Why Low-Code/No-Code Apps are the Achilles Heel of Security

Posted on by Yair Finzi

Low-code/no-code (LCNC) development is taking the corporate world by storm. The initial goal of LCNC platforms was to let non-technical people develop their own apps and robotic process automations (RPAs) for streamlining business processes and tasks. According to one study, 41% of firms now have active “citizen development” initiatives. But LCNC has also found its way into IT organizations, with 57% of developers using LCNC tools. That number will surely increase.

The primary benefits of LCNC development are simplicity and speed. LCNC platforms feature visual, AI and drag-and-drop interfaces that let users assemble apps with pre-coded building blocks for workflows, UI elements, data exchange, and everything else that makes up a business process. 

Low code application platforms (LCAPs) allow individuals with little to no coding or technical knowledge to easily create and rapidly deploy apps for personal or enterprise-wide use. At a time when programming resources are at a premium, this “democratization” of development gives organizations a huge advantage on the path to digital transformation. 

Unfortunately, LCNC and RPAs also introduce dangerous risks that traditional security solutions don’t address. Hard-coded passwords, vulnerabilities, and even malicious components can go undetected. There are three specific reasons why LCNC is being termed the Achilles heel of cybersecurity.

  • Unlike traditional apps, LCNC apps aren’t generated line by line and use proprietary logic to which there is no straightforward access. Even with appropriate access, decrypting what LCNC apps are doing and what risk they introduce requires dedicated cybersecurity research expertise. As a result, traditional scanning tools that are designed to inspect standard code can’t detect vulnerabilities in LCNC apps and RPAs.
  • In addition, LCNC platforms typically don’t allow integration into runtime environments. As a result, dynamic application security testing (DAST) tools designed and built to scan apps in the runtime environment, are of no use with LCNC apps.
  • Beyond these technical hurdles, organizations must address a deeper cultural problem. As cybersecurity risks have increased over the years, developers have been trained to incorporate security into the coding process so that security is built in, not bolted on. Citizen developers, however, have no such training or awareness of security issues. 

In the decentralized environment of shadow engineering LCNC apps and RPAs are developed outside a formal engineering structure. This makes the common practice of peer code review impractical, or virtually possible. Meanwhile, security teams may not even be aware of the existence of some LCNC apps and RPAs, which results in their lack of appropriate controls.

As the popularity and acceptance of LCNC development continue to grow, organizations should implement a proactive LCNC security program that includes processes, procedures, and tools to:

  • Create, track, and maintain an up-to-date inventory of all LCNC apps and RPAs 
  • Detect security vulnerabilities and compliance issues in LCNC apps and RPAs
  • Provide citizen developers with clear remediation instructions, with a clear context, when an application or RPA violates security policy
  • Track all LCNC and RPA integrations with existing systems that contain sensitive data

Just as Achilles' heel was a small yet fatal vulnerability, LCNC applications and RPAs represent a hidden but significant enterprise security risk. Despite the development simplicity and speed provided by LCNC platforms, which are invaluable in today’s fast-paced digital world, the proliferation of shadow engineering and its lack of security oversight can lead to substantial vulnerabilities. By acknowledging these risks and implementing comprehensive security programs that involve both IT professionals and citizen developers, organizations can enjoy the benefits of LCNC platforms without compromising their security posture. 

Yair Finzi

CEO & Co-Founder, Nokod Security LTD

Business Perspectives DevSecOps & Application Security

software code vulnerability analysis secure coding mobile applications Artificial Intelligence / Machine Learning supply chain risk & vulnerability assessment Application Security Testing

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs