Low-code/no-code (LCNC) development platforms have become increasingly popular in recent years, as they allow business users to build software without specialized technical expertise. While this can provide benefits in terms of accelerated application development and increased efficiency, it also presents challenges when it comes to ensuring the security of these applications.
One significant challenge is the lack of security expertise among business users who may be building LCNC apps. These users may not have the same level of knowledge about security best practices as IT professionals, which can make it difficult to ensure that their apps are adequately protected against threats. This lack of expertise can lead to a range of security risks, including the use of weak passwords, the mishandling of sensitive data, and the failure to properly configure security controls.
Another challenge is that security teams are often unaware of business LCNC development projects, or if they are aware, they may overlook these projects as “proof of concepts” and fail to recognize their potential as critical crown jewels. This lack of visibility and understanding can lead to a lack of proper security controls being put in place for these applications, leaving them vulnerable to attacks.
The consequences of these risks can be severe, as low-code applications are often used to handle sensitive data and facilitate important business processes. A security breach involving an LCNC app could result in the loss of confidential information, financial damage, and reputational harm.
The Rise of LCNC Development and Its Impact on Security
Low-code/no-code (LCNC) development platforms have gained widespread adoption in recent years, as they provide a way for business users to build software without the need for specialized technical expertise. These platforms typically use a graphical user interface (GUI) to allow users to create applications by dragging and dropping pre-built blocks of code, rather than writing code from scratch.
The rise of LCNC has been driven by a number of factors, including the need for organizations to deliver applications faster and more efficiently, the increasing complexity of traditional software development, and the desire to empower business users to solve their own problems without relying on IT departments.
The popularity of LCNC has led to the emergence of a wide range of platforms and tools, ranging from simple drag-and-drop builders for simple apps to more advanced platforms for building complex applications. These platforms have been embraced by a wide range of organizations, including large enterprises, small businesses, and government agencies.
While the benefits of LCNC are significant, the adoption of these platforms also presents challenges from a security perspective. One of the main challenges is the lack of security expertise among business users who may be building these apps. These users may not have the same level of knowledge about security best practices as IT professionals, which can make it difficult to ensure that their apps are adequately protected against threats. This lack of expertise can lead to a range of security risks, including the use of weak passwords, the mishandling of sensitive data, and the failure to properly configure security controls.
The Lack of Security Expertise Among Business Users Building LCNC Apps
One of the main challenges of securing low-code/no-code (LCNC) applications is the lack of security expertise among business users who may be building these apps. These users may not have the same level of knowledge about security best practices as IT professionals, which can make it difficult to ensure that their apps are adequately applying secure development best practices.
There are a number of reasons why business users may lack security expertise when it comes to building LCNC apps. One reason is that these users may not have received formal training in software development or security. They may also be focused on delivering business value and meeting specific business needs, rather than considering security as a primary concern.
In addition, LCNC platforms are often designed to be user-friendly and easy to use, which can make them accessible to users without a technical background. While this is a positive aspect of LCNC, it also means that users may not be aware of the potential security implications of the decisions they are making. For example, they may not understand the importance of using strong passwords or of taking the time to properly configure security controls.
These risks can have significant consequences for organizations, as LCNC apps are often used to handle sensitive data and facilitate important business processes. LCNC apps are not just quickly built proofs of concept; they may be among the organization's crown jewels.
The Consequences of Poor LCNC Security
The consequences of poor security in low-code/no-code (LCNC) applications can be significant, as these apps are often used to handle sensitive data and facilitate important business processes. A security breach involving an LCNC app can have serious consequences for an organization, including financial losses, reputational damage, and regulatory penalties.
One example of the consequences of poor LCNC security is the incident handled by Microsoft’s Detection and Response Team (DART). In this case, a nation-state backed adversary was able to gain access to a large multinational organization using a password spray attack and leverage Microsoft’s low-code platform, Power Platform, to exfiltrate sensitive data and maintain complete Office 365 access for 240 days. The attackers were able to remain persistent within the environment for more than seven months while the security investigation was already ongoing. It is unclear how much time the attacker remained undetected before the investigation even started.
This incident highlights the importance of proper security in LCNC applications, as the attackers were able to exfiltrate sensitive data and maintain persistent access to the organization’s systems without the need to install any malware or access the corporate network. It also illustrates the challenges of detecting and responding to attacks involving LCNC platforms, as traditional security solutions are often based on either host or network agents and may not be able to detect such attacks.
The consequences of poor LCNC security can be significant, so organizations must take steps to ensure that their LCNC apps are secure. This may involve providing training and guidance to business users building these apps, implementing appropriate security controls, and regularly reviewing and testing the security of LCNC apps. By taking these steps, organizations can mitigate the risks associated with LCNC and protect against potential security breaches.
Solutions and Challenges for Security Teams
Securing low-code/no-code (LCNC) applications can be a challenge for security teams, particularly due to the lack of security expertise among business users who may be building these apps and the fact that LCNC apps can quickly become critical systems within an organization. There are a number of solutions and challenges that security teams must consider in order to adequately protect LCNC apps.
Security teams lack visibility into the development and use of these apps. They may be unaware of business LCNC development projects, and when they do become aware of them, they may overlook them as proofs of concept and not see that they may grow into critical crown jewels.
One solution is to provide training and guidance to business users building LCNC apps. It is also important that business units inform the security team about the project and include it in the security-by-design development lifecycle. This can help to ensure that these users have a basic understanding of security best practices and can make informed decisions when building their apps.
Another solution is to implement appropriate security controls for LCNC apps. This may involve implementing authentication and access controls, as well as monitoring and detection systems to identify and respond to potential threats. It may also involve regularly reviewing and testing the security of LCNC apps to ensure that they are adequately protected. Security teams can refer to resources such as the OWASP Top 10 Low-Code/No-Code Security Risks. This framework provides information about the most prominent security risks for LCNC applications and guidance on how to mitigate these risks.
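The DART incident above combined two signals that host and network agents never see: a password spray against the identity provider, and data leaving through a low-code platform connector. As an added example (not from the original article, DART, or any Microsoft tooling), the Python below shows what the "monitoring and detection" recommended here can look like when it runs over identity sign-in events and platform audit events. The log field layouts, the account names, the IP addresses, the connector names and the approved-connector list are all constructed for the example and are not real Microsoft log schemas.

```python
"""Detection over constructed sign-in and low-code platform audit records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records: (timestamp, account, source_ip, outcome).
# The field layout is an assumption for this example, not a real identity-provider schema.
SIGNIN_LOG = [
    ("2023-01-10T08:00:01", "alice@example.com", "203.0.113.7", "failure"),
    ("2023-01-10T08:00:04", "bob@example.com", "203.0.113.7", "failure"),
    ("2023-01-10T08:00:09", "carol@example.com", "203.0.113.7", "failure"),
    ("2023-01-10T08:00:15", "dave@example.com", "203.0.113.7", "failure"),
    ("2023-01-10T08:00:21", "erin@example.com", "203.0.113.7", "failure"),
    ("2023-01-10T08:00:30", "frank@example.com", "203.0.113.7", "success"),
    ("2023-01-10T08:05:00", "alice@example.com", "198.51.100.2", "failure"),
    ("2023-01-10T08:05:10", "alice@example.com", "198.51.100.2", "success"),
]

# Constructed sample low-code platform audit records:
# (timestamp, actor, action, connector, target). Also an assumed layout.
PLATFORM_LOG = [
    ("2023-01-10T08:10:00", "frank@example.com", "flow_created", "SharePoint", "sites/finance"),
    ("2023-01-10T08:11:00", "frank@example.com", "flow_created", "HTTP", "https://external.example/upload"),
    ("2023-01-10T09:00:00", "grace@example.com", "flow_created", "Outlook", "team-mailbox"),
]

# Connectors the organization has reviewed and allowed (constructed allow-list).
APPROVED_CONNECTORS = {"SharePoint", "Outlook"}


def parse_ts(value):
    return datetime.fromisoformat(value)


def detect_password_spray(signin_log, window=timedelta(minutes=30), min_accounts=5):
    """Return {source_ip: sorted distinct accounts} for every source IP whose
    failed sign-ins touched at least `min_accounts` distinct accounts inside
    any `window`. Many accounts, few attempts each, one source: the spray shape."""
    failures = defaultdict(list)
    for ts, account, ip, outcome in signin_log:
        if outcome == "failure":
            failures[ip].append((parse_ts(ts), account))
    alerts = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Sliding window anchored at each failure; events are time-ordered.
            accounts = {acct for ts, acct in events[i:] if ts - start <= window}
            if len(accounts) >= min_accounts:
                alerts[ip] = sorted(accounts)
                break
    return alerts


def detect_unapproved_connectors(platform_log, approved):
    """Return (actor, connector, target) for flows created through a connector
    outside the allow-list. This is the data-movement channel the incident
    describes, and it is visible only in the platform's own audit data."""
    return [(actor, connector, target)
            for _, actor, action, connector, target in platform_log
            if action == "flow_created" and connector not in approved]


def correlate(signin_log, platform_log, approved):
    """Join the two signals: accounts that signed in successfully from a
    spraying source IP and then created a flow through an unapproved connector."""
    spray_ips = detect_password_spray(signin_log)
    compromised = {acct for _, acct, ip, outcome in signin_log
                   if outcome == "success" and ip in spray_ips}
    return [hit for hit in detect_unapproved_connectors(platform_log, approved)
            if hit[0] in compromised]


if __name__ == "__main__":
    print("spray sources:", detect_password_spray(SIGNIN_LOG))
    print("unapproved connectors:", detect_unapproved_connectors(PLATFORM_LOG, APPROVED_CONNECTORS))
    print("correlated:", correlate(SIGNIN_LOG, PLATFORM_LOG, APPROVED_CONNECTORS))
```

The point of the third function is the one the article makes: neither signal alone is conclusive (a spray may fail entirely, and an unapproved connector may be an innocent prototype), but an account that first succeeds from a spraying source and then wires platform data to an external endpoint is exactly the sequence that ran undetected for months in the DART case. The thresholds and allow-list are starting points to tune against your own baseline, not fixed values.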
Conclusions
Low-code/no-code (LCNC) development platforms provide organizations with the ability to accelerate the delivery of business applications and empower business users to address their own needs. However, it is important that security teams understand the security risks associated with LCNC apps and take steps to mitigate them.
These risks include the lack of security expertise among business users building LCNC apps and the lack of visibility into the development and use of these apps, which can make it difficult for security teams to identify and respond to potential threats.
To address these challenges, security teams can provide training and guidance to business users building LCNC apps, implement appropriate security controls, and refer to resources such as the OWASP Top 10 Low-Code/No-Code Security Risks.