OWASP Low-Code/No-Code Top 10

OWASP Low-Code/No-Code Top 10

stars twitter slack email group


Low-Code/No-Code development platforms provide a development environment used to create application software through a graphical user interface instead of traditional hand-coded computer programming. Such platforms reduce the amount of traditional hand-coding, enabling accelerated delivery of business applications.

As Low-Code/No-Code platforms proliferate and become widely used by organizations, there is a clear and immediate need to create awareness around security and privacy risks related to applications developed on such platforms.

The primary goal of the “OWASP Low-Code/No-Code Top 10” document is to provide assistance and education for organizations looking to adopt and develop Low-Code/No-Code applications. The guide provides information about what the most prominent security risks are for such applications, the challenges involved, and how to overcome them.

The List

  1. LCNC-SEC-01: Account Impersonation
  2. LCNC-SEC-02: Authorization Misuse
  3. LCNC-SEC-03: Data Leakage and Unexpected Consequences
  4. LCNC-SEC-04: Authentication and Secure Communication Failures
  5. LCNC-SEC-05: Security Misconfiguration
  6. LCNC-SEC-06: Injection Handling Failures
  7. LCNC-SEC-07: Vulnerable and Untrusted Components
  8. LCNC-SEC-08: Data and Secret Handling Failures
  9. LCNC-SEC-09: Asset Management Failures
  10. LCNC-SEC-10: Security Logging and Monitoring Failures

How to contribute

Involvement in the development and promotion of OWASP Top 10 Low-Code/No-Code Security Risks is actively encouraged! You do not have to be a security expert in order to contribute.

Here are some ways you can help:

  • We are looking for organizations and individuals that will provide vulnerability prevalence data
  • Translate the top 10 to non-English languages
  • Review, critique and suggest improvements to the Top 10 list
  • Star the GitHub Project
  • Contribute real world examples to categories in the Top 10 list
  • Add your Success Story - tell us and the world how you’re using the Top 10 list

Individuals and organizations that provide a significant contribution to the project will be listed on the acknowledgments page.

How to reach out:

Got an idea?

Got any ideas on how to make this project better? These guidelines will help with how to get involved:

  1. Join the conversation on email or Slack to find collaborators or see if others have a similar interest.
  2. Search the project’s GitHub issues for related proposals. Found one? Join it!
  3. If you haven’t found a relevant issue, create one! Clearly specify why your proposal is important and which changes are proposed. Advertise your proposal to others to find collaborators. See examples: Add descriptions for business users, Add product-specific examples.

Getting Started with your first Pull Request

A Pull Request (PR) can be created by following these steps.

Remember to:

  1. Fork this repository.
  2. Create an initial draft implementing your proposal and submit it for review as a PR. Don’t let perfect be the enemy of good.
  3. Advertise your proposal to others and ask for reviews.
  4. Once your PR is merged, continue to submit PRs to fine-tune and improve on previous versions.
  5. Congrats and thank you!


Individuals that provided a significant contribution to the project:

Name Affiliation Contact
Michael Bargury Zenity Twitter LinkedIn
Ory Segal Palo Alto Networks Twitter LinkedIn
Don Willits Microsoft LinkedIn
John McTiernan DT Group LinkedIn
Yianna Paris Xebia LinkedIn


The OWASP Top 10 Low-Code/No-Code Security Risks project is supported by Zenity