The Rise of Low-Code/No-Code and RPA in Digital Transformation
Technologies such as Low-Code/No-Code (LCNC) and Robotic Process Automation (RPA) have become fundamental in the digital transformation of companies. They continue to evolve and redefine software development, providing new possibilities for organizations of all sizes and sectors. These tools allow users with little or no programming experience (citizen developers) to create applications and automate processes, simplifying complex tasks and optimizing business operations.
Application platforms for these technologies (LCNC and RPA) offer intuitive visual interfaces. These allow anyone, from a business professional to an IT employee, to develop customized applications and to automate repetitive processes quickly and efficiently. This frees up operational teams to focus on more strategic value tasks.
Security Challenges and Risk Assessment
Despite their advantages, the use of LCNC and RPA technologies has challenges, especially regarding information security. These platforms, which aim to simplify and speed up development, can introduce risks related to controlling and protecting corporate data. The agility these tools provide tends to reduce development time and costs compared to traditional models significantly. However, the lack of centralized control, especially in environments where non-technical teams are free to create applications, can generate vulnerabilities and ultimately lead to higher costs.
After conducting several penetration tests and risk assessments in environments using LCNC, RPA, or other forms of automation, I thought it crucial to offer more detailed security considerations for these technologies. Companies must understand the potential risks and impacts that adopting these solutions can bring, ensuring that the benefits of automation do not compromise security and regulatory compliance.
Understanding Data Scraping in Automation
A common use of LCNC and RPA is related to automating data retrieval processes, a technique known as scraping. In many of the instances I have observed these tools scraping data from both internal environments (such as corporate databases), and external ones (API sites, among others). Based on this data, the automated “robot” makes decisions, following the configured workflow, such as carrying out new searches, saving information in files or databases, sending emails, generating alerts, etc.
Legal Considerations in Automated Data Collection
Although scraping is a widely used data collection practice, it can have legal implications. Even without being an expert in the legal field, it is essential to consider that unauthorized, automated collection of data from external sources, or data that is not regarded as public, can represent a legal risk. This is especially relevant when dealing with data protected by copyright or privacy regulations. To avoid potential problems, I recommend that companies consult their legal or risk management department before implementing automation that involves scraping.
That said, I'd like to present additional considerations to help you better protect your company when adopting any automation. Let's start with trust in data integrity, mainly when that data is obtained from third-party websites.
Managing Data Integrity and External Dependencies
As you can imagine, this external dependence can become an absolute nightmare, especially when the organization has no direct control over these services. If the way the data is made available changes unexpectedly, whether the data host alters the addressing, data format, presentation, or removes the data completely, the automation can become vulnerable to critical failures. This external dependency makes the problem even worse if the automation process is based on this data - unavailability can generate errors and allow the “robot” to continue executing the process with incorrect data in a more critical scenario. This can result in damaging actions, such as wrong decisions in sensitive financial or operational processes, potentially severely impacting the organization. Mishandled failures in the automation can also lead to organizational decisions being made with outdated data, or the loss of data by overwriting good records with bad ones.
Therefore, solutions developed with automation must be designed to deal robustly with data unavailability. Automation must be able to detect and handle these scenarios, including the appropriate use of exception and error handling. This will ensure that even when data sources fail, the system can behave safely and predictably, preventing further damage.
Establishing Robust Security Controls
Another crucial point, especially in organizations where the developers of LCNC solutions often lack formal programming experience, is the need to establish internal policies that guarantee the auditing and traceability of automated processes. A best practice is to implement detailed logs of all automation steps. Recording this information will not only allow the IT team or those responsible for security to investigate and correct any faults but will also be essential in resolving future problems, guaranteeing greater transparency and control over automated processes.
Access Management and Script Security
By default, automation processes are run by a specific user account, meaning they are directly linked to the permissions and privileges associated with that account. This is a critical point and must be constantly monitored to avoid risks. In this context, the recommendation to adopt the principle of least privilege is fundamental: to grant the user only the minimum level of permissions necessary to carry out their task. This limits access privileges and helps mitigate the impact if the account is compromised.
In the case of organizations that use automation processes involving scripts and command execution, such as CMD, Python, VBScript, or PowerShell. I recognize that they can be indispensable in some situations, however the recommendation is to reconsider using these technologies whenever possible, as they increase the overall risk considerably. A malicious user could exploit this capability to create harmful scripts and efficiently carry out malicious activities quickly. To protect against this threat, organizations must strictly restrict and monitor access to these environments and any other scripting tools or programming languages used in automation. A good practice is implementing strict access controls in the infrastructure, limiting access to these functionalities, and constantly monitoring their use.
Security Training and Best Practices
As always, I can't stress enough the importance of security training for users and developers of LCNC platforms and other automation processes, such as RPA. In addition to basic information security training, companies must include secure coding practices and emphasize adherence to general security best practices. This ensures that everyone involved in developing and operating automated solutions understands the risks and how to mitigate vulnerabilities.
Data Loss Prevention and Privacy Concerns
As we have seen, LCNC solutions, just like any other automation process, can improve companies' operational efficiency in various sectors. However, they also have significant risks, like data integrity issues and privacy concerns. In this context, it is crucial to understand how these “robots” interact with the data extracted from the organization. Often unintentionally, these processes can result in data evasion. This risk is magnified when automation stores information in external applications or databases. Even if the connection and authentication credentials are stored “securely,” the automation code still directly accesses the data and can be exploited inappropriately.
This is why implementing a well-configured DLP (Data Loss Prevention) is essential. However, it's important to remember that the effectiveness of DLP depends on continuous adjustments and monitoring, as new vulnerabilities can emerge as automation evolves.
Insider Threat Considerations
Consider Low-Code/No-Code (LCNC) platforms as a potential insider threat vector in your network. Historical experience shows that many cyber-attacks begin with the introduction of malicious agents inside corporate networks. These attack vectors can exploit vulnerabilities in internal systems, which happens often enough that you should exercise due care in the design and implementation of any system that handles sensitive data. It is, therefore, prudent to assume that any internal automation, especially those handling confidential information, should be always viewed with the same security caution applied to internal threats.
Policy Development and Documentation
Another crucial point is creating an official document that clearly defines the responsibilities of employees involved in developing automated processes, such as those using LCNC, RPA, and other technologies. This document should ensure that developers properly understand what can and cannot be done within these platforms, and should detail the impacts and risks associated with improper or unsafe use of these tools. This policy helps prevent actions that could compromise security or data integrity.
OWASP Guidelines and Future Considerations
A significant contribution from the security community was the development of the OWASP Top 10 on Low-Code/No-Code. If you are unfamiliar with this document, I strongly recommend you consult it, as it provides a detailed overview of the main security risks associated with these technologies. You can access it at the following link: OWASP Top 10 - Low-Code/No-Code Security Risks.
As mentioned, although LCNC and RPA technologies allow many companies to speed up their development processes and reduce costs, it is essential to remember that security is often overlooked. When this happens, the risks can outweigh the benefits. Organizations must adopt robust and continuous security measures to protect these solutions, preventing security costs from rising exponentially and risks from becoming irremediable.
Jordan Bonagura
Senior Security Consultant at Secure Ideas
Jordan is a Security Consultant at Secure Ideas. If you have any further questions feel free to reach out to him at jordan.bonagura@secureideas.com or you can find him on LinkedIn.
Read More by Jordan:
