{"id":3919,"date":"2024-06-06T09:00:00","date_gmt":"2024-06-06T14:00:00","guid":{"rendered":"https:\/\/www.darkreading.com\/vulnerabilities-threats\/understanding-security-new-blind-spot-shadow-engineering"},"modified":"2024-06-06T09:00:00","modified_gmt":"2024-06-06T14:00:00","slug":"understanding-securitys-new-blind-spot-shadow-engineering","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/06\/06\/understanding-securitys-new-blind-spot-shadow-engineering\/","title":{"rendered":"Understanding Security’s New Blind Spot: Shadow Engineering"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

COMMENTARY<\/span><\/span><\/p>\n

“Out of sight, out of mind” is not a good way to approach cybersecurity or a secure software development life cycle. But in the rush to digital transformation, many organizations are unknowingly exposed to security risks associated with citizen developer applications. <\/span><\/p>\n

Made possible by low-code\/no-code (LCNC) technology that allows individuals without formal coding or software development training to easily build applications, these apps have spawned a new term known as “shadow engineering.” By providing intuitive, drag-and-drop, and generative AI (GenAI) interfaces, LCNC platforms enable employees to independently create and deploy apps outside the purview of the security team. <\/span><\/p>\n

Despite the associated risks, LCNC applications can play a significant role in driving digital transformation. They offer the potential to generate substantial cost savings and, more importantly, they may form the backbone of the majority of applications used worldwide.<\/span><\/p>\n

According to Gartner<\/a><\/span>, almost two-thirds of chief information officers (CIOs) say their organizations plan to deploy LCNC platforms in the next two years or already have deployed them. In the report, CIOs cited excelling in customer or citizen experience, improving operating margins, and generating revenue as the most critical outcomes from digital technology investments.<\/span><\/p>\n

LCNC and robotic process automation (RPA) have democratized application development, putting it within reach of users without coding skills. However, shadow engineering is also creating a security blind spot that is exposing organizations to risks they can’t anticipate. <\/span><\/p>\n

Using low-code\/no-code application platforms (LCAP) \u2014 such as Microsoft Power Apps and Power Automate, UiPath, Automation Anywhere, or ServiceNow \u2014 business users are creating apps and automations that bypass the established software development life cycle (SDLC) and its security assurance processes. <\/span><\/p>\n

Shadow engineering leaves security teams with little or no control over LCNC apps that citizen developers can deploy. These apps also bypass the usual code tests designed to flag software vulnerabilities and misconfigurations, which could lead to a breach. This lack of visibility prevents organizations from enforcing policies to keep them in compliance with corporate or industry security standards. <\/span><\/p>\n

For example, a low-code automation created by the sales team to process credit card payments could leak sensitive data and violate PCI DSS requirements while being invisible to the security operations team. <\/span><\/p>\n

Shining a Light on Shadow Engineering<\/h2>\n

Addressing the risks associated with shadow engineering requires applying traditional application security principles to LCNC apps, which include the following best practices:<\/span><\/p>\n

\n