
Salesforce Low-Code Security Risks in 2023

By Phil Lepanto

When cloud computing emerged as a way to avoid upfront hardware costs and rapidly adjust resources to meet fluctuating demand, the assumption was that securing it would be much the same as securing traditional software and networks. We quickly realized that cloud security wasn't going to be that easy.

As cloud deployments grew more complex, it became obvious that securing them would be far harder than even experienced security teams expected. Just like the cloud revolution, Software-as-a-Service (SaaS) promised new capabilities and efficiencies through its ability to integrate layers of unique systems. Again, it was assumed that the threats would be very similar to those we had encountered with on-premises software or with cloud infrastructure, but we're now learning that isn't quite the case. Let's take a closer look.

New Types of Security Issues With SaaS

We've come to realize that SaaS introduces new types of vulnerabilities, including some very serious ones that initiatives like the CVE Program strive to identify, define, and catalog for the public. Provisioning software over the open internet, by definition, exposes data and systems to attack vectors that didn't exist on closed networks. Even if the transport layer is completely secure, SaaS is served from public endpoints that anyone on the internet can reach and probe, endpoints that practically scream: "attack me!"

It's entirely possible that attackers could exploit a vulnerability in your testing or staging environments (sandboxes, in Salesforce terms) and use it as a path into production, since the two often share integrations, credentials, or copied data. And worse, well-meaning developers on your team might rely on code or configuration that accidentally creates an attack vector.


The rise of Low-Code, No-Code promises a new level of flexibility by shortening development time. That is an attractive promise, especially now that we have seen how many new layers of security issues the cloud itself added. So, what exactly does it involve?

Keep Your Low-Code Secured

The idea behind Low-Code, No-Code software is that a layer of abstraction lets non-developers align business processes with flexible software, reducing the volume of original code your team needs to write. The promise is twofold: empower non-developers to drive software innovation, and reduce the volume of novel code. Neither completely lives up to the promise. In either case, configuration settings might be left insecure, or the small amount of code that is still written might introduce new vulnerabilities.

You may ask: "just like with the cloud and SaaS?" Yes, but Low-Code and No-Code are likely to introduce yet another layer of security vulnerabilities, this one sitting between the platform's 'hidden' code, which you cannot inspect, and the code your own team develops on top of it.


Vulnerabilities That Emerged from SaaS

Here are some examples of vulnerabilities that emerged as developers integrated Salesforce with other apps. These integrations help organizations increase productivity, yet they also increase security risk:

  • One of the simplest examples demonstrated in the past is how a Web-to-Lead form generated by Salesforce could be abused if administrators had not hardened their Session Settings. A Web-to-Lead form is an unauthenticated endpoint on the public internet, so anything arriving through it must be treated as untrusted input, and settings such as session timeouts and locking sessions to the IP address they originated from make a hijacked session far less useful to an attacker.
  • Another concern is how Salesforce Flows can be chained together to make business processes more seamless. Unfortunately, flows that run in system context (flows launched by record changes or schedules, and any flow an admin explicitly sets to run in system context) access data with the platform's permissions rather than the running user's, so users who lack access to the component functions may reach them with elevated privileges. Each flow's "How to Run the Flow" setting deserves review, especially for screen flows exposed to users through buttons or Experience Cloud sites.
  • Finally, in a low-code environment, a developer who pulls in an outside library like jQuery or Bootstrap could be embedding a security time bomb deep within your system. More than likely, the most up-to-date version of that library is secure today. By next quarter, however, it may have a published vulnerability that needs patching, and because the library sits in a static resource nobody revisits, your team may miss the notification. That door is then wide open. Record which version you deployed and where, so an advisory can be matched to it.
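The flow concern above is something you can check mechanically once you have retrieved your org's metadata. The script below is an added example, not code from the original article or from Salesforce: it parses Flow metadata files in the source format the Salesforce CLI retrieves (`*.flow-meta.xml`), reads each flow's `processType`, `runInMode` and `start/triggerType` elements, and flags screen flows (`processType` of `Flow`) whose run mode grants system-context data access to whoever can launch them. The three flow files are constructed samples, not real org metadata; the element names and the `SystemModeWithSharing` / `SystemModeWithoutSharing` values are those of the Flow metadata type.

```python
"""Audit Salesforce Flow metadata for flows that run in system context.

Added example for this article. It inspects Flow metadata as retrieved
by the Salesforce CLI (*.flow-meta.xml) and flags screen flows whose
runInMode gives users more data access than their own permissions allow.
"""
import xml.etree.ElementTree as ET

NS = "{http://soap.sforce.com/2006/04/metadata}"

# Constructed sample metadata (filename -> XML body); not from a real org.
SAMPLE_FLOWS = {
    "Discount_Approval.flow-meta.xml": """<?xml version="1.0" encoding="UTF-8"?>
<Flow xmlns="http://soap.sforce.com/2006/04/metadata">
    <label>Discount Approval</label>
    <processType>Flow</processType>
    <runInMode>SystemModeWithoutSharing</runInMode>
    <status>Active</status>
</Flow>
""",
    "Update_Contact.flow-meta.xml": """<?xml version="1.0" encoding="UTF-8"?>
<Flow xmlns="http://soap.sforce.com/2006/04/metadata">
    <label>Update Contact</label>
    <processType>Flow</processType>
    <status>Active</status>
</Flow>
""",
    "Sync_Account_Owner.flow-meta.xml": """<?xml version="1.0" encoding="UTF-8"?>
<Flow xmlns="http://soap.sforce.com/2006/04/metadata">
    <label>Sync Account Owner</label>
    <processType>AutoLaunchedFlow</processType>
    <start>
        <object>Account</object>
        <triggerType>RecordAfterSave</triggerType>
    </start>
    <status>Active</status>
</Flow>
""",
}


def child_text(element, tag, default=""):
    """Return the text of a direct child element in the metadata namespace."""
    child = element.find(NS + tag)
    return child.text.strip() if child is not None and child.text else default


def audit_flow(filename, xml_text):
    """Return a finding dict for one flow file, or None if nothing to report."""
    root = ET.fromstring(xml_text)
    process_type = child_text(root, "processType")
    # runInMode is absent from the file when the flow uses the default mode.
    run_mode = child_text(root, "runInMode", "DefaultMode")
    start = root.find(NS + "start")
    trigger = child_text(start, "triggerType") if start is not None else ""

    finding = None
    if process_type == "Flow" and run_mode == "SystemModeWithoutSharing":
        finding = ("HIGH", "screen flow runs in system context without sharing: "
                   "anyone who can launch it reads and writes records regardless "
                   "of their own object, field and sharing access")
    elif process_type == "Flow" and run_mode == "SystemModeWithSharing":
        finding = ("MEDIUM", "screen flow runs in system context with sharing: "
                   "record sharing is enforced, object and field permissions are not")
    elif process_type == "AutoLaunchedFlow" and trigger:
        finding = ("INFO", f"{trigger}-triggered flow runs in system context by design; "
                   "review the records it writes on behalf of the triggering user")
    if finding is None:
        return None

    severity, reason = finding
    return {"file": filename, "label": child_text(root, "label"),
            "processType": process_type, "runInMode": run_mode,
            "status": child_text(root, "status"),
            "severity": severity, "reason": reason}


def audit_all(flows):
    """Audit a mapping of filename -> XML and return only the flagged flows."""
    results = (audit_flow(name, body) for name, body in flows.items())
    return [r for r in results if r is not None]


if __name__ == "__main__":
    for f in audit_all(SAMPLE_FLOWS):
        print(f"[{f['severity']}] {f['file']} ({f['status']}): {f['reason']}")
```

Run it against the `flows` directory of a retrieved project by loading each file's contents into the mapping in place of `SAMPLE_FLOWS`. The Update_Contact flow produces no finding because it runs in the default mode, so a screen flow launched by a user runs with that user's permissions.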

Low-Code, No-Code is Here to Stay

The Low-Code, No-Code movement is only going to grow, and so will the security implications that come with it, just as they did for the cloud and SaaS. As with those two, companies need to stay focused on, and ahead of, the emerging threats that will no doubt accompany Low-Code, No-Code. This includes having the right tools to automate security, removing unnecessary privileges from users, classifying data, and adopting new controls yet to come.

Practicing proactive security will help turn that promise into a reality in which Low-Code, No-Code helps companies gain efficiency without sacrificing the security of their systems.

Resources

  • A quick read from IBM about Low-Code, and the differences between Low-Code and No-Code.
  • This article from DigitSec looks into what Low-Code, No-Code is, and the security risks associated with it.
  • This post from ZDNET talks about the appeal, as well as some of the downsides (including security concerns) associated with Low-Code, No-Code.

The Author

Phil Lepanto

Phil is a senior technology executive with 25 years of experience in a diverse range of roles.
