Security for Citizen Developers: Low-Code/No-Code Cybersecurity Threats

by Ziv Daniel Hagbi

Hello to all Citizen Developers out there!

Are you using Low-Code/No-Code platforms to accelerate your digital adoption? That is a question I would ask if this was 2021. 2024 has proven that it is no longer a question of “If”, but of volume (how much do you use it) and depth (how much do you depend on it for your business process)? While this monumental leap in productivity is great for business, and you personally, you should be mindful of the responsibility you now have securing your application and business.

As low-code/no-code platforms become the go-to solution for many companies, security isn’t always the first thing on the minds of business users. Yet, the simplicity of drag-and-drop functionalities and minimal to no coding requirement does not eliminate the risks associated with application development. It just hides it. This is even heightened with the introduction of generative AI as an enabler for citizen developers. Today, more than ever, citizen developers should ask themselves, “Is my app secured?”

The OWASP Low-Code/No-Code Top 10 can help you navigate major cybersecurity risks and how to mitigate them. Here's an overview:

1. Account Impersonation (LCNC-SEC-01): Be vigilant about who can act as whom within your applications.
2. Authorization Misuse (LCNC-SEC-02): Ensure proper controls are in place to prevent unauthorized access.
3. Data Leakage (LCNC-SEC-03): Secure your data from unintentional exposure due to misconfigurations or errors.
4. Authentication and Communication Security (LCNC-SEC-04): Strengthen your authentication processes and secure all communications.
5. Security Misconfiguration (LCNC-SEC-05): Avoid default settings and configure all security settings appropriately.
6. Injection Handling Failures (LCNC-SEC-06): Be careful with data input and outputs that could be manipulated.
7. Vulnerable Components (LCNC-SEC-07): Use trusted and up-to-date components in your applications.
8. Data and Secret Handling (LCNC-SEC-08): Manage sensitive data and secrets securely.
9. Asset Management Failures (LCNC-SEC-09): Keep a tight inventory and control over your digital assets.
10. Security Logging and Monitoring (LCNC-SEC-10): Implement robust logging and monitoring to enable auditing while securely handling sensitive data in logs.

Read the whole OWASP Low-Code/No-Code Top 10 here.

Understanding these risks is just the beginning. You should integrate security best practices into your development process, and make sure you keep your knowledge and applications up-to-date. Remember, security is a moving target. Exploring resources from OWASP can help you stay in the know. By adopting a security-minded approach, you not only protect your apps but also enhance the overall security posture of your organization.

Welcome to the world of secure application development!

--

OWASP is a non-profit foundation that envisions a world with no more insecure software. Our mission is to be the global open community that powers secure software through education, tools, and collaboration. We maintain hundreds of open source projects, run industry-leading educational and training conferences, and meet through over 250 chapters worldwide.