finds that the use of enterprise copilots and low-code development tools is growing 40% year over year. The study is based on data surveyed and gathered from large organizations, but the implications are just as applicable to small and medium-sized businesses.

Currently, the typical enterprise customer in the study has an average of 79,602 apps built across various copilots and low-code platforms. By comparison, the study’s authors estimate that the average large enterprise has at least 473 SaaS-based apps. The study’s authors define “copilots” as the range of no-code and low-code tools and platforms including Microsoft Copilot, Power Platform, Salesforce, ServiceNow, Zapier, OpenAI, and more. The average large organization has about seven copilot and low-code platforms in use, they estimate.

Among the 80,000 apps and copilots developed outside of the traditional software development lifecycle are roughly 50,000 vulnerabilities, the study concludes. The main risk cited is “business users having the ability to build apps and copilots without needing a coding background and without proper security guardrails in place,” the study’s authors note. The top technical risks seen with copilot and low-code platforms include authorization misuse, authentication failures, and data and secrets handling, the study finds.

1. Set Up Security from the Start

Given that more than 62% of these apps have security vulnerabilities, a robust initial setup for security controls is paramount. One of the foremost recommendations is to flag any app that contains a hard-coded secret or insecure step in how it retrieves credentials. This preventive measure helps in mitigating fundamental security lapses that could lead to grave consequences. Contextualizing the apps that are being built is also crucial, particularly to ensure that critical business apps interacting with sensitive internal data have proper authentication controls. By embedding security into the initial stages of app development, companies can significantly mitigate risks.

Ensuring that proper authentication is continually in place for apps requiring access to sensitive data should be a top priority. When security measures are established upfront, not only is business data protected, but the overall integrity and reliability of the app ecosystem are strengthened. Moreover, this step supports a proactive stance towards security, rather than a reactive one, thereby placing companies on a firmer footing when it comes to protecting their digital assets. Making security an inherent part of the app development lifecycle ensures that vulnerabilities are minimized from the get-go.
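The two checks this section recommends, flagging hard-coded credentials in an app's connections and flagging unauthenticated apps that touch sensitive data sources, can be run over an export of app definitions. The following is an added example, not code from the article or from Zenity; the export format (name, auth mode, data sources with a sensitivity label, connection parameters) and the sample apps are constructed assumptions.

```python
import re

# Constructed sample of exported low-code app definitions. The format is an
# assumption (a simplified app/flow export); all values are made up.
SAMPLE_APPS = [
    {"name": "expense-approvals", "auth": "none",
     "data_sources": [{"kind": "sharepoint", "sensitivity": "confidential"}],
     "connections": [{"kind": "http",
                      "params": {"Authorization": "Bearer sk-EXAMPLE-0123456789abcdef0123"}}]},
    {"name": "office-map", "auth": "none",
     "data_sources": [{"kind": "excel", "sensitivity": "public"}],
     "connections": []},
    {"name": "hr-lookup", "auth": "entra_id",
     "data_sources": [{"kind": "sql", "sensitivity": "confidential"}],
     "connections": [{"kind": "sql", "params": {"password": "@keyvault(hr-sql-pw)"}}]},
]

# Parameter names that usually carry credentials.
SECRET_KEY_RE = re.compile(r"(?i)(password|pwd|secret|api[_-]?key|token|authorization)")
# Values that look like a literal credential (optionally a bearer token).
LITERAL_SECRET_RE = re.compile(r"(?:Bearer\s+)?[A-Za-z0-9_\-]{16,}")
# A runtime reference to a vault or environment variable is the safe pattern.
REFERENCE_RE = re.compile(r"^@(keyvault|env)\(")
SENSITIVE_LABELS = {"confidential", "restricted"}

def audit_app(app):
    """Return a list of finding strings for one app definition."""
    findings = []
    for conn in app.get("connections", []):
        for key, value in conn.get("params", {}).items():
            if not SECRET_KEY_RE.search(key) or not isinstance(value, str):
                continue
            if REFERENCE_RE.match(value):
                continue  # credential is fetched from a vault at runtime: fine
            if LITERAL_SECRET_RE.fullmatch(value):
                findings.append(f"HARDCODED_SECRET:{conn['kind']}:{key}")
    # An app with no authentication must not read sensitive internal data.
    if app.get("auth", "none") == "none":
        for src in app.get("data_sources", []):
            if src.get("sensitivity") in SENSITIVE_LABELS:
                findings.append(f"UNAUTHENTICATED_SENSITIVE_SOURCE:{src['kind']}")
    return findings

def audit_apps(apps):
    """Map app name -> findings, keeping only apps that need attention."""
    return {app["name"]: f for app in apps if (f := audit_app(app))}

if __name__ == "__main__":
    for name, findings in audit_apps(SAMPLE_APPS).items():
        print(name, findings)
```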

2. Implement Safety Measures

Due to the nature of copilots and AI in general, strict guardrails need to be in place to prevent oversharing apps, unnecessarily bridging access to sensitive data via AI, and sharing end-user interactions with copilots. Without these safety mechanisms, enterprises face increased risks of malicious prompt injection and data leakage. The speed and ease with which business users can build these applications make it essential to establish stringent security frameworks. Implementing these guardrails involves setting up policies that define acceptable use and access controls, and ensuring that these policies are adhered to rigorously.

Another critical aspect of implementing safety measures is the continuous monitoring and auditing of these low-code platforms and the apps built on them. Regular security assessments can unveil potential vulnerabilities and provide insights for further tightening security measures. Training and educating the workforce on the significance of these safety measures and best practices can also go a long way in maintaining a secure app environment. By embedding a culture of security awareness, organizations can ensure that their employees are not just compliant but also vigilant, further reducing the risk of security breaches.

3. Control Guest Permissions

Guest users often present a unique challenge in the context of security. These users are typically held to different security standards than full-time employees, yet may still possess privileged access to apps and copilots built across low-code platforms. Limiting application and copilot access to only those who need them to perform their respective duties is critical. This involves implementing role-based access controls (RBAC) to ensure that users have the minimum necessary permissions to carry out their tasks, thereby reducing the potential for unauthorized access or misuse.

Additionally, monitoring and managing guest access should be an ongoing process. Regular audits of guest permissions can help identify and rectify any discrepancies or lapses in security protocols. It’s also beneficial to have a formal process for granting and revoking access, ensuring that permissions are updated in real-time as users’ roles change. By controlling guest permissions diligently, enterprises can significantly mitigate the risks associated with external users having access to their critical apps and data, thereby bolstering their overall security posture.
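The oversharing guardrail from section 2 and the guest-permission audit from this section both come down to reviewing who each app is shared with. The following is an added example, not code from the article or from Zenity; the sharing-record format, the company domain list and the review date are constructed assumptions.

```python
from datetime import date

COMPANY_DOMAINS = {"example.com"}              # assumption: the tenant's own identity domains
PRIVILEGED_ROLES = {"owner", "co-owner", "editor"}
EVERYONE_PRINCIPALS = {"everyone", "all users"}

# Constructed sharing records: app, principal, role, and the date by which the
# grant must be re-reviewed (None means it was never given a review date).
SAMPLE_SHARES = [
    {"app": "expense-approvals", "principal": "alice@example.com", "role": "owner", "expires": None},
    {"app": "expense-approvals", "principal": "bob@contractor.net", "role": "editor", "expires": "2024-06-30"},
    {"app": "vendor-portal", "principal": "Everyone", "role": "viewer", "expires": None},
    {"app": "vendor-portal", "principal": "carol@partner.org", "role": "viewer", "expires": "2025-03-31"},
]

def is_guest(principal):
    """A principal whose e-mail domain is not one of ours is treated as a guest."""
    if "@" not in principal:
        return False
    return principal.rsplit("@", 1)[1].lower() not in COMPANY_DOMAINS

def audit_shares(shares, today):
    """Return (finding, app, principal) tuples for grants that need attention."""
    findings = []
    for share in shares:
        principal = share["principal"]
        if principal.lower() in EVERYONE_PRINCIPALS:
            # Tenant-wide sharing bypasses any least-privilege decision.
            findings.append(("OVERSHARED_TO_ALL", share["app"], principal))
        elif is_guest(principal):
            if share["role"] in PRIVILEGED_ROLES:
                findings.append(("GUEST_PRIVILEGED", share["app"], principal))
            if share["expires"] is None:
                findings.append(("GUEST_NO_REVIEW_DATE", share["app"], principal))
            elif date.fromisoformat(share["expires"]) < today:
                # The grant outlived its review date and should have been revoked.
                findings.append(("GUEST_ACCESS_EXPIRED", share["app"], principal))
    return findings

if __name__ == "__main__":
    for finding in audit_shares(SAMPLE_SHARES, date(2024, 11, 25)):
        print(*finding)
```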

4. Reevaluate Data Connectors

Today’s average large enterprise boasts nearly 80,000 apps developed using copilots and low-code platforms, posing potential security concerns. According to a recent Zenity study, 62% of these apps have security vulnerabilities. The use of enterprise copilots and low-code development tools is growing at a rate of 40% year-over-year. While the data was collected from large organizations, the findings are relevant to small and medium-sized businesses as well.

On average, enterprises have around 79,602 apps built across various copilot and low-code platforms, compared to at least 473 SaaS-based apps. “Copilots” include tools like Microsoft Copilot, Power Platform, Salesforce, ServiceNow, Zapier, and OpenAI, among others. Typically, large organizations employ about seven different copilot and low-code platforms.

The study highlights that within these 80,000 apps, there are about 50,000 vulnerabilities. The primary risk is business users creating apps and copilots without coding expertise or proper security measures. Key technical risks include authorization misuse, authentication failures, and poor data and secrets handling.
