Low-Code/No-Code Threats and Mitigations
Account Impersonation
Low-code/no-code applications can use a developer account that is shared by all users of the application. This creates a privilege escalation risk: an attacker can impersonate another user and bypass conventional security measures, because every action reaches the backend under the same shared identity.
Mitigations
Only give the minimum access needed to connect to databases/services/SaaS/PaaS
Use separate service or application accounts instead of user accounts for applications
Make sure each application uses a single identity for all of its connections rather than a separate identity for each connection, and make that identity a dedicated service or application account
Keep a clear record of who actually performed each action made through a shared connection, whether the connection is shared because users are using the application or because users were given direct access to the connection
Improper Use of Access
An application should verify who a user is (authentication) and what that user can access or do in the application (authorization). Authorization misuse happens when the application does not apply the correct access privileges for a user. Most low-code/no-code platforms ship many connectors, which are API wrappers that make connectivity easy. A connector combined with a user's credentials produces a connection, and connections are first-class objects in most low-code/no-code platforms. This means connections can be shared among applications, users, or organizations.
Many low-code/no-code platforms misuse OAuth authorization flows by obtaining and storing users' refresh tokens and reusing them to save time and speed up work. This lets business users create connections quickly without worrying about secrets or permissions, but those connections carry user identities that are hard to track or revoke.
Mitigations
Limit or track the use of connections that are shared implicitly
Give access to environments that might have shared connections only as needed
Watch out for no-code/low-code platforms that have too many shared connections
Teach business users about the dangers of sharing connections and how it relates to sharing credentials
Regularly re-authenticate connections to renew OAuth tokens
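The record-keeping mitigation above (who really acted through a shared connection) and the shared-connection checks in this list can be implemented as a small audit over the platform's connection log. The following is an added example, not code from the article or from any low-code platform; the event fields, the sample events and the authorization policy are constructed, and the backend is assumed to see only the connection owner, never the business user who clicked.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ConnectionEvent:
    """One backend call made by the app (hypothetical field names). The backend
    only ever sees connection_owner; acting_user is the business user who acted."""
    connection_id: str
    connection_owner: str
    acting_user: str
    action: str
    resource: str

# Constructed audit trail: one shared developer connection, one dedicated service account.
EVENTS = [
    ConnectionEvent("conn-sql-01", "dev.owner@example.com", "alice", "read", "payroll"),
    ConnectionEvent("conn-sql-01", "dev.owner@example.com", "bob", "update", "payroll"),
    ConnectionEvent("conn-sql-01", "dev.owner@example.com", "carol", "read", "payroll"),
    ConnectionEvent("conn-crm-02", "svc-crm@example.com", "alice", "read", "contacts"),
]

# Constructed application-level policy: resource -> action -> users allowed to perform it.
POLICY = {
    "payroll": {"read": {"alice", "bob"}, "update": {"alice"}},
    "contacts": {"read": {"alice"}},
}

def attribute_actions(events):
    """Map each connection to the real actors behind it, so the record is not just 'dev.owner did X'."""
    by_conn = defaultdict(list)
    for e in events:
        by_conn[e.connection_id].append((e.acting_user, e.action, e.resource))
    return dict(by_conn)

def find_overshared_connections(events, max_users=1):
    """Connections used on behalf of more distinct users than max_users: implicit credential sharing."""
    users = defaultdict(set)
    for e in events:
        users[e.connection_id].add(e.acting_user)
    return {cid: u for cid, u in users.items() if len(u) > max_users}

def find_authorization_misuse(events, policy):
    """Actions the acting user is not allowed to perform, even though the connection owner could."""
    return [
        (e.acting_user, e.action, e.resource)
        for e in events
        if e.acting_user not in policy.get(e.resource, {}).get(e.action, set())
    ]
```

On the constructed events, `conn-sql-01` is flagged as shared by three users, and bob's update and carol's read of payroll are flagged as authorization misuse even though the connection owner was permitted to make both calls.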