4 Common LCNC Security Vulnerabilities and How To Mitigate Them
Low-Code/No-Code platforms, while accelerating innovation, introduce significant security risks such as client-side data access issues, injection attacks, unintended public exposure, and data leakage.
August 7, 2024
Written by Amichai Shulman, co-founder and CTO of Nokod Security
Low-Code/No-Code (LCNC) platform adoption has surged as digital transformation accelerates across virtually every industry. They empower employees, often termed citizen developers, to create applications and automate processes without coding knowledge. While this democratization of software development accelerates innovation and efficiency, it also introduces security challenges.
In many organizations, security teams still underestimate the risks of LCNC platforms because the apps they generate are considered internal, local, and non-critical. As a result, organizations rarely apply application security practices to them due to a lack of tools and interest. To illustrate the impact of LCNC platforms and robotic process automation (RPA) on the enterprise attack surface, let’s explore common mistakes that introduce security risks.
1. Client-side data access restrictions
Data access mishandling is a common source of unintentional vulnerabilities in LCNC environments that can lead to data leakage and compliance violation issues. The issue arises because LCNC platforms allow citizen developers to include corporate data in an application by simply dragging it into the canvas.
While LCNC platforms allow access restrictions on the data, those restrictions are applied on the client side by default. As a result, a user with access to the application can bypass them and gain unauthorized access to the underlying data sources. Citizen developers might not be aware of the risk associated with the default settings when configuring access rules. This can cause an external breach if the application is accessible over the internet or a report is published on the web.
For example, consider an application created by the HR department to collect employees' T-shirt sizes for an upcoming company event. The developer drags only minimal details from an employee record into the display and sets up an access restriction on the data displayed to match the current employee’s ID. When the application is shared with the entire organization, employees can bypass client-side controls and access other employees’ data, including details not displayed.
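The T-shirt-size scenario above, modelled as an added example in Python (not Nokod's code or any specific LCNC platform's API): the employee table, the connector behaviour, and the user IDs are constructed here to contrast a filter applied after the data has already left the server with a filter and column projection enforced in the query.

```python
import sqlite3

# Constructed sample data for the T-shirt-size app scenario: the record holds
# far more than the app ever displays.
EMPLOYEES = [
    (101, "Alice", "M", "alice@example.test", 95000),
    (102, "Bob", "L", "bob@example.test", 87000),
]
DISPLAY_COLUMNS = ("id", "name", "tshirt_size")  # server-side allowlist, not user input


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees(id INTEGER, name TEXT, tshirt_size TEXT,"
                 " email TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?, ?)", EMPLOYEES)
    return conn


def data_source_client_filtered(conn):
    """Default LCNC pattern: the connector hands the whole data source to the
    app, and the 'restriction' is a filter the canvas applies before display.
    Anyone who can reach the connector obtains every row and every column."""
    return conn.execute("SELECT * FROM employees").fetchall()


def render_canvas(rows, current_user_id):
    """The client-side filter: cosmetic, because `rows` already left the server."""
    return [(r[0], r[1], r[2]) for r in rows if r[0] == current_user_id]


def data_source_server_enforced(conn, session_user_id):
    """Hardened pattern: the identity comes from the authenticated session, the
    row filter is part of the query, and only the displayed columns are
    projected, so a modified client cannot widen either."""
    cols = ", ".join(DISPLAY_COLUMNS)
    return conn.execute(f"SELECT {cols} FROM employees WHERE id = ?",
                        (session_user_id,)).fetchall()


def exposure_report(conn, session_user_id):
    """Defender's check: (rows, columns) one user can obtain under each model."""
    full = data_source_client_filtered(conn)
    safe = data_source_server_enforced(conn, session_user_id)
    return {"client_side": (len(full), len(full[0]) if full else 0),
            "server_side": (len(safe), len(safe[0]) if safe else 0)}
```

The report makes the gap measurable: under the client-side model every user can obtain all rows and all five columns, including email and salary, while the server-enforced model returns one row with three columns.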
2. Injection attacks
Apps and automation created on LCNC platforms are not immune to traditional web application vulnerabilities such as SQL injection. Consider a form for collecting user complaints that can be exploited by injecting SQL code, allowing an attacker from the internet to retrieve sensitive data, including usernames and salaries, from the database. This vulnerability arises when developers include user input directly in SQL queries without proper parameterization.
Meanwhile, an HTML injection in the same complaint form can lead to the delivery and execution of malicious links in emails sent internally to the department responsible for handling the complaints. It poses a severe phishing risk when HTML code is rendered and executed as part of the email display, illustrating the importance of sanitizing and validating all user inputs.
Injection vulnerabilities, including operating system command injection, become a significant concern when input is taken from external-facing resources such as public web forms, email messages, and social media content. This exposure turns LCNC applications or RPAs into parts of the external attack surface.
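The complaint-form scenario from the two paragraphs above, as an added Python example that is not Nokod's code or any platform's own connector: the employees and complaints tables are constructed sample data, and the 'before' lookup builds the query from the form field while the fixed lookup binds it as a parameter; the notification builder escapes the submission before it is embedded in the HTML email sent to the handling department.

```python
import html
import sqlite3


# Constructed sample data for the complaint-form scenario.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees(username TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?)",
                     [("alice", 95000), ("bob", 87000)])
    conn.execute("CREATE TABLE complaints(submitted_by TEXT, body TEXT)")
    return conn


def store_complaint(conn, submitted_by, body):
    """Parameterized insert: form fields travel as bound values, never as SQL text."""
    conn.execute("INSERT INTO complaints VALUES (?, ?)", (submitted_by, body))
    conn.commit()


def lookup_complaints_vulnerable(conn, submitted_by):
    """'Before' form: the field is pasted into the query string, so the database
    parses whatever the submitter typed as SQL. Even an innocent apostrophe
    breaks the statement, which is exactly what lets crafted input rewrite it."""
    sql = f"SELECT submitted_by, body FROM complaints WHERE submitted_by = '{submitted_by}'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None  # the error itself shows the input was interpreted as SQL


def lookup_complaints_safe(conn, submitted_by):
    """Fixed form: a placeholder keeps the input as data whatever it contains."""
    return conn.execute("SELECT submitted_by, body FROM complaints WHERE submitted_by = ?",
                        (submitted_by,)).fetchall()


def build_notification_email(submitted_by, body):
    """Escape both fields before embedding them in the HTML email body, so any
    markup in the submission is displayed as text rather than rendered as a link."""
    return (f"<p>New complaint from {html.escape(submitted_by)}:</p>"
            f"<blockquote>{html.escape(body)}</blockquote>")
```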
3. Unintended public exposure of internal resources
Citizen developers who inadvertently publish company confidential outputs (reports, graphs, applications, etc.) from LCNC applications to the internet can make sensitive data accessible to unauthorized users. This can occur because most modern LCNC platforms are cloud-based and make external sharing very easy.
Developers (particularly citizen developers) commonly share applications via anonymous access links on platforms like Outsystems and ServiceNow AppEngine, or publish Microsoft Power BI reports to the web. The root cause of this vulnerability is that developers set their own access policies, which often do not follow security best practices.
4. Data leakage mistakes
Citizen developers mistakenly use LCNC applications and automation to send sensitive data through personal emails, store corporate data insecurely in public network drives, and generate and distribute anonymous access links to corporate resources. All these actions violate security and data privacy best practices and can expose confidential information to external, unauthorized use.
Mitigating LCNC Security Risks
Addressing LCNC security risks associated with these common vulnerabilities requires integrating a shift-left approach to development processes. To allow citizen developers to innovate rapidly without compromising security, consider implementing the following secure development and deployment best practices:
Continuously scan LCNC applications and RPAs for vulnerabilities to identify and address issues early in the development cycle.
Communicate efficiently and effectively with developers across the organization, providing timely notifications with detailed information about issues and mitigation steps.
Automatically validate remediation steps to ensure that fixes are effective and do not introduce new vulnerabilities.
Integrate security controls with deployment frameworks to prevent critically vulnerable applications from being deployed to production.
Implement a monitoring and reporting framework to allow the security team to constantly review processes, identify weak spots, and measure improvements.
While the rise of LCNC platforms has revolutionized the way organizations approach software development, it has also created a new attack surface that should not be overlooked. Understanding LCNC risks and proactively implementing mitigation strategies is essential for preventing data leakage and securing an organization’s digital assets. The five best practices outlined above can serve as a foundation for establishing a comprehensive LCNC security program.
About the Author
Amichai Shulman is the co-founder and CTO of Nokod Security, an application security provider for low-code/no-code custom applications. Shulman has more than 25 years of experience in research and innovation for data and application cybersecurity. He co-founded and was CTO of AirEye, a startup providing network airspace protection, and Imperva, a data protection startup acquired by Thoma Bravo. He started his career in the Israel Defense Forces, where he conducted defensive research and the design of secure military systems.