Combating IP Leaks into AI Applications with Free Discovery and Risk Reduction Automation

Wed, 17 Jan 2024


Wing Security announced today that it now offers free discovery and a paid tier for automated control over thousands of AI and AI-powered SaaS applications. This will allow companies to better protect their intellectual property (IP) and data against the growing and evolving risks of AI usage.

SaaS applications seem to be multiplying by the day, and so does their integration of AI capabilities. According to Wing Security, a SaaS security company that researched over 320 companies, a staggering 83.2% use GenAI applications. While this statistic might not come as a surprise, the research showed that 99.7% of organizations use SaaS applications that leverage AI capabilities to deliver their services. This usage of GenAI in SaaS applications that are not ‘pure’ AI often goes unnoticed by security teams and users alike.

70% of the most popular GenAI applications may use your data to train their models, and in many cases it’s completely up to you to configure it differently.

When examining hundreds of AI-using SaaS applications, Wing Security was able to categorize the different ways in which these applications use organizational data, as well as offer a solution to this new threat:

Data storing: In some cases, data is stored by the AI for very long periods of time; in others, it can be stored for short periods only. Storing data allows AI learning models, and future models, to continually train on it. That said, the main concern is when considering the many different types of attacks seen on SaaS applications. When an application is compromised, the data it stores might be compromised too.

Model training: By processing vast amounts of information, AI systems can identify patterns, trends, and insights that may elude human analysis. Through machine learning algorithms, AI models learn from data and adapt over time, refining their performance and accuracy, resulting in better service to their end users. On the downside, allowing these models to learn your code, patents, sales, and marketing know-how provides AI-using applications with the potential means to commoditize your organization’s competitive edge. To some, these knowledge leaks are considered more significant than data leaks.

The human element: Certain AI applications leverage human validation to ensure the accuracy and reliability of the data they gather. This collaborative approach, often referred to as human-in-the-loop or human-assisted AI, involves integrating human expertise into the algorithmic decision-making process. This results in higher accuracy for the AI model, but also means a human, working for the GenAI application, is exposed to potentially sensitive data and know-how.

Leveraging automation to combat AI-SaaS risks

Wing’s recently released AI solution guarantees security teams will better adapt to, and control, the ever-growing and practically unstoppable AI usage in their organizations. Their solution follows three basic steps – Know, Assess, Control.

Know: As with many security risks, the first step is to discover them all. In the case of AI, it is not enough to simply flag the “usual suspects” or the pure GenAI applications such as ChatGPT or Bard. With thousands of SaaS applications now using AI to improve their service, discovery must include any application leveraging customer data to improve their models. As with their previous solutions, Wing is offering this first and fundamental step as a free, self-service solution for users to self-onboard and start discovering the magnitude of AI-powered applications used by their employees.

Assess: Once AI-using SaaS has been uncovered, Wing automatically provides a security score and details the ways in which company data is used by the AI: How long is it stored for? Is there a human factor? And perhaps most importantly, is it configurable? It also provides a detailed view of the application’s users, permissions, and security information. This automatic analysis allows security teams to make better-informed decisions.

Control: Wing’s discovery and analysis pin-points the most critical issues to address, allowing security teams to easily understand the level of risk and types of actions needed. For example, deciding whether or not they should permit a certain application’s usage or simply configure the AI elements to better match their security policy.

The Secret: Automating All Of The Above

By automating Discovery, Assessment and Control, security teams save time on figuring out where to focus their efforts instead of spreading themselves thin trying to solve a huge and evolving attack surface. Subsequently, this significantly reduces risk.

Wing’s automated workflows also allow for a unique cross-organizational solution: By allowing users to directly communicate with the application’s admin or users, Wing prompts better-informed security solutions alongside a stronger security culture of inclusion rather than simple black or white listing.

In an era where SaaS applications are omnipresent, their integration with artificial intelligence raises a new type of challenge. On the one hand, AI usage has become a great tool for boosting productivity, and employees should be able to use it for its many benefits. On the other hand, as the reliance on AI in SaaS applications continues to surge, the potential risks associated with data usage become more pronounced.

Wing Security has responded to this challenge by introducing a new approach, aimed at empowering organizations to navigate and control the escalating use of AI within their operations, while involving the end users in the loop and ensuring they may use the AI-SaaS they need, safely. Their automated control platform provides a comprehensive understanding of how AI applications utilize organizational data and know-how, addressing issues such as data storing, model training, and the human element in the AI loop. Security teams can save precious time thanks to clear risk-prioritization and user involvement.

Unmasking the Dark Side of Low-Code/No-Code Applications

Mon, 25 Dec 2023

Dec 18, 2023 | The Hacker News | Technology / Application Security


Low-code/no-code (LCNC) and robotic process automation (RPA) have gained immense popularity, but how secure are they? Is your security team paying enough attention in an era of rapid digital transformation, where business users are empowered to create applications swiftly using platforms like Microsoft PowerApps, UiPath, ServiceNow, Mendix, and OutSystems?

The simple truth is often swept under the rug. While low-code/no-code (LCNC) apps and robotic process automations (RPA) drive efficiency and agility, their dark security side demands scrutiny. LCNC application security emerges as a relatively new frontier, and even seasoned security practitioners and security teams grapple with the dynamic nature and sheer volume of citizen-developed applications. The accelerated pace of LCNC development poses a unique challenge for security professionals, underscoring the need for dedicated efforts and solutions to effectively address the security nuances of low-code development environments.

Digital Transformation: Trading off Security?

One reason security finds itself in the backseat is a common concern that security controls are potential speed bumps in the digital transformation journey. Many citizen developers strive for quick app creation but unknowingly create new risks simultaneously.

The fact is that LCNC apps leave many business applications exposed to the same risks and damage as their traditionally developed counterparts. Ultimately, it takes a closely aligned security solution for LCNC to balance business success, continuity, and security.

As organizations dive headfirst into LCNC and RPA solutions, it’s time to acknowledge that the current AppSec stack is inadequate for safeguarding critical assets and data exposed by LCNC apps. Most organizations are left with manual, cumbersome security for LCNC development.

Unlocking Uniqueness: Security Challenges in LCNC and RPA Environments

While the security challenges and threat vectors in LCNC and RPA environments might appear similar to traditional software development, the devil is in the details. By democratizing software development across a wider audience, the development environments, processes, and participants in LCNC and RPA introduce a transformative shift. This kind of decentralized app creation comes with three main challenges.

First, citizen and automation developers tend to be more prone to unintentional, logical errors that may result in security vulnerabilities. Second, from a visibility point of view, security teams are dealing with a new kind of shadow IT, or to be more precise, Shadow Engineering. Third, security teams have little to no control over the LCNC app life cycle.

Governance, Compliance, Security: A Triple Threat

The three-headed monster haunting CISOs, security architects, and security teams – governance, compliance, and security – is ever more ominous in LCNC and RPA environments. To illustrate, here are some examples, which are of course not comprehensive:

  • Governance challenges manifest in outdated versions of applications lurking in production and decommissioned applications, causing immediate concerns.
  • Compliance violations, from PII leakage to HIPAA violations, reveal that the regulatory framework for LCNC apps is not as robust as it should be.
  • The age-old security concerns of unauthorized data access and default passwords persist, challenging the perception that LCNC platforms offer foolproof protection.

Four Crucial Security Steps

In the ebook “Low-Code/No-Code And RPA: Rewards And Risk,” security researchers at Nokod Security suggest that a four-step process can and should be introduced to LCNC app development.

  1. Discovery – Establishing and maintaining comprehensive visibility over all applications and automations is essential for robust security. An accurate, up-to-date inventory is imperative to overcome blind spots and ensure the proper security and compliance processes.
  2. Monitoring – Comprehensive monitoring involves evaluating third-party components, implementing processes to confirm the absence of malicious code, and preventing accidental data leaks. Effectively thwarting the risk of critical data leaks requires a meticulous identification and classification of data usage, ensuring applications and automation systems handle data under their respective classifications. Governance includes proactively monitoring developer activity, particularly scrutinizing modifications made in the production environment post-publication.
  3. Act on Violations – Efficient remediation must involve the citizen developer. Use clear communication in accessible language and with the LCNC platform-specific terminology, accompanied by step-by-step remediation guidance. You must bring in the necessary compensating controls when tackling tricky remediation scenarios.
  4. Protecting the Apps – Use runtime controls to detect malicious behavior inside your apps and automations or by apps in your domain.

While the steps outlined above provide a foundation, the reality of a growing attack surface, left uncovered by the current application security stack, forces a reevaluation. Manual security processes do not scale when organizations churn out dozens of LCNC applications and RPA automations weekly. The efficacy of a manual approach is limited, especially when companies are using several LCNC and RPA platforms. It is time for dedicated security solutions for LCNC application security.

Nokod Security: Pioneering Low-code/no-code App Security

Offering a central security solution, the Nokod Security platform addresses this evolving and complex threat landscape and the uniqueness of the LCNC app development.

The Nokod platform provides a centralized security, governance, and compliance solution for LCNC applications and RPA automations. By managing cybersecurity and compliance risks, Nokod streamlines security throughout the entire lifecycle of LCNC applications.

Key features of Nokod’s enterprise-ready platform include:

  • Discovery of all low-code/no-code applications and automations within your organization
  • Placement of these applications under specified policies
  • Identification of security issues and detection of vulnerabilities
  • Auto-remediation and empowerment tools for low-code / no-code / RPA developers
  • Enabling enhanced productivity with lean security teams

Conclusion:

In the dynamic landscape of contemporary business technologies, the widespread adoption of low-code/no-code (LCNC) and robotic process automation (RPA) platforms by organizations has ushered in a new era. Despite the surge in innovation, a critical security gap exists. Enterprises must gain comprehensive insights into whether these cutting-edge applications are compliant, free from vulnerabilities, or harbor malicious activities. This expanding attack surface, often unnoticed by current application security measures, poses a considerable risk.

For more timely information about low-code/no-code app security, follow Nokod Security on LinkedIn.
