The 7 Deadly Sins of Low-Code Security and How to Avoid Them
If you’ve followed our last two blog posts, you should already be familiar with the reasons why organizations that are undergoing digital transformation are turning to low-code development. Here at Zenity, we are avid supporters of low-code development, and share the common belief that within a few years, many business applications will be developed using low-code. After all, nothing can beat the simplicity, ease of development and the rapid implementation process offered by low-code platforms.
Having said that, just like any other type of software, low-code applications may contain defects, design flaws, and security vulnerabilities. In recent years, many tutorials, guides and Top-10 security lists have been written on web application security, API security, Cloud native security, and so forth. However, the amount of quality security articles that target low-code security is still quite low.
Our blog in general, and this post in particular, aim to rectify this, by sharing our expertise in this field. Zenity’s low-code security research team is exposed to real world low-code applications on a daily basis, and we’re glad to share our knowledge in this domain in order to help you to design and develop secure low-code applications.
According to Zenity’s low-code security research, the top seven most common risks and concerns for low-code applications are:
- Privilege escalation
- Data leakage
- Insecure authentication
- Misconfigurations
- Dependency injection
- Oversharing
- Application impersonation
Low-Code Security Sin #1: Privilege Escalation
To boost innovation, low-code platforms have taken a shortcut to help makers build apps. Apps do not have their own identities, but instead use the identity provided by the maker. A security savvy maker might identify this pitfall and provide a service identity, but unfortunately the vast majority of low-code apps run with personal user credentials. This means that by gaining access to an app, a user gains access to its underlying credentials and in some cases can manipulate and use them however he wishes. This fact makes low-code apps the perfect bed for breaking authorization boundaries. If not careful, users can easily have access to resources they are not authorized to use, and they would access them with another user’s identity. The same mechanism allows attackers to elevate their privileges.
Most low-code platforms have some notion of a default environment where connections to data sources are placed by default. These typically contain access to user accounts, cloud services, SaaS services and many more.
Zenity’s pro tips:
- Assess the connections that are in your default environment
- Avoid running applications with real user credentials, use system roles with least-privileged access permissions
Low-Code Security Sin #2: Data Leakage
Low-code apps usually revolve around streamlining a business process or automating a task. Many times this is coupled with moving data from A to B or connecting operation C to operation D (if this then that). This also means that data can easily find its way outside of the organizational boundary. Typical examples include moving data to unauthorized services (i.e. shadow IT) and storing business critical data in the wrong place, for example on personal drives.
Zenity’s pro tips:
- Leverage data loss prevention policies provided by low-code platforms
- Limit connector usage to authorized connectors only
Low-Code Security Sin #3: Insecure authentication
Low-code apps are not built in silos, they are built on top of the organization’s critical business data. Connections to data sources are defined by low-code makers, which are oftentimes not experts in authentication (e.g. citizen developers). This can result in connections that use HTTP rather than HTTPs, weak encryption ciphers and insecure transmission of secrets.
Zenity’s pro tips:
- Review connections to FTP(s) and HTTP(s) and make sure they use secure authentication methods
Low-Code Security Sin #4: Misconfiguration
Low-code platforms provide a wide range of features, some of which control the balance between security and support of specific use cases. For example, Portal Apps by Power Platform allow creating self-service portals for unauthenticated users. However, misconfiguration of those apps could lead to these users having full access to data sources that underlie this app.
Zenity’s pro tips:
- Most platforms provide security guidelines for their configuration. Use the guidelines to correctly configure your applications, or use a continuous monitoring solution in order to do so.
Low-Code Security Sin #5: Dependency injection
Low-code apps have grown to serve critical business needs, and thus they must be scalable and support many different use cases. In order to do that while still being easy and intuitive to use, low-code apps rely heavily on a marketplace ecosystem where the platform and its users can share components, connectors and even ready-to-use apps with each other. This is very similar in nature to OSS (open source software) being used when building business applications with pro code. The security community has made huge strides in addressing the OSS dependency security concern, but unfortunately, these solutions do not cover low-code security vulnerabilities. Low-code platforms allow makers to use marketplace components from any source, including sources outside of the marketplace! This could easily lead to attackers gaining access to and manipulating the application, it’s underlying credentials and those of every user that connects to the application.
Zenity’s pro tips:
- Review the source of all Custom Connectors used by your low-code developers
- Develop & follow a security 3rd party component vetting process for your low-code applications
Low-Code Security Sin #6: Oversharing
To enable fast expansion within the enterprise, low-code platforms make sharing of apps, components and data extremely easy. You can share a connection to a data source, an application, automation, on-prem connection and many more. Sharing with the entire organization may sometimes even be a platform default. Oversharing can easily result in breaking the enterprise permission model.
Zenity’s pro tips:
- Review production apps and search for apps that have more than two administrators. Are they all required?
- Make sure that your sharing and security settings are as strict as needed and only provide access to applications and data to those who require it
Low-Code Security Sin #7: App impersonation
Because low-code apps are usually developed by the organization, users tend to trust them blindly. However, low-code platforms allow users to upload and deploy an application from an external source, including the platform marketplace. An attacker or a malicious insider could use this blind trust to impersonate a viable app and launch a consent phishing campaign within the organization.
Zenity’s pro tips:
- Some platforms allow admins to make the consent process implicit, meaning users grant consent to application as soon as they login and without notice. Make sure these options are turned off.
Next steps
Subscribe to hear more on the research behind each of the 7 sins and follow us for more low-code security insights!