Power Platform SDLC Security for Citizen Apps | Nokod

Securing The SDLC For No-Code Environments


News
26 Feb • 2026

Introduction

During Cybersecurity Awareness Month, we tend to underscore the critical importance of implementing robust cybersecurity practices. As cyber threats evolve at an unprecedented rate, organizations and security teams must adapt swiftly to safeguard their assets and data effectively. Citizen development is the most significant paradigm shift in application development with a rapidly growing attack surface.


In response to these challenges, Nokod Security is happy to introduce its growing suite of Power Platform assessment tools this month. These tools are designed to assist security teams in evaluating risks within Power Platform development environments, providing valuable insights to address the growing concern of shadow engineering.

Nokod’s New Security Discovery Tool for Power Platform

When discussing the security risks of citizen-developed apps and automations on Power Platform, security professionals often find themselves in a challenging position. While they understand the potential threats, they frequently lack the necessary visibility and tools to assess the scope and impact of these risks within their organization. This knowledge gap creates a significant barrier to prioritizing this growing attack surface and leaves many vulnerabilities without effective risk management and mitigation.


To address this issue, Nokod offers its open-source, lightweight discovery and assessment tool. It provides security teams with much-needed insight into their organization’s Power Platform usage, the scope and size of their internal and external attack surface, and a set of sample vulnerabilities it highlights.


Unlike tools that require full integration into the Power Platform, Nokod’s tool runs from a local machine with read-only permission, ensuring a lightweight and quick assessment.


And we kept it easy: users only need to run simple Python commands to execute a scan, making the tool accessible even to those with less technical expertise. You’ll find information about the tool (incl. links to GitHub, installation video, etc.)

Insights Gained from Your Power Platform Scan Results

Running the quick assessment generates a report that gives you an overview of the current situation. Besides the total number of environments in your organization, the report lists the following data points for your top ten environments:

  • Name, type, creator, creation, and last activity time of the environment
  • Which components (canvas apps, cloud flows, desktop flows, and model-driven apps) exist, and how they are distributed across the top-ten environments
  • Number of connectors used per environment
  • User statistics such as internal vs. guest users, enabled vs. disabled, user status on Active Directory
  • Number of developers in the three biggest environments
  • Top three most used connectors

Beyond discovering all Power Platform assets, the report also provides insights into potential risks, such as:

  • Deleted or Guest Users Developing Apps: The tool identifies apps created by users no longer with the organization, which may pose a security risk.
  • Untrusted and Deprecated Connectors: It detects connectors that could introduce vulnerabilities or allow unauthorized access.
  • Bypass Consent: This compliance issue arises when the application owner has access to or can change information on behalf of the application users without their consent.
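To make the first two findings concrete, here is an added illustration (not Nokod’s tool) of how a read-only app inventory can be cross-checked against a directory snapshot to flag components whose creator is deleted, disabled or a guest, and components that use a deprecated connector. All user, app and connector records below are constructed sample data; a real scan would take them from the tenant and its DLP and deprecation metadata.

```python
# Added illustration, not Nokod's discovery tool. Every record here is
# constructed sample data standing in for a read-only tenant inventory.
from collections import Counter
from typing import Optional

# Constructed directory snapshot: user id -> account attributes
USERS = {
    "u1": {"type": "Member", "enabled": True,  "exists": True},
    "u2": {"type": "Guest",  "enabled": True,  "exists": True},
    "u3": {"type": "Member", "enabled": False, "exists": True},   # disabled account
    # "u4" is absent: the creator's account was deleted from the directory
}

# Constructed app/flow inventory, one record per component
COMPONENTS = [
    {"env": "Prod",    "name": "ExpenseApp",  "creator": "u1", "connectors": ["shared_sql", "shared_office365"]},
    {"env": "Prod",    "name": "OnboardFlow", "creator": "u4", "connectors": ["shared_sharepointonline"]},
    {"env": "Default", "name": "VendorSync",  "creator": "u2", "connectors": ["shared_legacyftp", "shared_sql"]},
    {"env": "Default", "name": "OldReport",   "creator": "u3", "connectors": ["shared_office365"]},
]

# Constructed deny-list (hypothetical connector name); a real scan would use
# the tenant's DLP policy and the platform's own deprecation metadata.
DEPRECATED_CONNECTORS = {"shared_legacyftp"}

def creator_risk(creator_id: str) -> Optional[str]:
    """Classify a creator as deleted / disabled / guest, or None if no issue."""
    user = USERS.get(creator_id)
    if user is None or not user["exists"]:
        return "deleted"
    if not user["enabled"]:
        return "disabled"
    if user["type"] == "Guest":
        return "guest"
    return None

def scan(components=COMPONENTS) -> dict:
    """Return the risk findings plus the connector statistics the report summarises."""
    findings = []
    connector_use = Counter()
    for c in components:
        risk = creator_risk(c["creator"])
        if risk:
            findings.append((c["env"], c["name"], f"creator is {risk}"))
        for conn in c["connectors"]:
            connector_use[conn] += 1
            if conn in DEPRECATED_CONNECTORS:
                findings.append((c["env"], c["name"], f"deprecated connector {conn}"))
    return {"findings": findings, "top_connectors": connector_use.most_common(3)}
```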

Power BI Analyzer – Completing the Picture

Attackers can easily find countless Power BI reports published on the web with the help of search engines.


This project contains two tools for detecting unused data sources in your Power BI (Microsoft Fabric) reports. These tools analyze the reports’ data models and identify columns not used in visualizations. Unwanted access to this data can pose a security risk, and it is essential to identify and remove unused columns to reduce the risk of data breaches.


On June 19, 2024, Nokod Security published a warning about the easy exploitation of a data leakage vulnerability in the Microsoft Power BI service. This vulnerability potentially affects tens of thousands of organizations and allows anonymous Internet viewers to access sensitive data, including employee and business data, PHI, and PII.


Power BI Analyzer offers two simple, open-source tools for organizations to assess their exposure to this vulnerability. It is available on GitHub.



TOOL 1 – INTERNAL, OVER-SHARED REPORTS
This tool includes a Python module that interacts with the Power BI API. It sends requests to get the list of all reports shared with the entire organization and analyzes them to detect unused data sources.



TOOL 2 – REPORTS PUBLISHED TO THE WEB
This tool includes a Python module that processes a CSV file with a list of all the URLs of reports published to the web in your company and analyzes the reports to detect unused data sources.
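Both tools come down to the same check: which columns loaded into a report’s data model are never reached by any visual, filter or measure. The following is an added illustration of that logic, not Nokod’s Power BI Analyzer; the model, measures and layout structures are constructed, simplified stand-ins and do not reproduce the real Power BI file or service format.

```python
# Added illustration, not Nokod's Power BI Analyzer. The structures below
# are constructed stand-ins for a report's data model and layout.
import re

# Constructed data model: table -> columns loaded into the report
MODEL = {
    "Employees": ["EmployeeId", "Name", "Department", "Salary", "SSN"],
    "Sales":     ["SaleId", "EmployeeId", "Amount", "Region"],
}

# Constructed measures: name -> DAX-like expression referencing Table[Column]
MEASURES = {
    "TotalSales": "SUM(Sales[Amount])",
}

# Constructed layout: visuals project columns and/or measures; filters at
# visual, page and report level may reference further columns.
LAYOUT = {
    "report_filters": ["Sales[Region]"],
    "pages": [
        {"filters": [], "visuals": [
            {"fields": ["Employees[Department]", "[TotalSales]"], "filters": []},
            {"fields": ["Employees[Name]"], "filters": ["Employees[Department]"]},
        ]},
    ],
}

REF = re.compile(r"(\w+)\[(\w+)\]")   # matches Table[Column]

def referenced_columns(layout=LAYOUT, measures=MEASURES) -> set:
    """Collect every (table, column) reachable from visuals, filters and measures."""
    refs = set(layout["report_filters"])
    for page in layout["pages"]:
        refs.update(page["filters"])
        for visual in page["visuals"]:
            refs.update(visual["fields"] + visual["filters"])
    used = set()
    for ref in refs:
        m = REF.fullmatch(ref)
        if m:                                                   # Table[Column]
            used.add(m.groups())
        elif ref.startswith("[") and ref[1:-1] in measures:     # [Measure]
            used.update(REF.findall(measures[ref[1:-1]]))
    return used

def unused_columns(model=MODEL, layout=LAYOUT, measures=MEASURES) -> dict:
    """Columns loaded in the model but never surfaced by the report."""
    used = referenced_columns(layout, measures)
    return {t: [c for c in cols if (t, c) not in used] for t, cols in model.items()}
```

Columns the report never surfaces (here Salary and SSN, among others) are still downloadable with the data model, which is why the text recommends removing them rather than merely hiding them from visuals.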

Take a Proactive Security Approach

Nokod’s open-source suite of discovery tools for Power Platform and Power BI is primarily designed for security teams, who are at the forefront of tackling shadow engineering. However, platform administrators and the owners of a company’s Power Platform environment can also benefit from their use.

Our goal is to help security teams quickly assess the size and scope of the attack surface created by citizen development within their organization. By offering visibility and identifying potential vulnerabilities, we hope to enable security professionals to take a more informed and active approach to protecting their critical assets and data.

For further inquiries, please contact us at [email protected] or schedule a demo
