
Major Security Breach From Business Users’ Low-Code Apps Could Come in 2023, Analysts Warn

Here’s what that means about our current state as an industry, and why we should be happy about it.


Michael Bargury, CTO & Co-Founder, Zenity

November 21, 2022

[Image: Low-code software development platform technology concept, businessman holding phone. Source: Murrstock via Adobe Stock]

In a recent report, Forrester analysts warned of a looming major security breach at a large enterprise in 2023 rooted in business users using low-code/no-code (LCNC). The first part of this prediction is, unfortunately, a shared industry assumption: It would be surprising if we had an entire year without major headline security breaches. But the second part — forecasting that this major breach would be the result of business users, aka citizen developers, using LCNC — is an extraordinary attempt to wake up the security community before it’s too late.

This prediction is so powerful since it comes in strong contrast to the tendency some security teams have to treat apps built by business users as toys or POCs rather than critical infrastructure. This assumption, warns Forrester, is wrong and will lead to dire results. In recent years, LCNC has become a reality in the enterprise, and business users have been building impactful apps that large organizations now rely on — with or without the security team’s knowledge.

To understand why Forrester is issuing this warning, we must unpack its underlying assumptions. Doing so reveals a good deal of new information about the analysts’ reading of, and assumptions about, the market, which the reader is free to evaluate.

When a Security Breach Becomes a Major Headline

Consider the factors it takes for a security breach to become a major headline. First, obviously, a breach needs to occur. While this assumption is trivial, note that it relies on an underlying assumption that hackers are focusing their efforts on LCNC apps and finding success in breaking them. For hackers to focus their efforts on LCNC, the perceived reward needs to be big enough compared to the perceived difficulty — which means hackers must be convinced that LCNC holds significant business data or facilitates important business workflows for it to be a worthy target. Success in breaching LCNC apps means that hackers can exploit either platform-level or app-level vulnerabilities to take over these apps.

Since business users are not security experts and often lack guidance, this is unfortunately an easy assumption to make. In fact, in a case documented by the Microsoft Detection and Response Team, an APT group used living-off-the-land techniques on LCNC platforms to remain hidden and persistent within a multinational organization for more than six months while defenders were actively trying to kick them out. In another case last year, a simple misconfiguration resulted in almost 40 million confidential records being exposed to the Internet.

Second, the breach must involve business-critical apps or data; otherwise the story just won’t be interesting enough for a major headline. The criticality of the app or data needs to be rooted in the business’s value proposition for it to be obvious to every external security practitioner that the breach will have a significant business impact on the breached company. LCNC and citizen development have grown significantly in recent years, delivering on their promise of empowering business users to address their own needs. Business-led development has become a strategic initiative in some organizations. Many large organizations have a dedicated group of admins who manage and operate these LCNC citizen development platforms, sometimes called Centers of Excellence.

Third, the breach needs to be detected. A breach could be announced publicly by hackers willfully publishing it to hurt the breached company or to push the company to yield to their demands. It could also be detected inside the breached company when business-critical apps stop working or when security teams identify it. In any case, breach detection comes, on average, seven months after hackers gained their initial successful access. Doing the math, and considering that the predicted headlines are to come in 2023, this means that hackers may have already breached business-critical LCNC apps.

Lastly, and again trivially, the breach needs to be publicized. Of course, any organization that suffered a major breach would be happy if the news of its unfortunate event did not reach major news outlets. Assuming that the breached organization would work against publicity, and that not all major breaches are reported on, next year should bring far more than one major security breach resulting from business users building with LCNC.

Unpacking the Forrester prediction for 2023 reveals a set of assumptions about the world we live in now. Business users are building business-critical apps with LCNC. Hackers are acutely aware of and have probably developed dedicated tools and exploits to breach such apps across the industry. Some security teams are probably dealing with a detected breach at this very moment.

Why We Should Be Happy About the Prediction

While discussing a predicted major breach feels gloomy and pessimistic, the larger message is positive: Business users are succeeding in moving the needle in the enterprise using LCNC and solving problems on their own.

There has long been a gap between business users, who can articulate the problems they need solved to do their jobs better — thus making the business stronger — and IT teams, which are buckling under pressure and have limited capacity, leaving them unable to meet most of those requirements. LCNC is the latest development trying to bridge that gap by empowering business users to address their problems as they see fit. The business empowerment goal, part of IT decentralization, has been pursued by endless innovation waves, including productivity tools like Office, application generators, visual coders, and lately RPA and LCNC. As we saw above, this prediction is predicated on the remarkable fact that LCNC is actually succeeding in empowering business users, and that they in turn are succeeding in changing business outcomes.

Like every new technology, LCNC comes with a new set of challenges. While we’ve been successful at leveraging LCNC for business impact, we haven’t been as good at making sure those apps, the identities they use, and the data they handle are secure. This will not be an easy task, as security teams are not used to monitoring and guiding business users and the apps they develop. However, our role as security teams is to enable the business, and the business clearly shows it wants LCNC.


About the Author

Michael Bargury

CTO & Co-Founder, Zenity

Michael Bargury is an industry expert in cybersecurity focused on cloud security, SaaS security, and AppSec. Michael is the CTO and co-founder of Zenity.io, a startup that enables security governance for low-code/no-code enterprise applications without disrupting business. Prior to Zenity, Michael was a senior architect at Microsoft Cloud Security CTO Office, where he founded and headed security product efforts for IoT, APIs, IaC, Dynamics, and confidential computing. Michael holds 15 patents in the field of cybersecurity and a BSc in Mathematics and Computer Science from Tel Aviv University. Michael is leading the OWASP community effort on low-code/no-code security.
