While low-code and no-code application development is a couple of decades old, the train truly left the station just a few years ago, and it has been gaining considerable steam ever since. So popular and prevalent is low-code/no-code that several studies estimate that by 2025 it will be responsible for two-thirds of all applications developed. That shouldn't come as a surprise when you consider what it brings to the table:
- Reduction in application development backlogs,
- Expedited innovation and responsiveness,
- Faster mobile app builds,
- Ability to keep up with development demands, and
- Less reliance on developers, who are hard to come by these days.
For the uninitiated, the "low" and "no" refer to the amount of coding experience needed to create applications on one of the many platforms available in the marketplace. It's essentially drag-and-drop application development. So, if you have little or no coding experience, don't fret. You, too, can be a citizen developer, ready to build applications. That, however, is exactly what concerns many security professionals.
What Low-Code/No-Code Means to AppSec
While it’s hard to argue the importance of low-code/no-code app development and the benefits it delivers, here are a few concerns shared by security professionals.
If the idea of low- and no-code application development brings to mind thoughts of shadow IT, you're not alone. It's one of the issues that concern security professionals. When employees create applications accessible by users outside the organization, key, sensitive data may be exposed to bad actors and invite a spate of threats. The potential implications are dizzying, which is why governance is so important.
Governance and Data Protection
If governance isn't clearly spelled out for low-code/no-code application development, problems follow quickly. Governance doesn't need to feel confining or as if it were created to spoil the fun. It needs to be clearly stated and include which platforms and supporting tools can be used. It must also define how newly created applications are to be deployed, managed and tested. Governance, and adherence to it, means mitigating risk.
Always remember to keep data security top-of-mind. Clearly spell out how data can be shared and used. Gaining access to it needs to come in the form of a documented request that goes through, and is monitored by, IT.
If you're using a third-party platform, visibility into source code will be limited. That lack of visibility means testing, and the vulnerabilities it would surface, may be difficult to get your arms around. When vetting platforms, ask vendors whether they provide an SBOM (software bill of materials). It will give you information and insight into the software components in the platform and their related vulnerabilities.
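As an added example, not part of the original post, here is a small Python check that reads a vendor-supplied CycloneDX-style SBOM and reports components whose version is below the fixed version in an advisory list. The SBOM contents, component names and advisory IDs are constructed placeholders, not real packages or CVEs.

```python
import json

# Constructed CycloneDX-style SBOM, standing in for one a platform vendor might supply.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-form-renderer", "version": "3.2.0"},
    {"type": "library", "name": "example-json-parser", "version": "1.4.7"},
    {"type": "library", "name": "example-auth-client", "version": "0.9.1"}
  ]
}"""

# Constructed advisory feed: placeholder IDs and names, not real advisories.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "example-json-parser", "fixed_in": "1.5.0"},
    {"id": "ADV-EXAMPLE-0002", "name": "example-auth-client", "fixed_in": "0.9.1"},
    {"id": "ADV-EXAMPLE-0003", "name": "example-pdf-export", "fixed_in": "2.0.0"},
]

def parse_version(v):
    """Turn '1.4.7' into (1, 4, 7) so versions compare numerically, not lexically.
    Assumes plain dotted numeric versions, as in the constructed SBOM above."""
    return tuple(int(p) for p in v.split("."))

def load_components(sbom_json):
    """Return (name, version) pairs from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return [(c["name"], c["version"]) for c in bom.get("components", [])]

def find_affected(components, advisories):
    """A component is affected when an advisory names it and its version is
    strictly below the advisory's fixed_in version."""
    hits = []
    for name, version in components:
        for adv in advisories:
            if adv["name"] == name and parse_version(version) < parse_version(adv["fixed_in"]):
                hits.append((adv["id"], name, version, adv["fixed_in"]))
    return hits

if __name__ == "__main__":
    for adv_id, name, version, fixed in find_affected(load_components(SBOM_JSON), ADVISORIES):
        print(f"{adv_id}: {name} {version} is affected, fixed in {fixed}")
```

Running it lists only example-json-parser 1.4.7; example-auth-client already sits at the fixed version and is not reported.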
Tips for Making Low-Code/No-Code App Development Safer and More Secure
You must educate and train citizen developers on security best practices. Part of that education process should include IT security personnel mentoring them and checking their work before apps are deployed, even if the apps are only internal facing.
Due diligence is key when selecting low-code/no-code platforms. A vital component is researching vendors' security history: how did they address past security issues, what did they do to remediate them, and how well is security built into their platform?
Also, read online reviews. It’s amazing how many consumers don’t take these into account. Customers are providing key insights; take advantage of them.
Always — always! — include security team members
Make sure to include your IT security team when evaluating and selecting low-code/no-code platforms. Not keeping them apprised will come back to bite you, and it ties directly back to governance. Don't be one of those organizations that finds out well after the fact that different departments have been using different platforms; that makes visibility exponentially harder.
It's important to include IT security because the drag-and-drop nature of low-code/no-code app development means security should be baked into the platform. Note the word should. Citizen developers won't know the right questions to ask vendors; your security professionals will. They are far better equipped to vet providers, understand their security weaknesses and evaluate the steps they take to keep customers' data safe.
Questions About How Low-Code/No-Code Can Affect Your IT Security?
Applications are the lifeblood of your business. So, if you’re taking advantage of low-code/no-code app development — or would like to — security needs to be top-of-mind. It needs to come first. Always. That’s why talking with the application security experts at Radware is a great first step to help ensure your data remains secure. You can contact them here. They would love to hear from you.