Shadow Engineering Casting a Giant Shadow on AppSec

In recent years, Shadow Engineering has become a development practice exponentially growing inside organizations using low-code/no-code development platforms.

What is Shadow Engineering

In recent years, Shadow Engineering has become a development practice growing exponentially inside organizations. Shadow IT, Shadow Data, and now Shadow Engineering? Rest assured, this isn’t another round of marketing or sales hype. It’s real, it’s huge, and it has an immediate impact on application security. According to Gartner, 70% of new applications developed by enterprises will use low-code or no-code technologies in 2025, up from less than 25% in 2020.

The fast adoption of low-code/no-code application platforms (LCAP) – think Microsoft PowerApps, UiPath, ServiceNow, and the like – has created a huge wave of applications and automations built by business users who sit outside the control of Application Security and do not follow the hard-fought-for and established software development life cycle (SDLC).

That is Shadow Engineering.

Before we dive deeper, it’s important to note that Shadow Engineering isn’t a subset or a derivative of Shadow IT. It is a separate practice with different problems and distinct stakeholders.

A Matter of Perception and Perspective

When exploring Shadow Engineering and its impact on security, we must first acknowledge that “shadow” is a relative term, not an absolute one. It depends on where the viewer stands and on their perspective. Just like a real shadow, the fact that something is hidden from a specific viewer doesn’t mean it’s hidden from all other viewers. Those standing inside the shadow might not even be aware that someone on the outside considers them to be in a shadow.

Returning to the organizational world, we say an activity happens in the shadows when it is unseen by a specific function or team that has the mandate to see and control it. At the same time, the very same activity can be perfectly visible, important, and in the spotlight for another function or team.

For instance, a finance team can rely on PowerAutomate flows to approve procurement requests and generate POs for suppliers, while the security team isn’t aware of them and cannot control the technological and security aspects of this implementation.

Outside the Realm of Formal Engineering

Within an organization, a well-established and structured engineering practice is led by a dedicated engineering team. This team focuses on building new products, features, and systems to drive business growth and support various organizational initiatives. Over the years, and as a still ongoing effort, engineering and security teams have aligned and worked together to create, protect, and maintain essential business applications.

In practice, however, it happens over and over that security teams aren’t aware of, cannot secure, and cannot govern engineering activities that take place outside the scope of the formal engineering team. And this is exactly what takes place today on an unprecedented scale. The vast majority of this activity is driven by employees who leverage low-code/no-code and RPA platforms to create software that also runs in production.

From the security team’s perspective, this kind of engineering activity is unseen and unmonitored and hence considered Shadow Engineering. At the same time, for business users, sometimes called “citizen developers” or “business developers”, ‘shadow’ is likely the last word that comes to mind to describe their efforts. Their work, applications, and automations drive digital transformation at the core of the business, save billions of dollars, and in fact make up the vast majority of applications in the world today.

(SaaS) Security Lost in Confusion

Time to bust a myth. While most LCAPs are SaaS, SaaS security will not improve your security posture related to low-code/no-code applications.

SaaS security is to Shadow Engineering what OS security is to Web applications. In other words: The fact that the low-code/no-code and RPA tools are mostly SaaS platforms doesn’t mean that SaaS security covers the risks stemming from the creation of apps and automations on top of them.

Let’s assume for a moment that the platforms themselves are fully secured, have no vulnerabilities, and that all access and interfaces are hermetically sealed. From the SaaS point of view, your organization is covered. Even given this hypothetical, complete security, you now have an employee creating a PowerApp application, for example, legitimately using a database connector, applying whatever logic on top of the data, and publishing and sharing it with some relevant users or audience.

No SaaS security tool can see the insides of that new low-code/no-code application, can tell if there’s a vulnerability like injection or unauthorized data access exposure, or whether the app violates the governance policy of the organization.

For those familiar with the networking layers approach, the low-code/no-code and RPA SaaS platforms naturally live in Layer 7, the Application Layer. However, they generate a full ecosystem of apps, flows, automation creation, and run-time on top of it. We can see it as Layer 7.5, which has a life of its own – Layer 7.5’s garden in the shade.

Easy to use. Hard to see. Difficult to secure.

The goal of low-code/no-code application platforms (LCAPs) is to simplify the creation of applications and to empower non-technical employees to solve business challenges quickly without the help of a professional engineering team. And they are good at what they are designed to do. While the engineering team may be off the hook, security teams are not.

If you’re a cyber security executive, Application Security professional, or Security Architect who isn’t aware of the activity and the risks coming from the low-code/no-code / RPA environments in your organization, it might be because these are in your shadows – aka Shadow Engineering. And remember: it is hidden in the shadow, and its threats trail behind you.

Shedding Light on LCNC Apps. Gain Visibility.

You should strive to bring unregulated LCAP usage and LCNC apps out of the shadows so that you can start assessing the associated risks. A first strategic step – as in the case of Shadow IT – is to take a proactive approach to gain visibility and focus on governance and control.

Armed with a comprehensive view, i.e. a constantly up-to-date inventory of all your low-code/no-code apps across all LCAPs, you can get ready to secure them. But what should you look out for?
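As an added example of the visibility step described above (this is not code from the post or from Nokod), the following PowerShell script builds an inventory of Power Apps and Power Automate flows across every environment in a Microsoft Power Platform tenant using Microsoft's Microsoft.PowerApps.Administration.PowerShell module. It flags two things a security team usually wants to see first: apps shared with everyone in the tenant, and apps that use data connectors such as SQL. The connector list and the nested property paths used to read connection references are assumptions for this example and should be checked against the module version you install; the script requires a Power Platform administrator account.

```powershell
# Added example (not from the original post): inventory Power Apps and flows
# across all environments and flag risky sharing and data connectors.
# Requires: Install-Module Microsoft.PowerApps.Administration.PowerShell
# and a Power Platform admin account.

Import-Module Microsoft.PowerApps.Administration.PowerShell

# Interactive sign-in as a Power Platform administrator
Add-PowerAppsAccount

# Connector ids whose presence usually means the app reads or writes business
# data. This list is an assumption for the example; extend it for your tenant.
$dataConnectors = @(
    'shared_sql',
    'shared_commondataserviceforapps',
    'shared_sharepointonline',
    'shared_excelonlinebusiness'
)

$apps = foreach ($env in Get-AdminPowerAppEnvironment) {
    foreach ($app in Get-AdminPowerApp -EnvironmentName $env.EnvironmentName) {

        # Role assignments tell us whom the maker shared the app with.
        # A PrincipalType of 'Tenant' means "everyone in the organization".
        $roles = Get-AdminPowerAppRoleAssignment -AppName $app.AppName `
                    -EnvironmentName $env.EnvironmentName
        $tenantWide = [bool]($roles | Where-Object { $_.PrincipalType -eq 'Tenant' })

        # Connection references live under the app's internal properties
        # (assumed path; each entry has an id ending in the connector name).
        $connectors = @()
        $refs = $app.Internal.properties.connectionReferences
        if ($refs) {
            $connectors = $refs.PSObject.Properties |
                ForEach-Object { ($_.Value.id -split '/')[-1] } |
                Sort-Object -Unique
        }
        $usesData = [bool]($connectors | Where-Object { $dataConnectors -contains $_ })

        [PSCustomObject]@{
            Environment   = $env.DisplayName
            AppName       = $app.DisplayName
            AppId         = $app.AppName
            Owner         = $app.Owner.email
            LastModified  = $app.LastModifiedTime
            Connectors    = ($connectors -join ';')
            SharedTenant  = $tenantWide
            UsesDataStore = $usesData
        }
    }
}

$flows = foreach ($env in Get-AdminPowerAppEnvironment) {
    foreach ($flow in Get-AdminFlow -EnvironmentName $env.EnvironmentName) {
        [PSCustomObject]@{
            Environment  = $env.DisplayName
            FlowName     = $flow.DisplayName
            FlowId       = $flow.FlowName
            Enabled      = $flow.Enabled
            Created      = $flow.CreatedTime
            LastModified = $flow.LastModifiedTime
        }
    }
}

# Persist the inventory so it can be diffed against the next run; new or
# changed rows are the "shadow" apps that appeared since the last snapshot.
$apps  | Export-Csv -Path '.\lcnc-apps.csv'  -NoTypeInformation
$flows | Export-Csv -Path '.\lcnc-flows.csv' -NoTypeInformation

# Apps that both touch a data store and are visible to the whole tenant are
# the first candidates for review.
$apps | Where-Object { $_.SharedTenant -and $_.UsesDataStore } |
    Format-Table Environment, AppName, Owner, Connectors -AutoSize
```

Run it on a schedule and keep the CSV snapshots: the difference between two runs is the list of apps and flows that were created or changed outside any SDLC gate, which is exactly the population this post calls Shadow Engineering.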

Sign up to our newsletter, and get notified of my next post.
