Low-Code/No-Code Threats and Mitigations
Account Impersonation
Low-code/no-code applications can run under a single developer account that is shared by all users of the application. This exposes a privilege escalation risk: an attacker can impersonate another user through the shared identity and bypass conventional security measures.
Mitigations
Only give the minimum access needed to connect to databases/services/SaaS/PaaS
Use separate service or application accounts instead of user accounts for applications
Make sure an application has one identity that it uses for all of its connections, rather than a separate identity for each connection, and use a specific service or app account for those connections
Keep a clear record of which user performed each action through a shared connection, whether the connection is shared because users run the application or because users were given direct access to the connection
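As an added example (not from the original document), the following Python sketches the mitigations above: a connection that authenticates to the backend with one dedicated service account, authorizes each operation against the end user's own role rather than the connection's privileges, and records both identities per action, so a shared connection still yields a clear record of who did what. The user roles, service account name and resource names are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample data: the app's end users and what each may do.
# In a real platform this would come from the app's own role configuration.
USER_ROLES = {"alice": {"read"}, "bob": {"read", "write"}}


@dataclass
class SharedConnection:
    """A connection that authenticates with ONE service account but records
    which end user drove each action through it."""
    service_account: str            # dedicated app identity, not a person
    allowed_ops: set                # least privilege granted to the connection
    audit_log: list = field(default_factory=list)

    def execute(self, end_user: str, op: str, resource: str) -> bool:
        # Authorize the end user, not just the connection: the connection's
        # permissions are a ceiling, not a grant to every user of the app.
        user_ok = op in USER_ROLES.get(end_user, set())
        conn_ok = op in self.allowed_ops
        decision = "allow" if (user_ok and conn_ok) else "deny"
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "service_account": self.service_account,  # identity the backend sees
            "end_user": end_user,                     # identity that actually acted
            "op": op,
            "resource": resource,
            "decision": decision,
        })
        return decision == "allow"


def who_performed(log_entries, resource, op):
    """Answer 'which real user did this?' for a resource, which the backend's
    own logs cannot, since they only ever see the service account."""
    return sorted({e["end_user"] for e in log_entries
                   if e["resource"] == resource and e["op"] == op
                   and e["decision"] == "allow"})


if __name__ == "__main__":
    conn = SharedConnection("svc-crm-app", {"read", "write"})
    conn.execute("alice", "read", "customers")     # allowed
    conn.execute("alice", "write", "customers")    # denied: alice is read-only
    conn.execute("bob", "write", "customers")      # allowed
    conn.execute("bob", "delete", "customers")     # denied: connection lacks delete
    conn.execute("mallory", "write", "customers")  # denied: not an app user
    print(who_performed(conn.audit_log, "customers", "write"))  # ['bob']
```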
Improper Use of Access
An application should verify who a user is (authentication) and what that user may access or do in the application (authorization). Authorization misuse happens when the application does not assign the correct access privileges to a user. Most low-code/no-code platforms offer many connectors, which are API wrappers that make connectivity easy. A connector combined with a user's credentials produces a connection, and connections are first-class objects in most low-code/no-code platforms. This means that connections can be…