Unveiling the Hidden Dangers of Low-Code & No-Code App Development

Table of Contents

  1. Introduction
  2. Background of Low Code/No Code Development
  3. Security Risks Associated with Low Code/No Code Platforms
    • Account impersonation
    • Authorization misuse
    • Data leakage and unexpected consequences
    • Authentication and secure communication failures
    • Security misconfigurations
    • Injection handling failures
    • Vulnerable and untrusted components
    • Data and secret handling failures
    • Asset management failures
    • Security logging and monitoring failures
  4. Mitigating Security Risks in Low Code/No Code Development
    • Application risk profiling
    • Threat modeling
    • Education and guidance for citizen developers
  5. The SAMM Model for Secure SDLC
  6. Immediate Actions for Securing Low Code/No Code Environments
    • Application risk profiling and questionnaire
    • Building threat models
    • Providing education and guidance
  7. Future Trends in Low Code/No Code Development
  8. Conclusion

Security Risks with Low Code/No Code Application Development

In recent months, the usage of low code and no code application development environments has been on the rise. While these platforms promise faster and more efficient application development, they also bring security risks that need to be addressed. This article explores the security risks that come with the default configurations of low code/no code platforms, suggests how to recognize and reduce those risks, and discusses the role of secure software development life cycle (SDLC) practices in mitigating them.

Introduction

As an experienced IT and software development professional with over 25 years in the industry, I have noticed the increased usage of low code and no code development environments. Today, I want to highlight the security risks that come with these platforms and provide actionable steps to reduce those risks. My focus in the application security consulting world is on secure SDLC assessments and hardening plans, with a particular interest in policy, standards, and compliance.

Background of Low Code/No Code Development

Low code/no code development refers to the use of platforms that let users create applications without extensive coding knowledge. These platforms offer pre-built components, data connectors, and drag-and-drop interfaces that allow both professional developers and non-coders (often called citizen developers) to build and deploy applications. They promise faster development, lower costs, and increased productivity. However, it is important to understand that low code/no code does not mean low to no security: the platform still generates and runs real code, with real credentials, against real backend systems.

Security Risks Associated with Low Code/No Code Platforms

The ten risk categories below follow the OWASP Low-Code/No-Code Top 10.

  1. Account impersonation: Low code/no code applications commonly reach backend services through a connection that embeds the developer's own credentials or identity. Every user of the application then acts with the developer's permissions rather than their own, so access the user should not have is granted implicitly and actions are attributed to the wrong person. This poses a risk of unauthorized access and misuse of permissions.

  2. Authorization misuse: The OAuth authorization flows these platforms use to connect to services can be abused when the platform stores a user's refresh token and reuses it. A token captured once can be replayed to act as that user long after the original consent, leading to unauthorized access and compromise of sensitive data.

  3. Data leakage and unexpected consequences: Low code/no code applications read data from underlying services, but they can also act as conduits to backend systems for actions nobody anticipated, for example through a connector that can write or delete as well as read. Data can then leave its intended security boundary, whether into another connector, a downstream workflow, or a user's screen.

  4. Authentication and secure communication failures: Applications built on these platforms may be configured with weak authentication (anonymous access, shared accounts) or insecure transport (cleartext HTTP endpoints), which leaves them vulnerable to unauthorized access and data breaches.

  5. Security misconfigurations: These platforms typically leave application-level settings such as sharing scope, anonymous endpoints, and connector permissions to the citizen developer, so security settings are often misconfigured and endpoints left unprotected. This increases the risk of unauthorized access and data exposure.

  6. Injection handling failures: Low code/no code applications ingest data through forms, e-mail triggers, uploaded files, and API calls. When that data is passed unvalidated into a query, a formula, or a downstream connector, the application becomes susceptible to injection-based attacks that compromise data integrity and security.

  7. Vulnerable and untrusted components: These platforms rely heavily on ready-made components, connectors, and marketplace templates, some of which may be unmaintained, untrusted, or vulnerable. Using such components introduces supply chain risk and potential security flaws that the citizen developer cannot see or patch.

  8. Data and secret handling failures: Low code/no code applications may store data and secrets (API keys, connection strings, tokens) insecurely, for example inside the app definition or in unprotected variables, or fail to adhere to data protection policies. This can lead to unauthorized access, data loss, and compliance violations.

  9. Asset management failures: Low code/no code applications are easy to create and easy to abandon, and abandoned apps often remain active with their connections and permissions intact. Unmanaged and overlooked applications enlarge the attack surface and hinder business continuity.

  10. Security logging and monitoring failures: Low code/no code applications often lack comprehensive audit trails and sufficient logging, so there is no record of who did what through the app. This hampers security investigations and the detection of security incidents.
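As an added example (not code from the original article or from any platform vendor), the following Python script scans an exported app definition for the indicators a reviewer would look for under the risks above. The JSON layout, field names such as `shared_owner_identity`, the secret patterns, and the sample app itself are constructed assumptions; every platform has its own export schema, and two of the ten categories (data leakage and vulnerable components) need runtime or dependency data that a static export does not carry, so the script does not cover them.

```python
import json
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed sample export of a "vacation request" app. The schema is a
# hypothetical simplification, not any vendor's real export format.
SAMPLE_APP = {
    "name": "Vacation Requests",
    "owner": "alice@example.com",
    "owner_active": False,                     # Alice has left the company
    "last_modified": "2022-01-10T09:00:00Z",
    "sharing": {"audience": "everyone"},       # shared with the whole tenant
    "logging": {"audit_trail": False},
    "connections": [
        {"name": "HR database", "endpoint": "https://hr-db.internal.example",
         "auth": {"mode": "shared_owner_identity",   # every user acts as Alice
                  "refresh_token": "1//0gAbCdEfStoredRefreshTokenExample"}},
        {"name": "Payroll API", "endpoint": "http://payroll.example.com/v1",
         "auth": {"mode": "api_key", "api_key": "sk_live_51HxxxxEXAMPLEKEY"}},
    ],
    # Platform formula that builds a query straight from a text box.
    "formulas": ["Filter(Employees, Name = TextInput1.Text)"],
}

# Secret patterns are deliberately narrow; real scanners use far larger sets.
SECRET_PATTERNS = [
    (re.compile(r"\bsk_live_[A-Za-z0-9]{8,}"), "API key literal"),
    (re.compile(r"\b1//0[A-Za-z0-9_\-]{10,}"), "OAuth refresh token literal"),
    (re.compile(r'"password"\s*:\s*"[^"]+"'), "password literal"),
]
# Heuristic: a text box fed into Filter() with no function call in between.
UNTRUSTED_INPUT = re.compile(r"Filter\([^()]*TextInput\d*\.Text")
STALE_AFTER = timedelta(days=365)


def find_risks(app: dict, now: Optional[datetime] = None) -> List[Tuple[str, str]]:
    """Return (risk category, detail) pairs for one exported app definition."""
    now = now or datetime.now(timezone.utc)
    findings: List[Tuple[str, str]] = []
    audience = app.get("sharing", {}).get("audience", "owner")

    for conn in app.get("connections", []):
        auth = conn.get("auth", {})
        # Risk 1: a shared connection makes every app user act as the owner.
        if auth.get("mode") == "shared_owner_identity" and audience != "owner":
            findings.append(("account impersonation",
                             f"{conn['name']}: all app users act as {app['owner']}"))
        # Risk 2: a persisted refresh token can be replayed long after consent.
        if "refresh_token" in auth:
            findings.append(("authorization misuse",
                             f"{conn['name']}: OAuth refresh token persisted in app"))
        # Risk 4: cleartext transport to a backend.
        if conn.get("endpoint", "").startswith("http://"):
            findings.append(("authentication and secure communication failures",
                             f"{conn['name']}: cleartext endpoint {conn['endpoint']}"))

    # Risk 5: the broadest possible sharing scope.
    if audience == "everyone":
        findings.append(("security misconfigurations",
                         "app shared with the entire tenant"))

    # Risk 6: user-controlled input flows into a query expression unchanged.
    for formula in app.get("formulas", []):
        if UNTRUSTED_INPUT.search(formula):
            findings.append(("injection handling failures",
                             f"text box used directly in a query: {formula}"))

    # Risk 8: serialise once so secrets are caught wherever they sit in the export.
    blob = json.dumps(app)
    for pattern, label in SECRET_PATTERNS:
        for match in pattern.finditer(blob):
            findings.append(("data and secret handling failures",
                             f"{label} embedded in export: {match.group(0)[:12]}..."))

    # Risk 9: orphaned or long-untouched app that is still live.
    modified = datetime.fromisoformat(app["last_modified"].replace("Z", "+00:00"))
    if not app.get("owner_active", True) or now - modified > STALE_AFTER:
        findings.append(("asset management failures",
                         "owner inactive or app unmodified for over a year"))

    # Risk 10: nothing to investigate with after an incident.
    if not app.get("logging", {}).get("audit_trail", False):
        findings.append(("security logging and monitoring failures",
                         "audit trail disabled"))
    return findings


if __name__ == "__main__":
    for category, detail in find_risks(SAMPLE_APP):
        print(f"[{category}] {detail}")
```

Run against the constructed sample, the script reports nine findings across eight of the ten categories. In practice the exports would come from the platform's admin API on a schedule, and a finding in the first two categories (shared owner identity, persisted refresh token) is the one to chase first, because it turns every user of the app into the app owner.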

Mitigating Security Risks in Low Code/No Code Development

To mitigate the security risks associated with low code/no code development, it is crucial to incorporate secure software development life cycle (SDLC) practices. Here are the steps you can take:

  1. Application risk profiling: Create application risk profiles based on the OWASP Software Assurance Maturity Model (SAMM) to understand the security requirements, data handling, authentication, authorization, and compliance considerations for each application.

  2. Threat modeling: Build threat models for each application using the information from the risk profiles. Identify potential threats, attack vectors, and vulnerabilities associated with the application's design, data flows, and dependencies, paying particular attention to each connector and the identity it runs under.

  3. Education and guidance for citizen developers: Provide training and awareness to citizen developers on security policies, standards, compliance obligations, and best practices specific to the low code/no code platforms they use. Foster open communication between security teams and citizen developers to create a culture of shared responsibility for security.

The SAMM Model for Secure SDLC

The OWASP Software Assurance Maturity Model (SAMM) provides a framework for assessing and improving the maturity of security practices in the software development life cycle. It consists of five business functions (Governance, Design, Implementation, Verification, and Operations), each with three security practices, 15 practices in total. By following SAMM, you can systematically enhance security throughout your SDLC. Several of its security practices, such as Threat Assessment, Security Requirements, and Education and Guidance, relate directly to mitigating the security risks in low code/no code development.

Immediate Actions for Securing Low Code/No Code Environments

If you already have low code/no code apps in your environment and want to take immediate actions to enhance security, consider the following steps:

  1. Application risk profiling and questionnaire: Develop a questionnaire based on the application risk profiles to gather information about each application's purpose, user access, authentication methods, data handling, compliance considerations, and logging configuration.

  2. Building threat models: Utilize the information from the risk profiles to create threat models for each application. Identify potential threats, attack vectors, and vulnerabilities specific to the application's design, data flows, and dependencies.

  3. Providing education and guidance: Use the risk profiles and threat models to educate and guide citizen developers on the security controls, best practices, and mitigation techniques required to protect the applications and data they develop.
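As an added example, not part of the original article, here is how the three steps above (questionnaire, threat model, guidance) can be chained together in code so that the answers a citizen developer gives drive both the threat list and the controls handed back to them. The question set, weights, tier thresholds, and the sample answers are assumptions chosen for illustration; SAMM does not prescribe them, and a real program would calibrate them to its own data classification and policy.

```python
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class AppProfile:
    """Answers from the risk-profiling questionnaire (hypothetical question set)."""
    name: str
    purpose: str
    audience: str           # "owner" | "team" | "tenant" | "external"
    auth_method: str        # "sso_per_user" | "shared_owner_identity" | "anonymous"
    data_classes: Set[str]  # e.g. {"public", "internal", "pii", "financial", "health"}
    connectors: List[str]   # backend systems the app reads from or writes to
    writes_data: bool
    audit_logging: bool
    compliance: Set[str] = field(default_factory=set)  # e.g. {"GDPR", "SOX"}


# Assumed weights, chosen for illustration rather than taken from any standard.
AUDIENCE_SCORE = {"owner": 0, "team": 1, "tenant": 2, "external": 3}
AUTH_SCORE = {"sso_per_user": 0, "shared_owner_identity": 2, "anonymous": 3}
DATA_SCORE = {"public": 0, "internal": 1, "pii": 2, "financial": 3, "health": 3}


def risk_score(p: AppProfile) -> int:
    """Additive score: who can reach the app, as whom, touching what data."""
    score = AUDIENCE_SCORE[p.audience] + AUTH_SCORE[p.auth_method]
    score += max((DATA_SCORE.get(d, 1) for d in p.data_classes), default=0)
    score += 1 if p.writes_data else 0       # tampering is possible, not just reading
    score += 1 if p.compliance else 0        # regulated data raises the stakes
    score += 0 if p.audit_logging else 1     # blind spots make incidents worse
    return score


def risk_tier(score: int) -> str:
    return "low" if score <= 3 else "medium" if score <= 6 else "high"


def required_controls(p: AppProfile) -> List[str]:
    """Guidance handed to the citizen developer, derived from the profile."""
    tier = risk_tier(risk_score(p))
    controls = ["record owner, purpose and review date in the app inventory"]
    if p.auth_method == "shared_owner_identity":
        controls.append("switch every connector to per-user identity; "
                        "no app user should act as the app owner")
    if not p.audit_logging:
        controls.append("enable the platform audit trail and ship it to the SIEM")
    if tier in ("medium", "high"):
        controls.append("threat model reviewed with the security team before release")
    if tier == "high":
        controls += ["restrict sharing to the smallest group that needs the app",
                     "penetration test before go-live and on major change"]
    return controls


def threat_list(p: AppProfile) -> List[str]:
    """STRIDE-style starter threats for each app-to-connector data flow."""
    threats = []
    for c in p.connectors:
        if p.audience == "external" or p.auth_method == "anonymous":
            threats.append(f"Spoofing: unauthenticated caller reaches {c} through the app")
        if p.auth_method == "shared_owner_identity":
            threats.append(f"Elevation of privilege: any app user acts on {c} "
                           f"with the owner's permissions")
        if p.writes_data:
            threats.append(f"Tampering: app user writes unintended records to {c}")
        if p.data_classes & {"pii", "financial", "health"}:
            threats.append(f"Information disclosure: sensitive data from {c} "
                           f"shown beyond its intended audience")
        if not p.audit_logging:
            threats.append(f"Repudiation: actions against {c} cannot be attributed")
    return threats


# Constructed questionnaire answers for a sample app, not a real assessment.
VACATION_APP = AppProfile(
    name="Vacation Requests", purpose="employees file leave, managers approve",
    audience="tenant", auth_method="shared_owner_identity",
    data_classes={"pii"}, connectors=["HR database", "Payroll API"],
    writes_data=True, audit_logging=False, compliance={"GDPR"},
)

if __name__ == "__main__":
    print(VACATION_APP.name, "->", risk_tier(risk_score(VACATION_APP)))
    for item in required_controls(VACATION_APP) + threat_list(VACATION_APP):
        print(" -", item)
```

For the constructed sample the score is 9, which lands in the high tier, produces six controls, and yields four threats for each of the two connectors. The point of wiring it this way is that the same questionnaire answers feed all three steps, so the guidance a citizen developer receives is traceable back to a specific answer rather than being a generic checklist.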

Future Trends in Low Code/No Code Development

The popularity of low code/no code platforms is expected to grow significantly in the coming years. According to Gartner, the low code development technology market was forecast to grow by around 20% in 2023, with growth continuing through 2026. As more organizations embrace low code/no code development, it becomes crucial to prioritize security practices within these platforms and to integrate them into the overall SDLC.

Conclusion

While low code/no code development offers advantages in terms of speed and efficiency, it also introduces security risks that need to be addressed. By following secure SDLC practices, such as application risk profiling, threat modeling, and education for citizen developers, organizations can mitigate these risks and build secure low code/no code environments. Embracing a culture of shared responsibility for security and staying informed about future trends in low code/no code development will further enhance the protection of applications and data.
