Many organizations now rely on low-code/no-code app development platforms to cost-effectively address a variety of application needs in various aspects of business operations. A recent survey showed that 47% of organizations are already using these technologies, while 20% of those who are not using them express intentions to adopt the technology in the next 12 months.
The low code/no code trend is changing the way organizations build apps for their needs.
Businesses can use low-code/no-code development platforms to create apps that digitize and automate manual and paper-based processes. They can be used to develop tools for customer engagement. They can build apps that make it easy to share data with business partners.
This is because low/no code technology puts the power in the hands of the business users, who are the best people to decide what the company needs to build next. Now they have the power to build it themselves.
As with all major technology waves, innovation can also bring new risks, and low-code/no-code technology is no exception. The security risks of residential development are real and can outweigh the benefits.
Related: The evolution of low-code/no-code development
Here is a summary of the various points that highlight the risk propensity of low-code/no-code app development and the resulting applications.
The shared responsibility of application security
Like the public cloud, no-code/low-code platforms make it easier and faster to develop applications and automations (for different users and different use cases), but this again comes at a security cost.
LCNC platforms are responsible for ensuring that their platforms cannot be hacked. The problem that organizations face is about the way pro and citizen developers use these platforms and the way they build/deploy applications and automations. It is also about the business logic that is implemented.
When a professional or citizen developer creates an app that exposes an organization to security or compliance risks, such as an app that exposes administrator credentials to any user, or an automation that moves sensitive data to an uncontrolled location, or an app that mishandles PII — it it is the organisation’s responsibility to track such threats and drive remediation.
Lack of visibility leads to impossible management
One of the problems with no-code/low-code development is the fact that security teams lack visibility. As a cloud security expert Chris Hughes explains, “You are using the software and therefore do not know the source code, associated vulnerabilities or potentially the level of testing and rigor the platform has undergone.” This is because platforms abstract away the “code”, so you can’t enable traditional methods that rely on inventory and scanning the code.
Related: Low-code developers report higher levels of job satisfaction
No-code/low-code platforms are everywhere; From SaaS solutions that are already available in the business such as those from Microsoft, Salesforce or ServiceNow, to platforms such as Zapier that are used directly in the business. Security teams have no way of knowing what is being used, who the manufacturers are, whether business-critical applications are developed with such tools, and whether they involve sensitive data.
How can security teams secure and manage what they can’t see?
To address this challenge of lack of visibility and difficulty in governance, the most viable solution is to choose a low-code/no-code platform that comes with features that support visibility, such as the ability to integrate with existing security controls or with third-party cloud-based security validation tools. Integration with security solutions or platforms is important to have the ability to keep track of the low-code apps being deployed, especially the data they generate, process, store and transmit.
Overwhelming Shadow IT
At the rate low-code/no-code apps are being phased out, especially among large and complex organizations, organizations shouldn’t be surprised to see their shadow IT grow larger and larger. A study of Everest Group indicates that shadow IT accounts for 50% or more of IT spending. This does not bode well for cyber security, especially considering Gartner’s prediction that around 30% of security breaches can be attributed to shadow IT.
Related: First No-Code Day highlights growing application sector
To emphasize, shadow IT is about the use of IT systems, from hardware to software, that do not have explicit or clear approval from the IT department. This is what usually happens with the development and use of low-code/no-code applications. It would be inappropriate to remove low code/no code with the problem of shadow IT.
Shadow IT is not good for organizations for many reasons. Most notably, it results in the following:
- The inability to know and monitor IT resources suggests that one does not see the big picture. It prevents organizations from clearly knowing what they have and what they need to protect.
- Shadow IT makes it difficult to identify threats and effectively anticipate, stop or mitigate them. Apps that are part of shadow IT can be the source of data leaks, but IT departments or cybersecurity teams may have a hard time finding them and solving the problem accordingly.
- Having more software usually means more points of failure. There are cases where low-code/no-code apps are no longer monitored because they are considered insignificant or benign, and then end up becoming vulnerabilities because they leak data or allow script injection.
- Shadow IT is also an uncontrollable factor in organizational processes. Low-code/no-code apps under the veil of shadow IT cannot be built to conform to the security posture of an organization and cannot be easily tracked and fixed if they create security issues. The only way to rein them in is to bring these shadow IT components into the light, which means they must stop becoming shadow IT.
Many IT experts reiterate the idea that shadow IT is not the problem itself, but a symptom. It wouldn’t exist if employees got the IT resources they need from the known IT setup and resources of an organization. Low-code/no-code apps do not need to become part of shadow IT, with proper governance and security validation.
Lack of cybersecurity expertise
Users don’t need deep technical knowledge to figure out how to use low-code/no-code development platforms, let alone the cybersecurity knowledge to ensure they don’t build and deploy apps that could create security vulnerabilities or conflict with the security posture of their organizations.
This is clearly an inherent security risk for any organization. Anyone can now build apps through intuitive interfaces, but almost all of them have no idea about the potential risks. Teaching and learning the basics of secure app development is not going to be easy.
The OWASP Top 10 Low Code/No Code Security Risks capture the various risks attributable to the lack of cyber security knowledge of low-code/no-code users. It tends to create apps with insecure authentication, data leakage issues, oversharing of apps and components, data and secret handling errors, misconfiguration, dependency injection risks, unmanaged custom mode, and privilege escalation vulnerabilities.
Common users probably haven’t even heard of these security risks. It is unlikely that they will know what measures are necessary to avoid these. Although app development platforms come with wizards that provide reminders about security concerns, many users are likely to be unaware of what exactly they mean.
To conclude
The problem of security risks for low-code or code app development is not something that organizations are helpless about. Many platforms are already becoming more aware of security implications. The leading platforms are now designed with cyber security in mind.
The issues described here are in no way implicit deterrents to those looking to try low-code app building platforms. The risks are real, but they are not without correspondingly effective solutions. With the right cybersecurity knowledge and security validation tools, organizations can take advantage of low-code/no-code apps and security-free app development.
Ben Kliger is CEO and co-founder of Zenity.
