Low Code/No Code Threats and Mitigations

Eray ALTILI
6 min read · May 14, 2024

Account Impersonation

Low-code/no-code applications often reach databases and services through a connection that embeds a single developer account and is shared by every user of the application. Every user's request is then executed, and logged, as that developer. This exposes a privilege escalation risk: an attacker, or any ordinary user, effectively impersonates the developer account, acts with its privileges rather than their own, and bypasses the conventional access controls on the data source that would otherwise apply to them.

Mitigations

Grant each connection only the minimum access it needs to the databases, services, SaaS or PaaS it reaches

Use dedicated service or application accounts for application connections, never a developer's or another person's user account

Give each application a single identity that it uses for all of its connections rather than a separate identity per connection, and make that identity a dedicated service or application account

Keep a clear audit record of which end user performed each action through a shared connection, whether the connection is shared implicitly because users run the application or explicitly because users were granted access to the connection itself
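The following is an added example, not code from the original article or from any particular low-code platform. It models a miniature app that reads an HR table through one shared connection: the vulnerable form runs every request under the developer account embedded in the connection and records only that identity, while the hardened form keeps a shared connection but switches it to a least-privilege service account, authorizes the acting user before the connector is touched, and logs both identities. The account names, records and entitlements are constructed for illustration.

```python
"""
Added example, not code from the original article: a miniature low-code "app"
that reads an HR table through one shared connection, shown in a vulnerable
form and a hardened form.  Account names, records and entitlements below are
constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: the table a connector fronts.
RECORDS = {
    "rec-1": {"owner": "alice", "salary": 90000},
    "rec-2": {"owner": "bob", "salary": 85000},
    "rec-3": {"owner": "carol", "salary": 120000},
}

# Hypothetical per-user entitlements enforced by the app (what each signed-in
# user may read).  hr_manager is deliberately over-granted rec-3 to show that
# the connection's own least-privilege grant still backstops the app.
ENTITLEMENTS = {
    "alice": {"rec-1"},
    "bob": {"rec-2"},
    "hr_manager": {"rec-1", "rec-2", "rec-3"},
}


class Forbidden(Exception):
    """Raised when the acting user is not entitled to the requested record."""


@dataclass
class SharedConnection:
    """Connector that authenticates to the backend as one fixed identity.

    The backend only ever sees `identity`; it cannot tell which end user is
    behind a request unless the app passes that along and records it.
    `grant` models what the backend lets this identity read.
    """
    identity: str
    grant: set
    audit_log: list = field(default_factory=list)

    def fetch(self, record_id: str, acting_user: Optional[str] = None) -> dict:
        if record_id not in self.grant:
            raise PermissionError(f"{self.identity} may not read {record_id}")
        self.audit_log.append(
            {"identity": self.identity, "acting_user": acting_user, "record": record_id}
        )
        return RECORDS[record_id]


def vulnerable_view(conn: SharedConnection, user: str, record_id: str) -> dict:
    """Vulnerable: `user` is authenticated (we know who signed in) but never
    authorized, so any user reads whatever the embedded developer account can
    reach, and the audit entry names only the developer."""
    return conn.fetch(record_id)


def hardened_view(conn: SharedConnection, user: str, record_id: str) -> dict:
    """Hardened: authorize the acting user before touching the shared
    connection, then have the connection record both identities."""
    if record_id not in ENTITLEMENTS.get(user, set()):  # fail closed for unknown users
        raise Forbidden(f"{user} is not entitled to {record_id}")
    return conn.fetch(record_id, acting_user=user)


def demo() -> dict:
    """Run both variants against the same requests and report what happened."""
    # Developer's personal account embedded in the connection: reaches every row.
    dev_conn = SharedConnection("dev.user@corp.example", set(RECORDS))
    leaked = vulnerable_view(dev_conn, "bob", "rec-1")["salary"]  # bob reads alice's row

    # Dedicated service account scoped to only the rows this app needs.
    svc_conn = SharedConnection("svc-hr-app", {"rec-1", "rec-2"})
    allowed = hardened_view(svc_conn, "alice", "rec-1")["salary"]
    try:
        hardened_view(svc_conn, "bob", "rec-1")
        bob_denied = False
    except Forbidden:
        bob_denied = True
    try:
        hardened_view(svc_conn, "hr_manager", "rec-3")  # app says yes, backend grant says no
        backend_blocked = False
    except PermissionError:
        backend_blocked = True

    return {
        "leaked_salary": leaked,
        "vulnerable_actor_recorded": dev_conn.audit_log[0]["acting_user"],
        "allowed_salary": allowed,
        "bob_denied": bob_denied,
        "backend_blocked": backend_blocked,
        "hardened_actor_recorded": svc_conn.audit_log[0]["acting_user"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two checks are deliberately layered: the app's entitlement check stops bob from reading another user's record, and the service account's narrow grant stops the over-entitled hr_manager from reaching a row the app was never meant to expose. The audit entry carries both the service identity and the acting user, so a shared connection no longer hides who did what.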

Improper Use of Access

An application should check who a user is (authentication) and what that user may access or do within the application (authorization). Authorization misuse occurs when the application does not set the correct access privileges for a user. Most low-code/no-code platforms ship many connectors, API wrappers that make connectivity easy. A connector combined with a set of credentials forms a connection, and connections are first-class objects in most of these platforms. This means that connections can be…


Eray ALTILI

I am passionate about Technology, Cloud Computing, Machine Learning, Blockchain and Finance. All opinions are my own and do not express the opinions of my employer.