Will Low Code/No Code (LCNC) Become the Next Darling of Cyber Attackers?
June 20, 2024

Dotan Nahum
Check Point Software Technologies

Have you ever spent hours writing an automation script, only to dream of a more straightforward solution?

We've all been there. Building automation can be a huge time investment, but its efficiency boost is undeniable. That's why the rise of low-code/no-code (LCNC) platforms is such a welcome development.

By 2025, a whopping 70% of new applications developed by organizations will utilize low-code or no-code platforms. These tools prioritize ease of use, allowing developers to create powerful automation and build applications with minimal hand-coding. However, as exciting as this low-code/no-code (LCNC) revolution may seem, it also brings a unique set of risks to the table, changing the cybersecurity landscape in ways we can't fully anticipate yet.

The Rising Popularity of Low Code/No Code

The low-code/no-code (LCNC) movement is changing application development by making it more accessible than ever. These user-friendly platforms empower developers and other teams within organizations to automate various stages of the Software Development Lifecycle (SDLC).

For example, low-code platforms might help the finance department replace manual report generation with LCNC. Finance teams can build their own automation to pull data, format reports, and even schedule deliveries — all without needing extensive coding knowledge. This ease of use frees up valuable developer time for complex tasks and fosters collaboration across departments.

Similarly, LCNC platforms often integrate seamlessly with security tools. It enables developers to weave dependency scanning directly into their CI/CD pipelines for continuous vulnerability detection, ensuring newly built applications remain secure throughout the development process. So, LCNC isn't just about writing less code — it's about empowering teams and building a more secure development environment.

Security Risks Run Rampant

From a compliance standpoint, the rise of LCNC platforms introduces a new set of risks that organizations must carefully navigate, such as injection flaws, broken access control, and security misconfigurations. With traditional coding, developers are intimately familiar with the intricacies of the languages and frameworks they work with, making it easier to adhere to compliance requirements. However, LCNC platforms often abstract away many of these details, potentially leading to unintended violations. For instance, a healthcare application built on an LCNC platform might unknowingly fail to meet HIPAA's strict data privacy and security standards, exposing the organization to hefty fines and legal repercussions.

Similarly, LCNC platforms improperly handling data is another area of concern. Consider a scenario where a new application is built to store personal data about EU residents. The developer, unfamiliar with GDPR's intricate rules, fails to implement a process for deleting user data upon request. This oversight forces the business to manually process these requests, leading to inconsistent adherence and potential penalties.

The ease of use offered by LCNC platforms introduces an additional attack vector that security teams need to actively monitor. Malicious actors could potentially exploit vulnerabilities within LCNC platforms or leverage them to build applications with malicious intent.

Mitigation Strategies 101

Adopting LCNC platforms demands a proactive approach to security. Here are four key steps you can take to mitigate associated risks.

1. Continuous Scrutiny

While the adoption of LCNC platforms accelerates, organizations must still implement rigorous processes like vulnerability scanning, code/logic review, and penetration testing for continuously detecting and scrutinizing new tools and applications developed using these platforms. Establishing a comprehensive inventory and regularly assessing the security posture of LCNC assets is crucial to identifying and mitigating potential vulnerabilities.

2. Limiting Public Exposure

Since most data providers don't offer explicit security controls, such as encryption or data masking, to their low-code/no-code customers, it is imperative to limit the public exposure of these applications wherever possible. This process could involve implementing strict access controls, leveraging virtual private clouds (VPCs), and ensuring that sensitive data is never exposed to the public internet.

3. Leveraging Secret Scanning

LCNC platforms often lack robust built-in security features, making it easier for developers to inadvertently expose sensitive information like API keys, database credentials, and other secrets. This is where dedicated scanners can prove invaluable, offering advanced secret scanning capabilities to detect leaks as they happen, allowing organizations to respond swiftly and mitigate the risk of data breaches.

4. Shift-Left Compliance

Considering the compliance risks associated with LCNC development, organizations should leverage platforms that enable them to meet regulatory requirements in a "shift-left" fashion.

By integrating compliance checks and security controls into the development process from the outset, businesses can ensure that their LCNC applications are built with compliance in mind, reducing the risk of costly violations and penalties down the line

A proactive, multi-layered approach to LCNC security is essential for organizations seeking to reap the benefits of these powerful platforms while minimizing the associated risks. By combining cutting-edge security solutions, robust processes, and a culture of continuous vigilance, businesses can navigate the LCNC landscape with confidence and resilience.

Securing the Future of Automation

LCNC presents a fascinating double-edged sword. While it democratizes development, increases agility, and reduces shadow IT, it also demands a shift in security mindset. From ensuring regulatory compliance and safeguarding sensitive data to continuously monitoring for vulnerabilities and secret leaks, a proactive, in-depth defense approach is vital.

Dotan Nahum is Head of Developer-First Security at Check Point Software Technologies
Share this

Industry News

July 25, 2024

Backslash Security introduced its Fix Simulation and AI-powered Attack Path Remediation capabilities.

July 25, 2024

Check Point® Software Technologies Ltd. announced the appointment of Nadav Zafrir as Check Point Chief Executive Officer.

July 25, 2024

Sonatype announced that Sonatype SBOM Manager, its Enterprise-Class Software Bill of Materials (SBOM) solution, and its artifact repository manager, Nexus Repository, are now available in AWS Marketplace, a digital catalog with thousands of software listings from independent software vendors that make it easy to find, test, buy, and deploy software that runs on Amazon Web Services (AWS).

July 24, 2024

Broadcom unveiled the latest updates to VMware Cloud Foundation (VCF), the company’s flagship private cloud platform.

July 24, 2024

CAST launched CAST SBOM Manager, a new freemium product designed for product owners, release managers, and compliance specialists.

July 24, 2024

Zesty announced the launch of its Insights and Automation Platform.

July 23, 2024

Progress announced the availability of Progress® MarkLogic® FastTrack™, a UI toolkit for building data- and search-driven applications to visually explore complex connected data stored in Progress® MarkLogic® platform.

July 23, 2024

Snowflake will host the Llama 3.1 collection of multilingual open source large language models (LLMs) in Snowflake Cortex AI for enterprises to easily harness and build powerful AI applications at scale.

July 23, 2024

Secure Code Warrior announced the availability of SCW Trust Agent – a solution that assesses the specific security competencies of developers for every code commit.

July 23, 2024

GFT launched AI Impact, a new solution that leverages artificial intelligence to eliminate technical debt, increase developer efficiency and automate critical software development processes.

July 23, 2024

Code Metal announced a $13M seed, led by Shield Capital.

July 22, 2024

Atlassian Corporation has achieved Federal Risk and Authorization Management Program (FedRAMP) “In Process” status and is now listed on the FedRAMP marketplace.

July 18, 2024

Mission Cloud announced the launch of Mission Cloud Engagements - DevOps, a platform designed to transform how businesses manage and execute their AWS DevOps projects.

July 18, 2024

Accelario announces the release of its free TDM solution, including database virtualization and data anonymization.