OWASP Low-Code/No-Code Top 10

OWASP Top 10 for Low-Code/No-Code Apps

stars slack email group


Low-Code/No-Code development platforms provide a development environment used to create application software through a graphical user interface instead of traditional hand-coded computer programming. Such platforms reduce the amount of traditional hand-coding, enabling accelerated delivery of business applications.

As Low-Code/No-Code platforms proliferate and become widely used by organizations, there is a clear and immediate need to create awareness around security and privacy risks related to applications developed on such platforms.

The primary goal of the “OWASP Low-Code/No-Code Top 10” document is to provide assistance and education for organizations looking to adopt and develop Low-Code/No-Code applications. The guide provides information about what the most prominent security risks are for such applications, the challenges involved, and how to overcome them.

The List

  1. LCNC-SEC-01: Account Impersonation
  2. LCNC-SEC-02: Authorization Misuse
  3. LCNC-SEC-03: Data Leakage and Unexpected Consequences
  4. LCNC-SEC-04: Authentication and Secure Communication Failures
  5. LCNC-SEC-05: Security Misconfiguration
  6. LCNC-SEC-06: Injection Handling Failures
  7. LCNC-SEC-07: Vulnerable and Untrusted Components
  8. LCNC-SEC-08: Data and Secret Handling Failures
  9. LCNC-SEC-09: Asset Management Failures
  10. LCNC-SEC-10: Security Logging and Monitoring Failures

How to contribute

Involvement in the development and promotion of OWASP Top 10 Low-Code/No-Code Security Risks is actively encouraged! You do not have to be a security expert in order to contribute.

Here are some ways you can help:

  • We are looking for organizations and individuals that will provide vulnerability prevalence data
  • Translate the top 10 to non-English languages
  • Review, critique and suggest improvements to the Top 10 list
  • Star the GitHub Project
  • Contribute real world examples to categories in the Top 10 list
  • Add your Success Story - tell us and the world how you’re using the Top 10 list

Individuals and organizations that provide a significant contribution to the project will be listed on the acknowledgments page.

How to reach out:

Got an idea?

Got any ideas on how to make this project better? These guidelines will help with how to get involved:

  1. Join the conversation on email or Slack to find collaborators or see if others have a similar interest.
  2. Search the project’s GitHub issues for related proposals. Found one? Join it!
  3. If you haven’t found a relevant issue, create one! Clearly specify why your proposal is important and which changes are proposed. Advertise your proposal to others to find collaborators. See examples: Add descriptions for business users, Add product-specific examples.

Getting Started with your first Pull Request

A Pull Request (PR) can be created by following these steps.

Remember to:

  1. Fork this repository.
  2. Create an initial draft implementing your proposal and submit it for review as a PR. Don’t let perfect be the enemy of good.
  3. Advertise your proposal to others and ask for reviews.
  4. Once your PR is merged, continue to submit PRs to fine-tune and improve on previous versions.
  5. Congrats and thank you!


Individuals that provided a significant contribution to the project:

Name Affiliation Contact
Michael Bargury Zenity Twitter LinkedIn
Ory Segal Palo Alto Networks Twitter LinkedIn
Don Willits Microsoft LinkedIn


The OWASP Top 10 Low-Code/No-Code Security Risks project is supported by Zenity