Low-Code/No-Code App Dev’s Inherent Security Risks – Security Boulevard

Posted under Programming, Technology On By James Steward

Businesses can use low-code/no-code development platforms to create apps that digitalize and automate manual, paper-based processes, to build customer engagement tools, and to build apps that make it easy to share data with business partners.
Low-code/no-code technology puts that power in the hands of the business users, who are the people best placed to decide what the company needs to build next. Now they also have the means to build it themselves.
As with every major technology wave, innovation can also come with new risks, and low-code/no-code technology is no exception. The security risks of citizen development are real and can offset the advantages.
Here is a rundown of the main sources of risk in low-code/no-code app development and in the applications it produces.
Like the public cloud, no-code/low-code platforms make it easier and faster to develop applications and automation, for many kinds of users and use cases, but that speed again comes with a security cost.
The platform vendor is responsible for making sure the platform itself cannot be compromised; as with cloud infrastructure, responsibility is shared. The problem organizations face is the way pro and citizen developers use those platforms, how they build and deploy applications and automation, and the business logic they implement on top of them.
When a pro or citizen developer creates something that exposes the organization to security or compliance risk, such as an app that exposes admin credentials to any user, an automation that moves sensitive data to an uncontrolled location, or an app that mishandles PII, it is the organization's responsibility to find such issues and drive remediation.
One of the core issues with no-code/low-code development is that security teams lack visibility. As cloud security expert Chris Hughes explains, “You’re consuming the software and therefore don’t know about the source code, associated vulnerabilities, or potentially the level of testing and rigor the platform has undergone.” The platforms abstract the code away, so traditional methods that rely on inventorying and scanning source code cannot be applied.
Low-code/no-code platforms are everywhere: from SaaS solutions the business already owns, such as those from Microsoft, Salesforce or ServiceNow, to platforms like Zapier that business teams adopt directly. Security teams are left with no way to know what is in use, who the makers are, whether business-critical applications are being built with these tools, or whether those applications handle sensitive data.
To address the lack of visibility and the difficulty of governance, the most viable option is to choose a low-code/no-code platform with features that support visibility, such as the ability to integrate with existing security controls or with third-party cloud-based security validation tools. That integration is what gives the security team the ability to keep track of the low-code apps being deployed and, in particular, of the data they generate, process, store and transmit. In practice that means an inventory that records, per app or flow, its owner, who it is shared with, which connectors and data sources it uses, and what configuration it carries.
At the rate low-code/no-code apps are churned out, especially in large and complex organizations, nobody should be surprised to see shadow IT keep growing. A study by the Everest Group indicates that shadow IT accounts for 50% or more of IT expenditure. This does not bode well for cybersecurity, especially in view of Gartner's prediction that around 30% of security breaches are attributable to shadow IT.
To be clear, shadow IT is the use of IT systems, hardware or software, without the explicit approval of the IT department. That is exactly what typically happens with the development and use of low-code/no-code applications, so it would be a mistake to treat low-code/no-code as separate from the shadow IT problem.
Shadow IT is not good for organizations for many reasons. Most notably, it results in the following:
Not knowing or monitoring IT assets means failing to see the big picture: the organization cannot know what it has, and therefore what it needs to protect.
Shadow IT makes it difficult to identify threats and to anticipate, stop or mitigate them effectively. Apps that form part of shadow IT can become the origin of a data leak, yet the IT or security team may have a hard time pinpointing them and addressing the problem.
More software usually means more points of failure. Low-code/no-code apps are often no longer monitored because they are considered insignificant or benign, only to become vulnerabilities later because they leak data or allow script injection.
Shadow IT is also an uncontrolled factor in organizational processes. Low-code/no-code apps that live in the shadows cannot be made to align with the organization's security posture and cannot easily be traced and fixed when they cause security problems. The only way to rein them in is to bring them into the light, which means they have to stop being shadow IT.
Many IT experts argue that shadow IT is not the problem itself but a symptom: it would not exist if employees were getting the IT resources they need from the organization's sanctioned IT. With proper governance and security validation, low-code/no-code apps do not have to become part of shadow IT.
Users do not need deep technical know-how to use low-code/no-code development platforms, let alone the security savviness to make sure they do not build and deploy apps that introduce vulnerabilities or conflict with their organization's security posture.
This is an inherent risk for any organization. Anybody can now build apps through intuitive interfaces, but most of those builders have no idea of the potential risks, and the foundations of secure app development are not quickly taught or learned.
The OWASP Top 10 Low-Code/No-Code Security Risks list captures the risks that can be traced to the limited security knowledge of low-code/no-code makers: account impersonation, authorization misuse (including oversharing of apps and components), data leakage and unexpected consequences, authentication and secure-communication failures, security misconfiguration, injection handling failures, vulnerable and untrusted components (including unmanaged custom code), data and secret handling failures, asset management failures, and security logging and monitoring failures. Several of these are direct paths to privilege escalation.
Ordinary users have probably never heard of these risk categories, and it is unlikely they would know the measures needed to avoid them. Even where a platform's wizards show reminders about security concerns, many users will not understand what they mean.
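The visibility and OWASP points above are easier to act on with a concrete check. The following is an added example written for this page, not code from the article or from any platform vendor: it runs four governance checks over an app inventory of the kind a platform export or admin API would provide. The inventory, the directory of active users, the business/non-business connector labels (modelled on the business and non-business grouping used by Power Platform DLP policies) and all field names are constructed assumptions, and the mapping of each check to an OWASP LCNC category is this example's own.

```python
"""Governance checks over a low-code/no-code app inventory (added example).

Assumptions: the platform can export, per app or flow, its owner, its sharing
grants, the connectors it uses and its configuration. Field names, sample
apps and connector labels below are constructed for illustration only.
"""
import re

# Constructed sample inventory; not data from any real tenant.
INVENTORY = [
    {
        "name": "Expense Approvals",
        "owner": "alice@example.com",
        "shared_with": [{"type": "Group", "id": "finance-team"}],
        "connections": ["sharepoint", "office365users"],
        "config": {"ApiKey": "", "Endpoint": "https://api.example.com"},
    },
    {
        "name": "Admin Console Helper",
        "owner": "bob@example.com",
        "shared_with": [{"type": "Tenant", "id": "*"}],  # everyone in the tenant
        "connections": ["sql", "sharepoint"],
        "config": {"DbPassword": "P@ssw0rd123!", "Server": "db01.internal"},
    },
    {
        "name": "Customer Export Flow",
        "owner": "carol@example.com",
        "shared_with": [],
        "connections": ["salesforce", "gmail"],
        "config": {},
    },
    {
        "name": "Legacy Onboarding",
        "owner": "dave@example.com",  # assumed to have left the company
        "shared_with": [{"type": "User", "id": "erin@example.com"}],
        "connections": ["office365users"],
        "config": {},
    },
]

# Constructed directory of currently active users.
ACTIVE_USERS = {"alice@example.com", "bob@example.com",
                "carol@example.com", "erin@example.com"}

# Assumed connector classification, modelled on a DLP-style
# business / non-business split; not a vendor-published list.
BUSINESS_CONNECTORS = {"sharepoint", "office365users", "sql", "salesforce"}
NON_BUSINESS_CONNECTORS = {"gmail", "dropbox", "twitter"}

# Configuration keys whose values look like credentials.
SECRET_KEY_RE = re.compile(r"(password|passwd|secret|apikey|api_key|token)", re.I)


def check_oversharing(app):
    """Authorization misuse (LCNC-SEC-02): app shared with the whole tenant."""
    for grant in app["shared_with"]:
        if grant["type"] == "Tenant":
            return "shared with the whole tenant; restrict to a group or named users"
    return None


def check_secrets(app):
    """Data and secret handling (LCNC-SEC-08): credentials stored inline."""
    hits = [k for k, v in app["config"].items() if v and SECRET_KEY_RE.search(k)]
    if hits:
        return f"inline secrets in config: {', '.join(sorted(hits))}; move to a managed secret store"
    return None


def check_data_path(app):
    """Data leakage (LCNC-SEC-03): business data wired to a non-business connector."""
    used = set(app["connections"])
    biz, nonbiz = used & BUSINESS_CONNECTORS, used & NON_BUSINESS_CONNECTORS
    if biz and nonbiz:
        return f"moves data from {sorted(biz)} to {sorted(nonbiz)}; review against DLP policy"
    return None


def check_owner(app, active_users):
    """Asset management (LCNC-SEC-09): app whose owner is no longer an active user."""
    if app["owner"] not in active_users:
        return f"owner {app['owner']} is not an active user; reassign or retire"
    return None


def audit(inventory, active_users):
    """Run every check over every app; return (app name, check id, message) tuples."""
    findings = []
    for app in inventory:
        for check_id, msg in (
            ("oversharing", check_oversharing(app)),
            ("inline-secret", check_secrets(app)),
            ("business-to-nonbusiness", check_data_path(app)),
            ("orphaned-owner", check_owner(app, active_users)),
        ):
            if msg:
                findings.append((app["name"], check_id, msg))
    return findings


if __name__ == "__main__":
    for name, check_id, msg in audit(INVENTORY, ACTIVE_USERS):
        print(f"[{check_id}] {name}: {msg}")
```

Run as-is, the script reports four findings: the tenant-wide share and the inline database password on "Admin Console Helper", the Salesforce-to-Gmail path in "Customer Export Flow", and the orphaned owner of "Legacy Onboarding"; "Expense Approvals" passes because its empty ApiKey field holds no value. Wiring the real export into `INVENTORY` and the directory into `ACTIVE_USERS` turns the same checks into a recurring visibility report for the security team.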
The low-code/no-code security problem is not insurmountable. Many platforms are becoming more conscious of the security repercussions, and the leading ones are now designed with security in mind.
Nothing described here is a reason to avoid low-code app building platforms. The risks are real, but they have effective countermeasures. With the right security knowledge, governance and validation tooling, organizations can benefit from low-code/no-code apps and app development while keeping those risks in check.
Ben Kliger is the CEO and Co-Founder of Zenity, the first governance and security solution for low-code/no-code applications. Ben is a cybersecurity expert, with over 16 years of experience in the field. He is passionate about the intersection of technology democratization, digital transformation and cyber security.