Published June 17th, 2024 by Bayonseo

Shadow engineering refers to the practice of employees creating and deploying applications using low-code/no-code (LCNC) platforms like Microsoft Power Apps, OutSystems, and Mendix, without the oversight or knowledge of the IT and security departments. 

Low-code/no-code platforms empower individuals without formal coding experience to create applications quickly and independently through intuitive, drag-and-drop interfaces and generative AI tools.

LCNC technology and robotic process automation (RPA) significantly enhance digital transformation efforts by cutting costs and boosting efficiency. Gartner reports that nearly two-thirds of CIOs plan to deploy or have already deployed LCNC platforms within two years. These tools are vital for enhancing customer experiences, improving operational margins, and driving revenue.

The democratization of app development through Low-Code/No-Code (LCNC) platforms has led to their widespread use. However, these applications often bypass traditional software development life cycle (SDLC) processes, which include essential security checks and compliance measures. As a result, they may have vulnerabilities such as hard-coded passwords, data leaks, or insufficient encryption. Developed outside the security team's oversight, these apps might not undergo rigorous testing, potentially exposing sensitive data and violating regulations like GDPR or PCI DSS.

On top of that, security teams also lack visibility and control over these apps, making it difficult to monitor and manage them effectively. This creates a blind spot where potential threats can go undetected, increasing the risk of cyberattacks and data breaches.


To address the security risks of shadow engineering, organizations should adopt traditional application security practices for LCNC apps starting by identifying and inventorying all LCNC applications and automations to pinpoint redundant or outdated ones and ensure that active apps comply with company policies.

Following this initial step, organizations should as well:

- Protect Applications: Regularly evaluate LCNC apps for threats and vulnerabilities. Implement runtime controls to detect malicious activity and conduct routine security assessments.

- Enforce Compliance: Educate business users about relevant regulations and enforce LCNC security policies to prevent compliance violations.

- Empower Business Users: Provide clear guidance and training to help business users address security risks promptly. Foster collaboration between business developers and security teams.

- Monitor Regularly: Continuously monitor the development process and conduct security audits. Inspect applications for vulnerabilities and ensure third-party components are secure.



The democratization of app development through LCNC and RPA can drive innovation and efficiency, provided organizations maintain the necessary visibility to enforce security controls. By implementing these practices, organizations can maintain the benefits of LCNC platforms while safeguarding against the hidden risks of shadow engineering 

For more insights and tailored cybersecurity solutions, visit [BayonTech Group]( Stay ahead of potential threats and ensure your digital transformation is secure!

‹ Back