If you’ve followed our last two blog posts, you should already be familiar with the reasons why organizations that are undergoing digital transformation are turning to low-code development. Here at Zenity, we are avid supporters of low-code development, and share the common belief that within a few years, many business applications will be developed using low-code. After all, nothing can beat the simplicity, ease of development and the rapid implementation process offered by low-code platforms.
Having said that, just like any other type of software, low-code applications may contain defects, design flaws, and security vulnerabilities. In recent years, many tutorials, guides and Top-10 security lists have been written on web application security, API security, Cloud native security, and so forth. However, the amount of quality security articles that target low-code security is still quite low.
Our blog in general, and this post in particular, aim to rectify this, by sharing our expertise in this field. Zenity’s low-code security research team is exposed to real world low-code applications on a daily basis, and we’re glad to share our knowledge in this domain in order to help you to design and develop secure low-code applications.
According to Zenity’s low-code security research, the top seven most common risks and concerns for low-code applications are:
To boost innovation, low-code platforms have taken a shortcut to help makers build apps. Apps do not have their own identities, but instead use the identity provided by the maker. A security savvy maker might identify this pitfall and provide a service identity, but unfortunately the vast majority of low-code apps run with personal user credentials. This means that by gaining access to an app, a user gains access to its underlying credentials and in some cases can manipulate and use them however he wishes. This fact makes low-code apps the perfect bed for breaking authorization boundaries. If not careful, users can easily have access to resources they are not authorized to use, and they would access them with another user’s identity. The same mechanism allows attackers to elevate their privileges.
Most low-code platforms have some notion of a default environment where connections to data sources are placed by default. These typically contain access to user accounts, cloud services, SaaS services and many more.
Zenity’s pro tips:
Low-code apps usually revolve around streamlining a business process or automating a task. Many times this is coupled with moving data from A to B or connecting operation C to operation D (if this then that). This also means that data can easily find its way outside of the organizational boundary. Typical examples include moving data to unauthorized services (i.e. shadow IT) and storing business critical data in the wrong place, for example on personal drives.
Zenity’s pro tips:
Low-code apps are not built in silos, they are built on top of the organization’s critical business data. Connections to data sources are defined by low-code makers, which are oftentimes not experts in authentication (e.g. citizen developers). This can result in connections that use HTTP rather than HTTPs, weak encryption ciphers and insecure transmission of secrets.
Zenity’s pro tips:
Low-code platforms provide a wide range of features, some of which control the balance between security and support of specific use cases. For example, Portal Apps by Power Platform allow creating self-service portals for unauthenticated users. However, misconfiguration of those apps could lead to these users having full access to data sources that underlie this app.
Zenity’s pro tips:
Low-code apps have grown to serve critical business needs, and thus they must be scalable and support many different use cases. In order to do that while still being easy and intuitive to use, low-code apps rely heavily on a marketplace ecosystem where the platform and its users can share components, connectors and even ready-to-use apps with each other. This is very similar in nature to OSS (open source software) being used when building business applications with pro code. The security community has made huge strides in addressing the OSS dependency security concern, but unfortunately, these solutions do not cover low-code security vulnerabilities. Low-code platforms allow makers to use marketplace components from any source, including sources outside of the marketplace! This could easily lead to attackers gaining access to and manipulating the application, it’s underlying credentials and those of every user that connects to the application.
Zenity’s pro tips:
To enable fast expansion within the enterprise, low-code platforms make sharing of apps, components and data extremely easy. You can share a connection to a data source, an application, automation, on-prem connection and many more. Sharing with the entire organization may sometimes even be a platform default. Oversharing can easily result in breaking the enterprise permission model.
Zenity’s pro tips:
Because low-code apps are usually developed by the organization, users tend to trust them blindly. However, low-code platforms allow users to upload and deploy an application from an external source, including the platform marketplace. An attacker or a malicious insider could use this blind trust to impersonate a viable app and launch a consent phishing campaign within the organization.
Zenity’s pro tips:
Subscribe to hear more on the research behind each of the 7 sins and follow us for more low-code security insights!
All ArticlesWelcome to the Agentic AI revolution, where AI Agents aren’t just processing information; they’re making decisions,...
Representing Zenity in Washington DC I recently had the fantastic opportunity to represent Zenity in a round of...
AI Agents are not just another tech trend; they are fundamentally reshaping how enterprises operate. These autonomous...
We’d love to chat with you about how your team can secure and govern AI Agents everywhere.
Book Demo