owasp / www-project-top-10-low-code-no-code-security-risks
OWASP Low-Code/No-Code Top 10
Home Page: https://owasp.org/www-project-top-10-low-code-no-code-security-risks/
License: Other
For each of the Top 10 risks, we would like to have a list of concrete attack scenarios where confidentiality, integrity or availability can be compromised.
The descriptions should be technical and one paragraph long. They could be generic, or focus on a particular low-code/no-code platform.
To contribute, please create a PR.
I have updated all sections of the report with grammatical and syntax updates for better readability.
The language of OWASP documents speaks to security, operations, IT and engineering professionals. The introduction of low-code/no-code has lowered the bar to become a digital builder. This is the root of why this technology is so important. However, it also means that we cannot assume the same level of technical or security acumen from all low-code/no-code developers.
To enable usage of the OWASP Low-Code/No-Code Top 10 by everyone, no matter their technical background, we would need to remove our assumptions and describe risks in a common language that everyone can understand. This should not replace the technical or security-oriented language which is the golden standard of an OWASP project, but come as a parallel view on the same issues.
The current template for a risk category is as follows:
We propose the following additions:
"Unintended consequences" may be too nebulous; its coverage is broad and vague. Clarity in the description and impact for what "unintended consequences" means in relation to data leakage is required, or consider a different title.
I know that this was part of current available version, but should we move this risk of having too verbose logs to LCNC-SEC-08?
Originally posted by @mbrg in #56 (comment)
Consider (re)moving Scenario 2
I know this is unrelated and is not part of the change, but scenario 2 doesn't really fit here, right?
Originally posted by @mbrg in #56 (comment)
All texts in the repository, from the index.md file to specific risks out of the Top 10 list, are up for review and improvement.
The logo usage here is in violation of the policy:
"Questionable practices include changing the circle to a square, altering the angle of the wasp feature, using non-branded wasp images, copyrighted images, and any other treatment that alters or obscures the OWASP brand. The OWASP Foundation reserves the right to request changes to any graphic that does not comply with these rules."
Please see https://owasp.org/www-policy/operational/branding for more information.
Low-Code/No-Code can mean many different things. Tools can differ in technology, users, developers, use cases and more. For example, Low-Code Application Platforms (LCAP) are used to build web and mobile applications, while Robotic Process Automation (RPA) is used to build bots. These technologies are ever-changing and are in the process of merging with each other, so it's still important to cover them in a single project. However, we should also emphasize where they differ, allowing people to focus on the risks relevant to a particular technology.
The current template for a risk category is as follows:
We propose the following additions:
Low-Code development technologies to distinguish: