For each of the Top 10 risks, we would like to have a list of concrete attack scenarios where confidentiality, integrity or availability can be compromised.

The descriptions should be technical and one pharagraph long. They could be generic, or focus on a particular low-code/no-code platform.

To contribute, please create a PR.

I have updated all sections of the report with grammatical and syntax updates for better readability.

          I know that this was part of current available version, but should we move this risk of having too verbose logs to LCNC-SEC-08?

Originally posted by @mbrg in #56 (comment)

Consider (re)moving Scenario 2

          I know this is unrelated and is not part of the change, but scenario 2 doesn't really fit here, right?

Originally posted by @mbrg in #56 (comment)

All texts in the repository, from the index.md file to specific risks out of the Top 10 list, are up for review and improvement.

Context

The language of OWASP documents speaks to security, operations, IT and engineering professionals. The introduction of low-code/no-code has lowered the bar to become a digital builder. This is the root of why this technology is so important. However, it also means that we cannot assume the same level of technical or security accoman from all low-code/no-code developers.

To enable usage of the OWASP Low-Code/No-Code Top 10 by everyone, no matter their technical background, we would need to remove our assumptions and describe risks in a common language that everyone can understand. This should not replace the technical or security oriented language which is a golden standard of an OWASP project, but come as a parallel view on the same issues.

Proposal Description

The current template for a risk category is as follows:

• Risk Rating
• The Gist
• Description
• Example Attack Scenarios
  • Scenario 1
  • Scenario 2
  • ...
• How to Prevent
• References

We propose the following additions:

• A new section between Risk Rating and The Gist describing the category in simple terms
• A new subsection for each Scenario describing it in simple terms

The logo usage here is in violation of the policy:
"Questionable practices include changing the circle to a square, altering the angle of the wasp feature, using non-branded wasp images, copyrighted images, and any other treatment that alters or obscures the OWASP brand. The OWASP Foundation reserves the right to request changes to any graphic that does not comply with these rules."

Please see https://owasp.org/www-policy/operational/branding for more information.

Context

Low-Code/No-Code can mean many different things. Tools can differ in technology, users, developers, use cases and more. For example, Low-Code Application Platforms (LCAP) is used to build web and mobile applications while Robotic Process Automation (RPA) is used to build bots. These technologies are ever-changing and are in the process of merging with eachother, so its still important to cover them in a single project. However, we should also emphasize where they differ, allowing people to focus on the risks relevant to a particular technology.

Proposal Description

The current template for a risk category is as follows:

• Risk Rating
• The Gist
• Description
• Example Attack Scenarios
  • Scenario 1
  • Scenario 2
  • ...
• How to Prevent
• References

We propose the following additions:

• A new subsection under Risk Rating, where we provide different ratings for each Low-Code development technologies
• Label each Scenario with the relevant technologies. A scenario can apply to multiple technologies.

Low-Code development technologies to distinguish:

• Low-Code Application Platforms (LCAP)
• Robotic Process Automation (RPA)
• Integration Platform as a Service (iPaaS)

"Unintended consequences" may be too nebulous, it's coverage is broad and vague. Clarity in the description and impact for what "unintended consequences" means in relation to data leakage is required, or consider a different title.

@mbrg