Cybersecurity has been around for decades, but it has rarely been under as much scrutiny as it is right now. As businesses rushed to digitize during the pandemic, security was often the first thing overlooked. This opened a window for opportunistic attackers, who targeted everything from small and medium businesses to health infrastructure. By the end of 2021, 281.5 million people had been affected by a data breach that year, and cybercrime was costing companies $1.79 million per minute. This year, a survey showed that 25% of executives will increase their cybersecurity budgets to address these issues and keep customer confidence in their businesses.
As no-code opened the doors to citizen development, many cybersecurity analysts worry that it is not safe. Even though users of no-code are not writing code, there is still code underneath; it is just hidden behind drag and drop. That hidden code can carry the same vulnerabilities as any other code and can be exploited with the same malicious intent.
No-code continues to grow in 2022, and more people from both the tech and non-tech sides will start to use it. Its benefits can make a real difference to NGOs and startups, so we simply can't ignore it. In this article, we explore the pitfalls of no-code and what we can do about them.
The Open Web Application Security Project (OWASP) has listed several security risks for no-code/low-code to educate organizations planning to use them. We also listed some vulnerabilities of no-code in a previous article, What are the Limitations and Workarounds of Low-Code/No-Code?
Insecure authentication means an attacker fakes or bypasses a weak authentication scheme, for example through brute force. Connections to data sources are defined by the no-code/low-code maker, and because that maker is often a citizen developer without a security background, the connection is frequently set up without proper authentication or transport protection. The result is connections that use HTTP rather than HTTPS, weak encryption ciphers, and secrets that are transmitted or stored insecurely.
Apps usually do not have their own identities and instead use the one provided by their maker. Developers with a security background would give the app a dedicated service identity to avoid this, but no-code/low-code apps usually run with a personal user's credentials. This means that anyone who gains access to an app also gains access to its underlying credentials and can potentially act with them. This perfect storm makes no-code/low-code apps ideal for breaking authorization boundaries: unauthorized users can reach resources they should not, and do so under another user's identity. Most no-code/low-code platforms also have some notion of a default environment for data sources that holds access to user accounts, cloud services, SaaS services and a lot more.
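The two pitfalls above (unauthenticated or plaintext data-source connections, and apps running under a personal user identity) can be caught before an app goes live by auditing the exported connector definitions. The following is an added example, not code from the original article or from any platform: it assumes a simple JSON export in which each connector has a `url`, an `auth` block with a `type` (`user`, `basic` or `service`) and an optional `tls.min_version`; the schema and the sample connectors are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed sample export. The field names are an assumption for this example,
# not any vendor's real connector format.
SAMPLE_CONNECTORS = json.dumps([
    {"name": "crm", "url": "http://crm.example.internal/api",
     "auth": {"type": "user"}},
    {"name": "db", "url": "https://user:Passw0rd@db.example.internal:5432/app",
     "auth": {"type": "basic"}, "tls": {"min_version": "1.0"}},
    {"name": "mail", "url": "https://mail.example.internal",
     "auth": {"type": "service", "secret_ref": "vault://mail-svc"}},
])

# TLS versions that should never be the configured minimum.
WEAK_TLS = {"ssl3", "1.0", "1.1"}


def audit_connector(c):
    """Return a list of findings for one connector definition (empty means clean)."""
    findings = []
    u = urlparse(c.get("url", ""))
    if u.scheme != "https":
        findings.append("plaintext transport")
    if u.username or u.password:
        findings.append("credentials embedded in URL")
    auth = c.get("auth", {})
    # No explicit identity type, or the maker's own user identity: the app will
    # act with whatever the citizen developer can access.
    if auth.get("type") in ("user", None):
        findings.append("runs with personal user identity; use a service identity")
    # An inline secret in the definition is exported with the app; a reference
    # to a secret store ("secret_ref") is not.
    if "secret" in auth:
        findings.append("inline secret")
    tls = c.get("tls", {})
    if str(tls.get("min_version", "1.2")) in WEAK_TLS:
        findings.append("weak TLS minimum version")
    return findings


def audit(connectors_json):
    """Audit every connector in a JSON export; maps connector name to findings."""
    return {c["name"]: audit_connector(c) for c in json.loads(connectors_json)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONNECTORS).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run this over the export as part of the app's release checklist; any connector with findings goes back to the maker before the app is promoted out of the default environment.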
Components, connectors and ready-to-use apps are usually available in a no-code platform's marketplace to support scalability and customization. This is very similar in nature to using open-source software (OSS) when building business applications with code. Over time there have been huge efforts to improve and secure OSS dependency management, but those solutions do not cover no-code/low-code components. Since anyone can upload a component to the marketplace, there is no guarantee that the app's underlying credentials and user data are safe once such a component is installed.
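The OSS-style control that is missing here is pinning: a reviewed component is recorded by name, version and hash, and anything that drifts from that record, or asks for connectors and scopes outside policy, is rejected at intake. The following is an added example written for this article, not marketplace code from any platform; the manifest fields (`connectors`, `scopes`), the bundle bytes and the allowlist are constructed assumptions.

```python
import hashlib
import hmac

# Constructed component bundle and manifest. Real marketplaces ship their own
# package format; the shape here is an assumption for the example.
COMPONENT_BYTES = b"pdf-export-1.2.3-bundle-contents"
MANIFEST = {
    "name": "pdf-export",
    "version": "1.2.3",
    "connectors": ["storage"],
    "scopes": ["files.read", "files.write"],
}

# Allowlist maintained by the security team at review time: name -> (version, sha256).
ALLOWLIST = {
    "pdf-export": ("1.2.3", hashlib.sha256(COMPONENT_BYTES).hexdigest()),
}

# Organisation policy: the only connectors and scopes a marketplace component may request.
ALLOWED_CONNECTORS = {"storage", "mail"}
ALLOWED_SCOPES = {"files.read", "files.write", "mail.send"}


def check_component(blob, manifest, allowlist=ALLOWLIST):
    """Return the reasons a component must be rejected; an empty list means it may be installed."""
    pinned = allowlist.get(manifest["name"])
    if pinned is None:
        return ["component not on allowlist"]
    version, digest = pinned
    reasons = []
    if manifest["version"] != version:
        reasons.append("version drift from pinned %s" % version)
    # Constant-time comparison is not strictly needed for a public hash, but it
    # is a harmless habit for anything that gates a trust decision.
    if not hmac.compare_digest(hashlib.sha256(blob).hexdigest(), digest):
        reasons.append("hash mismatch: bundle differs from the reviewed artifact")
    extra_connectors = set(manifest.get("connectors", [])) - ALLOWED_CONNECTORS
    if extra_connectors:
        reasons.append("unapproved connectors: " + ", ".join(sorted(extra_connectors)))
    extra_scopes = set(manifest.get("scopes", [])) - ALLOWED_SCOPES
    if extra_scopes:
        reasons.append("unapproved scopes: " + ", ".join(sorted(extra_scopes)))
    return reasons


if __name__ == "__main__":
    print(check_component(COMPONENT_BYTES, MANIFEST))               # []
    print(check_component(COMPONENT_BYTES + b"x", MANIFEST))        # hash mismatch
```

The hash check catches a re-uploaded bundle that kept its name and version; the connector and scope checks catch a legitimate update that quietly starts asking for more than it did when it was reviewed.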
When the potential benefit outweighs the risk, people will still be drawn to it. More and more no-code platforms are being launched, so we can't simply say "don't use no-code". What we need is responsible development that includes app and website security from the start.
App and website permissions support user privacy by protecting access to restricted data and preventing restricted actions from being taken on a user's behalf. Refrain from asking for permissions outside your app or website's function.
Consider building a fortress within your app/website. Encrypt data in transit between devices (use TLS everywhere rather than plain HTTP), and put firewalls and other security tools in front of the app wherever necessary.
Include security testing as a regular check-up for your app or website. This type of testing is usually performed by security specialists who verify that sensitive data is protected and that the app cannot be abused for fraudulent activity. There are also various website vulnerability scanning tools you can run yourself.
These are usually the security tests to consider
Businesses that want to use no-code can also mitigate its risks. As we mentioned in our previous article, one of the key things to do is analyze and get to know your vendor. You can ask for security scanning results for the code used within the platform. These static and dynamic application security testing (SAST/DAST) results give end customers some assurance about the platform's security. Don't forget to do due diligence on the organization and its development team as well.
Stacking cybersecurity components in front of or alongside the platform is also a viable, if more complicated, solution. This can be done through webhooks. In web development, a webhook is a method of augmenting or altering the behavior of a web page or web application with custom callbacks: the platform calls a URL you control when an event happens, which lets you insert your own security checks into the flow before anything is acted on.
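The weak point of that arrangement is the webhook itself: if the receiving side accepts any POST, an attacker can inject events instead of the platform. A receiver that is stacked in as a security component therefore has to authenticate each call and reject replays before parsing the payload. The following is an added example written for this article, not code from any no-code platform; it assumes a shared secret and a signature header of the form `t=<unix-timestamp>,v1=<hex HMAC-SHA256 over "<timestamp>.<body>">`, which is a common pattern but an assumption here, and the secret, event allowlist and sample payload are constructed.

```python
import hashlib
import hmac
import json

# Constructed shared secret; in practice this comes from a secret store and is
# rotated, never hard-coded.
SECRET = b"constructed-shared-secret"
REPLAY_WINDOW = 300  # seconds of clock skew / delivery delay tolerated

# Only events the downstream no-code app is allowed to react to. Assumed policy.
ALLOWED_EVENTS = {"record.created", "record.updated"}


def _mac(body: bytes, ts: int, secret: bytes) -> str:
    # Binding the timestamp into the MAC is what makes the replay window enforceable.
    return hmac.new(secret, b"%d." % ts + body, hashlib.sha256).hexdigest()


def sign(body: bytes, ts: int, secret: bytes = SECRET) -> str:
    """Sender side: produce the signature header for a payload."""
    return "t=%d,v1=%s" % (ts, _mac(body, ts, secret))


def verify(body: bytes, header: str, now: int, secret: bytes = SECRET) -> bool:
    """Receiver side: True only if the header parses, is fresh, and the MAC matches."""
    try:
        parts = dict(p.split("=", 1) for p in header.split(","))
        ts = int(parts["t"])
        sig = parts["v1"]
    except (ValueError, KeyError):
        return False
    if abs(now - ts) > REPLAY_WINDOW:
        return False
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(_mac(body, ts, secret), sig)


def handle_webhook(body: bytes, header: str, now: int):
    """Gateway logic: authenticate, then filter, then hand the event to the app.

    Returns the parsed event to forward, or None if the call must be dropped.
    """
    if not verify(body, header, now):
        return None
    try:
        event = json.loads(body)
    except ValueError:
        return None
    if event.get("event") not in ALLOWED_EVENTS:
        return None
    return event


if __name__ == "__main__":
    # Constructed sample delivery.
    body = b'{"event": "record.created", "id": 42}'
    header = sign(body, 1_700_000_000)
    print(handle_webhook(body, header, 1_700_000_000))        # the event dict
    print(handle_webhook(body, header, 1_700_000_000 + 600))  # None: outside replay window
```

The order matters: verification happens on the raw bytes before `json.loads`, so an unauthenticated caller never gets to exercise the parser or the app behind it.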
Another way is to invest in security awareness. If you are planning to introduce no-code into your organization or are planning a hyperautomation program, a security-aware team will return the investment over time. This includes having security-skilled developers who can act as defenders against issues like poor access control, broken authentication, or dangerous API connectivity.
No-code is still in its infancy in the technology lifecycle, so there is a lot of room for improvement, and the security gaps need to be resolved quickly. Although some CISOs and IT teams see no-code platforms as more secure because less actual code is written, this is usually not the case. As everyone rallies behind the growth of no-code, the community, and especially the platforms, should take greater strides in improving cybersecurity so that more people can embrace no-code.