Best Practices & Risks Considerations in LCNC and RPA Automation

COMMENTARY

Technologies such as low-code/no-code (LCNC) and robotic process automation (RPA) have become fundamental in the digital transformation of companies. They continue to evolve and redefine software development, providing new possibilities for different organizations. This allows users with no programming experience — often called citizen developers — to create applications and automate processes, simplifying complex tasks and optimizing business operations.

Application platforms for these technologies offer intuitive visual interfaces. This allows anyone from a business professional to an IT employee to develop customized applications and automate repetitive processes quickly and efficiently.

Despite their advantages, the use of these technologies has challenges, especially regarding information security. These platforms, which aim to simplify and speed up development, can introduce risks related to controlling and protecting corporate data. The agility these tools provide tends to reduce development time and costs compared with traditional models significantly. However, the lack of centralized control, especially in environments where non-technical teams are free to create applications, can generate vulnerabilities and ultimately lead to higher costs.

After conducting several penetration tests and risk assessments in environments using LCNC, RPA, or other forms of automation, I thought it crucial to offer more detailed security considerations for these technologies. Companies must understand the potential risks and impacts that adopting these solutions can bring, ensuring that the benefits of automation do not compromise security and regulatory compliance.

Data Collection Through Scraping

A common use of LCNC and RPA is related to automating data retrieval processes, a technique known as scraping. In many of the instances, I have observed these tools scraping data from both internal environments (such as corporate databases) and external ones (API sites, among others). Based on this data, the automated "robot" makes decisions, following the configured workflow, such as carrying out new searches, saving information in files or databases, sending emails, generating alerts, etc. Although scraping is a widely used data collection practice, it can have legal implications, so I recommend that companies consult their legal or risk management department.

As you can imagine, this external dependence can become an absolute nightmare, especially when the organization has no direct control over these services. If the way the data is made available changes unexpectedly, whether the data host alters the addressing, data format, or presentation, or removes the data completely, the automation can become vulnerable to critical failures. This external dependency makes the problem even worse if the automation process is based on this data — unavailability can generate errors and allow the "robot" to continue executing the process with incorrect data in a more critical scenario. This can result in damaging actions, such as wrong decisions in sensitive financial or operational processes, potentially severely affecting the organization. Mishandled failures in the automation can also lead to organizational decisions being made with outdated data, or the loss of data by overwriting good records with bad ones.

Therefore, solutions developed with automation must be designed to deal robustly with data unavailability. Automation must be able to detect and handle these scenarios, including the appropriate use of exception and error handling. This will ensure that even when data sources fail, the system can behave safely and predictably, preventing further damage.

Best Practices for Internal Policies

Another crucial point, especially in organizations where the developers of LCNC solutions often lack formal programming experience, is the need to establish internal policies that guarantee the auditing and traceability of automated processes. A best practice is to implement detailed logs of all automation steps. Recording this information will not only allow the IT team or those responsible for security to investigate and correct any faults, but will also be essential in resolving future problems, guaranteeing greater transparency and control over automated processes.

By default, automation processes are run by a specific user account, meaning they are directly linked to the permissions and privileges associated with that account. This is a critical point and must be constantly monitored to avoid risks. In this context, the recommendation to adopt the principle of least privilege is fundamental: to grant the user only the minimum level of permissions necessary to carry out their task. This limits access privileges and helps mitigate the impact if the account is compromised.

I recognize that automation processes involving scripts and command execution, such as CMD, Python, VBScript, or PowerShell can be indispensable for organizations in some situations, however the recommendation is to reconsider using these technologies whenever possible, as they increase the overall risk considerably. A malicious user could exploit this capability to create harmful scripts and efficiently carry out malicious activities quickly. A good practice is implementing strict access controls in the infrastructure, limiting access to these functionalities, and constantly monitoring their use.

As always, I can't stress enough the importance of security training for users and developers of LCNC platforms and other automation processes, such as RPA. In addition to basic information security training, companies must include secure coding practices and emphasize adherence to general security best practices. This ensures that everyone involved in developing and operating automated solutions understands the risks and how to mitigate vulnerabilities.

Consider LCNC platforms as a potential insider threat vector in your network. Historical experience shows that many cyberattacks begin with the introduction of malicious agents inside corporate networks. These attack vectors can exploit vulnerabilities in internal systems, which happens often enough that you should exercise due care in the design and implementation of any system that handles sensitive data. It is, therefore, prudent to assume that any internal automation, especially those handling confidential information, should always be viewed with the same security caution applied to internal threats.

As mentioned, although LCNC and RPA technologies allow many companies to speed up their development processes and reduce costs, it is essential to remember that security is often overlooked. When this happens, the risks can outweigh the benefits. Organizations must adopt robust and continuous security measures to protect these solutions, preventing security costs from rising exponentially and risks from becoming irremediable.