Low-Code/No-Code App Dev’s Inherent Security Risks

Shadow IT is not good for organizations for many reasons. Most notably, it results in the following:
Being unable to know and monitor IT resources means not seeing the big picture. It prevents organizations from clearly knowing what they have and what they need to protect.
Shadow IT makes it difficult to identify threats and effectively anticipate, stop or mitigate them. Apps that are part of shadow IT can be the source of data leaks, but IT departments or cyber security teams may have a hard time finding them and addressing the problem accordingly.
Having more software usually means more points of failure. There are cases where low-code/no-code apps are no longer monitored because they are considered insignificant or benign, only to become vulnerabilities because they leak data or allow script injection.
Shadow IT is also an uncontrollable factor in organizational processes. Low-code/no-code apps under the veil of shadow IT cannot be adapted to the security posture of an organization and cannot be easily traced and fixed if they create security problems. The only way to rein them in is to bring these shadow IT components into the light, which means they must stop being shadow IT.
Many IT experts echo the idea that shadow IT is not the problem itself, but a symptom. It would not exist if employees got the IT resources they need from the known IT setup and resources of an organization. Low-code/no-code apps do not need to become part of shadow IT given proper governance and security validation.
Lack of cybersecurity expertise
Users don’t need in-depth technical knowledge to figure out how to use low-code/no-code development platforms, let alone the cybersecurity knowledge to ensure they don’t build and distribute apps that could create security vulnerabilities or conflict with the security posture of their organizations.
This is clearly an inherent security risk for any organization. Anyone can now build apps through intuitive interfaces, but almost all of them have no idea about the potential risks. Teaching and learning the basics of secure app development is not going to be easy.
The OWASP Top 10 Low Code/No Code Security Risk List captures the various risks attributable to a lack of cybersecurity knowledge among low-code/no-code users. There is a tendency to create apps with insecure authentication, data leakage issues, oversharing of apps and components, data and secret handling errors, misconfiguration, dependency injection risks, unmanaged custom mode, and vulnerabilities that enable privilege escalation.