"Major Security Breach From Business Users' Low-Code Apps Could Come in 2023, Analysts Warn"

Forrester analysts recently warned of a possible major security breach at a large enterprise in 2023 caused by business users employing low-code/no-code (LCNC). The first part of this prediction is a common industry assumption that it would be unusual to go an entire year without major headline security breaches. The second part, which predicts that business users, also known as citizen developers, will cause this major breach using LCNC, is an attempt to wake up the security community before it is too late. This prediction is powerful because it counters the tendency of some security teams to treat apps built by business users as toys or proof-of-concepts (POCs) rather than critical infrastructure. Forrester warns that this assumption is incorrect and will have disastrous consequences. LCNC has become a reality in the enterprise in recent years, and business users have been creating impactful apps on which large organizations now rely, with or without the security team's knowledge. It is essential to unpack Forrester's underlying assumptions to understand why it is issuing this warning. Consider the factors that contribute to a security breach becoming a major news story. First, there must be a breach, and while this assumption is trivial, it is important to note that it is based on the underlying assumption that hackers are focusing their efforts on LCNC apps and succeeding in breaking them. For hackers to focus on LCNC, the perceived reward must be greater than the perceived difficulty, which means hackers must be convinced that LCNC holds significant business data or facilitates important business workflows for it to be a worthy target. In order to gain control of LCNC apps, hackers must exploit either platform or app-level vulnerabilities. Because business users are not security experts and often lack guidance, this is an easy assumption to make.
In one case documented by the Microsoft Detection and Response Team (DART), an Advanced Persistent Threat (APT) group used living-off-the-land tactics on some LCNC to remain hidden and persistent within a multinational organization for over six months while defenders actively attempted to kick them off. Another incident occurred last year when a simple misconfiguration exposed nearly 40 million confidential records to the Internet. This article continues to discuss Forrester analysts' prediction of a major security breach at a large enterprise in 2023 rooted in business users utilizing LCNC.

Dark Reading reports "Major Security Breach From Business Users' Low-Code Apps Could Come in 2023, Analysts Warn"

Submitted by Anonymous on