Low-Code Tools in Microsoft Azure Allowed Unprivileged Access
Using the API Connections for Azure Logic Apps, a security researcher found unauthenticated users could access sensitive data of other customers.
Low-code platforms can speed software delivery but may introduce security risks through misconfigured workflows, exposed data, and weak access controls.
Search across headline titles and summaries.
Background for this topic.
Low-code platforms let developers build applications largely through visual workflows, data models, and prebuilt components, with limited hand-written code. They are used for internal tools, business processes, and customer-facing services; “no-code” platforms are the more restrictive version. Security depends not only on the generated application but also on the platform, its connectors, and the configuration chosen by its users.
Material risks include excessive permissions, insecure API connections, exposed credentials, and unintended access to sensitive data when workflows or sharing settings are misconfigured. Abstracted logic can also make it harder to review authorization, input validation, and third-party components. Security teams should inventory low-code applications, assess platform and connector vulnerabilities, enforce least-privilege identities and secret management, review configurations and generated code where possible, and retain audit logs for investigation. Vendor update practices, data residency, deletion, and export capabilities also affect vulnerability management, privacy, and compliance.
Weekly headline count for the current query.
Using the API Connections for Azure Logic Apps, a security researcher found unauthenticated users could access sensitive data of other customers.
No-code and low-code platforms offer undeniable benefits. But when security is an afterthought, organizations risk deploying vulnerable applications that expose sensitive data and critical systems.
Low-code/no-code (LCNC) and robotic process automation (RPA) technologies allow companies to speed up development processes and reduce costs, but security is often overlooked. When this happens, the risks can outweigh the benefits.
While low-code/no-code tools can speed up application development, sometimes it's worth taking a slower approach for a safer product.
As the adoption of LCNC grows, so will the complexity of the threats organizations face.
A few default guest setting manipulations in Azure AD and over-promiscuous low-code app developer connections can upend data protections.
Nokod Security is building a platform that enables organizations to secure in-house low-code/no-code custom applications by scanning for security and compliance issues and applying remediation policies
With the introduction of generative AI, even more business users are going to create low-code/no-code applications. Prepare to protect them.
Getting a handle on the new risks facing appsec by low-code/no-code development patterns
How can we build security back into software development in a low-code/no-code environment?
By authenticating and authorizing every application, and by maintaining data lineage for auditing, enterprises can reduce the chances of data exfiltration.
Here's what that means about our current state as an industry, and why we should be happy about it.
Automating security for OT infrastructure can help organizations combat a rising volume of cyber threats in an era when security professionals are in short supply.
Security teams that embrace low-code/no-code can change the security mindset of business users.
How a well-meaning employee could unwittingly share their identity with other users, causing a whole range of problems across IT, security, and the business.
Low-code/no-code platforms allow users to embed their existing user identities within an application, increasing the risk of credentials leakage.
Low-code/no-code platforms allow users to embed their existing user identities within an application, increasing the risk of credentials leakage.
To see why low-code/no-code is inevitable, we need to first understand how it finds its way into the enterprise.