Security Challenges in Low-Code, No-Code Platforms
There was a time when application development meant long nights of planning, designing, testing and refining hand-written code. Now, to meet escalating demand for rapid application delivery, enterprises are finding that DevOps scales through collaboration between developers and IT operations, and one way to scale it further is low-code, no-code technology. With the market projected to reach $13.8 billion in 2021, low-code development is clearly flourishing.
Low-code platforms have been appearing across the tech landscape in recent years, promising faster application development through visual tools that replace hand-written code. No-code falls under the low-code umbrella and refers to software that is designed and built entirely within the platform without writing any code. Think of platforms like WordPress or Wix.com, with their built-in web design tools.
Why are low-code, no-code platforms surging in popularity?
It’s easy to see why the low-code market is at an inflection point. Users gain the access and the bandwidth to create software, applications and web pages at much lower cost and in much less time. Beyond functionality, these platforms also provide templates and tools that help with visual design. One of the main drivers of the no-code, low-code movement is the acceleration of digital transformation and the e-commerce boom; another is the growing need for user customization. As more businesses move online, the demand for technology that eases that move will follow.
With the emergence of any sort of technology, there are also risks associated with new trends. In this article, we take a look at some of the security challenges of low-code, no-code platforms:
● Lack of visibility
● No way to oversee data
● No access to auditing or provider systems
● Business logic mistakes
● Tendency for Shadow IT
● Lack of security awareness
● Danger of exposed code
Lack of visibility
Probably the biggest challenge with low-code technologies is that firms have no oversight of what employees are developing. When IT has no visibility into what is being built, it is hard to govern it, and enterprises lose track of their security needs.
Much of this comes from no-code processes being simplified, transferable and usable by untrained personnel. In traditional software development, experts and developers collaborate on a single codebase throughout the Secure Software Development Lifecycle (SSDLC), applying extensive AppSec practices to secure the system, protect data and mitigate risk. For those practices to work, security personnel need access to critical data and the ability to track activity. In no-code environments, by contrast, data is often extracted into ad hoc internal stores such as Microsoft Excel spreadsheets. These are effectively ungovernable: every team follows its own guidelines and practices, so security controls end up weak and inconsistent. Consider an employee who installs and uses a no-code tool on their desktop without anyone knowing.
To address this, organizations must actively work to open up visibility into application development. For no-code workplaces, this can be done through cloud-based platforms, which bring more consistency to the workflow and create opportunities for visibility and tracking. Firms can then apply guidelines and security practices for safe application development that match their organizational requirements.
No way to oversee data
When it comes to data management, the common questions are: who is allowed access to data, and how is that data restricted or used? After all, data is a valuable asset of any organization and is at risk of being exploited for malicious ends.
Not all data carries the same risk. If an enterprise leaked the code for a sorting routine, it would hardly be cause for concern. On the other hand, enterprises large and small hold critical business data that attackers can exploit: client address books, proprietary company software, sensitive bank details, among others. A breach of such sensitive information could put a company in a lot of trouble.
This is not to say that there is zero control over data in no-code environments. Rather, the level of control, however limited, that businesses are allowed to have varies from platform to platform.
The limits of those controls are clear in most business collaboration platforms. Dropbox allows users to share data, grant or restrict access and track changes. But more refined data management tools exist, offering login tracking, re-sharing controls and granular access control (granting selective levels of access), that are missing from many commercial no-code applications. So in most cases company data ends up partitioned and siloed, which puts it at higher security risk.
No access to auditing or provider systems
Since low-code platform providers are businesses themselves, they take measures to protect their own digital assets. Enterprises that use these vendors typically have no access to the platform's application code or internal controls, so they cannot get a full look into these systems to identify faults in the software.
Customers who want to conduct security checks must do so through the means available to them, such as:
● Third-party security audits
● Black-box testing
● Compliance certifications and contractual agreements
● Purchasing cyber insurance
Assurance through compliance checks, insurance and legal agreements is easy to arrange; testing requires deeper access. To give customers peace of mind, low-code providers are beginning to adopt more transparent practices, though the level of transparency, and whether code is made available for security checks, is entirely up to the platform an enterprise chooses. For instance, a vendor can generate applications in a standard programming language; enterprises can then export the generated source code and run white-box tests such as code review and static analysis against it. Note that exported application code covers what the platform generated for you, not the platform's own runtime and hosting infrastructure, which remain in the vendor's hands and can still only be assessed through the other means above.
Business logic mistakes
Low-code platforms have built-in features for permissions and access control, usually shaped by analysis of what customers need. This makes building secure applications easy, provided those features are used correctly.
Problems arise when people approach software development purely from a business perspective and disregard the IT side. This is not uncommon: because application creation is now so simplified, it can be seen as non-technical work with little actual code involved. But with any technology there is an associated security risk.
In this case, people get absorbed in their creative or business headspace with low-code or no-code platforms and end up making mistakes. Business logic flaws are hard for automated tools to detect because they stem from human error: the application does exactly what it was built to do, and the mistake is in what it was built to do. Attackers can exploit that unintended behaviour just as readily as a coding bug. A few examples: sharing data with a colleague who has no permission to see it, posting sensitive company information on public platforms, or leaking customer data to close family members.
As IT teams continue to expand, mitigating business logic flaws, which range from trivial to highly severe, has to be an enterprise-wide priority. In traditional software development, enterprises already have an extensive application security program in place to test their systems and networks. Extending those practices to low-code, no-code environments would ensure that organizational security objectives are met.
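As an added example (not code from the article or from any vendor's platform), here is the kind of mistake described above: a "share a customer record" action a citizen developer might assemble in a low-code workflow. The first version checks only that the record exists; the second makes the business rules explicit (the actor must own the record, the recipient must be a known account, and the recipient must be cleared for the record's classification). All users, records, classifications and rules are constructed for illustration.

```python
"""Added example: a 'share customer record' workflow action in a flawed and a
hardened form. Users, records and rules below are constructed, not real."""
from dataclasses import dataclass, field


@dataclass
class Record:
    record_id: int
    owner: str
    classification: str          # "public" or "confidential" (constructed scheme)
    data: dict


@dataclass
class User:
    name: str
    clearance: set = field(default_factory=set)   # classifications this user may receive


# Constructed sample data
RECORDS = {
    1: Record(1, "alice", "confidential", {"customer": "ACME", "iban": "DE00 0000 0000"}),
    2: Record(2, "bob", "public", {"customer": "Globex", "note": "brochure sent"}),
}
USERS = {
    "alice": User("alice", {"public", "confidential"}),
    "bob": User("bob", {"public"}),
    "carol": User("carol", {"public"}),
}
AUDIT_LOG = []   # (actor, record_id, recipient, outcome)


class ShareError(Exception):
    pass


def share_record_vulnerable(actor, record_id, recipient):
    """Flawed: only checks that the record exists. The platform's permission
    model is not the problem; the builder never asked whether this actor may
    share this record with this recipient."""
    rec = RECORDS[record_id]
    AUDIT_LOG.append((actor, record_id, recipient, "shared"))
    return rec.data


def share_record_hardened(actor, record_id, recipient):
    """Same action with the business rules made explicit."""
    rec = RECORDS.get(record_id)
    if rec is None:
        raise ShareError("no such record")
    if rec.owner != actor:
        # Ownership check: stops any user forwarding someone else's record
        raise ShareError(f"{actor} does not own record {record_id}")
    target = USERS.get(recipient)
    if target is None:
        # Only known accounts can be recipients, never free-text addresses
        raise ShareError(f"unknown recipient {recipient}")
    if rec.classification not in target.clearance:
        # Classification check: confidential data only reaches cleared users
        raise ShareError(f"{recipient} is not cleared for {rec.classification} data")
    AUDIT_LOG.append((actor, record_id, recipient, "shared"))
    return rec.data


def try_share(share_fn, actor, record_id, recipient):
    """Run one share attempt and report the outcome as data rather than raising."""
    try:
        return ("shared", share_fn(actor, record_id, recipient))
    except (ShareError, KeyError) as exc:
        AUDIT_LOG.append((actor, record_id, recipient, f"denied: {exc}"))
        return ("denied", str(exc))


if __name__ == "__main__":
    # bob tries to forward alice's confidential record to carol, who is not cleared
    print(try_share(share_record_vulnerable, "bob", 1, "carol"))  # shared: the IBAN leaks
    print(try_share(share_record_hardened, "bob", 1, "carol"))    # denied: not the owner
    print(try_share(share_record_hardened, "alice", 1, "bob"))    # denied: bob not cleared
    print(try_share(share_record_hardened, "bob", 2, "carol"))    # shared: public record
```

A scanner finds nothing wrong with the first function: no injection, no crash, and it calls the data store exactly as designed. The flaw is only visible to someone who knows the business rule that bob must not be able to forward alice's confidential record, which is why such checks have to be written down as explicit rules and reviewed, not left to tooling.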
Tendency for Shadow IT
Shadow IT refers to bringing in information technology (IT) systems, applications or software without the knowledge or approval of the central IT department, often to compensate for perceived shortcomings in the sanctioned tools. A study from Cisco found that typical firms run 15 to 22 times more cloud applications in the workplace than IT has authorized.
While it is a quick fix in the short term, which explains its widespread use, Shadow IT is a pervasive issue that poses a real security threat to organizations. For one, it is closely tied to the visibility challenge in low-code culture. Employees also rely on undocumented software that has not been through a rigorous vetting process. And when management cannot see which processes are taking place, they cannot measure or assess the risk.
Shadow IT creates risk in several areas:
● Reusability - when projects are built with unapproved tools, they are harder to replicate or transfer across people or departments.
● Onboarding - unauthorized systems are difficult to hand over to new colleagues or developers, because the people using them fear being caught.
● Data backup or recovery - software outside the IT department’s control does not go through the same backup and recovery procedures.
● Risk of data breach - similarly, such software is not held to the same security standards. Outsiders may end up with privileged access to change, steal or exploit critical data, and terminated employees may retain access, since no one deprovisions accounts IT does not know exist.
● Risk of cyber security breach - developers and vendors test their software for vulnerabilities and usually issue a patch when an exploitable one is found. With Shadow IT, issues can go undetected and unpatched for long periods, leaving users exposed to attack.
● Unrealised inefficiencies - Shadow IT software does not go through a productivity assessment before it is adopted. Its efficiency is judged by the perception of the user or group who brought it in, and the tool often depends entirely on them, creating a single point of failure.
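One concrete way to restore the visibility discussed under "Lack of visibility" and to surface the Shadow IT described here is to compare observed SaaS traffic against the list of applications IT has sanctioned. The following is an added example, not from the article or any product: it parses a handful of constructed web-proxy log lines, maps hostnames to a hypothetical application catalogue (a real deployment would take this from a CASB or proxy vendor feed), and reports unsanctioned applications ranked by bytes uploaded, since outbound uploads to an unapproved builder are where company data leaves. The log format, hostnames, catalogue and sanctioned list are all assumptions.

```python
"""Added example: detect unsanctioned SaaS/no-code tools from proxy logs.
Log lines, hostnames and the application catalogue are constructed."""
import re
from collections import defaultdict

# Constructed proxy log lines (format assumed: timestamp user method host bytes)
SAMPLE_LOG = """\
2023-05-01T09:12:03Z alice GET app.sanctioned-crm.example 1204
2023-05-01T09:13:11Z alice POST builder.nocode-tool.example 88231
2023-05-01T09:20:45Z bob POST builder.nocode-tool.example 120033
2023-05-01T09:22:10Z carol GET www.sanctioned-docs.example 530
2023-05-01T10:01:00Z dave POST forms.unknown-saas.example 40211
2023-05-01T10:05:30Z bob GET api.sanctioned-crm.example 310
2023-05-01T10:09:12Z erin POST automate.flow-tool.example 9921
this line is malformed and is skipped
"""

# Hypothetical catalogue of SaaS products keyed by domain (a real one comes from a CASB feed)
APP_CATALOG = {
    "sanctioned-crm.example": "Sanctioned CRM",
    "sanctioned-docs.example": "Sanctioned Docs",
    "nocode-tool.example": "NoCode Builder",
    "flow-tool.example": "Flow Automation",
}
# What central IT has actually approved (assumed)
SANCTIONED_APPS = {"Sanctioned CRM", "Sanctioned Docs"}

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d+)$")


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, method, host, nbytes = m.groups()
    return {"ts": ts, "user": user, "method": method, "host": host, "bytes": int(nbytes)}


def classify_host(host):
    """Map a hostname to a catalogue entry by domain suffix; None if unknown."""
    for domain, app in APP_CATALOG.items():
        if host == domain or host.endswith("." + domain):
            return app
    return None


def find_shadow_it(log_text):
    """Aggregate traffic per application and return the unsanctioned ones,
    ranked by bytes uploaded (POST/PUT), with the users involved."""
    per_app = defaultdict(lambda: {"users": set(), "hosts": set(), "upload_bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Unknown hosts are reported too: an app missing from the catalogue is still unsanctioned
        app = classify_host(rec["host"]) or "unknown:" + rec["host"]
        entry = per_app[app]
        entry["users"].add(rec["user"])
        entry["hosts"].add(rec["host"])
        if rec["method"] in ("POST", "PUT"):
            entry["upload_bytes"] += rec["bytes"]
    findings = [
        {"app": app, "users": sorted(e["users"]), "hosts": sorted(e["hosts"]),
         "upload_bytes": e["upload_bytes"]}
        for app, e in per_app.items() if app not in SANCTIONED_APPS
    ]
    findings.sort(key=lambda f: (-f["upload_bytes"], f["app"]))
    return findings


def coverage_summary(log_text):
    """Observed applications versus those IT approved, the ratio the Cisco figure above describes."""
    observed = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            observed.add(classify_host(rec["host"]) or "unknown:" + rec["host"])
    return {
        "observed_apps": len(observed),
        "sanctioned_in_use": len(observed & SANCTIONED_APPS),
        "unsanctioned": len(observed - SANCTIONED_APPS),
    }


if __name__ == "__main__":
    for f in find_shadow_it(SAMPLE_LOG):
        print(f"{f['app']:40} users={','.join(f['users'])} uploaded={f['upload_bytes']} bytes")
    print(coverage_summary(SAMPLE_LOG))
```

Ranking by upload volume rather than request count is deliberate: a single user pushing tens of kilobytes of form data into an unknown builder matters more than many users reading a public page, and the unknown-host bucket is what turns a "we did not know this tool existed" gap into a ticket for IT to vet or block.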
Lack of security awareness
With the emergence of low-code technologies, building applications is no longer limited to developers; people with business backgrounds become citizen developers, usually with little to no formal training in the application development lifecycle. This raises security awareness issues, as these novice practitioners are not as well versed in application security as their IT counterparts.
The acceleration of digitalization, paired with an ongoing tech talent shortage, has led to citizen developers’ prominence in application building. As the demand for rapid change continues to fuel the need for output, organizations may end up overlooking the importance of security.
This can breed a workplace culture of negligence. Management must do their part by ensuring that their teams receive proper training in cybersecurity fundamentals and basic risk management.
Bridging the security gap in low-code, no-code with DevSecOps
Many businesses use DevOps to streamline workloads, boost productivity and increase output. At a CAGR of 18.7% from 2017 to 2023, the DevOps market is set for growth. Against the backdrop of a billion-dollar talent shortage, companies must do much more to take pressure off skilled workers while enhancing the abilities of employees from non-technical backgrounds. Firms should begin to ask themselves how they can stay protected from attackers now that DevOps is in the spotlight.
DevSecOps (Development, Security, Operations) combines the world of DevOps with security. Instead of hyper-focusing on either security or speed, DevSecOps aims to help everyone involved find a healthy balance between staying protected and staying efficient. It promotes the mindset that “everyone is responsible for security” instead of delegating it to a siloed team. Aiming to redefine security in application development, DevSecOps strategies often differ sharply from traditional security. Common principles include using security to enable agile development, de-siloing IT, and shifting security left so that it begins at the start of the development process rather than at the end.
Using services such as those of Nox90, organizations can integrate security into their DevOps strategy at every stage of the development life cycle. Nox90 aims to nurture a culture of security and vigilance in enterprises and so contribute to the success of its partners.