BLOG

Low-code Security Risks: 7 Sins and How to Overcome Every Single One

Written by
Michael Bargury
December 29, 2021

Low-code security vulnerabilities can be deadly - but not for you. Learn how to mitigate all the risks involved by downloading our free whitepaper “7 Deadly Sins of Low-Code Security and How to Avoid Them”.

If you’ve followed our last two blog posts, you should already be familiar with the reasons why organizations that are undergoing digital transformation are turning to low-code development. Here at Zenity.io, we are avid supporters of low-code development, and share the common belief that within a few years, many business applications will be developed using low-code. After all, nothing can beat the simplicity, ease of development and the rapid implementation process offered by low-code platforms.

Having said that, just like any other type of software, low-code applications may contain defects, design flaws, and security vulnerabilities. In recent years, many tutorials, guides and Top-10 security lists have been written on web application security, API security, Cloud native security, and so forth. However, the amount of quality security articles that target low-code security is still quite low. 

Our blog in general, and this post in particular, aim to rectify this, by sharing our expertise in this field. Zenity’s low-code security research team is exposed to real world low-code applications on a daily basis, and we’re glad to share our knowledge in this domain in order to help you to design and develop secure low-code applications. 

According to Zenity’s low-code security research, the top seven most common risks and concerns for low-code applications are:

  1. Privilege escalation
  2. Data leakage
  3. Insecure authentication
  4. Misconfigurations
  5. Dependency injection
  6. Oversharing
  7. Application impersonation

Low-Code Security Sin #1: Privilege Escalation

To boost innovation, low-code platforms have taken a shortcut to help makers build apps. Apps do not have their own identities, but instead use the identity provided by the maker. A security savvy maker might identify this pitfall and provide a service identity, but unfortunately the vast majority of low-code apps run with personal user credentials. This means that by gaining access to an app, a user gains access to its underlying credentials and in some cases can manipulate and use them however he wishes. This fact makes low-code apps the perfect bed for breaking authorization boundaries. If not careful, users can easily have access to resources they are not authorized to use, and they would access them with another user’s identity. The same mechanism allows attackers to elevate their privileges. 

Most low-code platforms have some notion of a default environment where connections to data sources are placed by default. These typically contain access to user accounts, cloud services, SaaS services and many more.

Low-Code Security Sin #2: Data Leakage

Data Leakage

Low-code apps usually revolve around streamlining a business process or automating a task. Many times this is coupled with moving data from A to B or connecting operation C to operation D (if this then that). This also means that data can easily find its way outside of the organizational boundary. Typical examples include moving data to unauthorized services (i.e. shadow IT) and storing business critical data in the wrong place, for example on personal drives.

Low-Code Security Sin #3: Insecure authentication

Low-code apps are not built in silos, they are built on top of the organization’s critical business data. Connections to data sources are defined by low-code makers, which are oftentimes not experts in authentication (e.g. citizen developers). This can result in connections that use HTTP rather than HTTPs, weak encryption ciphers and insecure transmission of secrets.

Low-Code Security Sin #4: Misconfigurations

Low-code platforms provide a wide range of features, some of which control the balance between security and support of specific use cases. For example, Portal Apps by Power Platform allow creating self-service portals for unauthenticated users. However, misconfiguration of those apps could lead to these users having full access to data sources that underlie this app.

Low-Code Security Sin #5: Dependency injection

Low-code apps have grown to serve critical business needs, and thus they must be scalable and support many different use cases. In order to do that while still being easy and intuitive to use, low-code apps rely heavily on a marketplace ecosystem where the platform and its users can share components, connectors and even ready-to-use apps with each other. This is very similar in nature to OSS (open source software) being used when building business applications with pro code. The security community has made huge strides in addressing the OSS dependency security concern, but unfortunately, these solutions do not cover low-code security vulnerabilities. Low-code platforms allow makers to use marketplace components from any source, including sources outside of the marketplace! This could easily lead to attackers gaining access to and manipulating the application, it’s underlying credentials and those of every user that connects to the application.  

Low-Code Security Sin #6: Oversharing

To enable fast expansion within the enterprise, low-code platforms make sharing of apps, components and data extremely easy. You can share a connection to a data source, an application, automation, on-prem connection and many more. Sharing with the entire organization may sometimes even be a platform default. Oversharing can easily result in breaking the enterprise permission model.

Oversharing

Low-Code Security Sin #7: App impersonation

Because low-code apps are usually developed by the organization, users tend to trust them blindly. However, low-code platforms allow users to upload and deploy an application from an external source, including the platform marketplace. An attacker or a malicious insider could use this blind trust to impersonate a viable app and launch a consent phishing campaign within the organization.

Now that you’re aware of the 7 deadly sins, don’t you want to know how to mitigate these risks? Receive free, actionable tips from our research team on how to mitigate these risks right here.

About the Author

Michael Bargury
Michael Bargury is an industry expert in cybersecurity, with 10 years of experience in the field. Prior to Zenity, Michael was a senior architect at Azure Security CTO Office, Microsoft, where he founded Azure Defender for loT. He holds 15 patents in the field of cloud security, network security, confidential computing and threat hunting.
TABLE OF CONTENTS

All the news straight to your inbox. Signup for Zenity’s weekly newsletter.

Don’t miss a single opportunity to get knowledge.

    vertex venturesupwest
    menu