Introduction
Low-code, no-code development platforms are visual software development environments that allow users to design mobile and web apps through drag-and-drop techniques. These platforms let users build application software through a graphical user interface instead of writing in a programming language such as JavaScript.
Discussion
The standard low-code no-code approach allows professionals in any industry to build software applications with minimal effort and in little time, relieving users of the need to learn programming languages (Harper, 2022). It also enables small businesses and others who lack skills or experience in the software development lifecycle to build and test their software rapidly without writing computer programs. Some of the most common low-code no-code platforms include Wix and WordPress. Even though this technique accelerates the application development process, the platforms are sometimes fraught with vulnerabilities.
Low-code no-code applications can be less secure than those built using manual programming. The vendors of these platforms incorporate security features; nevertheless, the platforms remain vulnerable to attacks, including account impersonation, authorization misuse, and data leakage (Bargury et al., 2021). Most organizations are misguided in believing that security management rests solely in the hands of the platform’s vendor; there will always be a need to test and secure the platform appropriately. Low-code, no-code applications also raise serious visibility concerns (Shridhar, 2021). Many people create apps without understanding their source code, vulnerabilities, and potential risks, which can pose a significant danger to businesses because it can expose enterprise data.
The most significant concern with low-code no-code platforms is the integrity of both dependencies and plugins. Even though the platform allows apps to be developed without programming, the resulting application still relies on plugins that vendors have made available, and it inherits whatever that pre-built plugin functionality does. The main concern arises when a plugin is malicious or critically insecure; its vulnerabilities and exploits can propagate across millions of organizations, as in the case of the recently discovered Elementor plugin RCE vulnerability (PV, 2022). The Elementor plugin vulnerability affected 5+ million organizations and existed in versions 3.6.0 – 3.6.4 before remediation.
It is also worth noting that these platforms are software as a service (SaaS), which by itself presents many security risks and warrants proper governance. Without proper vetting, SaaS programs can expose an organization to undue risk. Users assume that at least the most common vulnerabilities are mitigated in software created on low-code no-code SaaS platforms. The truth is that even commonly identified issues, for example, injection handling failures, can be present. User-supplied input is often used in different ways, including querying a database or parsing a document, which can allow malicious payloads that introduce risk to the application (Bargury et al., 2021). A recent swarm of CVEs affecting the WordPress plugin Transposh Translation Filter exemplifies the risk involved in improper user input sanitization (Ahrens, 2022). Transposh shipped with a weak default configuration that allowed any user to submit new translation entries, resulting in eight vulnerabilities that could allow malicious actors to go from unauthenticated visitor to admin.
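The input-handling risk described above, as an added example that is not from the essay and is not Transposh's or WordPress's code: a constructed Python model of a plugin-style translation-submission handler, showing the weak default (anonymous writes allowed, SQL assembled from raw input) beside a hardened version (anonymous writes denied by default, role check, bounded and parameterized input). The table layout, role names, and settings keys are assumptions.

```python
import sqlite3

# Constructed, simplified model of a plugin "submit translation" endpoint.
# It is NOT Transposh's code; it only illustrates the two failure modes the
# essay names: a weak default that lets anonymous visitors write entries, and
# SQL built directly from user-controlled strings.

def _fresh_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE translations (original TEXT, translated TEXT)")
    return db

# --- weak variant: anonymous submissions on by default, SQL built by hand ---
WEAK_DEFAULTS = {"allow_anonymous_submit": True}   # assumed setting name

def submit_weak(db, user_role, original, translated, settings=WEAK_DEFAULTS):
    if user_role is None and not settings["allow_anonymous_submit"]:
        return False
    # user input is concatenated straight into the statement text
    db.executescript(
        f"INSERT INTO translations VALUES ('{original}', '{translated}');"
    )
    return True

# --- hardened variant: deny anonymous writes by default, check role,
#     bound the input and let the driver bind values as parameters ---
HARDENED_DEFAULTS = {"allow_anonymous_submit": False}
ALLOWED_ROLES = {"editor", "administrator"}   # assumed role names
MAX_LEN = 500

def submit_hardened(db, user_role, original, translated, settings=HARDENED_DEFAULTS):
    if user_role is None and not settings["allow_anonymous_submit"]:
        return False
    if user_role is not None and user_role not in ALLOWED_ROLES:
        return False
    if not (0 < len(original) <= MAX_LEN and 0 < len(translated) <= MAX_LEN):
        return False
    # placeholders: the input is stored as data, never parsed as SQL
    db.execute("INSERT INTO translations VALUES (?, ?)", (original, translated))
    return True

def count_rows(db):
    return db.execute("SELECT COUNT(*) FROM translations").fetchone()[0]

def demo():
    # constructed payload: closes the string, ends the statement, appends another
    payload = "x', 'y'); DELETE FROM translations; --"
    weak = _fresh_db()
    submit_weak(weak, "subscriber", "hello", "hola")
    submit_weak(weak, None, payload, "z")          # anonymous write empties the table
    hard = _fresh_db()
    submit_hardened(hard, "editor", "hello", "hola")
    anon_ok = submit_hardened(hard, None, payload, "z")   # rejected by default
    return count_rows(weak), count_rows(hard), anon_ok   # returns (0, 1, False)
```

In the hardened variant the same payload submitted by an authorized editor is stored verbatim as a translation string, which is the behaviour a defender should see in a test.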
Conclusion
In conclusion, the cyber security risks of using low-code no-code platforms can be significant. While users find it easy to design software without much skill in programming languages, they should understand the security implications of low-code, no-code platforms. Individuals looking to create mobile and web apps using the low-code no-code technique must consult with the vendors to ensure that all associated security issues are remediated (Harper, 2022). Businesses using this software-building technique may face serious security threats unless careful security measures are taken and all software in use is kept up to date.
References
Ahrens, J. (2022). RCE Security – Remote Code Execution Techniques and more. Web.
Bargury, M., Segal, O., & Willits, D. (2021). The Open Source Foundation for Application Security. Web.
Harper, A. (2022). Security risks of low-code/no-code development platforms. Evalian. Web.
PV. (2022). Plugin Vulnerabilities – A service to protect your site against vulnerabilities in WordPress plugins. Web.
Shridhar, S. (2021). Analysis of low code-no code development platforms in comparison with traditional development methodologies. International Journal for Research in Applied Science and Engineering Technology, 9(12), 508–513. Web.