Integrating CTEM in Low-Code/No-Code Security for Continuous Protection

September 4, 2024

Continuous threat exposure management (CTEM) monitors cybersecurity threats continuously rather than intermittently, allowing organizations to constantly assess and manage their security posture, reduce exposure to threats, and integrate risk management into a continuous assessment and action loop. This five-stage framework, introduced by Gartner, comprises scoping, discovery, prioritization, validation, and mobilization. A prime candidate for inclusion under the CTEM umbrella is software created in low-code/no-code (LCNC) and robotic process automation (RPA) environments. With easy-to-use interfaces aided by generative AI, LCNC development platforms have expanded attack surfaces in most organizations, often beyond the visibility of security staff. They allow any employee, referred to as a “citizen developer,” to create and deploy apps or RPAs for automating business processes such as data integration, form automation, and custom reporting.

This “shadow engineering” has been embraced by management, with 64% of CIOs reporting they have or will deploy LCNC technology within two years. However, it complicates cyber risk management by allowing code to slip into the network unchecked, including potentially dangerous software vulnerabilities. Bringing LCNC apps and RPAs under the purview of CTEM helps organizations pinpoint vulnerabilities and exposures, correlate them to potential attack vectors and exploits, prioritize based on business impact and the criticality of assets, and validate remediation efforts effectively.

Defining Scope

Begin by deciding which LCNC and RPA assets CTEM will cover, based on their importance to the business. Scoping can select groups of users, connections, connectors, apps, flows, and automations, categorized by business context, department, platform environment, or geographical location. A clear scope delineates the assets and activities that need protection and ensures that critical business processes are covered; it is the baseline every later stage works from.

For LCNC, scoping means taking stock of the applications and automations built across departments and business units, whose creators differ widely in technical proficiency and in their grasp of security practice. Knowing which groups of users build what kinds of apps and flows lets security measures be tailored to them. The platform environment matters too: the security requirements of a development environment differ significantly from those of production. A carefully defined scope is what keeps critical assets from being left out of the program.

Detection

Detection is the discovery stage of the Gartner model. Its objective is to inventory visible and hidden assets and uncover their vulnerabilities and misconfigurations. Because security teams have little visibility into LCNC applications and automations, mapping LCNC activity and keeping an up-to-date list of every asset tied to these platforms is difficult. Findings, whether threats, risks, or other security concerns, should be produced continuously and communicated to all relevant parties with as much detail as possible to support the later stages. Detecting issues may require a policy engine built on rules or AI logic, informed by application security research.

The result of this stage is a comprehensive map of LCNC and RPA assets with their potential weak points marked. Monitoring must be continuous: new vulnerabilities appear at any time, and a configuration change to an existing app or flow can introduce new risk. Sharing the findings with all stakeholders keeps everyone aware of the current security posture and able to act on it.

Ranking

Ranking is the prioritization stage. Addressing an exposure means weighing its urgency and severity, the controls already available, the organization's risk appetite, and its overall risk level. Predefined base scores alone are not sufficient: ranking in LCNC should combine traditional risk-based scores with platform-specific and organization-specific inputs. An established method such as CVSS is a sound starting point, but the score should also reflect accessibility (who can reach the app or flow), whether the app is enabled or disabled, and the deployment environment, production versus development. Ranking matters especially in LCNC because of the sheer number of detected issues, the number of assets, and app creators' relatively limited security knowledge.

Combining traditional risk assessment with these LCNC-specific factors lets organizations put effort where it counts: the issues that pose the highest risk to the business are addressed first. How reachable an application is to potential attackers and which environment it runs in are major determinants of its real risk level, and weighing them in the ranking focuses resources on the most pressing threats.

Verification

Verification is the validation stage, with three goals: determine whether attackers can actually exploit the known vulnerabilities, evaluate the worst-case impact if defenses fail, and confirm that processes exist to respond to security issues. Verification for LCNC applications largely mirrors traditional application security practice, such as penetration testing, red team exercises, and simulations, but LCNC introduces challenges that call for tailored validation techniques: visual development interfaces, rapid deployment cycles, and heavy reliance on pre-built components.

The visual nature of LCNC development interfaces may require testing approaches different from those used on code-based applications. Rapid deployment cycles mean new versions of an app can ship frequently, and each version needs to be validated. Addressing these challenges directly keeps verification robust and able to surface real exploits and vulnerabilities.

Activation

Activation is the mobilization stage, and it closes the assessment-and-action loop described at the start: the exposures that were scoped, detected, ranked, and verified are turned into remediation, the remediation is validated, and the cycle returns to scoping and detection. Because LCNC apps and RPAs change continuously and are built by citizen developers rather than security staff, this stage is what makes the framework continuous rather than a one-time assessment.
