Webinar Recap: Navigating the Risks of Citizen Development

The LCNC Revolution

In recent years, Low-Code/No-Code platforms (LCAPs) have surged in popularity within enterprise environments. Platforms such as Microsoft Power Apps & Power Automate, UiPath, ServiceNow, Salesforce, and Automation Anywhere propel organizations toward a swift digital transformation.

Across the organization, these platforms empower various business units and citizen developers (aka, business developers or builders) to turn manual tasks into automated digital workflows, create apps to improve customer experiences, and enhance efficiency and productivity. LCNC fosters new and exciting digital opportunities for organizations. Industry analysts predict that by 2025, most new applications will leverage these LCNC technologies. [Gartner].

The appeal of LCNC platforms lies in their ability to enable non-technical users to quickly create and deploy applications without coding knowledge or reliance on IT departments and professional software developers.

The Security Challenges of LCNC App Development

Looking at the cybersecurity implications of citizen development, it becomes evident that this powerful approach has its challenges. AppSec leaders must address this shift from traditional, centralized software engineering to a dispersed “shadow engineering” process across departments and the unique challenges that come with it.

To an even greater extent, this shift in the software development landscape requires a rethinking of traditional application security strategies to ensure that the benefits of LCNC are balanced with robust risk management and cybersecurity measures.

Decentralization and Lack of Security Training

The rapid proliferation of LCNC-built applications, most of the time outside the purview of security teams, creates blind spots and increases the attack surface for potential cyber threats.

The crux lies in the very decentralized nature of LCNC development. This decentralized approach to application development can make it difficult for security professionals to maintain visibility, control, and governance over this new software ecosystem.

In addition, individuals crafting these solutions are typically not software professionals and certainly no security experts. The lack of formal training in application security among citizen developers poses a substantial risk to the organization’s cybersecurity posture.

Scale Begets Gaps

Another hurdle for security teams is the sheer scale of new apps that must be monitored, evaluated, and secured. With the help of LCNC platforms, a significantly more significant number of individuals are creating more apps and automations than ever. This democratization of development leads to an exponential increase in the number of applications and automations being deployed—often tenfold compared to traditional methods.

The Need for Speed

An additional pressing issue is the speed at which LCNC development operates. The journey from conceptualization to deployment is remarkably swift. Ideas are rapidly designed, tested (let us add – tested in a best-case scenario), and then deployed organization-wide at the click of a button. This velocity makes it challenging for security teams to adequately protect and monitor the application lifecycle. You can even argue that the SDLC doesn’t apply to LCNC development.

Furthermore, the ease of use and rapid deployment enabled by LCNC platforms may lead to disregarding security considerations during development. In pursuit of delivering business value quickly, citizen developers sometimes don’t make room to familiarize themselves with critical security best practices. Other citizen developers know security practices, but in their rush to deliver apps fast, they “cut corners” and compromise security measures. This can lead to applications with weaknesses that can be exploited by malicious actors, putting the organization’s data and systems at risk.

Traditional AppSec Proves Unfit

Complicating matters further is the inadequacy of traditional security processes within the LCNC domain. In the LCNC ecosystem, we encounter a new scenario. Here, there is no ‘code’ in the traditional sense. Instead, we have abstract representations of applications and automations. These representations are often proprietary and not publicly disclosed, which means they lack the well-defined structure that scanning and analysis tools require.

This disconnect creates a significant void in the toolset available to developers and security professionals. In a world where applications are built at an unprecedented rate and speed, the absence of suitable tools to analyze and secure these applications is a glaring issue.

Attackers have An Unfair Advantage

The advent of Low-Code/No-Code (LCNC) development has inadvertently tipped the scales in favor of malicious actors. The rapid expansion of the attack surface and the persistence of well-known vulnerabilities such as those listed in the OWASP Top 10 presents a daunting challenge for enterprise security.

The novelty of the LCNC domain doesn’t hinder hackers. They possess both the knowledge and the tools to exploit applications and automation created on LCNC platforms. An SQL injection remains a potent threat, irrespective of whether the application was developed using standard programming languages or through LCNC platforms. The vulnerability—and the exploit—remain fundamentally the same.

While hackers adapt quickly, enterprise security teams are playing catch-up. They find themselves in unfamiliar territory, lacking the necessary processes and tools to safeguard against these threats effectively.

Supply Chain Attacks – A Hackers Infiltration Highway

While LCNC comes with many vulnerabilities (check out this blog on SQL injections), governance, and compliance issues, we  singled out supply chain attacks for this webinar. Reasons are:

• They are all about choices and trust. In these cases, bad choices and incautious trust by the citizen and automation developers. The remaining question is how fast the security teams find out about these choices, review them, and mitigate them.
• From the hackers’ perspective, it is hitting the weakest links once for a rich return. Supply chain attacks allow hackers to target multiple organizations or individuals simultaneously. By compromising a single point in the supply chain, they can infiltrate numerous downstream systems with very little effort.
• And most importantly,  the usage and integration of third-party components has become a standard practice in all LCNC and RPA platforms. These platforms feature dedicated marketplaces where users can access an array of community-contributed templates, components, and widgets. By leveraging these shared resources, users can kickstart their automation initiatives or application development, streamlining their workflows and benefiting from collective expertise. For attackers, marketplaces and third-party components are a great entry point.

For the demonstrations of the supply chain attacks, please watch the webinar recording.  Demonstrations included were examples from various LCAPs:

• Pre-usage infections – how to compromise the local development environment without ever using a component
• Dependency confusion – how to deliver malicious version packages
• The dangers of public feeds
• Dependency confusion in the cloud
• and more.