The Open Web Application Security Project (OWASP) maintains OWASP Low-Code/No-Code Top 10, a list of the most common vulnerabilities associated with low-code/no-code. A team of security researchers has vetted this project, and it stands as a comprehensive checklist of potential concerns. Below, we’ll briefly highlight each vulnerability and present methods to secure low-code environments.
Vulnerability #1: Account Impersonation
This risk stems from an attacker impersonating the application owner’s identity. For example, suppose a developer creates an application and connects to a database using their admin user login. Now, end users use the same identity whenever they access the data. This vulnerability can lead to unauthorized data access and privilege escalation. It also makes it impossible to distinguish between legitimate and malicious usage.
#2: Authorization Misuse
This is a broad risk for low-code/no-code applications; it involves the developer assigning incorrect permissions to end users. For instance, this could be multiple application programming interface (API) connections left “on” through short-lived OAuth tokens. Authorization gaps can mean that users have privileges to access data or functionality that they are not supposed to access.
#3: Data Leakage and Unexpected Consequences
Depending upon the application design, unintended data leakages might occur. This could happen when sharing access to corporate databases with other users or when automated triggers pass data from one application to another. A low-code architecture could easily leak sensitive information if developers are unaware that data replicates in less secure connected environments.
#4: Authentication and Secure Communication Failures
Much can go wrong when setting up connections to data in a low-code context. If best practices, such as encryption, strong authentication, and secure configurations, aren’t applied, the application could be prone to leaking data in transit. Therefore, it’s recommended to have security personnel set up connections or at least review them regularly for security considerations.
#5: Security Misconfiguration
There are numerous ways in which low-code applications might be misconfigured or using default conditions, causing potential security problems. Issues such as oversharing, unprotected endpoints, and exposing secrets to anonymous parties all fall into this risk category. To limit the potential for stealing or manipulating data, it’s recommended to review platform guidelines for configuration best practices and apply careful change management.
#6: Injection Handling Failures
Since many low-code/no-code platforms accept direct user input, they are often prone to injection-style attacks. which involve an attacker inserting malicious code to disrupt the activity of an application or trigger nefarious actions to occur. For example, a system might interpret an injection as code to run and end up deleting database records.
#7: Vulnerable and Untrusted Components
Low-code applications are just as susceptible to supply chain risks as other development styles since they rely on various underlying components and third-party connections. These components may not be fully secured or visible and thus can’t be 100% trusted. In a low-code context, these components could be pre-made widgets in some sort of marketplace.
#8: Data and Secret Handling Failures
Low-code applications sometimes store secrets, such as username and password pairs, API keys to access external systems, or personally identifiable information (PII). Often, this sensitive data ends up sitting unencrypted or is hard-coded into applications or moved around against geographic restrictions. Insecure secrets management could cause secrets to be intercepted by bad actors or cause a company to run afoul of compliance requirements.
#9: Asset Management Failures
Business users can quickly generate low-code/no-code applications. While this advances software democratization, it also means that countless applications could instantly be created without forethought around business continuity or asset management. Without adequate inventory management and maintenance practices, many applications could be left unmaintained and forgotten.
#10: Security Logging and Monitoring Failures
Low-code/no-code applications are inherently usable, yet they often lack visibility into backend logs. Insufficient logging can hinder application owners when trying to track user behaviors or diagnose failures. Conversely, applications might overshare these logs, producing a different kind of risk in terms of oversharing application logic to unauthorized parties.
Ways to Mitigate Low-code/No-code Security Risks
Now that we’re aware of top risks associated with low-code/no-code usage, what are some methods to secure these environments? Here are nine specific ways to mitigate the above risks, according to OWASP:
- Use dedicated application or service accounts rather than user accounts.
- Don’t abuse authorization flows by storing and using short-lived refresh tokens.
- Limit the number of external connectors to sensitive data.
- Only assign connections to users and applications that require them.
- Follow security best practices as prescribed by low-code platform vendors.
- Sanitize the input users enter into the application.
- Be careful connecting third-party components and limit use to trusted dependencies.
- Take inventory of applications and turn off any that are unused.
- Enable application logging and monitoring when possible.
In addition to the above considerations, enterprises might find themselves using multiple low-code/no-code platforms, which will likely require incorporating more governance to centralize policies. In general, many of these cybersecurity practices hinge on following the principle of least privilege. If a zero-trust mindset is adopted, you can narrow the scope and limit the potential attack surface.
Hardening Low-Code/No-Code Strategies
Low-code/no-code usage appears to be increasing, lately accelerated through the use of next-generation AI-like large language models (LLMs). Gartner estimates that by 2025, 70% of applications will be developed using low-code/no-code technologies. With these growth projections, low-code/no-code security must remain a continuous priority.
The OWASP Low-Code/No-Code Top 10 does a good job of outlining the most frequent attack vectors to consider. By following the recommendations above, organizations can harden their citizen development strategy. On the other hand, applying some of these mitigations, such as removing broad authorization scopes, can reduce accessibility and easy access to features. Thus, IT leaders should consider reviewing each threat type in deeper detail to see how their organization can effectively balance security with usability.
