Organizations are embracing low-code/no-code (LCNC) platforms and robotic process automations (RPAs) at an unprecedented pace, often underestimating the security risks they introduce. These platforms promise rapid development and empower employees to build applications without deep technical expertise, but this very convenience leads to critical oversights.
That’s because security teams assume that assets used in LCNC applications and RPAs operate solely in an “internal” corporate scope (i.e. accessible only to corporate employees). In reality, LCNC apps and RPAs are frequently exposed to the outside world, creating attack surfaces that are poorly understood and largely unprotected.
Also Read: Quantum Computing In The Now
We have seen enterprises where nearly 25% of LCNC apps and RPAs are exposing data externally, this amounts to hundreds of software modules in mid-size organizations and thousands in larger environments.
The Myth of Internal-Only LCNC Apps
Many LCNC apps are exposed externally, whether intentionally or unintentionally. For example, a company might publish a Power BI report to the web for easy access, unknowingly exposing a wide range of sensitive data through its APIs. Or an RPA system designed to automate responses to customer emails might inadvertently expose critical business functions to manipulation.
From a threat actor’s perspective, it makes no difference whether an application was developed using Java – a traditional coding language – or a low-code platform. What matters is the presence of vulnerabilities. Given the rapid and often unregulated development process within LCNC environments, vulnerabilities are more likely to surface here than in traditional applications which are typically subjected to rigorous security checks.
A New Attack Surface
The LCNC external attack surface can take many forms—web applications, APIs, automation processes, and even AI-driven tools like chatbots. Vulnerabilities within these exposed assets can lead to data leakage, unauthorized access, or even more dangerous exploits like injection attacks.
LCNC applications are subject to the same risks found in traditional software: SQL injection, HTML injection, OData injection, and OS command injection. In AI-integrated systems, prompt injection is another emerging threat, as well as the possibility of data leakage. For instance, consider a chatbot connected to an internal database. An attacker simply needs to ask the right question, and sensitive data may be revealed.
A specific case involves Power BI vulnerabilities, where APIs used to generate reports could expose a much larger set of data than what is visible in the reports themselves. Attackers exploiting these APIs can access sensitive corporate information with minimal effort.
The RPA Risk
RPAs present a particularly stealthy risk because they often process inputs from external users—customer complaints, feedback forms, or data collected through social media and CRM systems. These automations are frequently left unsecured, making them prime targets for attackers looking to exploit vulnerabilities in external user input.
For instance, imagine an Power Automate flow that’s built to process customer emails sent to complaints@my-organization.com. If vulnerable to SQL injection, such a flow could disclose sensitive information if some of its output is sent back to the complaining individual. Alternatively, a UiPath automation designed to collect documents from customers for tax filings that is vulnerable to OS command injection would enable attackers to modify tax returns or even take control of the processing environment.
Addressing LCNC Security Risk
Securing LCNC platforms and RPAs begins with awareness and visibility. Organizations need to have a clear understanding of what assets are exposed externally, a task that is often neglected in LCNC environments. Mapping this new external attack surface requires a deep understanding of RPA logic and LCNC platform settings and configurations. Scanning of network domains and APIs using attack surface management tools is insufficient. Instead, security teams must extract data directly from the LCNC platforms themselves to gain visibility into what applications, automations, and APIs are exposed.
In addition to maintaining visibility in LCNC apps and RPAs, organizations should:
1. Manage Exposure: If an application or automation doesn’t need to be public, don’t expose it. Simple configuration changes, such as ensuring Power BI reports are not exposed to the web unless necessary, can significantly reduce the attack surface.
2. Fix Vulnerabilities: In cases where an application or automation must remain public, it’s essential to assess it for vulnerabilities and remediate them in a timely fashion. For injection attacks, this might involve validating, sanitizing, and escaping user inputs. To prevent data leakage, restrict API access, reconfigure data sources and remove unnecessary access.
Also Read: A Comprehensive Guide to DDoS Protection Strategies for Modern Enterprises
Safely Empowering Citizen Developers
LCNC platforms exist to empower citizen developers. However, expecting these developers to be security experts is unrealistic. Therefore, organizations must provide them with tools to detect and guide them through how to fix issues. This could involve step-by-step instructions for remediating specific vulnerabilities or making configuration changes to reduce exposure to external threats. The key is to strike a balance between enabling innovation and maintaining security, so citizen developers have the freedom to build and deploy applications.
The Role of Security Teams
While citizen developers play a critical role in expanding business capabilities, security teams must provide the tools and resources needed to keep LCNC apps safe. This involves not only creating the policies and rules for LCNC app development but also monitoring these applications to ensure compliance. Security teams must also track whether vulnerabilities are addressed and ensure that citizen developers follow best practices.
In short, the responsibility for securing LCNC and RPA applications cannot be left solely in the hands of those creating the applications. Security teams need to ensure continuous oversight, visibility, and remediation.
[To share your insights with us as part of editorial or sponsored content, please write to psen@itechseries.com]
