How Low-Code/No-Code Development Can Make You Cry (or Laugh) About Cyber Security

Low-code/no-code development is all the rage these days. It allows you to create applications and automation without writing a single line of code. Sounds awesome, right? Well, not so fast. Before you jump on the low-code/no-code bandwagon, you might want to consider the cyber security implications of this approach. You see, low-code/no-code development is not a magic bullet that solves all your problems. It can also introduce new ones, especially when it comes to cyber security, information security, and data privacy. In this blog post, we will explore some of the challenges and risks of low-code/no-code development for cyber security, with a particular emphasis on GDPR. We will also give you some tips on how to avoid them, or at least laugh about them.

What is low-code/no-code development and why should you care?

Low-code/no-code development is a way of creating applications and automation using a graphical user interface (GUI) instead of traditional hand-coded programming. ² Such platforms reduce the amount of coding required, enabling faster and easier delivery of business solutions. Low-code/no-code development can be used for various purposes, such as:

• Building web and mobile apps
• Automating workflows and processes
• Integrating data and systems
• Enhancing user experience and engagement
• Developing prototypes and proofs of concept

Low-code/no-code development can offer many benefits, such as:

• Lowering the barrier to entry for non-technical users
• Reducing the dependency on IT resources and developers
• Accelerating the time-to-market and innovation
• Improving the agility and scalability of solutions
• Enabling customization and flexibility

However, low-code/no-code development also comes with some drawbacks, such as:

• Increasing the complexity and maintenance of solutions
• Limiting the functionality and performance of solutions
• Creating compatibility and interoperability issues
• Lacking transparency and control over the code
• Exposing security and privacy vulnerabilities

What are the cyber security challenges and risks of low-code/no-code development?

Low-code/no-code development can pose several cyber security challenges and risks, such as:

• Account impersonation: Low-code/no-code platforms often rely on user accounts and roles to access and manage applications and data. However, these accounts can be compromised or misused by malicious actors or insiders, leading to unauthorized access, data breaches, or fraud. ²
• Authorization misuse: Low-code/no-code platforms often provide granular permissions and access controls for applications and data. However, these permissions can be configured incorrectly or abused by users, leading to excessive privileges, data leakage, or unexpected consequences. ²
• Data leakage and unexpected consequences: Low-code/no-code platforms often enable users to integrate data from various sources and systems. However, this data can be exposed or mishandled by users or third parties, leading to data leakage, compliance violations, or unexpected consequences. ²
• Authentication and secure communication failures: Low-code/no-code platforms often require users to authenticate themselves and communicate securely with applications and data. However, these mechanisms can fail or be bypassed by attackers, leading to identity theft, man-in-the-middle attacks, or data interception. ²
• Security misconfiguration: Low-code/no-code platforms often provide default settings and options for security features and functions. However, these settings can be misconfigured or overlooked by users, leading to security gaps, vulnerabilities, or errors. ²
• Injection handling failures: Low-code/no-code platforms often allow users to input data or commands into applications or databases. However, these inputs can be maliciously crafted or manipulated by attackers, leading to injection attacks, such as SQL injection or cross-site scripting (XSS). ²
• Vulnerable and untrusted components: Low-code/no-code platforms often rely on reusable code or components from external sources or libraries. However, these components can be vulnerable or untrusted by nature or design, leading to exploits, backdoors, or malware.
• Data and secret handling failures: Low-code/no-code platforms often require users to store or transmit data or secrets, such as passwords, keys, or tokens. However, these data or secrets can be stored or transmitted insecurely or improperly by users, leading to data loss, theft, or exposure.
• Asset management failures: Low-code/no-code platforms often enable users to create and manage multiple applications and assets, such as code, data, or configurations. However, these applications and assets can be poorly managed or maintained by users, leading to asset sprawl, duplication, or obsolescence.
• Security logging and monitoring failures: Low-code/no-code platforms often provide security logging and monitoring capabilities for applications and data. However, these capabilities can be insufficient or ineffective by design or implementation, leading to security blind spots, incidents, or breaches.

How can you avoid or mitigate the cyber security challenges and risks of low-code/no-code development?

Low-code/no-code development can be a great way to create applications and automation quickly and easily. However, it can also introduce new cyber security challenges and risks that need to be addressed and managed. Here are some tips on how to avoid or mitigate them:

• Choose a reputable and secure low-code/no-code platform: Not all low-code/no-code platforms are created equal. Some may offer better security features and functions than others. Do your research and compare different platforms before choosing one. Look for platforms that have security certifications, accreditations, or endorsements from trusted sources. Also, check for platforms that have regular security updates, patches, and audits.
• Follow the best security practices and standards for low-code/no-code development: Just because you are using a low-code/no-code platform does not mean you can ignore the best security practices and standards for application development. You still need to follow the principles of secure design, development, testing, deployment, and maintenance. For example, you should apply the principle of least privilege, encrypt sensitive data at rest and in transit, validate user inputs and outputs, use secure coding techniques and libraries, test your applications for vulnerabilities and bugs, deploy your applications in secure environments, and update your applications regularly.
• Educate yourself and your users on cyber security awareness and skills: One of the main advantages of low-code/no-code development is that it empowers non-technical users to create applications and automation. However, this also means that these users may lack the necessary cyber security awareness and skills to do so securely. Therefore, it is important to educate yourself and your users on the basics of cyber security concepts, threats, risks, and best practices. You should also provide training and guidance on how to use the low-code/no-code platform securely and responsibly.
• Collaborate with your IT and security teams: Low-code/no-code development can enable business users to create applications and automation without relying on IT and security teams. However, this does not mean that you should bypass or ignore them altogether. You should still collaborate with your IT and security teams to ensure that your applications and data are aligned with your organization’s security policies, standards, and requirements. You should also seek their advice and support on how to secure your applications and data, and how to handle any security incidents or issues that may arise.
• Comply with the relevant laws and regulations for data privacy and protection: Low-code/no-code development can involve collecting, processing, storing, or sharing personal or sensitive data from your users or customers. Therefore, you need to comply with the relevant laws and regulations for data privacy and protection, such as GDPR. You should also respect the rights and preferences of your data subjects, such as obtaining their consent, providing them with information and access, and honouring their requests for deletion or correction.

Conclusion

Low-code/no-code development can be a fun and easy way to create applications and automation for your business needs. However, it can also be a nightmare for your cyber security if you are not careful. You need to be aware of the cyber security challenges and risks that low-code/no-code development can pose, and how to avoid or mitigate them. You also need to comply with the relevant laws and regulations for data privacy and protection, such as GDPR. By following these tips, you can enjoy the benefits of low-code/no-code development without compromising your cyber security.

References

(1) OWASP Low-Code/No-Code Top 10 | OWASP Foundation. https://owasp.org/www-project-top-10-low-code-no-code-security-risks/

(2) Low-Code/No-Code App Dev’s Inherent Security Risks. https://bing.com/search?q=low-code+%2f+no-code+development+cyber+security

(3) Low code/no code and security implications – CyberTalk. https://www.cybertalk.org/2021/12/06/low-code-no-code-and-security-implications/

(4) Low or No Code Development and Cybersecurity – Cipher. https://cipher.com/blog/low-or-no-code-development-and-cybersecurity/

(5) Top Security Concerns for Low-Code/No-Code development | Comidor. https://www.comidor.com/blog/low-code/low-code-security-concerns/