Low code, no code: innovation or security catastrophe?
Check platform implementations for serious risks like...
As the number of cyber-threats continues to rise, organisations are making daily trade-offs between security, practicality and speed, writes Matias Madou, co-founder and CTO, Secure Code Warrior. Nobody wants to make front-page news for the latest data breach, and organisations can't afford to suffer reputational damage and lose business. At the heart of secure programmes is secure code - it’s imperative that software developers consider this from the outset to set their programme up for success.
Low code no code is currently taking the developer landscape by storm, but what is it? In a nutshell, low code no code enables users to develop new applications, without much, if any, input from developers. It enables businesses to deliver easily created, rapidly deployable applications using prebuilt ‘blocks’ of application components.
Low code no code platforms and tools are aimed at non-technical people such as citizen developers, allowing them to create their own applications, and at improving the productivity of professional developers. While these two scenarios are completely different use cases, it’s important to understand that low code no code platforms are not a substitute for traditional coding, but are intended to complement it.
While they’re often used interchangeably in a marketing context, there are subtle differences between the terms “low code” and “no code”. Essentially, there is no such thing as no code; there is always code, it’s just hidden from the developer. The phrase “no code” is more of a marketing term suggesting that the tool is more appropriate for non-professional developers. Low code tools, by contrast, go beyond the no code approach, offering rapid application development with the option to use code or scripting.
Low code no code platforms are by no means a new phenomenon. The term “low code” was actually coined in 2014, but recently the tools have been rapidly rising in popularity. So much so that analyst firm Gartner expects low code application platforms to be used for 65% of all app development by 2024. Similarly, Forrester has predicted that over 2021, 75% of all development shops will adopt low code platforms.
What are the dangers of using low code no code platforms?
Given the benefits that low code no code platforms can provide to both professional and citizen developers, in terms of speed, simplicity and productivity, it’s easy to see why adoption of these tools is rapidly on the rise. However, as with any new approach to software development, businesses and IT teams need to be aware of the potential security risks that accompany them. In the following section, I’ve laid out some of the key areas to be aware of.
- Low visibility
Using low code no code platforms inevitably means relying on code that can’t be seen or inspected easily. If the vendor who developed the low code no code platform doesn't follow security best practices and secure coding, this can cause problems further down the line. Running vendor security audits can be time-consuming and costly for businesses, and for some, may not even be possible. For example, in many cases, enterprises will have no visibility of the code and security controls put in place by the low code no code vendors, meaning they need to rely on the security tools they already have.
- Insecure code
Security needs to be a priority from the start, no matter what is being developed (and how simple and pared-down it might appear to the naked eye). If components of the platform have been developed insecurely, this poses a potentially insidious problem. Those pieces of code are inevitably copied and pasted elsewhere, especially by inexperienced developers whose first priority is getting their software to function. In doing so, any bugs or security problems are inherited wherever that insecure component is replicated.
- Access control
A key feature of low code no code is that it makes it much easier for people who are not developers to create app-like functionality. It's cost-effective, agile, faster, and easier to change. However, access control is a vital consideration at the implementation stage, ensuring that best practices are maintained and all users only have visibility over what they need (and nothing more). When end-users have the ability to make decisions over access control independently of an enterprise-level policy, with the potential to open up pathways to data that should be closed, it exposes the business to significantly more risk.
- Business logic flaws
Similarly to access control permissions, business logic permissions and privileges should be baked into the functionality of the software. If something is forgotten, it's possible for sensitive data to be exposed to the wrong people, or to be exposed through API connectivity that further widens the attack surface of an application. The vendors of low code/no code platforms need to test and evaluate all of these issues as they would in their normal software development, or the above problems may occur.
How can businesses address these issues?
Despite the potential security issues associated with low code no code platforms, there are steps that businesses can take to mitigate the risks. One of the key actions is to choose vendors and partners carefully, opting for options where the security processes are made clear and transparent. The platform should be securely developed, and gaining insight into the vendor's approach to security best practices is smart. What tech stack are they using? How about SAST, DAST, IAST scanning, and other security tools? How much emphasis is placed on security awareness across the organisation, and most importantly, among the development team? Knowing this ahead of time can ensure you’re working with platforms built by people who take security as seriously as your company should.
Staying in the loop with the latest security issues and vulnerabilities doesn’t have to be a huge drain on time, energy, or resources, either. There are mailing lists from information security sites and software vendors that professional and citizen developers alike can subscribe to in order to stay up to date. Alternatively, there are plenty of vulnerability databases out there which low code/no code platform users can consult to ensure they’re following safe practices and best practice. Ultimately, it pays to invest in security awareness, including security-skilled, hands-on developers who can act as defenders against common vulnerabilities, including checking platform implementations for weaknesses like poor access control, broken authentication, or potentially dangerous API connectivity.
As with countless other security issues, it ultimately comes down to cultural re-education. One of the issues with low code no code platforms is that they are often viewed by CISOs and IT teams as more secure since there’s less actual code-writing involved. As discussed and evidenced in this article, this certainly isn’t the case. That’s not to say that low code platforms aren’t a valuable business investment. However, it’s important to treat them as, and apply the same level of security testing as you would to, any traditionally developed software, as it only takes a small vulnerable window to create a much larger problem.