Navigating the Risks of Shadow Engineering in Cybersecurity

In the era of digital transformation, the proliferation of low-code/no-code (LCNC) technology has led to the rise of "shadow engineering," a phenomenon where individuals without formal coding skills can easily create and deploy applications outside the traditional security oversight. This trend, while driving innovation and efficiency, exposes organizations to significant cybersecurity risks as these citizen-developed applications often bypass standard security checks and compliance protocols.
Gartner’s recent survey highlights that nearly two-thirds of chief information officers (CIOs) are planning to deploy or have already deployed LCNC platforms, underscoring their importance in enhancing customer experiences, operating margins, and revenue generation. However, the ease of use and accessibility of LCNC and robotic process automation (RPA) tools have created a security blind spot for organizations, as applications and automations developed by business users circumvent established security processes inherent in the software development life cycle (SDLC).
The risks associated with shadow engineering include the potential for data breaches, non-compliance with regulatory standards like GDPR, CCPA, HIPAA, PCI DSS, and other security vulnerabilities that could compromise sensitive information. For instance, a simple low-code automation created for processing credit card payments could inadvertently expose customer data without the knowledge of the security team.
Addressing these risks involves integrating traditional application security principles into the development and monitoring of LCNC applications. Key strategies include:

1. Discovering and tracking all LCNC applications to ensure they comply with company policies and eliminate outdated or redundant apps.
2. Protecting applications by routinely evaluating them for security threats, using runtime controls to detect malicious behavior, and remediating vulnerabilities.
3. Enforcing compliance with relevant regulations by creating and applying LCNC security policies.
4. Empowering citizen developers with the knowledge and tools to identify and mitigate risks themselves, fostering a culture of security awareness.
5. Regular monitoring and assessment of LCNC applications for security vulnerabilities, malicious code, and data leaks, and keeping a vigilant eye on developer activity.
   The democratization of software development through LCNC and RPA presents both opportunities and challenges. By maintaining visibility and implementing rigorous governance and security controls, organizations can harness the benefits of citizen development while mitigating the associated risks.