How security startup Zenity is set to make low-code/no-code better than ever
Low-code/no-code (LCNC) app development is expected to dominate enterprises. Gartner predicts that by 2025, 70 percent of the new applications created by organizations will employ LCNC technologies, triple its 25 percent level in 2020. There’s no doubt that it will be the major driver of citizen development, as more employees take part in building business apps without the need to learn how to code.
Bespoke business apps are the ideal option for businesses with specific needs. Third-party software rarely addresses the unique functional requirements of organizations. There are instances when apps have the features an organization requires, but these apps also have many other unnecessary functions that add unwanted complexity and force employees through lengthy steps to reach the specific functions they want to use.
With LCNC app development platforms, almost anyone can become an app developer without the need to learn to use programming languages. The problem is that these platforms do not guarantee security and proper app governance.
Zenity: the first and only LCNC governance and security platform
Zenity emerges as the pioneering solution to this lack of suitable app governance and security. It provides a simple and convenient way to spot policy violations, unveil shadow IT business apps, drive automatic remediation processes, and detect anomalous application behavior.
The brainchild of two online entrepreneurs and experienced IT security experts, Zenity was founded in 2021 by CEO Ben Kliger and CTO Michael Bargury in response to the rise of low-code/no-code technology for pro and citizen developers. Kliger and Bargury established the startup after noticing how existing apps and app development security solutions were still too focused on traditional app development and had minimal-to-no innovations to meet LCNC needs.
How Zenity works
LCNC apps can be likened to workers secretly outsourced by a well-intentioned department head because they get the job done at a lower cost. The supervisors and general manager are unaware of the outsourcing, so they do not take extra precautions with regard to the unaccounted-for workers. If these outsourced workers wittingly or unwittingly commit mistakes that lead to unwanted consequences, it will be difficult for the management to trace the source and provide the appropriate solution.
It is extremely difficult to solve a problem that originates from or is brought about by an invisible source. In cybersecurity, this invisible or hidden potential source of security problems is called shadow IT. This is what Zenity is trying to address with its discover-mitigate-govern-protect approach in securing low-code/no-code applications.
Discover – Zenity facilitates the inventorying of all LCNC apps, app creators, and data across different platforms. This cross-platform visibility ensures that there are no data leaks, suspicious activities, and vulnerabilities that can be attributed to low-code apps. The data exchanged between on-prem endpoints or SaaS apps is also monitored to prevent threats from breaching cyber defenses and actually inflicting damage. After all apps are discovered or accounted for, Zenity shows charts of security policy violation statuses, risk statuses, risky resources, and top policy violations.
Mitigate – The mitigation step is about reducing the risk or attack surfaces by continuously conducting risk evaluations for all low-code/no-code apps and their components. Here, the platform identifies configuration drifts, vulnerabilities in third-party app components, and unsafe app usage. Zenity raises alerts for possible environment mismatch, for example. It then shows the possible actions that can be undertaken, the details of the security policy violation, and a summary of the remediation steps that will be undertaken.
Govern – Zenity plays an important role in proper app governance. It helps organizations design and implement governance policies suited to the needs and unique circumstances of an enterprise. It also supports the configuration of security controls to automate responses to threats depending on the environment and app usage. With proper app governance, organizations can get rid of the risks without disrupting business operations.
Protect – Zenity is designed to meticulously scan low-code/no-code apps for possible malicious activity. The platform is useful in detecting and preventing supply chain attacks, data leakage, and the deceptive behavior of malware as it tries to infect systems. Zenity shows alerts for various risks, including anomalous data movements. These alerts come with urgency indicators, threat descriptions, and other significant details that can help in addressing security issues.
The problems Zenity solves
Zenity’s low-code security research reveals seven major risks and threats that are resolved by using the platform. These problems coincide with what is listed in the OWASP Low-Code/No-Code Security Risks.
- Privilege escalation – Threat actors can escalate their privileges by exploiting vulnerabilities or issues in apps built with LCNC platforms.
- Data leakage – A very common issue among low-code/no-code apps, data leakage usually happens when data is transmitted through unauthorized services and kept in risky cloud-based storage.
- Insecure authentication – Some low-code/no-code app development platforms produce apps that use HTTP for connections (not secure HTTPS). Others utilize weak encryption ciphers, which also make authentication insecure.
- Misconfigurations – Bad configurations or mistakes in configuration can result in the granting of excessive privileges, which can be exploited by cybercriminals to gain access to supposedly restricted data.
- Dependency injection – Threat actors can spot weaknesses in a low-code app that enables dependency injection, which can result in granting access for app manipulation.
- Oversharing – Low-code/no-code apps that are part of shadow IT can become vehicles for the unregulated and excessive sharing of information or privileges.
- Application impersonation – Many tend to be confident in using low-code apps because these apps were developed by fellow employees who are unlikely to be regarded as threat actors. This creates opportunities for cybercriminals to impersonate the LCNC app.
Enhancing low-code/no-code tech significantly
Security and governance may sound humdrum, but they are crucial for the success of LCNC technology. Citizen development has progressed considerably over the years, but it’s only recently that the idea of adequately secure and well-governed self-built apps has been given the attention it deserves.
The founders of Zenity take pride in offering a trailblazing solution, highlighting that “Zenity is the first and only security governance solution for low-code/no-code applications, and doesn’t have direct competition.” Many cybersecurity products were launched over the past few years, but they have focused on SaaS security, protection for SaaS automation, and defense against SaaS third-party risks.
“Such companies might also protect SaaS low-code/no-code automation platforms from a DLP perspective, but no company offers a holistic security governance solution for any kind of low-code/no-code platform, be it LCAP, workflow automation, iPaaS or RPA,” Zenity’s founders say.
The security and governance advantage that Zenity brings to LCNC technology is more profound than the simplistic or straightforward kind of security offered by conventional app security solutions. It provides governance and security for all apps created with Citizen Automation and Development Platforms (CADP) and Low-Code Application Platforms (LCAP). It covers a wide range of situations where low-code/no-code is put to use. Furthermore, it helps secure interconnected business apps as well as hyper-automation (enabled by these LCNC apps) to support organizations as they make the most out of citizen development.
Zenity provides protection for Robotic Process Automation (RPA) bots and virtual agents. It can account for all bots or virtual agents built with an RPA platform and spot risky practices in the use of credentials and identities. This allows organizations to securely take advantage of bots in their operations to free human resources for other more important tasks.
Moreover, Zenity brings governance and security to Integration Platform as a Service (iPaaS) as well as to Intelligent Business Process Management Systems (iBPMS). With these, organizations are assured that the sensitive data exchanged between SaaS apps and on-prem endpoints is safe. Also, it enables developers to automate complex business workflows and stimulate business growth.
Convenient and cost-efficient security and governance solution
Zenity is making low-code/no-code better than ever, mainly by ensuring that the resulting interconnected applications are secure and do not have vulnerabilities that can be taken advantage of by cybercriminals. It provides cross-platform visibility and takes low-code/no-code apps out of shadow IT to allow organizations to build their security posture without missing anything.
Additionally, Zenity achieves all of this at minimal cost. As a SaaS solution, users only pay whenever they use the platform. There is no hefty flat fee that is essentially wasted when the solution is only used a few times. Organizations also do not need to significantly change the way they build apps with LCNC platforms. Zenity is utilized as a supplemental solution and does not entail high upfront costs, multiple on-prem software installations, or training costs before deployment.