Are No-Code and Low-Code Developer Tools a Security Risk?
No-code and low-code tools have continued to increase in popularity in recent years. According to Gartner, the global low-code market is expected to reach $13.8 billion in 2021, up 22% since 2020. Boosted by an increase in the number of digital businesses and the benefits of improved agility and higher productivity, this growth is expected to continue into 2022 and beyond.
However, while low-code solutions can empower non-technical users to build applications without writing code themselves and streamline development for the technical users that rely on them, these tools are not without risks. Here's what software development and security experts had to say about the potential security risks associated with low-code tools and guidelines on how to lower enterprise risk exposure.
Related Article: Low Code Finds Its Place in the Digital Workplace
What Are the Low-Code Security Risks?
In large companies, IT teams implement extensive security practices, precautions and workflows to help keep applications safe and secure. Many low-code applications, especially those built by non-technical personnel, don't follow those same guidelines.
"Unlike traditional software development, the applications built on these platforms do not follow a company's own IT practices including code reviews, test environments, code deployments, and often do not provide any visibility into what's under the hood," said Mang-Git Ng, CEO at San Francisco, CA.-based Anvil, a digital workflow company.
The advantage of low code is that citizen developers can create their own applications and shortcuts. But a lack of visibility means IT is less prepared for any impending security problems. To alleviate this problem, Ng suggested avoiding low-code solutions for business critical or external or customer-facing processes.
Permissions and Controls
IT departments act as gatekeepers between users and the critical files and classified resources on enterprise servers. As a result, they outline various levels of permissions and controls, allowing some users access to areas of a company database that are critical for their job but not to others that could be detrimental to security.
With low-code tools, permissions are under the spotlight. "Given low-code applications can store all types of data, there must be measures in place for two main aspects: what users can see and what users can do," said Tejas Gadhia, who is responsible for product management at Chennai-based Zoho Creator.
He suggested creating a combination of controls based on user level, role and group.
Third Party Integrations
A further security risk is third party software integrations. Approximately 80 percent of low-code apps have at least one such integration, said Gadhia. The data that gets exchanged between these external services may not follow enterprise business compliance requirements.
Low-code platforms use such third party integrations to build out their drag and drop components. The integrations aren't just limited to proprietary software solutions either, but could also include open source codebases.
The risk, according to Brian Sathianathan, chief technology officer at San Jose, Calif.-based Iterate.ai, is an exposed area that malicious actors can exploit.
"These third parties might find a security flaw and update their versions but those updates may not get applied in time into the low-code platform, due to the sheer volume of low-code components," he said.
3 Tips to Avoid Low-Code Security Issues
Given the potential problems that low code tools can cause, how can organizations prevent security issues from derailing them? Here are a few tips:
- Consult IT Before Implementation: Before deploying any low-code applications, developers should consult with their IT departments and cybersecurity teams. This ensures visibility of the application and the ability to monitor it for vulnerabilities. Plus, developers can follow best practices that include port security, note the type of data the application will process, and set up firewalls to prevent SQL injections and other attacks.
- Practice API Security: One overlooked area that exposes an organization's data and digital assets is an API. When using low-code tools, API security should be paramount, Sathianathan said. "Another tip for avoiding security events is securing API or REST calls with authentication or tokenization, or by using an API gateway," he said.
- Assess Low-Code Vendors: Enterprises should conduct an assessment and audit of any low-code platforms they choose to implement. This includes asking providers questions about how often they scan for vulnerabilities, conducting penetration tests and other security best practices.