Understanding Security's New Blind Spot: Shadow Engineering

In the rush to digital transformation, many organizations are exposed to security risks associated with citizen developer applications without even knowing it.

Yair Finzi, Co-Founder & CEO, Nokod Security

June 6, 2024

4 Min Read
Shadow of a hand over a computer keyboard
Source: blickwinkel via Alamy Stock Photo


"Out of sight, out of mind" is not a good way to approach cybersecurity or a secure software development life cycle. But in the rush to digital transformation, many organizations are unknowingly exposed to security risks associated with citizen developer applications. 

Made possible by low-code/no-code (LCNC) technology that allows individuals without formal coding or software development training to easily build applications, these apps have spawned a new term known as "shadow engineering." By providing intuitive, drag-and-drop, and generative AI (GenAI) interfaces, LCNC platforms enable employees to independently create and deploy apps outside the purview of the security team. 

Despite the associated risks, LCNC applications can play a significant role in driving digital transformation. They offer the potential to generate substantial cost savings and, more importantly, they may form the backbone of the majority of applications used worldwide.

According to Gartner, almost two-thirds of chief information officers (CIOs) say their organizations plan to deploy LCNC platforms in the next two years or already have deployed them. In the report, CIOs cited excelling in customer or citizen experience, improving operating margins, and generating revenue as the most critical outcomes from digital technology investments.

LCNC and robotic process automation (RPA) have democratized application development, putting it within reach of users without coding skills. However, shadow engineering is also creating a security blind spot that is exposing organizations to risks they can't anticipate. 

Using low-code/no-code application platforms (LCAP) — such as Microsoft Power Apps and Power Automate, UiPath, Automation Anywhere, or ServiceNow — business users are creating apps and automations that bypass the established software development life cycle (SDLC) and its security assurance processes. 

Shadow engineering leaves security teams with little or no control over LCNC apps that citizen developers can deploy. These apps also bypass the usual code tests designed to flag software vulnerabilities and misconfigurations, which could lead to a breach. This lack of visibility prevents organizations from enforcing policies to keep them in compliance with corporate or industry security standards. 

For example, a low-code automation created by the sales team to process credit card payments could leak sensitive data and violate PCI DSS requirements while being invisible to the security operations team. 

Shining a Light on Shadow Engineering

Addressing the risks associated with shadow engineering requires applying traditional application security principles to LCNC apps, which include the following best practices:

  • Discover and track: Lack of visibility is the leading risk posed by shadow engineering, and a good place to start mitigating risks. Discover and inventory all LCNC applications and automations to identify and eliminate any redundant or outdated ones, and single out any live apps that should be under the company's policy control. 

  • Protect applications: LCNC apps have many of the same problems found in conventionally developed software, such as hard-coded or default passwords and leaky data. A simple application asking employees for their T-shirt size for a company event could give hackers access to their HR files and protected data. LCNC apps should routinely be evaluated for threats and vulnerabilities, so they can be detected and remediated. Meanwhile, runtime controls can be used to detect malicious behavior inside the apps and automations or by apps in the domain.

  • Enforce compliance: Citizen developers may not be aware of regulations such as GDPR, CCPA, HIPAA, PCI DSS, etc. Create and enforce LCNC security policies to detect and prevent violations.

  • Empower citizen developers: Give citizen developers guidance in easy-to understand terms to help them remediate risks themselves as quickly and easily as possible. Collaborate with business developers to ensure that security is integrated into the development process of LCNC applications going forward.

  • Monitor regularly: Security is never a one-and-done. Conduct regular monitoring of the application development process and carry out regular security assessments and audits of LCNC applications. Inspect applications and automations to identify security vulnerabilities, such as default passwords. Evaluate their third-party components to identify malicious code or vulnerabilities, and check their data usage to stop data leaks. Monitor developer activity, looking for modifications, especially after applications have been published. 

The democratization of software development made possible by LCNC and RPA can be a positive development, as long as organizations maintain the visibility needed to implement governance and security controls. But in most large organizations, the risks associated with citizen developer apps are often undetected or neglected, and they remain unmitigated.

The steps described above provide a strong foundation for securing LCNC applications and RPA. To rein in security risks, begin with a structured process for performing discovery, assessment, remediation, and governance of LCNC apps and RPA tasks.

About the Author(s)

Yair Finzi

Co-Founder & CEO, Nokod Security

Yair Finzi is a technology entrepreneur with more than 15 years of experience in cybersecurity. Prior to Nokod Security, he co-founded SecuredTouch and served as its CEO until the company’s acquisition by Ping Identity. Later, Yair served as a product leader at Meta, focusing on its global app for crowdsourcing. He started his career in the Israel Defense Force's (IDF) elite cybersecurity unit and eventually became a head of department at the Intelligence Corps. Yair holds a B.Sc. in Electronics Engineering and an MBA with honors from Tel Aviv University.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights