Zenity

2022: Zenity's Tale of Diligence and Growth

2022 was a momentous year in many ways. One of the most significant shifts of 2022 is so substantial – and so successful – that many businesses are already taking it for granted. Low-code/no-code (LCNC) is here to stay! As we predicted early this year, 2022 was the year that LCNC became almost taken for granted, a ubiquitous and empowering trend across businesses.

Announcing Zenity's SOC 2 Type II Certification

Security of our platform and customer data has always been a core focus at Zenity and a north star that we continue to follow, and today we’re excited to announce that we are now SOC 2 Type II certified. This certification demonstrates Zenity’s commitment to ensuring the security of our systems and the data of our customers and partners.

Zenity Named a 2022 IDC Innovator in PaaS that Developers use to accelerate application development and deployment processes

International Data Corporation (IDC) published its annual Innovators report last Friday, November 18th, and named Zenity as one of the top five innovative vendors offering a unique PaaS (Platform as a Service) solution that developers are using to accelerate their application development and deployment processes.

Business-Led Development - an Extension of the Public Cloud

To understand this headline, we need a better understanding of the traditional ways we think about Software-as-a-Service (SaaS) platforms and public cloud platforms. The difference lies in the starting point of these two solutions: while SaaS started as an extension of the corporate network, the public cloud started as an extension of the data center.

ZAPESCAPE: Organization-wide control over Code by Zapier

In the middle of March 2022, the Zenity research team discovered a sandbox-escape vulnerability in Code by Zapier, a service used by Zapier to execute custom code as part of a Zap. Exploiting this vulnerability, any user could take full control over the execution environment of their entire account, allowing them to manipulate results and steal sensitive data. For example, a Zapier user could take control over the admin’s custom code execution environment.

SaaS Applications Streamline Application Development and Exploitation

Software-as-a-Service (SaaS) applications are built on the premise of streamlining business practices to improve productivity. Microsoft 365, Salesforce, and similar SaaS platforms commonly integrate automation tools that allow business users to develop the tools that they need to do their jobs. The latest iteration of this is the integration of low-code/no-code platforms into these SaaS solutions.

When User Identity Loses Its Meaning, Hackers Win

When it comes to cybersecurity, businesses typically want to assume that every user is a special snowflake. The premise that each user has a unique identity, and that cybersecurity teams can manage access permissions and identify anomalous activity based on that identity, is a cornerstone of modern security operations.

Zapier Storage Exposes Sensitive Customer Data Due to Poor User Choices

The Zenity research team recently discovered a potential customer data leakage in Storage by Zapier, a service used for simple environment and state storage for Zap workflows. With only a few simple steps and no authentication, we were able to access sensitive customer data. Given the nature of this flaw, it would be easy for bad actors to recreate our approach and access the same sensitive data without significant expertise.