- What is a Low-Code, No-Code platform?
- Understanding the difference between Low-Code and No-Code
- WordPress as a case study
- Takeaways: No-code does NOT mean no vulnerabilities.
Low-Code No-Code (LCNC) platforms provide a graphical user interface (GUI) that allows users to create custom applications without the need to write code. These popular platforms contain pre-built templates, components, plugins, and themes to expedite the development process and cut costs.
The concept of Low-Code, No-Code platforms has been around for decades. It began with the first high-level programming languages using visual interfaces and pre-built components.
LCNC platforms have become very popular among organizations and individuals for building marketing websites, business applications, blogs, simple websites, and more.
So, what’s the difference between Low-Code and No-Code?
Low-Code platforms are designed to strike a balance between traditional coding elements, such as control over the code, flexibility in making changes, and the simplicity of the user interface. The platforms provide users with broad functionality and pre-built functions. They allow them to make edits and modifications as well as to add custom code. One of the most popular and famous Low-Code examples is WordPress.
No-Code platforms, on the contrary, are very simple and allow non-technical users to build applications without the need to write any code whatsoever. They have intuitive user interfaces and emphasize their user-friendliness. One of their disadvantages is that they do not offer much flexibility with custom code. Some popular No-Code platforms are Shopify, Mailchimp, Notion, and more.
Just as every coin has two sides, Low-Code, No-Code platforms have their pros and cons.
Their main pro is that they allow users to build applications in a short time and maintain low costs. Their main con affects the programming aspect since this provides limited flexibility and lacks customization options.
However, one critical downside of these platforms is security. The platforms introduce security vulnerabilities that could pose a critical risk for the organization and its customers.
Awareness of potential security risks and the knowledge of how to mitigate them will protect your site/platform from becoming the next casualty of a cyber attack.
Nicole Sheinin, OP Innovate
Low-Code, No-Code != No vulnerabilities
It is important to remember that even though these platforms do not require advanced coding skills, the simplicity of these platforms leaves them vulnerable to security shortfalls.
The main risk of LCNC platforms is that the software can have vulnerabilities in its pre-built functionalities, such as templates, plugins, and themes. Often the developers who create them favor usability over security, so common vulnerabilities such as cross-site scripting (XSS), injection flaws, and remote code execution are rife.
WordPress: A Security Case Study
WordPress is one of the most popular LCNC platforms. According to W3Techs, it is used by 43% of all websites on the internet – to give a sense of perspective, that means there are nearly half a billion sites using WordPress at the time of writing.
WordPress, like most other software, is not entirely secure. WordPress vulnerabilities are discovered on a daily basis, either on the platform itself or in third-party plugins.
Common vulnerabilities in plugins and themes typically arise from poor coding practices. The first step to mitigate this risk is to limit plugin use to reputable plugins from trusted sources. The second step is to implement WordPress best practices for developers.
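To make the plugin risk above and the developer best practices concrete, here is an added example that is not from the original article or from OP Innovate: a small shortcode handler written first the careless way (unsanitized input reaching SQL and HTML) and then hardened with core WordPress APIs. The shortcode name, function names and query are assumptions; the WordPress functions used (sanitize_text_field, wp_unslash, $wpdb->prepare, $wpdb->esc_like, esc_html) are real core APIs.

```php
<?php
// Added example, not the article's code. Shortcode and function names are hypothetical.

// Vulnerable form: untrusted input reaches SQL and HTML unescaped.
function lcnc_demo_vulnerable_shortcode( $atts ) {
    global $wpdb;
    $tag  = $_GET['tag'];                                   // raw user input, no sanitization
    $rows = $wpdb->get_results(
        "SELECT post_title FROM {$wpdb->posts} WHERE post_title LIKE '%$tag%'"
    );                                                      // string-built query: SQL injection
    $out  = "<h3>Results for $tag</h3>";                    // unescaped reflection: XSS
    foreach ( $rows as $row ) {
        $out .= "<p>{$row->post_title}</p>";                // DB content echoed unescaped
    }
    return $out;
}

// Hardened form: sanitize on input, prepare the query, escape on output.
function lcnc_demo_hardened_shortcode( $atts ) {
    global $wpdb;
    // wp_unslash() removes WordPress's added slashes; sanitize_text_field() strips tags/control chars.
    $tag = isset( $_GET['tag'] ) ? sanitize_text_field( wp_unslash( $_GET['tag'] ) ) : '';
    if ( '' === $tag ) {
        return '';
    }
    // esc_like() neutralises % and _ so the user cannot widen the LIKE pattern;
    // prepare() binds the value as a string literal, so it can never alter the SQL.
    $like = '%' . $wpdb->esc_like( $tag ) . '%';
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT post_title FROM {$wpdb->posts}
             WHERE post_status = 'publish' AND post_title LIKE %s LIMIT 20",
            $like
        )
    );
    // Escape on output regardless of where the data came from.
    $out = '<h3>Results for ' . esc_html( $tag ) . '</h3>';
    foreach ( $rows as $row ) {
        $out .= '<p>' . esc_html( $row->post_title ) . '</p>';
    }
    return $out;
}

// Only the hardened handler is registered; the vulnerable one is shown for contrast.
add_shortcode( 'lcnc_demo_search', 'lcnc_demo_hardened_shortcode' );
```

Reviewing a third-party plugin for the first pattern (raw $_GET/$_POST in a query string or in echoed HTML) is a quick, practical check before installing it.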
When a vulnerability is found and a fix is released, both are made public. Attackers scan the internet looking for low-hanging fruit in the form of unpatched sites, in order to exploit this now-known vulnerability with minimal effort.
Our research team often finds outdated WordPress instances; however, our mission is to secure the site and its users, in contrast to an attacker’s nefarious goals. It is essential to maintain WordPress installations, plugins, and themes so they’re up to date and the website is protected against known vulnerabilities.
As active members of the international cyber security community, OP Innovate’s researchers invest time hunting for vulnerabilities in open-source projects that are relied upon by a great number of users worldwide. The research team recently discovered four vulnerabilities in WordPress plugins. The team promptly reported the findings to the relevant software vendors and publicly disclosed them once patches were released.
Recent WordPress plugin vulnerabilities found by the team:
- CVE-2022-3144 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N)
- CVE-2022-4410 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
- CVE-2022-4207 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
- CVE-2022-4171 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
- Low-Code, No-Code platforms are very commonly used and make life easier for organizations, individuals, and developers who need to build and manage websites or platforms.
- Despite these advantages, there is one critical disadvantage that everyone should be aware of – No code does NOT mean no vulnerabilities.
- Awareness of potential security risks and knowing how to mitigate them will protect your site/platform from becoming the next casualty of a cyber attack.