Zenity announced the release of its report, The State of Enterprise Copilots and Low-Code Development in 2024. The report's data, surveyed and gathered from many of the world's largest organizations across technology, healthcare, manufacturing, energy, and financial services, found that enterprise copilots and low-code development are evolving at a pace never seen before, and that correspondingly they are exposed to a high number of vulnerabilities.
Across Microsoft Copilot, Power Platform, Salesforce, ServiceNow, Zapier, OpenAI, and more, anyone can now build or leverage enterprise copilots and business apps. Through drag-and-drop interfaces and natural language text prompts, internal or external users can create or manipulate apps that are built to access, transfer, and store sensitive data and that contribute to critical business operations. However, copilot and low-code platforms lack security guardrails and threat detection mechanisms in their development lifecycle, a gap that can result in critical risks and malicious activity.
Given the velocity and magnitude of this new world of business-led development, the problem is beyond control and creates a new and vast attack surface that enterprises need to be aware of.
Among the report's key findings:
- As adoption and growth kicked into hyperdrive, so did risk: the average large enterprise is approaching 80,000 apps and copilots that have been developed outside of the traditional software development lifecycle (SDLC). Among these 80,000 apps and copilots are roughly 50,000 vulnerabilities.
- AI adoption (and risk) is significant: the average large organization has developed 2,600+ of its own active copilots using low-code platforms; however, 63% of them were overshared to members of both the enterprise and the public, creating risks of prompt injection and data leakage.
- Guest access provides unmonitored access to internal resources: armed with a single guest account and a trial license to a low-code platform, all an attacker needs to do is log in to the enterprise copilot or low-code platform, switch to the target directory, and essentially possess domain admin-level privileges on the platform. The average enterprise has upwards of 6,200 guests with privileged access to copilots and low-code apps.
- Supply chain risks run rampant in low-code: the average enterprise has nearly 2,000 applications that contain open-source components drawn from decentralized libraries, which could be laced with malware that steals passwords and other sensitive data. These present opportunities for attackers to easily inject open-source components with risky and dangerous software, creating a ripple effect across different enterprises.
Ben Kliger, co-founder and CEO, Zenity, said: "While enterprise copilot and low-code development platforms bring innovation and productivity, they also introduce new, significant risks. If you're a large enterprise, you have a lot of copilots, apps, automations and reports that are being built outside of your knowledge by business users in your LoBs. We are proud to support our customers to responsibly adopt these powerful business enablement tools and contribute this research back to the community to help raise awareness of the unique risks for today's enterprises."